Putin orders a new security system to protect Russian data. Will it work?

Kremlin trying to ringfence sensitive government and personal information as hackers target vital Russian resources in a renewed cyberwar over the Ukraine crisis.

AP

Russia will adopt a new indigenously developed system to protect sensitive government data and personal information of its citizens in what is being seen as the Kremlin’s increasing attempts to ringfence itself from the West in the digital space.

President Vladimir Putin has asked the country’s Security Council to get going on building Russia’s own version of a state information protection system. 

Addressing officials of the council on May 20 through a teleconference, Putin told officials to lay out a roadmap on the “additional steps” to be taken “to ensure stable operation of the information infrastructure in government and public administration,” TASS news agency reported.

The new directive comes in the wake of Putin’s May 1 decree that sets new parameters and requirements for establishing the state information protection system. Under the decree, Russia will withdraw all foreign information security tools by 2025 as a counter-measure against the “information war” waged by western nations.

Information security mostly includes antivirus software, programmes to prevent DDoS attacks, protection against leaks and user authentication services.

Russia’s move also came just a few days after a seven-country block led by the US announced a new data exchange channel to prevent the flow of sensitive personal information to two hostile nations, China and Russia. 

‘Real aggression’

“We need to strengthen the defence of the domestic digital space—there should be no weak spots,” the Russian president pointed out, adding that it is fundamentally important to minimise the risks of leaks of confidential information and personal data of citizens, even by means of stricter control of the policies for the use of office equipment and communications”.

"The number of cyber-attacks on Russian information infrastructure has been growing in recent years,” Putin said with an emphasis on “recent years”. With the beginning of the "military operation” in Ukraine, attempts to disable Internet resources of Russian infrastructure have only intensified, he added. "In fact, a real aggression, a war in the information space, has begun against Russia," Putin said.

He suggested “improving and regulating information security mechanisms of the industry on a real-time basis”. He noted that there are still no structural units for the protection of information in one-third of the industry’s critical facilities which the defence of Russia and its economy is directly dependent on. 

“Meanwhile, we have repeatedly said that such units should be established as soon as possible and they should be staffed with specialists who know the specifics of the industry very well,” he added. 

Cheap leakage

Quoting cybersecurity experts, the Russian daily Kommersant wrote that there has been a significant increase in data leaks since the start of the invasion of Ukraine.  In early March, the Yandex.Eda food delivery service notified a customer data leak. 

In May, a map with data from traffic police, VTB bank, Avito, Wildberries and other organisations was published online. But unlike the food delivery service, the companies, the bank and the traffic police denied the leaks, despite the fact that in the new version of the map even the vehicle identification numbers (VIN) were shown, besides surnames, first names, middle names, addresses, phone numbers, e-mail IDs and the total amount of the orders. 

The number of people whose personal data was leaked was estimated at a staggering 6.5 million.  The lists included personal data—including phone numbers and addresses—of journalist and presidential candidate Ksenia Sobchak, son of businessman Oleg Deripaska, Peter, and about 30 other famous people.

Ironically, Yandex.Eda service was fined 60,000 rubles for the leak and Forbes calculated the price of personal data of each Russian citizen to be worth no more than 0.009 rubles.

Declared Cyberwar 

In March, hackers got into the websites of several major Russian agencies, including the Federal Penitentiary Service, Interior Ministry, Ministry of Culture, Federal Social Security Service, Federal Antimonopoly Service, Ministry of Energy and Rosstat. And in February, the websites of TASS, Izvestia, Kommersant, Forbes, Fontanka, Mela, E1, Pravo.ru, Lenta.ru, Buro 24/7, RBC, Znak.Com and many other Russian media were hacked. 

Hackers had posted a collage of images related to the conflict in Ukraine on the home pages of the websites. 

The Anonymous group claimed responsibility for the attacks on Russian Internet providers and government websites. On its Twitter account on February 25, it declared cyberwar on the Russian government.

FSB Monitoring

At the end of March, Putin signed a decree forbidding the use of foreign software for Russia's critical information infrastructure from January 2025. On May 1, he signed a decree on additional information security measures that would prohibit government agencies and companies from using information protection tools from "unfriendly" countries as of January 1, 2025. This document also requires state agencies and organisations to create structural units engaged in information security.

In addition, the bodies and companies were mandated to provide "unimpeded access" to their resources to FSB employees. According to the text of the decree, they will be entitled to monitor the security of information resources belonging to the state bodies and state companies.

Not only federal and regional authorities and state companies are subject to this decree, but also enterprises and joint-stock companies, strategic organisations of the Russian economy and legal entities that are subjects of the critical information infrastructure.

Russian citizens now appear to be coming around to the government’s efforts now, in sharp contrast to the beginning of the Ukraine invasion when there were worries over speculations that Russia could cut itself off from the global Internet.

However, as TRT in Russian wrote at the time, "Completely disconnecting Russia from the outside is an extremely difficult task, because such disconnection does not have a ‘single switch’," the insider admitted.

However, the sanctions have created problems for Russian software users in all spheres of life, from enterprise management and construction to travel, RBC experts say.  The main difficulties are related to the withdrawal of key foreign vendors (Microsoft, Oracle, SAP, Cisco, EPAM etc.) from the country and, most importantly, the termination of their support of their products in Russia. 

Russian analogues of these products are not widespread enough and, in some cases, have not been created yet.

Demand is better than mortgage discounts

The main question since Russian forces entered Ukraine and sanctions were imposed on Moscow: why has not the creation of full-fledged and independent domestic software succeeded in the previous 30 years? As the general director of Aladdin R.D., Sergey Gruzdev said at the Russoft conference, the import substitution used to be done "for the sake of appearances", mainly for the sake of reporting to the superiors.

Alexander Glazkov, Chairman of the Board of Directors of Diasoft, added that the slow import substitution was due to the unwillingness to "break through the open door"— to make products that are already created.

"Import substitution does not create new values," he noted.  And in many cases, it even creates quite serious limitations. So, it is not a good idea to isolate the country from the rest of the world. In addition, on the way of import substitution "we have not received any state support yet," Gruzdev noted in April.

As the developers explained, the state has given and continues to give substantial benefits to the IT industry. However, the main thing that is necessary for the success of new software is strong demand. 

Dmitry Komissarov, founder, board member and director of product development of MyOffice, is sure: "Demand is more important than anything else". 

That is why, of all support measures offered by the authorities, the main thing for a business is not the zero-profit tax, not the mortgage at an extremely low rate of 3 percent, and not a military deferment, but the Ministry of Digital Security state projects, which will be executed by IT-companies. 

President of NP Russoft Valentin Makarov said that in 2015, Diasoft managed to replace foreign software for sanctioned Russian banks at short notice. According to the expert, the banks did not even notice any difference.

Route 6