How a digital Cold War with Russia threatens the IT industry
For the last three years, all the world’s eyes have been on Russia.
It began when the hopeful spirit of international peace and cooperation during the Sochi Winter Olympics turned to fear and uncertainty when Ukraine’s government ousted its president, Viktor Yanukovych, a close ally of Russian president Vladimir Putin.
Russia followed by sending more and more troops into the region and confiscating Ukranian military bases and assets.
When we thought this had calmed down, concerns heightened when evidence of its breaching of systems run by the Democratic National Committee was brought to light after the election, as well as possible collusion by current and exTrump administration officials.
More recently, it appears that Russia has been attempting to sow conflict among different sectors of the US population and within our government’s legislature by purchasing ten million unique pageviews of advertisements on Facebook. Google is also in the process of uncovering evidence that this has occurred on its online properties as well.
The reaction by the Western world has been a complete condemnation of Russia’s activities.
While the United States, unlike Europe, is not a major consumer of Russian gas exports, it would be simplistic to say that Russia has no impact on US business at all.
Let’s start with Russian software companies themselves.
Many of these have significant market share and widespread use within US corporations. Some of these were founded in Russia, while others are headquartered elsewhere but maintain a significant amount of their development presence within Russia and other parts of Eastern Europe.
UK-incorporated Kaspersky Lab, for example, is a major and well-established player in the antivirus/antimalware space. It maintains its international headquarters, and has substantial research and development capabilities, in Russia.
It’s also thought that Eugene Kaspersky, the company’s founder, has strong personal ties to the Putin-controlled government. Kaspersky has repeatedly denied these allegations but questions about the man and his company remain and will be a subject of further scrutiny, particularly as US-Russia tensions escalate.
Recently evidence has emerged that Kaspersky’s software was involved in compromising the security of a contract employee of the United States National Security Agency in 2015. Investigation as the company’s actual involvement is still ongoing.
NGINX Inc., while less than ten years old, is the support and consulting arm of an open source reverse proxy web server project that is very popular with some of the most high-volume internet services on the planet. The company has offices in San Francisco, but it is based in Moscow.
Parallels, Inc., is a multinational corporation headquartered in Renton, Washington, that focuses extensively on virtualization technology as well as complex management stacks for billing and provisioning automation used by service providers and private clouds running on VMware’s virtual infrastructure stack and Microsoft’s Azure. However, their primary development labs are in Moscow and Novosibirsk, Russia.
Acronis, like Parallels, was founded in 2002 by Russian software developer and venture capitalist Serguei Beloussov. He left Parallels and became CEO of Acronis in May of 2013. The company specializes in bare metal systems backup, systems deployment and storage management software for Microsoft Windows and Linux and is headquartered in Woburn, MA, a suburb of Boston. However, it has substantial R&D operations in Moscow.
Veeam Software founded by Russian-born Ratmir Timashev, concentrates on enterprise backup solutions for VMware and Microsoft public and private cloud stacks. Like Parallels and Acronis, it is also multinational. The company maintains its US headquarters in Columbus, Ohio but much of its R&D is based in St. Petersburg, Russia.
These are only just a few examples. There are numerous Russian software firms generating billions of dollars of revenue which have products and services that have significant enterprise penetration in the United States, EMEA and Asia. There are also many smaller ones which perform niche or specialized services, such as subcontracting.
It should also be noted that many mobile apps, including entertainment software for iOS, Android and Windows also originate from Russia.
We aren’t even counting the giant technology companies in the software and technology services industries that are household names in the United States and EMEA which due to the excellent reputation of Russian developers producing high-quality and value-priced work compared to their US and Western Europe-based counterparts, have invested hundreds of millions of dollars in having developer as well as reseller channel presence in Russia.
The Trump administration does not need to levy Iran-style isolationist sanctions against Russia for a snowball effect to start within US corporations that use Russian software or services.
The cooling of relations has already made C-seats within corporate America extremely concerned about using software that originates from Russia or has been produced by Russian nationals. The most conservative of companies almost certainly will probably just “rip and replace” most offthe-shelf stuff and go with other solutions, preferably American ones.
The Russian mobile apps? BYOD blacklist MDM policies will wall them off from being installed on any device that can access a corporate network. And if sanctions are put in place by the current or next administration, we can expect them to actually disappear off the mobile device stores entirely.
Cut the Rope, which is made by Moscow-based Zeptolab, and countless games and apps originating from Russia could be no more if actual sanctions on that industry are put in place.
Contractor H-1Bs are almost certainly going to be canceled en-masse or will not be renewed for Russian nationals performing work for US-based corporations. You can count on it.
Any vendor that is being considered for a large software contract with a US company is going to undergo significant scrutiny and will be asked if any of their product involved Russian developers. If it doesn’t pass the most basic of audits and sniff tests they can just forget about doing business in this country, period.
Obviously, there’s the question of how recent the code is, and whether or not there are good methods in place to audit it. We can expect that there will be services products offered in the near future by US and Western European IT firms to pour through vast amounts of custom code so that they can be absolutely sure there are no backdoor compromises left behind by Russian nationals under the influence of the Putin regime.
We will be almost certainly be dealing with Russian cyberattacks from within the walls of our own companies for years to come, from software that was originally developed under the auspices of having access to relatively cheap and highly-skilled strategically outsourced programmer talent.