Russia tightens cybersecurity rules
Starting in 2025, Russian state-owned entities will be prohibited from using information security tools produced in “unfriendly” countries, a presidential decree has declared.
On Sunday, Russian president Vladimir Putin signed a law that aims to boost the country’s information security. The document, which has been published on the government’s website, says that state-controlled entities will be prohibited from using information security tools originating in “foreign states which commit unfriendly actions against the Russian Federation, Russian legal entities or individuals” or produced by manufacturers that are controlled or affiliated with “unfriendly” states.
The list of entities subject to the decree includes governmental and regional authorities and organizations, state funds, state-controlled companies, strategically important organizations and “legal entities that are subjects of the critical information infrastructure of the Russian Federation.”
The decree orders the heads of these entities to assign cybersecurity responsibilities to their deputies and establish dedicated departments tasked with preventing and eliminating the consequences of hacking attacks and responding to “computer incidents.”
Publication of the decree came just a few days after Nikolai Lishin, deputy head of the information systems department of the Russian Defense Ministry, compared the presence of foreign software in Russia to an “enemy tank.”
“Imagine an enemy tank on the territory of the Russian Federation, what would happen here now. But for some reason, we allow imported software to be here, on our territory,” Lishin said earlier this week, adding that “the current times” make clear what course of action is needed. This declaration comes amid Russia’s ongoing military offensive in Ukraine and the significant deterioration of Moscow’s relations with the West.
The last few years have seen Western countries repeatedly accusing Russia of conducting hacking attacks against critical infrastructure, political institutions, banks and medical facilities. Moscow has vehemently denied all such allegations.
In early April, Russian Security Council Deputy Secretary Oleg Khramov revealed that the United States has unilaterally closed communication channels with Russia regarding cybersecurity. Previously, the two countries had exchanged lists of critical internet infrastructure under the auspices of the Russian Security Council and the US National Security Council.
In the wake of the unprecedented sanctions imposed on Moscow, Russia added all EU member states, the UK, Canada, Japan, and several other states to its list of “unfriendly” countries. All of those given such a designation are subject to various retaliation measures, restrictions and specific requirements from Russia.
Russia sent troops to Ukraine in late February, following Kiev's failure to implement the terms of the Minsk agreements, first signed in 2014, and Moscow's eventual recognition of the Donbass republics of Donetsk and Lugansk. The German and French brokered Minsk Protocol was designed to give the breakaway regions special status within the Ukrainian state.
The Kremlin has since demanded that Ukraine officially declare itself a neutral country that will never join NATO. Kiev insists the Russian offensive was completely unprovoked and has denied claims it was planning to retake the two republics by force.