How Russia’s invasion of Ukraine threatens the IT industry
Editorial Note: In response to Russia’s “unprovoked attack on Ukraine” on February 23, the Cybersecurity & Infrastructure Security Agency (CISA) published an updated set of cybersecurity recommendations for organizations.
In the five years since I first explored the potential impact of a Digital Cold War on the IT industry, tensions with Russia have gotten worse, especially following a series of cyberattacks on systems in the United States. These include Russia’s involvement in the SolarWinds breach, as well as its interference with the 2016 US presidential elections via attacks on the Democratic National Committee infrastructure and the purchasing of tens of millions of ads on Facebook in an attempt to sow discontent among US voters.
Under Vladimir Putin’s leadership, the nation has focused on international cybersecurity activity for many years.
In response, the United States, NATO nations, and allied countries have imposed numerous economic sanctions on Russia, including blocking its two state-owned banks from debt trading on US and European markets and freezing their assets under US jurisdictions, as well as freezing the assets of the country’s wealthiest citizens. Germany has halted its plans on Russia’s Nord Stream 2 Gas Pipeline. Further wide-ranging sanctions are expected as Russia continues its assault on Ukraine.
On February the 23rd, President Biden condemned the military action and said, “President Putin has chosen a premeditated war that will bring a catastrophic loss of life and human suffering. Russia alone is responsible for the death and destruction this attack will bring, and the United States and its Allies and partners will respond in a united and decisive way. The world will hold Russia accountable.”
The economic impacts of this conflict will likely be significant, including a halt on Russian oil and natural gas exports to Western Europe and, presumably, the denial of civil and commercial air transit to Asia through Russian airspace. Although the United States, unlike Europe, is not a major consumer of Russian energy exports, it would be simplistic to say that Russia has no impact on US business at all.
An extended conflict with Russia — coupled with the imposition of wide-ranging sanctions — will have a tangible impact on the global technology industry.
Software companies with concerns about Russian connections
Many companies with significant market share and widespread use within US corporations have various levels of connections with Russia. For example, some were founded in Russia and others are headquartered elsewhere but have a development presence within Russia and other parts of Eastern Europe.
UK-incorporated Kaspersky Lab, for example, is a major and well-established player in the antivirus/antimalware space. It maintains its international headquarters and has substantial research and development capabilities in Russia, even though its primary R&D center was moved to Israel in 2017.
It’s also thought that Eugene Kaspersky, the company’s founder, has strong personal ties to the Putin-controlled government. Kaspersky has repeatedly denied these allegations, but questions about the man and his company remain and will be further scrutinized, particularly as the conflict develops.
In the past, evidence emerged that Kaspersky’s software was involved in compromising the security of a contract employee of the United States National Security Agency in 2015. Kaspersky Lab insists, to the contrary, that the evidence supporting this has not been properly established, and it has produced an internal audit of the findings.
It’s also important to note that companies with no evidence of any wrongdoing are suffering guilt by association.
NGINX Inc is the support and consulting arm of an open source reverse proxy web server project that is very popular with some of the most high-volume internet services on the planet. The company is of Russian origin but was sold to F5 Networks in 2019. The founder of the company, Igor Sysoev, announced his departure in January of this year.
Parallels, Inc., which Corel acquired in 2018, focuses extensively on virtualization technology. Their Parallels Desktop is one of the most popular solutions for Windows virtualization on the Mac. Historically, their primary development labs were in Moscow and Novosibirsk, Russia. The company was founded by Serguei Beloussov, who was born in the former Soviet Union and later emigrated to Singapore. Two of their products, Virtuozzo and Plesk, were spun off as their own companies in 2017. Parallels’ Odin, a complex management stack for billing and provisioning automation used by service providers and private clouds running on VMware’s virtual infrastructure stack and Microsoft’s Azure, was sold to Ingram Micro in 2015.
