As U.S. lawmakers continue to cast doubt on the independence of Russia-based cybersecurity firm Kaspersky Lab, the Kremlin is considering plans that would cut off foreign anti-virus vendors from the Russian market.
The newly announced plan, first reported by Russian news outlet Meduza, will be reportedly presented Wednesday to Russian President Vladimir Putin. At the moment, a Russian advisory body for strategic projects is reviewing a draft copy of the bill.
If enacted, the proposed law would become effective in mid-2019, according to Meduza.
As it’s currently written, it will become mandatory for any computer that is imported or produced within the Eurasian Economic Union to carry anti-virus software that’s made by a country considered to be a “domestic technology company.” The Eurasian Economic Union is comprised by five member states, including Armenia, Belarus, Kazakhstan, Kyrgyzstan and Russia.
American cybersecurity firms only hold a small percentage of market share among those countries.
The anti-virus mandate is reportedly part of a larger “digital economy” framework, designed in part by Russia’s Communications Ministry, to modernize the country’s internet infrastructure and private technology sector. On Wednesday, Putin pledged to spend $3.3 billion over the next year to upgrade “information technology” used by citizens, according to Russian news outlet REN TV.
This initiative effectively combines the Kremlin’s desire to diversify technology offerings inside the country while also recycling investment opportunities for local businessmen, explained Zachary Witlin, an analyst with political risk consultancy the Eurasia Group.
“Information technology is a special case because of the security implications of relying on foreign-made products. Russia was already tightening oversight over the internet and IT equipment after President Putin’s re-election in 2012 and the Snowden revelations, and that strategy has coalesced in the wake of the Ukraine crisis,” said Witlin. “There are also quite likely suspicions that Western governments could exploit backdoors in products from those countries.”
Foreign policy analysts told CyberScoop the anti-virus plan falls inline with other recent efforts made by Putin to build and acquire software that is exclusive to Russia. In part, these changes are motivated by the Kremlin’s desire to have a greater degree of autonomy over the digital domain, said Keir Giles, an associate fellow of the Russia and Eurasia Program for Chatham House.
In addition to introducing barriers to foreign competition, the communications ministry proposal calls for a reduction in the share of foreign information technology equipment that the government purchases to 50 percent, and foreign software to 10 percent, by 2024.
Giles said that Russia’s digital economy framework is driven by a number of different factors, including a desire to become less dependent on Western technologies. Since at least 2010, the Russian federation has shown an interest in developing a domestic operating system that rivals Microsoft.
“The Russians have long thought they are at economic war with the West and this is a part of that,” said Giles. “The Kaspersky concern that’s being voiced right now in Washington is also something that Moscow thinks about … It goes both ways.”
In recent years, the Kremlin has increasingly sought to review the source code of major U.S. technology vendors, according to Reuters.
It is not uncommon for Russian leadership to voice their concerns regarding software vulnerabilities evident in Western software products. A package of leaked NSA documents detailing the extent to which American technology firms work with U.S. intel agencies is popularly used as evidence by Russian politicians of the threat of western software products becoming surveillance tools.
Experts say that the digital economy plan represents an ongoing trend by the Russian government to consolidate the capabilities of both private and public technology firms under Kremlin oversight.
“This involves developing the IT economy, and tightening rules on telecom, internet, and other IT firms (domestic and foreign alike),” said Witlin. “That means more subsidies or preferences for developing domestic products, more onerous rules and compliance costs for telecom and IT companies, and more muscular efforts to centralize state regulation of the internet.”
It is unclear whether the aforementioned anti-virus mandate is in any way related to mounting pressure from the U.S. toward Kaspersky. It will be months before a decision is made on the Russian proposal, and it’s likely that whatever the final version of the bill is, it will be different from what’s being reported today, said Witlin.
“I would expect the anti-virus proposal to go through a separate legal process because of its implications for the market – the [Russian] Federal Anti-monopoly Service would want to weigh in on this, for instance. So it is some ways off from becoming law,” he said. “Also bear in mind that Russian state programs almost never hit all of their targets. However, given the direction of IT policy, I would not be surprised if a version of the proposal eventually goes through.”
In Washington, the call to scrutinize Kaspersky is only getting louder.
A new draft of the National Defense Authorization Act won unanimous approval of the Senate Armed Services Committee last week. This version of the NDAA carries an amendment introduced by Sen. Jeanne Shaheen, D-N.H., that would ban the use of Kaspersky products in the Defense Department.