Business Continuity Management / Disaster Recovery , Critical Infrastructure Security , Cybercrime

Internet Experts Propose Blocking Culpable Russian Sites

Open Letter Responds to Ukraine's Request to ICANN to Cut Off Russian Domain
Internet Experts Propose Blocking Culpable Russian Sites
Source: Geralt via Pixabay

In an open letter addressing last week's request by the Ukrainian government to the web governance entity the Internet Corporation for Assigned Names and Numbers, dozens of researchers, internet activists, politicians and academics voiced their disapproval, instead calling for precise, measured sanctions that could more effectively weaken Russian military and propaganda efforts.

See Also: Every Second Counts: 6-Step Ransomware Remediation Guide

The letter - signed by members of the European Parliament, ICANN, Packet Clearing House, the Electronic Frontier Foundation, the Digital Democracies Institute and others - suggests blocklisting select sites, a practice currently used to block spam and malicious content. This, they contend, would not hinder the operations of Russian schools, hospitals and other civilian areas.

The blocklisting would empower individual networks to decide whether to deny access to cited IP addresses, they say.

In the letter, the experts also call for the creation of a volunteer committee that can act quickly, in light of global events, and deliberate over such digital sanctions.

Commenting on the letter, co-signer Bill Woodcock, executive director of the internet infrastructure security nonprofit Packet Clearing House, said via Twitter: "Ten days and dozens of authors working together, we now have a document that describes the internet infrastructure governance community's position on sanctions: what's appropriate, and a multi-stakeholder governance method for their imposition."

Initial Request

The letter responds to a request from Andrii Nabok of the Ukrainian Ministry of Digital Transformation, addressed to ICANN on Feb. 28. In its plea, the ministry asked ICANN to permanently or temporarily revoke the country code top-level domains ".ru," ".рф" and ".su." This included requests to revoke associated SSL certificates and disable DNS root servers within the Russian Federation.

The authors of the open letter, however, say: "Internet governance sanctions must be selected and implemented carefully, in order to achieve the greatest effect and to avoid unanticipated consequences."

They say it is now "incumbent upon the internet community to deliberate and make decisions in the face of humanitarian crises."

At the time of this writing, the Russians continued to advance toward Ukrainian population centers, increasingly ramping up their shelling of civilian-occupied areas.

The letter's authors say: "Disconnecting the population of a country from the internet is a disproportionate and inappropriate sanction, since it hampers their access to the very information that might lead them to withdraw support for acts of war and leaves them with access to only the information their own government chooses to furnish.

"Sanctions should be focused and precise. They should minimize the chance of unintended consequences or collateral damage."

Letter Details

Nevertheless, the experts signing on to the letter today say both military and propaganda agencies and their information infrastructure are, in fact, potential targets of sanctions. Their proposed multistakeholder mechanism, then, would publish related IPs in public data feeds. They say this system matches current efforts among network operators to block spam, malware and DDoS attacks and "requires no new technology and minimal work to implement."

They say that the primary users of any country code Top Level Domain, or ccTLD, are civilian constituents, and any removal of a ccTLD from the DNS "would make it very difficult for anyone, globally … to contact users of the affected domains," which would be mainly Russian-speaking civilians.

They say the move would have "relatively little effect" on Russian military networks, which "are unlikely to rely upon DNS servers outside their own control."

So any such measure, they continue, would "disproportionately harm civilians."

On the revocation of certificates associated with governmental or military domains, the co-authors say this too is "not effective," because the targeted government "is likely already using a Certificate Authority under its own control." If it's not, they add, they can cause a CA under its influence to issue a replacement certificate.

And revoking certificates associated with private subdomains - the letter writers use and as examples - would render communications between the organizations and their constituencies "insecure and vulnerable to cybercrime." They say that "decreasing law and order and rendering a civilian population more vulnerable to crime is not an effective sanction."

A Russian map/graphic courtesy of Peggy_Marco via Pixabay


The signatories also offer nontechnical sanctions options related to the internet's operation and governance, but they do not elaborate further. These options include disallowing sanctioned personnel to participate in internet governance, policymaking or standardization proceedings.

They tout the multistakeholder-governed list approach, which is already used by network operators and DNS resolver operators, to selectively choose which traffic to route and pass.

Blocklisting IP addresses and Autonomous System Numbers, the letter writers say, "allows network operators to block both the acceptance of routes and the passage of traffic, each or both of which may be appropriate in different situations and in response to different threats."

The experts call this approach the "best mechanism for sanctioning both IP routes and traffic and domain names" and a tactic with "no inherent danger of being overbroad."

John Bambenek, principal threat hunter at the firm Netenrich, agrees, saying: "It’s more precise, and with less collateral damage, to just not route Russian IPs" than to disconnect .ru domains.

The assessment also carries political support. Bart Groothuis, a member of the European Parliament for the Netherlands, and a co-signer, says of the letter: "Internet sanctions against Russia might be a good idea, but can easily go wrong. What is appropriate and how to execute? Proud to sign this letter with dozens of top-experts on how to impose sanctions."


As the humanitarian crisis worsens on the ground in Ukraine, and as millions flee the war-torn country, Russian President Vladimir Putin is increasingly leaning toward scorched-earth tactics. Meanwhile, officials in the U.S. have pledged more financial aid for the country's military operations, while reportedly mulling additional sanctions.

As world powers deliberate, inside Ukraine, officials are reportedly considering contingencies to safeguard critical data.

Late last month, it was reported that Ukrainian officials were prepared to move servers and critical data outside the capital city of Kyiv, but now, according to Reuters, they are considering moving such assets abroad - to keep them out of the hands of advancing Russians.

According to the same report, Victor Zhora, deputy chief of Ukraine's State Service of Special Communications and Information Protection, has confirmed his team is moving to protect the country's IT infrastructure. The team prefers to keep it within Ukraine, he says, but it has other cross-border options.

In order to make such moves, however, Ukrainian lawmakers would need to approve the action.

The report indicates that officials have shipped IT equipment to "more secure areas" and that the country has "received offers" to host data from foreign partners.

Such measures might involve the physical transport of servers and storage devices or rapid digital migration to different, secure services or servers, the report states.

About the Author

Dan Gunderman

Dan Gunderman

Former News Desk Staff Writer

As staff writer on the news desk at Information Security Media Group, Gunderman covered governmental/geopolitical cybersecurity updates from across the globe. Previously, he was the editor of Cyber Security Hub, or, covering enterprise security news and strategy for CISOs, CIOs and top decision-makers. He also formerly was a reporter for the New York Daily News, where he covered breaking news, politics, technology and more. Gunderman has also written and edited for such news publications as, and

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.