Russia's new internet law presents a cybersecurity minefield for global enterprises

May 3, 2019
Nation demands VPN providers to use state content-filtering system or face ban

Running a global organization always carries with it the burden of navigating a plethora of geo-political forces that could present certain risks to the business at any given time. Sometimes that manifests itself in trying to keep executives as well as rank and file employees away from locations that are experiencing high levels of violence or a natural disaster. However, one of the more common challenges experience by organizations today is preventing data – both their own and that of their customers – from falling into the hands of cybercriminals.

A new measure signed into law this week by Russian President Vladimir Putin that would enable the country to create its own internet network, independent from the rest of the world and regulated by national telecom agency Roskomnadzor (RKN), should give corporate executives around the pause about the cybersecurity implications of doing business in the country moving forward. As part of the maneuver, Russia has also demanded 10 of the top providers of Virtual Private Networks (VPNs) to connect to a state content-filtering system or be banned from operating in the country.   

According to Francis Dinha, CEO of OpenVPN, one of the aforementioned VPN providers facing a ban by the Russian government, companies with remote workers in the country that need to access sensitive information from their homes offices in the U.S., Europe or elsewhere will have to rethink their security approach moving forward as authorities will have the ability surveil any data being transmitted through the new network.

“Think about the trade secrets, confidential information and intellectual property companies are exchanging back and forth. Russia will have the capability to spy pretty much on everything,” Dinha says. “Especially with current technology… they have all kinds of AI capabilities and they would know exactly how they can extract (certain data).”

The easiest way to think about what Russia is doing, according to Dinha, is to think of it as how a business builds a private network. In the same way an organization wants all network traffic to flow through their firewall and unified threat management system to ensure that employees are accessing the proper things while the company retains open access to everything, Dinha says Russia is essentially doing the same thing at a greater scale.

“There are definitely security implications and I think enterprises have to be wary about this,” he adds. “This is not good for Russia in the first place. I don’t know if this is a good move for their economy or maybe they don’t care.”

Dinha says the challenges for organizations will be very similar to those doing business in China who must navigate what is referred to as the “The Great Firewall,” which is essentially the censorship tools the government uses to regulate internet use in the country. But unlike China, which still uses the World Wide Web and even allows businesses to apply for a waiver to use VPNs in certain circumstances, Russia’s attempt create a network separate from the rest of the world is unprecedented.

“In China, what they’ve done is created this kind of transit point where there is an entry point with a lot of rules and sometimes they fail,” Dinha explains. “They are applying different deep packet inspection technologies and they’re doing all sorts of things to figure out what are these websites, where are their servers, etc. and so it is a kind of cat and mouse situation. They are trying with technology – looking at the content, blocking different protocols, monitoring all of these VPN providers out there and blocking their IP addresses – but on the other side, a lot of technology companies are finding ways to circumvent.”  

Dinha suspects Russia will initially take the approach the Chinese have in implementing a nationwide firewall as it will take years for the country to bring this new network online and that a similar cat and mouse game will play out there in the meantime. Aside from trying to continue to use a VPN, Dinha says he would advise those working in Russia to be cautious about accepting security certificates on websites.

“This is where there is some certificate injection that countries like these use. They say, ‘hey, you have to accept this certificate if you want to use this website,’” he explains. “What that means is they are going to be acting as a man in the middle. That means you are not supposed to honor the certificate directly from the website you are accessing in terms of encryption but rather we (the government) are going to encrypt and then intercept everything and decrypt. When you see that on your browser, be very careful with it.”

For its part, Dinha says that OpenVPN will not be complying with Russia’s demands to run through the state’s filter.

“We’ve told them to take a hike. We’re not going to comply with Russia,” he says. “We don’t have any servers in Russia. We’re not serving the government of Russia or China, we’re serving our clients. We’re in the security business and we need to provide secure and private internet access for our customers. We do have clients there and they want to use our service, but we’re not going to be deploying points of presence or servers in Russia.” 

About the Author: 

Joel Griffin is the Editor of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].