This August, Google, Apple, and Mozilla moved to have their web browsers block the Kazakhstan root Certificate Authority (CA) certificate—just one of only a handful of times that tech companies have decided to block a CA because of the risk it might be enabling surveillance of internet users.
A CA is an entity responsible for issuing digital certificates that permit websites, devices, and users to assert their online identity. The use of these digital certificates helps enable secure communication on the web. If User A wants to connect to Website B, the certificate issued by a CA allows Website B to make a verifiable claim about their identity. This claim is used to establish an encrypted tunnel between User A and Website B, permitting secure and encrypted communication between users and websites. This encrypted tunnel is run through a secure version of the old hyper-text transfer protocol (HTTPS).
As nation-states acquire new cyber tools and capabilities, they will need to decide how they will utilize this new technology and where along the spectrum between permissive approaches and more aggressive control they choose to place themselves. If used haphazardly, new technology and capabilities may compromise the personal privacy of their citizens or the legitimacy of government, but also could facilitate the achievement of certain political, economic, or security goals. Statecraft in the cyber domain is ultimately a balancing act where governments have to balance the opportunities of new technologies with the risk that these technologies will have negative impacts on domestic politics, international relations, the rights of their citizens, and more. In this case, the Kazakh government made a decision to create an explicitly government-controlled Certificate Authority, enabling the interception of what should have been secure communication between Kazakhtelecom users and websites.
This decision by Mozilla and the others followed reports that Kazakhtelecom, Kazakhstan’s largest Internet Service Provider (ISP), required users to install these government-issued HTTPS certificates. This meant that Kazakhtelecom could intercept communication between users and websites, facilitating the surveillance of users’ activity on social media sites including Facebook, Twitter, Instagram, Vkontakte, and more. After internet users were forced to install the fake root CA, HTTPS communication between users and websites were intercepted on 7 percent of Kazakhstan’s HTTPS servers, concentrated amongst social media services.
When the technology companies acted, amid outcry from the domestic legal community, the Kazakh government argued that the certificate was being used as part of a program to improve the nation’s cybersecurity. Since then, the Kazakh National Security Committee has backtracked, claiming the program was simply a test and then provided instructions on how to uninstall the certificate.
Just this March, Nursultan Nazerbayev, Kazakhstan’s president for nearly thirty years, resigned and was succeeded by interim President Kassym-Jomart Tokayev. While Nazerbayev stepped down as president, he continues to serve as chair of the country’s influential security council and leader of his political party. Tokayev subsequently won popular elections in June with roughly 70 percent of the vote, amid allegations of vote rigging and large protests and arrests in multiple cities.
Tokayev inherited a country with a growing youth population and sluggish economy that relies heavily on energy exports. Complicating things further, the ethnic makeup of the country includes a small, but dwindling, Russian minority whose interests Russian President Vladimir Putin has promised to protect. The June election represents the first non-violent transfer of power from one leader to another in independent Kazakhstan, setting a precedent for succession for other aging authoritarian leaders in the region. It also demonstrated how the strategic use of democratic institutions by authoritarian governments and restrictions on opposition activists and independent journalists can undermine truly free and fair elections.
The Cyber Statecraft Newsletter
Nazerbayev practiced a softer version of authoritarianism than other Central Asian leaders, but he allowed little room for critics of government policies; and things have improved perhaps only slightly under his successor. So in a country where opposition newspapers and journalists are often targeted by government, social media sites play a critical role in providing an outlet for dissident commentary, challenging trust in governmental institutions, and the legitimacy of political leaders. Facing the resignation of an aging leader, social tensions, and a growing youth population, the Kazakh government made a choice to utilize surveillance technology to monitor communications on the Internet, especially social media sites. This decision was aimed at preserving authoritarian stability while the Kazakh government experiences daunting challenges—changes in leadership for the first time in almost thirty years, the struggle of economic diversification, and a burgeoning youth population that makes up nearly 40 percent of its total population.
In the digital age, governments have the novel opportunity to use technology and cyberspace as a tool to achieve political, security, economic, and social goals—some governments make the choice to leverage technology to the greatest extent, while other opt to use technology in smaller, varying degrees, depending on their interests and priorities. In the mid-2000s, the Kazakh government developed an online presence for government ministries and even rolled out digital government services. Since then, internet penetration has increased, and social media sites have become popular in Kazakhstan to provide an outlet for dissent and mobilize citizens. Adapting to these developments, the Kazakh government reevaluated the role of technology in public affairs, leveraging legislation, cyberspace, and technology to track—and potentially limit—online dissent and criticism of government policies.
The Kazakh case serves as an example of irresponsible cyber statecraft, when governments use cyberspace and technological tools to achieve specific political goals, placing the rights of citizens, as well as their political legitimacy, on the line.
Safa Shahwan is assistant director of the Atlantic Council’s Cyber Statecraft Initiative, within the Scowcroft Center for Strategy.
Tue, Sep 17, 2019
The Cyber Vault collection shows the complexity in design and executing offensive cyber operations which help distinguish an ‘American way’ of cyber warfare—one that is no doubt closely mirrored by many of our allies.
New Atlanticist by
Wed, May 22, 2019
Did the IDF’s airstrike ‘cross the Rubicon’ by using lethal force in response to hacking? On the weekend of May 5, a month after a truce was agreed between Israel and Hamas forces in the Gaza Strip, violence again rose to levels not seen since 2014.
New Atlanticist by