Russia Ramps Up Cybersecurity Systems
Publication: Eurasia Daily Monitor Volume: 22 Issue: 15
Executive Summary:
- Russia is strengthening its national cyber defense by requiring commercial organizations to connect to a unified cybersecurity system. This initiative builds on the “Sovereign Internet” law to centralize cybersecurity control and mitigate rising cyber threats.
- Russia’s cybersecurity sector is facing talent shortages due to the brain drain following its full-scale invasion of Ukraine, technological deficiencies, and slow replacement of Western IT (information technology) security solutions, hampering national security efforts.
- Developments in Russia’s cybersecurity programs are creating increased state control over digital communications. While aimed at preventing cyberattacks, the initiative aligns with the Kremlin’s broader objective of expanding digital surveillance.
The Russian Communications Authority (RosKomNadZor) announced that it has received authorization from the Russian Ministry on Digital Development, Communications, and Mass Media to use automated systems to monitor online services and companies and identify improperly secured personally identifiable information (PII) (Vedomosti, January 17). This is another step in Russia’s national cyber defense system to identify vulnerabilities that hackers can exploit. Internet censorship in Russia is a well-known challenge, especially since the adoption of the “Sovereign Internet” law in 2019 (Russian Duma, April 4, 2019; see EDM September 3, November 25, 2024). In addition to cracking down on civilian internet encryption and creating a local network of servers to carry internet traffic via the “RuNet” project, the Russian state is moving forward with creating a unified internet security system that aims to incorporate all commercial organizations in the country.
Anton Nemkin, a member of the Russian State Duma’s Committee on Information Policy, Information Technology, and Communications, announced late last year that all businesses would soon be required to connect to unified cyber-defense systems (Interfax, November 8, 2024). The Federal Security Service (FSB) is preparing legislation for this initiative (Vedomosti, November 8, 2024). Nemkin justified the move by citing recent statistics showing that the country’s cyber infrastructure suffered 355,000 DDoS (distributed denial-of-service) attacks in the first half of 2024, a 16 percent increase from 2023 (Interfax, November 8, 2024).
The system is known as the Monitoring and Administration Center for General Use Information Networks (GosSOPKA). It was developed by RosKomNadZor, the FSB, and the Federal Technical and Export Control Service (FTSEK) (GosSOPKA, accessed February 6). The Center for Monitoring and Control of the Public Communications Network (TsMU SSOP) plays a key role in detecting threats to internet security in Russia. TsMU SSOP was originally created in 2013 by a presidential directive and designed to provide security for anything considered “critical information infrastructure,” which includes healthcare, scientific research, transit, telecommunications, the military-industrial complex, and commodities extraction (Infotrust, accessed February 6).
The GosSOPKA technology itself was developed by a group of contractors, including Kaspersky Labs and “Astra Group,” a company that originally developed a custom, highly secure Linux distribution known as Astra for the Russian armed forces and intelligence services (CNews, November 10, 2023). GosSOPKA relies on a government contractor known as “Perspektivnyi Monitoring” (Перспективный мониторинг) for many of the technical operations, including Security Operations Centers (SOC) and vulnerability management, and for connecting organizations to network log monitoring, analytics, and Intrusion Detection Systems (IDS) (Perspektivnyi Monitoring, August 25, 2023).
The implementation of the system thus far has faced challenges. At the end of 2023, a directive from Russia’s National Computer Incident Response Coordinating Center (NKTsKI), which operates in tandem with GosSOPKA, began requiring the activity logs in such centers to be generated in Extensible Markup Language (XML), a data format that has not been updated since 2006. Many monitoring centers were unable to meet this requirement, preventing proper security monitoring from taking place (CNews, November 11, 2024). Many companies facing cyberattacks seek to avoid dealing with NKTsKI and prefer to work with private incident response centers, as they are concerned about facing penalties for security failures (Vedomosti, May 25, 2024).
The development of a state-sponsored national cyber defense system is likely a response to the country’s continuing challenges with import substitution in the information security space. Russia’s information security sector continues to struggle with a shortage of technology and personnel to prepare the country for continuing cyber conflict using only domestic solutions (CNews, July 10, 2024). A poll conducted in the summer of 2024 by MTC Red, a leading Russian security company, found that only 16 percent of large enterprises had successfully replaced foreign solutions with domestic products in the network security space (Ibid). Further, 64 percent of the 100 respondents surveyed did not believe that the Russian market was capable of replacing the Western IT security solutions that exited the country in the aftermath of the invasion, in particular next-generation firewalls (NGFWs), which are used to secure network perimeters, and Advanced Endpoint Protection (AEP) systems (CNews, July 10, 2024).
These challenges are compounded by the continuing lack of qualified personnel as a result of a brain drain in the country’s IT sector. These challenges persist despite generous financial incentives offered by the Kremlin in the aftermath of the invasion, including a zero percent profit tax rate for the sector (RBC, May 29, 2024). The study found that two-thirds of those surveyed lacked qualified personnel, while one-third lacked the resources to address issues in a timely manner. Nearly 20 percent of those surveyed continue to experience challenges with the withdrawal of foreign information security solutions since the invasion. This lack of qualified personnel will make implementing plans to have 95 percent of Russia’s cybersecurity market filled by Russian vendors, outlined in a recent plan from the Center for Strategic Research, a think tank close to the Kremlin, very challenging (CSR, October 2024).
The national cyber defense system also includes scanning systems to identify vulnerabilities that hackers can exploit. A national scanning system developed by the General Radio Frequency Center (GRFC) has already discovered 26,000 critical vulnerabilities in the Russian segment of the internet, according to data presented to the media in October 2024 (Tadviser, October 2024). This scanning will also include the Duma-approved project introducing automated scanning and machine learning to identify improperly secured PII (CNews, January 17). Breaches of Russian PII by foreign hackers since the beginning of the invasion of Ukraine have resulted in vast quantities of such data being released on the internet, where it is then used in hacking attacks and fraud targeting Russian citizens and organizations.
Making all commercial organizations compliant and properly connected to such a system will require substantial time and resources from an economy already operating under wartime conditions. The legislation and cyber defense system demonstrate both the continuing anxieties surrounding attacks by hacking groups and the Kremlin’s long-term plans to achieve as much surveillance over electronic communications as possible.