Recent Russian actions in cyberspace, such as new restrictions on the use of VPNs, may make it more difficult for companies to conduct routine business activities there.
A new law that bans virtual private networks (VPNs) in Russia is the latest in a series of steps by the country’s government that critics say crack down on internet freedom and increase cybersecurity risks.
According to Amnesty International, the law bans VPNs and anonymizers. It was criticized by, among others, Edward Snowden, who tweeted, “Banning the ‘unauthorized’ use of basic internet security tools makes Russia both less safe and less free. This is a tragedy of policy.”
Denis Krivosheev, deputy director for Europe and Central Asia at Amnesty International, said in a statement, “This is the latest blow in an assault on online freedom which has seen critical sites blocked and social media users prosecuted solely for what they post online, under vaguely written anti-extremism legislation. The ban on VPNs takes this shameful campaign a whole step further.”
Commenting on the business impact, John Pironti, president of IP Architects, warned, “In these cases, organizations may have to consider alternative options for the affected employees, such as the use of browser-based connections versus the use of VPN agents. Employees working in these countries should also be reminded that countries they are working in have the legal right to monitor their internet connectivity and restrict their access to sites and IP addresses. This means that users should be trained how to avoid transmitting sensitive messages and materials that they wish to remain confidential or private while operating within these countries.”
There are other recent cyber concerns related to Russia that may affect multinational U.S. businesses. U.S. Rep. Lamar Smith, R-Texas, for instance, wrote a letter to several federal agencies requesting documents and information regarding Kaspersky Lab, the Moscow-based cybersecurity firm.
“Although Kaspersky Lab was once considered a reputable cybersecurity firm, several concerns have been raised regarding the company and Eugene Kaspersky—the founder and CEO of Kaspersky Lab—and his potential ties to the Russian government,” Smith said in a statement. The statement went on to say that the concern is that Kaspersky Lab could be “susceptible to manipulation by the Russian government, and that its products could be used as a tool for espionage, sabotage, or other nefarious activities against the United States.”
Claire Finkelstein, a professor at University of Pennsylvania Law School, told Legaltech News, “Based on recent reporting about higher-ups in Kaspersky Lab, we have every reason to think that the company is not only [open] to ‘manipulation’ on the part of the Russian government, but that they are likely to be cooperating with Russian government cyberattacks and cyberinterference.”
She further noted that Russian businesses “do not succeed to the degree this company has without the approval of the Kremlin, and the nature of this business in particular suggests that it would be both highly useful to Vladimir Putin’s extensive intelligence operation, and that it would not be permitted to operate if it failed to cooperate in Putin’s agenda.”
Another Russia-related cyber event is a lawsuit Microsoft filed in Virginia against unnamed hackers believed to be affiliated with a Russia-based hacking group that Microsoft tracks as Strontium. Cybersecurity attorney Ethan Burger said the case can be seen as a way to determine “where the line is” between the Russian state and criminals, meaning, “which criminal organizations will work for the government.”
It also raises the question of “at what point the Russian government starts thinking greater cooperation at combating cybercriminals is actually in their interest. At some point, that will happen,” Burger added.
Moreover, Scott Shackelford, cybersecurity program chair at Indiana University, said the case in part “illustrates the difficulty of shutting down botnets (given how easy it is to set up new command and control servers), along with the trouble of protecting trademarks online. At a higher level, it helps highlight the difficulty of exercising jurisdiction in an interconnected world.”
Overall, U.S. companies need to realize that everything they do in the cybersecurity area “is not going to be 100 percent effective,” Burger said. “Everything could be compromised. Everything could be hacked.”
He advised keeping some of the company’s data offline, and said that doing business in Russia is “almost impossible” without being compromised.
Attorney Christina Ayiotis said that if companies are going to do business internationally, they need to know how data flows work, and be able to explain how they will comply with data governance laws or other requirements in Russia.
“Lawyers need to be on top of these geopolitical risks,” she said, adding that awareness should be part of an overall compliance program.
The ban by Russia came just as Apple pulled VPN apps from the China App Store to comply with current Chinese laws.
“These moves by Russia and China prove that VPNs can work in keeping prying eyes away from sensitive corporate data,” Bob Gourley, a partner at Cognitio Corp., told LTN about the recent events.
“Businesses that operate in Russia or China should also realize that both countries have spent decades building up their internet surveillance architectures, and they use the internet not just for commerce but for tracking their own citizens. They also use the internet to collect information of use to their own economic ends and that can include information stolen from businesses that communicate in or through their countries,” Gourley added. “The fact that VPNs are now not allowed means all businesses must communicate in the clear, making it much easier for information communicated to be stored and analyzed.”
He identified five ways to mitigate the risks:
• Businesses that send employees to these countries need to ensure they are aware of the threats to their communications.
• No sensitive business information should be on the devices they take with them.
• Only limited access to corporate resources should be granted during the trip.
• Any access should require two-factor authentication and should be monitored by corporate IT to detect unexpected or malicious activity.
• Business travelers should know that violation of the no-VPN rules can be detected and result in penalties.