The Ukraine-Russia conflict has raised the question of whether organisations should stop using Russian-made security and tech products and the risks of continuing to do so in the current situation.
CSO spoke with security leaders, researchers, and analysts about this significant issue and the implications for CISOs, businesses, and the wider sector.
Ending use of Russian security and tech products
“From a moral standpoint, CISOs should absolutely stop using Russian-made security and technology products. However, from a security-related standpoint, it’s much murkier,” says Shawn Smith, researcher and director of infrastructure at nVisium.
“There is always conflict in the world, and while you should always evaluate backups in situations like this, the products created by Russians aren’t any less secure now than they were a month ago.”
Dominic Grunden, CISO of UnionDigital Bank, strongly supports stopping use of Russian-made products and services.
“From a moral and humanity perspective, imagine this: Your company would pay the Russian company providing the security and tech product who in return pays taxes in Russia, which directly supports the government and military that is invading the Ukraine and resulting in loss of lives,” he tells CSO.
Grunden also cites the global economic sanctions being imposed against Russia as another issue, as CISOs need to be sure they are not breaking laws in the countries the company is operating in.
For Peter Lowe, principal security researcher at DNSFilter, the biggest reason why CISOs should switch away from Russian-made security products as soon as possible is because of the growing number of companies withdrawing from Russia right now – including major internet backbones cutting off access.
“There is a very real risk that any tech product using servers based in Russia might simply disappear, which could be catastrophic depending on the type of service,” he says.
In contrast, Cyware threat intel specialist Neal Dennis says that businesses should not rush into removing Russian-made products as a blanket approach, but they should be highly skeptical of how far-reaching they are. “Russia has a sordid past of tech companies potentially being used for various efforts,” he tells CSO.
Risks of using Russian security and tech products
With regard to the risks of continuing to use Russian-made products, there are important factors to consider, Grunden says.
“Using Russian made security and tech products can potentially allow Russia to access our companies, customers, and data, and potentially use it for malicious purpose. Under current Russian legislation, company and customer data is not protected and Russia has laws on national security and cyber security which provide the Russian government a legal basis to compel technology companies operating in Russia to cooperate with Russian security services.”
The real threat is for Russia to exploit discovered vulnerabilities within organisations or access them through a backdoor, Grunden warns.
In Smith’s opinion, heightened scrutiny around “anything-and-everything” Russian is creating another problem for CISOs.
“While the platforms developed by Russians aren’t any less secure now than they were a few months ago, many vulnerabilities are being found due to increased probing. The biggest security risk is if a vulnerability is found in your software, it may be very slow to get patched due to the current conflict. It may be safer in the long run to evaluate and switch now than wait and be forced into a situation where you need to switch with very little runway.”
Implications of stopping use of Russian-made products
While he believes businesses should halt their use of Russian-made products and services, Grunden concedes that doing so will not be without implications for CISOs and companies.
“Forcing an organisation to immediately discontinue a Russian-made product or service could impact the organisation’s ability to identify, protect, detect, respond and recover from cyber threats and security incidents,” he says. It will incur immediate cost and effort to replace the security or tech product/service for the entire organisation, and this could be quite detrimental given the current security workforce shortage and burnout concerns, he adds.
Terminating a contract between two companies may result in legalities that would affect the organisation’s credit rating while limiting an organisation’s ability to obtain and use the best products or services available are also issues to take into account, Grunden says.
“I believe the recent Russian invasion of the Ukraine has seen a widespread adoption of large companies such as Apple, Microsoft, Google, Amazon, SAP, etc. who are halting doing business to and from Russia which has immediately impacted the security product and service market,” he continues.
Lowe agrees: “There are lots of valuable tech services and products provided by Russian companies, so initially there is going to be a drop in available services covering the region, government interventions as well as peoples’ lessened desires to purchase Russian tech. Threat intelligence for Russia is also going to suffer.”
This could prompt more companies to take independent research more seriously and look to effectively include OSINT and open-source research into their capabilities for generating self-guided intel instead of solely relying on big data providers, says Dennis.
However, Smith doesn’t predict significant, long-term ripple effects on the wider industry.
“Given how large the security space is, I don’t think there will be any large change in the security product marketplace. Some professionals will migrate off Russian products, others won’t, and some smaller businesses might close shop or migrate to other countries. In the end, it’s going to be pretty close to business as usual for the greater security market.”