Acronis, like Parallels, is another company founded by Beloussov. After founding Parallels in 1999, and being involved with both companies for some time, he became CEO of Acronis in May of 2013. The company specializes in cybersecurity products for end-to-end device protection, and in the past, has had bare-metal systems imaging, systems deployment, and storage management products for Microsoft Windows and Linux. The company maintains its global headquarters in Singapore. However, it has substantial R&D operations in Eastern Europe in addition to operations in Israel, Singapore, and the US.
Veeam Software, founded by Russian-born Ratmir Timashev, concentrates on enterprise backup solutions for VMware and Microsoft public and private cloud stacks. Like Parallels and Acronis, it is also multinational. For many years, it had much of its R&D based out of St. Petersburg, Russia. It was purchased by Insight Partners in 2020, and a new management team was installed. However, it has yet to be determined how much Russian legacy code is in its products or continues to be contributed to them.
These are just a few examples. Numerous Russian software firms generating billions of dollars of revenue have products and services with significant enterprise penetration in the United States, EMEA, and Asia. There are also many smaller ones that perform niche or specialized services, such as subcontracting.
It should also be noted that many mobile apps, including entertainment software for iOS, Android, and Windows, also originate in Russia.
Russian services firms will also be impacted
Many global technology giants in the software and services industries have used Russian and Eastern European developers in the past because of their high-quality and value-priced work compared to their US and Western Europe-based counterparts. And many have invested hundreds of millions of dollars in maintaining a developer presence as well as a reseller channel presence in Russia.
World governments do not need to levy Iran-style isolationist sanctions against Russia for a snowball effect to start within US corporations that use Russian software or services.
The escalation into full-blown conflict in Ukraine will make C-seats within global enterprises extremely concerned about using software that originates from Russia or has been produced by Russian nationals. The most conservative companies will probably “rip and replace” most off-the-shelf stuff and go with other solutions, preferably American ones.
The Russian mobile apps? BYOD mobile device management (MDM) policies will wall them off from being installed on any device that can access a corporate network. And if sanctions are put in place by world governments, we can expect them to disappear entirely from the mobile device stores.
Countless games and apps originating from Russia could be no more when actual sanctions on that industry are implemented.
But C-seats aren’t going to wait for governments to ban Russian software. If there is any lack of confidence in a vendor’s trustworthiness, or if there is any concern that their customer loyalty can be swapped out or influenced by the Putin regime and used to compromise their own systems, be assured that software of Russian origin will disappear very quickly from enterprise IT infrastructure.
Contractor visas will certainly be canceled en masse or will not be renewed for Russian nationals performing work for large corporations. You can count on it.
Any vendor that is being considered for a large software contract with a US company is going to undergo significant scrutiny and will be asked if any of its products involved Russian developers. If a vendor doesn’t pass the most basic audits and sniff tests, it can just forget about doing business in this country.
So if a vendor does have a prominent Russian developer headcount, it will have to pack up shop and move those labs back to the US or a country that is better aligned with US interests, as we have seen with the companies listed above. This goes especially for anybody wanting to do federal contract work.
Then there is the issue of custom code produced by outsourced firms. That gets a lot trickier.
Obviously, there’s the question of how recent the code is and whether or not there are suitable methods in place to audit it. We can expect that US and Western European IT firms will shortly offer services products to pore through vast amounts of custom code so that they can be sure Russian nationals leave behind no backdoor compromises under the influence of the Putin regime.
If you thought your Y2K mitigation was expensive, wait until your enterprise experiences the Russian Purge.
I don’t have to tell any of you just how expensive a proposition this is. The wealthiest corporations, sensing a huge risk to security and customer confidence, will address this as quickly as possible and swallow the bitter pill of costly audits.
But many companies may not have the immediate funds to do it. They will try their best to mitigate the risk on their own, and compromised code may sit around for years until major system migrations occur and the old code gets (hopefully) flushed out.
We will almost certainly be dealing with Russian cyberattacks from within the walls of our own companies for years to come, from software initially developed under the auspices of having access to relatively cheap and highly-skilled strategically outsourced programmer talent.
Will Russian software and services become the first victim in a Digital War? Talk Back and Let Me Know.