Monday, April 3, 2017

ANDREI: ACADEMIA - THE TELNET PROTOCOL AND ZERO DAY ATTACKS: AN INVESTIGATION INTO THE VAULT 7 CISCO EXPLOITS AND THE IMPLICATIONS THEREOF


The Telnet Protocol and Zero Day Attacks: An Investigation Into the “Vault 7” Cisco Exploits And The Implications Thereof


Abstract
Control the routers, and you can control the Internet. Recent revelations of leaked material from the United States Central Intelligence Agency by Wikileaks, from the collection known as “Vault 7”, show that the agency was hoarding a plethora of so-called “zero day” exploits: undisclosed vulnerabilities that can exploit computer systems. CIA manuals indicated specific areas of the Cisco IOS code as being vulnerable, in particular the Cluster Management Protocol code. Cisco engineers found the potential to exploit the Telnet protocol, an unsecure Internet or LAN protocol that allows for virtual terminal connections. The exploit, labelled by Cisco as CVE-2017-3881, allowed for the remote and unfettered access of at least 300 different models of Cisco switches over the Internet, even though that access was intended only for the LAN. There are broad implications from this discovery. One is that the continued use of the antiquated Telnet protocol is prone to broad digital attacks, such as the Mirai botnet which targeted Internet of Things or “IoT” devices. Two, as the largest networking company in the world, such a broad exploitation of Cisco devices compromises the Internet at its fundamental core. Three, the hoarding by intelligence agencies of these exploits is risky to the public at large, due to the potential for overlap discovery where other nefarious hackers discover the exploits or, as in the case of the Shadow Brokers leak in 2016, where NSA cyberweapons that also utilized zero day exploits, and happened to target Cisco, were released in the open. Lastly, the repeated aforementioned loss of these government hoarded secrets strongly suggests that the agencies cannot be trusted with legislated backdoors into digital security such as encryption.

 -----------------------------------------------------

            Control the routers, and you can control the Internet. On March 7th, 2017, the largest publication of confidential documents from the United States Central Intelligence Agency was released by Wikileaks, known as “Vault 7” (Assange). Of particular interest to digital security specialists was that the agency was hoarding a plethora of so-called “zero-day” exploits: undisclosed vulnerabilities that can exploit computer systems (Ulanoff). One exploit is alleged to make use of the Telnet protocol, an unsecure Internet or LAN protocol that allows for virtual terminal connections, in order to gain elevated access to Cisco’s routers and switches (Cimpanu). The exploit, labelled by Cisco as CVE-2017-3881, allowed for the remote and unfettered access to at least 300 different models of Cisco switches (Kennedy). As the largest networking company in the world, such a broad exploitation of Cisco devices compromises the Internet at its fundamental core. This paper will examine the history of the Telnet protocol and attacks upon it, Cisco switches, the recently revealed practice of intelligence agencies hoarding digital exploits, and the worldwide risk to digital security presented by this practice.

            The Telnet protocol was first defined and used in 1969 (TELNET: The Mother of All Applications Protocols). The protocol predates the modern Internet and is the basis for many other protocols such as HTTP and FTP (Geerling). Telnet, short for either telecommunications network or terminal network, is considered by some to be the “original Internet” (Gil, Fisher). The protocol allows for plain text remote interfaces over TCP/IP networks, and was designed with the assumption of a high level of trust between client and mainframe computers (Gil). These client computers did not require powerful hardware – only a connection to the network and a text based interface to utilize Telnet (Geerling). Using these terminals boosted productivity and saved time for those at universities and enterprises that required multiple users accessing the mainframe at once, which could often also be very distant. As such, security steps such as encryption were not designed into the protocol nor perhaps were they even needed given its use for closed networks (Gil, Geerling). What this entails for the modern user is that data transmitted via Telnet can easily be read through network packet sniffing. For most of its purposes, Telnet was superseded later by the Secure Shell protocol, better known as SSH, in response to a password-sniffing attack on a university utilizing plain text communication (Geerling). Unlike Telnet, SSH utilizes encryption through different methods at various points in the transaction including symmetrical encryption, asymmetrical encryption, and hashing (Ellingwood). Telnet is still utilized, however, for checking services on remote servers, devices through local serial connections, and some remote device configuration (Neagu). Telnet also had a popular use for searching through public access library catalogs in the early days of the Internet (Lavender).
Some of these online catalogs are still accessible, assumed to be Telnet daemons running on machines that also provide HTTP access or on antiquated, forgotten servers (Public Access Catalogue). The protocol has also been utilized for bulletin-board access along with text-videogames known as multi-user dungeons or MUDs, due to antiquated code bases for MUDs not supporting SSH (Why Do MUDs use Telnet?). However, the most risky use of the protocol – the risk most relevant to the topic – is the use of the protocol for remote configuration (Fisher).

            Modern operating systems typically come with both the Telnet client and Telnet server disabled, and as of Windows Server 2016, the Telnet server itself is not included (Fisher, Gregory). The SANS Institute, a resource for information security training and security certification, warns that even the ability for a system to utilize Telnet increases risk (Zirkle). Since 1994, CERT – a cyber-security organization out of Carnegie Mellon University – has warned against the use of Telnet (Ongoing Network Monitoring Attacks). However, as demonstrated by recent attacks and potential exploits that made use of the Telnet protocol, there is still significant risk. To even summarize the large list of potential Telnet exploits in different systems is vastly beyond the scope of this paper, so only the most recent attacks that actually took place will be examined. First, the largest distributed denial of service attack ever recorded was done with the Mirai botnet (Mapping Mirai). Denial of service attacks are where systems all simultaneously make garbage communications attempts with an endpoint, such as a specific company’s Internet servers. In other words, it suffocates the connection through using available bandwidth (Popeskic). A botnet is a network of computers over the Internet that have been compromised in various degrees (Mapping Mirai). In the case of Mirai, the focus was on “Internet of Things” or IoT devices – so-called “smart” Internet connected devices such as fridges, toasters, CCTVs, baby-monitors, et cetera (Mapping Mirai). There are estimated to be over 15 million devices on the Internet that still actively use the Telnet protocol, and Mirai spread in large part through these (Mapping Mirai). Mirai utilized a bruteforce attack – typically, a systematic guessing of usernames and passwords based on dictionaries, but in Mirai’s case based on a list of factory defaults – against these devices, many of which lack bruteforce protection (Mapping Mirai).
Once infected, these devices continue to function, albeit sluggishly, and listen to a command and control server which then indicates the target of a DDoS attack. Mirai is far from the only piece of malware to spread through Telnet, and segments of its source code have been utilized in other malware that infects Linux-based embedded devices through the use of default passwords and bruteforce attacking (Leyden). Of particular interest is the CVE-2017-3881 vulnerability in Cisco devices, which allowed for an unauthenticated, remote attacker to reload a targeted device or execute code with elevated privileges in over 300 types of Cisco switches. To understand the grave potential for this exploit, it is important to understand how Cisco switches operate and what the practical security aspects are of the CVE-2017-3881 vulnerability.

            The actual code of the malware mentioned in Vault 7 has not yet been publicly disclosed, and it is entirely possible that the CVE-2017-3881 vulnerability is actually not the code affected. Nevertheless, according to Omar Santos and analysts with the Cisco Product Security Incident Response Team or PSIRT, they believe the CIA has access to malware that can target different families of Cisco devices, and that the malware can provide:

…Data collection, data exfiltration, command execution with administrative privileges (and without any logging of such commands ever been executed), HTML traffic redirection, manipulation and modification (insertion of HTML code on web pages, DNS poisoning, covert tunneling, and others. The authors have spent a significant amount of time making sure the tools, once installed, attempt to remain hidden from detection and forensic analysis on the device itself. It would also seem the malware author spends a significant amount of resources on quality assurance testing – in order, it seems, to make sure that once installed the malware will not cause the device to crash or misbehave.

Without immediate access to the code of the malware, Cisco was forced to audit the code based on clues from the Vault 7 leaks (Chirgwin). In the process, they found that the Cluster Management Protocol in the Cisco IOS and IOS XE Software could allow for a remote attack (Kovacs). The Cluster Management Protocol utilizes Telnet for signaling and command between cluster members. However, according to Cisco the vulnerability was due to two specific factors:

The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device, and the incorrect processing of malformed CMP-specific Telnet options. An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device.

In response, Cisco recommended the hardening of devices through disabling the ability for devices to accept Telnet connections, and later released software updates to address the specific vulnerability (Santos).
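As an added illustration of the hardening step Cisco recommended (this is not code from Cisco or from the paper), the following Python script audits a saved IOS running-config for vty lines that still accept Telnet. The sample configuration is constructed, and reporting a missing `transport input` statement as "REVIEW" is an assumption made here because the default differs between IOS releases.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
hostname lab-sw1
!
line con 0
 logging synchronous
line vty 0 4
 access-class 10 in
 transport input telnet ssh
line vty 5 15
 transport input ssh
line vty 16 31
 login local
!
end
"""

LINE_VTY = re.compile(r"^line vty (\d+)(?: (\d+))?\s*$")


@dataclass
class VtyBlock:
    first: int
    last: int
    transport_input: Optional[List[str]] = None  # None: no explicit statement
    access_class_in: Optional[str] = None        # ACL limiting source addresses

    def verdict(self) -> str:
        if self.transport_input is None:
            # Assumption: the implicit default is release-dependent,
            # so it is flagged for manual review rather than guessed.
            return "REVIEW"
        if {"telnet", "all"} & set(self.transport_input):
            return "TELNET-ENABLED"
        return "OK"


def parse_vty_blocks(config: str) -> List[VtyBlock]:
    """Collect every 'line vty' block and the settings inside it."""
    blocks: List[VtyBlock] = []
    current: Optional[VtyBlock] = None
    for raw in config.splitlines():
        m = LINE_VTY.match(raw)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = VtyBlock(first, last)
            blocks.append(current)
            continue
        if not raw.startswith(" "):
            current = None  # any unindented line closes the block
            continue
        words = raw.split()
        if current is None or not words:
            continue
        if words[:2] == ["transport", "input"]:
            current.transport_input = words[2:]
        elif words[0] == "access-class" and len(words) >= 3 and words[-1] == "in":
            current.access_class_in = words[1]
    return blocks


def audit(config: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (line range, verdict, inbound ACL) for each vty block."""
    return [
        (f"vty {b.first}-{b.last}", b.verdict(), b.access_class_in)
        for b in parse_vty_blocks(config)
    ]


if __name__ == "__main__":
    for name, verdict, acl in audit(SAMPLE_CONFIG):
        print(f"{name:<12} {verdict:<15} access-class in: {acl or '-'}")
```

An inbound `access-class` narrows who can reach the Telnet listener but does not remove it; only a `transport input` without `telnet` or `all` matches the recommendation above.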

            According to the International Data Corporation or “IDC”, Cisco makes up as of 2016 nearly 60% of the market share in routers and switches (Haranas). This market share, together with the use of proprietary, typically closed-source software such as IOS in their devices, makes Cisco a particularly large target. While attacks like Mirai were impressive in the multitude of embedded devices affected, and crippling in both the botnet attacks themselves and the difficulty of responding to them, the stealth and range of damage that could be effected by outright “owning” routers and switches is far more compromising. For example, an intelligence agency or a criminal enterprise collecting data on routers in the Internet can obtain raw packet dumps, unencrypted passwords, browsing behaviors, vulnerability assessments, and so on. Data exfiltration through redirecting TCP and UDP packets can subvert firewall protection. Command execution with administrative privileges bypasses system management and also has the potential to be non-auditable – a router rootkit. HTML redirection and the insertion of HTML code on webpages also have widespread implications: redirection could cause “phishing” attacks at otherwise authentic URLs. For example, a false login page on a mirrored and compromised website could steal one’s credentials while using the exact same URL as the authentic website.

Of note, the fact that this exploit utilizes the Telnet protocol means that it could stand to reason that the exploit is very old. This raises questions about the company’s own auditing process in their software. While Cisco claims there is no evidence of the exploit ever having been used, in the same breath they say there is no way to accurately audit the exploit (Chirgwin). Wikileaks claims that the CIA was exploiting the flaw, but it is unknown whether there is hard evidence of that or if it is an assumption by the organization (Kovacs). Ergo, it logically follows that there is no way to know from simply auditing their device logs.

            The attacks uncovered by the Vault 7 leaks are not the first against Cisco by US intelligence agencies. In 2014, Edward Snowden through Wikileaks revealed that the National Security Agency or “NSA” had a practice of physically intercepting devices in transit and installing rootkits to monitor target companies (McElroy, Schneier). In 2013, the Shadow Brokers hacking group is believed to have compromised an NSA staging server, stealing the spy agency’s cyberweapons which made use of hoarded exploits. This was not revealed until 2016, potentially after elements had already been utilized and/or sold (Schneier). There is no indication the NSA was aware of the hack until 2016 (Whittaker). “When the NSA screws up, it’s US technology companies that have to bear the reputational costs,” says ACLU Chief Technologist Chris Soghoian. “The NSA gets to avoid all of the unpleasantness associated with its mistakes” (Brandom). Unlike the Wikileaks “Vault 7” leaks, Shadow Brokers released segments of the actual malware code to the public writ large, along with selling other tools on the black markets on the darknet, compromising Cisco equipment through dozens of different and previously unknown exploits. For instance, VPNs using IPsec internet key exchange with PIX firewalls below version 6 could be sent specially crafted packets to obtain the contents of the device memory. Other attacks included exploiting parsers through buffer overflow flaws, allowing remote SNMP code execution (Whittaker). The exploits are known as CVE-2016-6367 and CVE-2016-6366, or “EPICBANANA” and “EXTRABACON” per Omar Santos. According to Derek Kortepeter,

It is likely that we will hear of more patches being released from all companies exposed by this NSA leak. There is talk in the cybersecurity community now of how to best avoid incidents like this in the future. One of the most thrown-around suggestions is making sure the NSA is more diligent about disclosing vulnerabilities to vendors, rather than hoarding them. As we’ve seen, by hoarding all of this data, the NSA has made vendors’ jobs extremely difficult in regard to defending against cyber attacks.

Unlike the Shadow Brokers hacks, WikiLeaks has promised exclusivity in the direct binaries and some technical details with vendors affected by the Vault 7 leaks, including Apple, Microsoft, Google, Mozilla, and MikroTik. It is unclear whether this information has also been provided to Cisco, if the binaries are available to be provided at all, or if Cisco refuses to work with WikiLeaks. According to Eduard Kovacs, there could be legal repercussions for using any of the information obtained by WikiLeaks, as “classified files remain classified even if they are made public.” Looking at the segments of the publicly available leaks, they are more developer notes rather than program overviews – or even the programs themselves. Nevertheless, the CIA refuses to comment on the authenticity of the leaks, but given the exploits discovered, it seems obvious there is merit (Kovacs).

The CIA criticized the leaks as “such disclosures… equip our adversaries with tools and information to do us harm.” According to Wired writer Andy Greenberg, the real problem isn’t “someone in Langley is watching you through your hotel room’s TV. It’s the rest of the hacker world that the CIA has inadvertently empowered.” The vast amount of the zero-day stash revealed by the Vault 7 leaks suggests that it is not only the CIA that has access to these digital vulnerabilities, but theoretically foreign intelligence agencies and hacking syndicates may also have access. According to Kevin Bankston, director of the New America Foundation’s Open Technology Institute, “If the CIA can use it, so can the Russians, or the Chinese or organized crime. The lesson here, first off, is that stockpiling a bunch of vulnerabilities is bad for cybersecurity. And two, it means they’re likely going to get leaked by someone” (Greenberg). As the NSA cybertools were hacked by the Shadow Brokers group, according to WikiLeaks, the Vault 7 archive was circulated among US government contractors and paid, freelance hackers in an unauthorized manner, which raises the possibility of these leaks being in the hands of nefarious hackers long before WikiLeaks’ publishing. The hoarding of these exploits also appears to contradict Obama administration policy. Again per Greenberg,

…the CIA appears to have kept the security flaws those techniques exploited secret. And the sheer number of those exploits suggests violations of the Vulnerabilities Equities Process, which the Obama administration created in 2010 to compel law enforcement and intelligence agencies to help fix those flaws, rather than exploit them whenever possible.

“Did CIA submit these exploits to the Vulnerabilities Equities Process?” asks Jason Healey, a director at the Atlantic Council.

If not, you can say that either the process is out of control or they’re subverting the president’s priorities… The deal we make in a democracy is that we understand we need military and intelligence services. But we want oversight in the executive branch and across the three branches of government. If the CIA says ‘we’re supposed to do this, but we’re just not going to,’ or ‘we’re going to do it just enough that the White House thinks we are,’ that starts to eat away at the fundamental oversight for which we have elected officials. (Greenberg)

There are thus large ethical dilemmas also raised by the compromise of digital security by US intelligence agencies. The implication that the CIA may have overstepped its legal boundaries through violation of the Vulnerabilities Equities Process implies that the agency operates as though it is beyond oversight, dangerously compromising the separation of powers inherent in the United States federal system of government.

Letting these secrets fall into the wrong hands, or even simply keeping them from vendors, compromises security not only for “targets” of the CIA but for the worldwide digital infrastructure, affecting not only Americans. While these ethical and legal concerns are largely beyond the scope of this paper, they nevertheless deserve mentioning. It should not be considered disarmament for reasons that security expert Bruce Schneier raises,

The implications of US policy can be felt on a variety of levels. [Such] actions have resulted in a widespread mistrust of the security of US Internet products and services, greatly affecting American business. If we show that we're putting security ahead of surveillance, we can begin to restore that trust. And by making the decision process much more public than it is today, we can demonstrate both our trustworthiness and the value of open government. An unpatched vulnerability puts everyone at risk, but not to the same degree. The US and other Western countries are highly vulnerable, because of our critical electronic infrastructure, intellectual property, and personal wealth. Countries like China and Russia are less vulnerable -- North Korea much less -- so they have considerably less incentive to see vulnerabilities fixed.

The CIA’s security practice, ethics aside, also shows a degree of irresponsibility in waging cyberwarfare. The act of buying exploits from so-called “blackhat” hackers on the dark web, hoarding those exploits, and then entrusting their portfolio to agency employees and contractors – one of whom is the source of the Vault 7 leaks – is, according to some analysts, in many ways the digital equivalent of sloppy nuclear arms dealing that one would expect from a failed state. Not all security analysts agree with this assessment, however. Rob Graham of Errata Security notes that the agency buys zero-day exploits in order to utilize them. Critics of the policy are thus asking the government to spend millions on vulnerabilities in order to disclose them (Leyden, CIA Hacking Dossier).

            The inability for the agencies to keep this cache of malware and exploits secure is also particularly worrying in the wake of demand for government-legislated backdoors into devices. If these huge caches are so easily leaked, then certainly a “factory default” account or methodology for root access can also be leaked. FBI Director James Comey called for companies to intentionally build security flaws into their devices – a technical backdoor – in the wake of the San Bernardino shooting case (Hall). The FBI had also attempted to force Apple to provide access into the devices of the shooters, before dropping their request and settling on paying a hacker to do so (Nakashima).

            More and more, there is a conflict between the interests of security and privacy and the intelligence aims of state actors. Companies like Cisco, who operate in the global market, have their reputations and products at risk when state actors are allowed to uncover or purchase and utilize vulnerabilities free of legal repercussion. This particularly becomes problematic when those caches are released into the public. Nevertheless, digital vendors also have a responsibility to continuously test and patch their own software. The use of Telnet, for instance, in any way shape or form – a protocol that has been warned against for over twenty years – is irresponsible. Why Cisco continues to permit the utilization of the protocol in modern switches and routers is probably due to compatibility issues between cluster manager services. Nevertheless, such weak points in the technological foundations of the Internet are an Achilles’ heel. Worse still, intelligence agencies operating outside the bounds of their own regulation and the will of the people are a weakness in the integrity of the state apparatus.


References

Assange, J. (2017, March 7). Vault 7: CIA Hacking Tools Revealed. Retrieved April 01, 2017, from https://wikileaks.org/ciav7p1/
Brandom, R. (2016, August 19). After Shadow Brokers, should the NSA still be hoarding vulnerabilities? Retrieved April 01, 2017, from http://www.theverge.com/2016/8/19/12548462/shadow-brokers-nsa-vulnerability-disclosure-zero-day
Chirgwin, R. (2017, March 19). Cisco reports bug disclosed in WikiLeaks' Vault 7 CIA dump. Retrieved April 01, 2017, from https://www.theregister.co.uk/2017/03/19/cisco_goes_public_with_its_first_vault7_response/
Cimpanu, C. (2017, March 20). Cisco's Investigation into Vault 7 Leak Uncovers 0-Day Affecting 318 Products. Retrieved April 01, 2017, from https://www.bleepingcomputer.com/news/security/ciscos-investigation-into-vault-7-leak-uncovers-0-day-affecting-318-products/
Ellingwood, J. (2014, October 22). Understanding the SSH Encryption and Connection Process | DigitalOcean. Retrieved April 01, 2017, from https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process
Fisher, T. (2017, March 6). What is Telnet? (How to Use Telnet Client in Windows). Retrieved April 01, 2017, from https://www.lifewire.com/what-is-telnet-2626026
Geerling, J. (2014, April 15). A brief history of SSH and remote access. Retrieved April 01, 2017, from https://www.jeffgeerling.com/blog/brief-history-ssh-and-remote-access
Gil, P. (2017, March 19). What Exactly Is 'Telnet'? What Does Telnet Do? Retrieved April 01, 2017, from https://www.lifewire.com/what-does-telnet-do-2483642
Greenberg, A. (2017, March 08). How the CIA's Hacking Hoard Makes Everyone Less Secure. Retrieved April 01, 2017, from https://www.wired.com/2017/03/cias-hacking-hoard-makes-everyone-less-secure/
Gregory, K. (2016, October 14). Telnet Server Removed From Windows Server 2016. Retrieved April 01, 2017, from http://www.innovativeii.com/telnet-server-removed-windows-server-2016/
Hall, J. (2016, March 03). Issue Brief: A “Backdoor” to Encryption for Government Surveillance. Retrieved April 01, 2017, from https://cdt.org/insight/issue-brief-a-backdoor-to-encryption-for-government-surveillance/
Haranas, M. (2016, June 27). IDC: Cisco's Networking Market Share Dominance Slipping As It Battles HPE, Huawei. Retrieved April 01, 2017, from http://www.crn.com/slide-shows/networking/300081109/idc-ciscos-networking-market-share-dominance-slipping-as-it-battles-hpe-huawei.htm/pgno/0/1?itc=refresh
Kennedy, P. (2017, March 20). Cisco 0-day Unpatched Switch Telnet Vulnerability CVE-2017-3881. Retrieved April 01, 2017, from https://www.servethehome.com/cisco-0-day-unpatched-switch-telnet-vulnerability-cve-2017-3881/
Kortepeter, D. (2016, August 31). NSA hack: Cisco releases patches for exposed vulnerabilities. Retrieved April 01, 2017, from http://techgenix.com/nsa-hack-cisco-releases-patches/
Kovacs, E. (2017, March 20). Cisco Finds Zero-Day Vulnerability in 'Vault 7' Leak. Retrieved April 01, 2017, from http://www.securityweek.com/cisco-finds-zero-day-vulnerability-vault-7-leak
Lavender, C. (n.d.). Using Telnet and the WWW to Search Library Catalogs Online. Retrieved April 01, 2017, from https://csivc.csi.cuny.edu/history/files/lavender/library.html
Leyden, J. (2016, October 31). A successor to Mirai? Newly discovered malware aims to create fresh IoT botnet. Retrieved April 01, 2017, from https://www.theregister.co.uk/2016/10/31/iot_botnet_wannabe/
Leyden, J. (2017, March 8). CIA hacking dossier leak reignites debate over vulnerability disclosure. Retrieved April 01, 2017, from https://www.theregister.co.uk/2017/03/08/cia_hacking_tool_dump_vuln_disclosure_debate/
Mapping Mirai: A Botnet Case Study. (2016, October 05). Retrieved April 01, 2017, from https://www.malwaretech.com/2016/10/mapping-mirai-a-botnet-case-study.html
McElroy, R. (2017, March 22). Own the Routers. Own the Internet. Retrieved April 01, 2017, from https://www.carbonblack.com/2017/03/22/own-the-routers-own-the-internet/
Neagu, C. (2015, October 06). Simple Questions: What Is Telnet & What Can It Still Be Used For? Retrieved April 01, 2017, from http://www.digitalcitizen.life/simple-questions-what-telnet-what-can-it-still-be-used
Ongoing Network Monitoring Attacks. (1994, February 3). Retrieved April 01, 2017, from http://www.cert.org/historical/advisories/CA-1994-01.cfm
Popeskic, V. (2015, September 14). Telnet Attacks – Ways to compromise remote connection. Retrieved April 01, 2017, from https://howdoesinternetwork.com/2011/telnet-attacks
Public access catalogue? r/telnet. (n.d.). Retrieved April 01, 2017, from https://www.reddit.com/r/telnet/comments/3n8ve4/public_access_catalogue/
Santos, O. (2016, August 17). The Shadow Brokers EPICBANANA and EXTRABACON Exploits. Retrieved April 01, 2017, from http://blogs.cisco.com/security/shadow-brokers
Santos, O. (2017, March 7). The Wikileaks Vault 7 Leak – What We Know So Far. Retrieved April 01, 2017, from http://blogs.cisco.com/security/the-wikileaks-vault-7-leak-what-we-know-so-far
Schneier, B. (2014, May 22). Disclosing vs Hoarding Vulnerabilities. Retrieved April 01, 2017, from https://www.schneier.com/blog/archives/2014/05/disclosing_vs_h.html
TELNET: The Mother of All (Application) Protocols. (n.d.). Retrieved April 01, 2017, from http://www.ics.uci.edu/~rohit/IEEE-L7-v2.html
Ulanoff, L. (2017, March 08). This is why you should be terrified of the Wikileaks Vault 7 data dump. Retrieved April 01, 2017, from http://mashable.com/2017/03/08/what-wikileaks-vault7-reminds-us-about-iot/#EqlrKjWmu8qB
Whittaker, Z. (2016, August 18). Cisco, Fortinet patch flaws used by alleged NSA hacking group. Retrieved April 01, 2017, from http://www.zdnet.com/article/cisco-fortinet-patch-flaws-exposed-by-alleged-nsa-hacking-group/
Why do most MUDs use Telnet instead of SSH? r/MUD. (n.d.). Retrieved April 01, 2017, from https://www.reddit.com/r/MUD/comments/2qfu6q/why_do_most_muds_use_telnet_instead_of_ssh/
Zirkle, L. (n.d.). IDFAQ: Do telnet and rlogin increase the risk of compromise? Retrieved April 01, 2017, from https://www.sans.org/security-resources/idfaq/do-telnet-and-rlogin-increase-the-risk-of-compromise/7/2



Wednesday, April 29, 2015

ANDREI: ACADEMIA - BLEEDING GAGAUZIA: FOREIGN MEDDLING IN AN ETHNIC DIVIDE


Bleeding Gagauzia: Foreign Meddling in an Ethnic Divide
            In the increasingly European Union leaning country Moldova, the autonomous region of Gagauzia leans towards the opposite direction – its allegiance towards the East, looking at the Russian Customs Union as essential to its survival whereas Moldova seems more and more poised towards integration with the EU.[1] This was not the initial cause of Gagauzia’s asymmetrical autonomy; in the immediate fall of the Soviet Union, the regions of both Transnistria and Gagauzia – the latter, almost paradoxical given its rising nationalism – were opposed to leaving the Union. Unlike Transnistria, however, the Gagauz are not ethnically Slavic.[2] There are continued fears of becoming a powerless minority or of becoming assimilated and losing their cultural heritage in an independent Moldova, especially with the potential of Moldova and Romania unifying into a single nation state.
The Gagauz make up only 4% of Moldova’s total population, yet 80% of Gagauzia, numbering around 160,000. A Turkic – and, interestingly, commonly Christian – people, the Gagauz are significantly distinct within Moldova.[3] Even with autonomy, however, the Gagauz have had to endure costs brought on by Moldova’s association agreement with the European Union; Russian sanctions against the Moldovan economy directly harmed wine producers in Gagauzia despite exceptions aimed particularly at Gagauzia, and further closeness could crumble the already fragile economy.[4] Despite their Turkic ethnicity and language, most Gagauz speak Russian, and there are a plethora of Russian language schools. [5]
Once considered an example of a successful resolution of post-Soviet ethnic conflict, after having achieved autonomy in 1994 unlike its Transnistrian neighbor which remains a de facto independent state, Gagauzia’s importance as a geopolitical pressure point is once again apparent. Despite a guarantee of Gagauzia’s right to self-determination should Moldova’s status as an independent nation change – referring then to the potential for unification with Romania – in the same 1994 law that granted it autonomy, there now seems to be significant rhetoric among the elites for secession if it means retaining close ties, or even closer ties, to Russia.[6] There is no readily apparent desire for equitable inclusion, and autonomy itself seems to no longer sate the Gagauz palate – perhaps aggravated by further Russian meddling in the wake of Euromaidan in Ukraine – despite the central Moldovan government funding at least half of Gagauzia’s budget.
 The question is whether this is a result of a primordialist difference between Gagauz and Moldovan, or instead an instrumentalist interest by both Gagauz and Russians in more tangible factors, with ethnic differences playing only a superficial role. I take a constructivist approach. I argue that Gagauz nationalism does not fit the traditional triadic nexus. While there is a genuine nationalizing nation of Gagauz, and a significant difference between the Gagauz and the Moldovans – a difference which could be sorely exacerbated in a Moldovan-Romanian unification – the real source of the ethnic conflict stems from external influence by Russia, which has an ulterior geopolitical interest in utilizing Gagauzia’s position of autonomy to sway Moldovan politics towards federalism or limited EU ties – if not Gagauz secession entirely – rather than a purely ethnic mobilization from within Gagauzia. I further add that Turkey’s role as an external homeland for the Gagauz is limited and, to date, not politically relevant outside of language politics.
Methodology
Primordialist and instrumentalist factors will be evaluated and considered in this paper as a way of reviewing the legitimacy behind the Gagauz claim to autonomy, but also of understanding the seemingly paradoxical allegiance to Russia, which is ethnically dissimilar. The economy and language politics play the largest roles in the ethnic conflict, with external influence from both Turkey and Russia perpetuating separation between the Moldovans and Gagauz.
Instrumentalist Factors:
Economy
            The dominant Gagauz narrative against the Moldovan-EU Association Agreement is the potential harm to the Gagauz economy. A 2014 non-binding resolution, deemed illegal by the Moldovan authorities but supported by Russia, showed that 98% of Gagauz voters preferred closer links with Russia’s Eurasian Customs Union, rather than the European Union.[7]
Wine accounts for 60% of Gagauzia’s industrial production, and 45% of Gagauz wine exports were sent to Russia in 2013, while Moldovan wine was banned from export to Russia as a result of sanctions imposed on Moldova as a warning for the Association Agreement with the EU. However, many Gagauz wineries were exempt, able to continue trade with Russia.[8] Additionally, many Gagauz fear that their products would not be competitive in the EU market if Moldova – and Gagauzia – were to integrate with the EU, and that their access to the Russian labor market could be blocked.[9]
            Moldova is the poorest country in Europe, and Gagauzia is one of its poorest regions.[10] These high levels of poverty work in Russia’s favor, as has been seen in other regions pining for Russian dominance. Around 25,000 Gagauz work in Russia as migrant workers, a significant economic bargaining chip for Russia.[11]
Foreign Interest
Gagauzia is an important point of geopolitical pressure for Russia, given its ties to Russia and position in the Black Sea region. If Gagauzia were to abandon autonomy and become another “frozen conflict” rather than a recognized independent state, as has been the case with Transnistria, it would severely complicate Moldovan goals of joining the European Union. The recent referendum shows that Russia maintains a significant degree of influence in the region.
Russia has acted as an antagonizing external force in Gagauzia. The latest leader of Gagauzia is a Moscow-financed, pro-Russian governor named Irina Vlah, who ran a decidedly pro-Russian campaign, including a poster showing her under the colors of Russia’s flag with the mottos “Russia is with us” and “Being alongside Russia is within our strength.”[12] These mottos were in Russian.[13] Russian television channels – seen in Gagauzia – gave biased pro-Vlah coverage. As the new bashkan of Gagauzia, she stated that Russia is “the guarantor of Moldova's statehood and of the autonomy of Gagauzia.”[14]
Furthermore, Vlah, unlike her predecessor Mikhail Formuzal, seems focused on Russia alone, whereas Formuzal sought investments from Russia, Turkey, and Azerbaijan.[15] According to Jamestown Foundation analyst Dumitru Minzarari,
Moscow… could point to such regional referendums and demand that Chisinau listen to the popular will… armed with the ‘popular will’ argument, Russia could further explore it in its negotiations with the United States and the EU, claiming that the European integration agenda is being imposed on the Moldovan population by the West.[16]

Analyst Eric Jones adds,

Gagauzia is an important, if not very well known, point of pressure in the ongoing tug-of-war between the West and Russia. Influence campaigns and unforeseen events have the potential for great impact upon the future of security and stability in post-Soviet Eastern Europe. Gagauzia’s geographic location, its ethnic makeup, and its cultural, political, and economic ties to Russia make this unknown region a potential spark in the tinderbox of Eastern Europe.[17]
           
Primordialist Factors:
Language
            Despite the existence and post-Soviet, perhaps Turkish-assisted resurgence of Gagauz as a language, Russian remains the dominant language in Gagauzia. Romanian, however, is the official language of Moldova, and a lack of knowledge in the language severely complicates employment prospects for Gagauz. Simultaneously, the continued use of Russian has allowed Gagauz to work as migrants in Russia.
Romanian is utilized primarily by Gagauz who choose to work in cities such as the Moldovan capital of Chisinau, as Romanian is the state language. But Gagauz is similar to Turkish, and Russian is widely spoken – if not more so than even Gagauz – and these two languages allow the Gagauz to work in either Turkey or Russia without having to learn a third language. Additionally, most of the political elite in Gagauzia are Russian speakers. With Romanian utilized as the state language, and therefore used in examinations and state jobs, its lack of popularity amongst the Gagauz keeps them alienated from central Moldovan society. As Esman writes,
Rules established and enforced by the state determine the goals that ethnic communities may legitimately pursue and the strategies and tactics they may employ. State policies regulate access to and enjoyment of such material values as education, government, and private employment… They govern the use and status of languages in schools and universities, in public administration, and in official communication.[18]

Additionally, the lack of popularity of the Romanian language in Gagauzia is a structural issue in Russophone media dependence. Russian mass media bias penetrates the Gagauz media landscape, rebroadcast in Moldova, as Russian is spoken by 73% of the Gagauz population as a secondary language.[19] Despite Gagauz being taught as a language in the region, there is no school that teaches its entire curriculum in Gagauz, and the language of Comrat University is Russian. This may have political ramifications, such as the wide support for the Eurasian Customs Union and distrust of the European Union, according to some analysts.
However, it is ethnic pride that may play a significant role in resistance to the Romanian language. Beyond the tangible factors of alternative areas of employment and the difficulty in learning a third language, to learn Romanian would also be to overcome the psychological factor of a different assortment of literature and social culture.
Nevertheless, there is the feeling among some Gagauz that Russian plays too important a role in Gagauz society. According to Todur Zanet, editor of Ana Sozu, the Gagauz elite have failed to support the national language.
Our language isn’t needed… the leaders of Gagauzia do everything they can in order that the Gagauz language will disappear. Look around, everything is in Russian: all the websites, all the scandals, all the meetings… in the education law, there are no plans for the opening of Gagauz schools and kindergartens.[20]

Ethnicity
Unlike the Transnistrians, who are in large part of Ukrainian and Russian ethnic background, the Gagauz are, as aforementioned, of Turkic descent, having settled into the region around 1000 CE. The ethnogenesis of the Gagauz remains uncertain, and their Orthodox Christianity has not been a significant cleavage. There are at least twenty different theories of their origin, but the Seljuk and Steppe hypotheses remain the most common.[21] The study of their origin is ultimately beyond the scope of this paper.
Turkey has provided some measure of support since 1991 to the region, arguably a utilization of soft power. One aspect of Turkish influence was a change in language politics. Despite a commonly pro-Russian stance in Gagauzia, there was a decision to change the Gagauz alphabet from Cyrillic to the Latin script, an alphabet shared with modern Turkish.[22] Nevertheless, as aforementioned, the Russian language remains dominant. Turkey has long acted in the role of an intermediary between Russia and Moldova. According to Marcin Kosienkowski and William Schreiber, then-Turkish President Suleyman Demirel “played a decisive role” in the initial Gagauz acceptance of regional autonomy, as well as making pledges of economic and structural investments.[23] “Demirel... repeatedly stressed that the Turkish role in Moldova and Gagauzia was by no means confrontational to Russia.”[24] Turkey’s temperance as a third party interest may have prevented a more extreme outcome in Gagauzia, as was seen in Transnistria. However, it can be argued that Turkey’s continued role in language politics and ethnic politics may exacerbate the divide between Moldovans and Gagauz. In 2000, a representative office of Gagauzia was opened in Turkey, and Gagauz residents no longer required visas to enter Turkey. Comrat University has partnerships with five Turkish universities, and Turkey finances the scholarships of around 60 students a year to study there.[25]
Unlike the European Union, Turkey has not undertaken policies and actions directly opposed to Russian influence, however, and so the two interests have yet to directly conflict. Nevertheless, to use Brubaker’s term, Turkey may be the “external homeland” in the actual ethnic sense for the Gagauz, but the Gagauz instead see Russia as their true protectorate.[26] Therefore, the Gagauz may be conflicted between two external homelands with which they share the language of both: one ethnic, one civic, given their nostalgia for the Soviet Union and attempts to remain as part of the Union before its breakup. According to Brubaker, “External national homelands are constructed through political action, not given by the facts of ethnic demography.”[27]
Cultural History
            According to Ivan Katchanovski, in his comparison of Gagauz and Crimean Tatar political culture towards Russia, the Gagauz distaste for the possibility of a Moldovan-Romanian unification is historically grounded. During the Romanian rule of Moldova from 1918 to 1940 and 1941 to 1944, the Gagauz were not only repressed, but also “one of the least educated and impoverished groups in Moldova... After Moldova came under Soviet Rule as a result of World War II, a significant number of Gagauz benefited from the Soviet policy of mass education and economic development in the region.” [28]
Although Gagauzia did not exist with any separate privileges from the Moldovan SSR, rather than assimilating the Gagauz into the Moldovan populace, Soviet policy – as Brubaker writes – pervasively institutionalized nationalism, as the Soviet Union encouraged the Gagauz to retain their culture or russify rather than merge with the Moldovans after the Soviet annexation of Bessarabia in 1940.[29] The Gagauz had legal privileges under both the Russian Empire and the Soviet Union, in contrast to facing assimilation with the Romanians. This history works in favor of the current Russian regime, where Moldova’s desire for closer EU-integration is seen as a potential foray into Romanian unification and assimilation.
The Turkish State’s interest in Gagauzia is seemingly a mostly modern phenomenon in the wake of the fall of the Soviet Union. Like Crimea, Gagauzia is part of a region that was a spoil of war taken from the Ottoman Empire in the 1812 Treaty of Bucharest that resolved the Russo-Turkish War.[30] Some analysts believe that Turkey’s soft power plays are slowly usurping Russia in influence. Whereas its outreach is not yet anti-Russian, in contrast to outreach to the Crimean Tatars, there is a growing Turkish idea of a “united Turan, from Chukotka to the Balkans” that looks beyond the religious cleavage between Islam and Christianity.[31]
Conclusion
The heavy influence of Russia as an external force on the Gagauz cannot be overstated, especially in the wake of increasing closeness between Moldova, Ukraine, and the European Union, particularly following the Russian seizure of Crimea. Russia has repeatedly utilized its diaspora in furthering frozen conflicts, but in Gagauzia the pro-Russian populace is not a diaspora; rather, it is ethnically dissimilar. As aforementioned, even in Gagauzia it is felt by some that Russia has co-opted Gagauz autonomy for its own geopolitical interest, given a lack of importance of the Gagauz language and therefore diminishment of the culture – much of the original reason for the initial autonomy.
Economics does indeed play a large role – if not the dominant role – in the Gagauz desire to remain autonomous and perhaps even secede from Moldova if it means retaining ties to Russia. There is little question that the transition to the European Union would be a painful one, and given the importance of working abroad in Russia for the Gagauz economy, the Russians hold a significant “stick” coupled with the carrots of exceptions to their sanctions on Moldovan goods. However, whether economics is the sole reason for this allegiance or the continued attachment to the Russian language, rather than pining for the Soviet past or a renewed quasi-imperial Russian protectorate, requires much more detailed research.
           


Bibliography
All Web Sources Last Accessed 29 April 2015.

Brubaker, Rogers. Nationalism Reframed. Cambridge University Press: New York, 1996.
Calus, Kamil. “Gagauzia: Growing Separatism in Moldova?” Osrodek Studiow Wschodnich. 10 Mar. 2014. <http://www.osw.waw.pl/en/publikacje/osw-commentary/2014-03-10/gagauzia-growing-separatism-moldova>.
Coffey, Luke. “Is Gagauzia Next on Russia’s List?” Al-Jazeera. 21 Mar. 2015. <http://www.aljazeera.com/indepth/opinion/2015/03/gagauzia-russia-list-150318052557225.html>.
Esman, Milton. Ethnic Politics. Cornell University Press: New York, 1994.
Goble, Paul. “Growing Turkish Influence Among Gagauz Threatens Russian Interests.” Moldova.Org. 23 Dec. 2010. <http://www.moldova.org/growing-turkish-influence-among-gagauz-threatens-russian-interests-215182-eng/>.
Goble, Paul. “Moldova: Gagauz Leaders ‘More Russian than Gagauz.’” EuroMaidan Press. 20 Sep. 2014. <http://euromaidanpress.com/2014/09/20/moldova-gagauz-leaders-more-russian-than-gagauz/>.
Irina Vlah’s Political Platform. <http://vlah.md/index.php?do=static&page=predvybornaya-platforma>.
Jones, Eric. “Gagauzia: Strategic Point of Pressure.” Foreign-Intrigue. 31 Mar. 2015. <http://foreign-intrigue.com/2015/03/gagauzia-strategic-point-of-pressure/>.
Karlsson, Ingmar. “The Gagauz, a Christian Turkic People.” Hurriyet. 17 Mar. 2006. <http://www.hurriyetdailynews.com/the-gagauz-a-christian-turkic-people.aspx?pageID=438&n=the-gagauz-a-christian-turkic-people-2006-03-17>.
Katchanovski, Ivan. “Small Nations but Great Differences: Political Orientations and Cultures of the Crimean Tatars and the Gagauz.” Europe-Asia Studies (6 Sep. 2005): 57.6. pp. 890. <http://www.researchgate.net/profile/Ivan_Katchanovski/publication/248965160_Small_Nations_but_Great_Differences_Political_Orientations_and_Cultures_of_the_Crimean_Tatars_and_the_Gagauz/links/0c9605225ea57964b4000000.pdf>.
Kohen, Sami. “Could Moldova’s Gagauzia Repeat Crimea Scenario?” Al-Monitor. 5 June 2014. <http://www.al-monitor.com/pulse/politics/2014/06/moldova-gagauz-secede-crimea-scenario-economy.html>.
Kosienkowski, Marcin and William Schreiber. Moldova: Arena of International Influences. <http://books.google.com/books?id=Uuw1kNq11YkC&printsec=frontcover#v=onepage&q&f=false>.
Minzarari, Dumitru. “The Gagauz Referendum in Moldova: A Russian Political Weapon?” The Jamestown Foundation. 5 Feb. 2014. <http://www.jamestown.org/programs/edm/single/?tx_ttnews%5Btt_news%5D=41922#.VUCGdvlViko>.
Moldovan Politics. “Gagauz Elections: Is Russia Interfering in Moldova’s Internal Affairs?” 21 Mar. 2015. <http://moldovanpolitics.com/2015/03/21/gagauz-elections-is-russia-interfering-in-moldovas-internal-affairs/>.
Nationalia. “Pro-Russian Candidate Wins Gagauz Election, Demands Increased Autonomy from Moldova.” 24 Mar. 2015. <http://www.nationalia.info/en/news/2109>.
Noonan, Joshua. “Gagauzia under Russian Pressure.” Silk Road Reporters. 5 Apr. 2015. <http://www.silkroadreporters.com/2015/04/05/gagauzia-under-russian-pressure/>.
Rinna, Tony. “Moldova, the EU, and the Gagauzia Issue.” New Eastern Europe. 14 Feb. 2014. <http://neweasterneurope.eu/interviews/1097-moldova-the-eu-and-the-gagauzia-issue>.
Socor, Vladimir. “Russia Orchestrates Gagauz Election in Moldova, Ponders the Next Steps.” The Jamestown Foundation. 31 Mar. 2015. <http://www.jamestown.org/programs/edm/single/?tx_ttnews%5Btt_news%5D=43724&cHash=b9e211386ad234cc650d69902cae47d5#.VUCG1flViko>.




[1] Tony Rinna. “Moldova, the EU, and the Gagauzia Issue.” New Eastern Europe. 14 Feb. 2014.
[2] Ibid.
[3] Joshua Noonan. “Gagauzia Under Russian Pressure.” Silk Road Reporters. 5 Apr. 2015.
[4] Sami Kohen. “Could Moldova’s Gagauzia Repeat Crimea Scenario?” Al-Monitor. 5 June 2014.
[5] Kamil Calus. “Gagauzia: Growing Separatism in Moldova?” Osrodek Studiow Wschodnich. 10 Mar. 2014.
[6] Ibid.
[7] Nationalia. “Pro-Russian Candidate Wins Gagauz Election, Demands Increased Autonomy from Moldova.” 24 Mar. 2015.
[8] Eric Jones. “Gagauzia: Strategic Point of Pressure.” Foreign-Intrigue. 31 Mar. 2015.
[9] Ibid.
[10] Tony Rinna. “Moldova, the EU, and the Gagauzia Issue.” New Eastern Europe. 14 Feb. 2014.
[11] Ibid.
[12] Ibid.
[13] Irina Vlah’s Political Platform. <http://vlah.md/index.php?do=static&page=predvybornaya-platforma>.
[14] Nationalia. “Pro-Russian Candidate Wins Gagauz Election, Demands Increased Autonomy from Moldova.” 24 Mar. 2015.
[15] Vladimir Socor. “Russia Orchestrates Gagauz Election in Moldova, Ponders the Next Steps.” The Jamestown Foundation. 31 Mar. 2015.
[16] Dumitru Minzarari. “The Gagauz Referendum in Moldova: A Russian Political Weapon?” The Jamestown Foundation. 5 Feb. 2014.
[17] Eric Jones. “Gagauzia: Strategic Point of Pressure.” Foreign-Intrigue. 31 Mar. 2015.
[18] Milton Esman. Ethnic Politics. Cornell University Press: New York, 1994. pp. 19.
[19] Moldovan Politics. “Gagauz Elections: Is Russia Interfering in Moldova’s Internal Affairs?” 21 Mar. 2015.
[20] Paul Goble. “Moldova: Gagauz Leaders ‘More Russian than Gagauz.’” EuroMaidan Press. 20 Sep. 2014.
[21] Ingmar Karlsson. “The Gagauz, a Christian Turkic People.” Hurriyet. 17 Mar. 2006.
[22] Paul Goble. “Growing Turkish Influence Among Gagauz Threatens Russian Interests.” Moldova.Org. 23 Dec. 2010.
[23] Marcin Kosienkowski and William Schreiber. Moldova: Arena of International Influences. pp. 208.
[24] Ibid.
[25] Paul Goble. “Growing Turkish Influence Among Gagauz Threatens Russian Interests.” Moldova.Org. 23 Dec. 2010.

[26] Rogers Brubaker. Nationalism Reframed. Cambridge University Press: New York, 1996. pp. 5.
[27] Rogers Brubaker. Nationalism Reframed. Cambridge University Press: New York, 1996. pp. 58.
[28] Ivan Katchanovski. “Small Nations but Great Differences: Political Orientations and Cultures of the Crimean Tatars and the Gagauz.” Europe-Asia Studies (6 Sep. 2005): 57.6. pp. 890.
[29] Rogers Brubaker. Nationalism Reframed. Cambridge University Press: New York, 1996. pp. 26.
[30] Luke Coffey. “Is Gagauzia Next on Russia’s List?” Al-Jazeera. 21 Mar. 2015.
[31] Paul Goble. “Growing Turkish Influence Among Gagauz Threatens Russian Interests.” Moldova.Org. 23 Dec. 2010.