10 essays analyzing the strengths and weaknesses of the Russian Federation were released by the Center for New American Security (CNAS): “Identifying Russian Vulnerabilities and How to Leverage Them”
Vulnerability 3: Russia’s Technology and Cyber Industries
ALSO READ:
INTRODUCTION
VULNERABILITY 1: RUSSIA’S DEFENSE INDUSTRY
VULNERABILITY 2: RUSSIAN ARMS SALES
Russia’s war in Ukraine has jeopardized its access to the technology and talent that has long fueled its aggression in cyberspace.
By Gavin Wilde
American military theorists John Arquilla and David Ronfeldt wrote in 1993 that cyber conflict “is about organization as much as technology.”
Nearly 30 years later, cyber scholar Max Smeets affirmed this notion in his book on military cyber commands, No Shortcuts, stating that people are “the most important element […] required to run an effective cyber operation.” To the extent that these axioms hold true for yet another three decades, Russia faces an acute crisis. Even prior to Moscow’s intensified invasion of Ukraine in February 2022, a chronic case of “brain drain” and heavy dependency on foreign-made technology had arguably begun chipping away at Russia’s status as a global cyber power. As Moscow’s war on Ukraine drags into its second year, both dynamics appear likely to intensify.
After Vladimir Putin took the helm of the presidency at the turn of the century, emigration from Russia steadily declined during his first two terms, according to Moscow’s own figures. His return to the presidency in 2012—after a brief stint as Prime Minister to Dmitriy Medvedev—was marked by popular protest and an ensuing wave of crackdowns and repressions. A sharp rise in outward migration followed, accompanied by dire metrics about Russia’s broader demographic decline.
The Kremlin’s illegal annexation of Crimea and military incursion into Ukraine’s Donbas region in 2014 kicked off a similar outflux. As a range of punitive Western economic sanctions began to bite, pollsters, researchers, and senior Russian officials noted a common theme: Russia’s best and brightest were among those flocking to the exits. Out of an estimated 100,000 yearly émigrés from Russia, 40 percent held advanced degrees— and many had no intention of returning home. By early 2018, then-Deputy Prime Minister Dmitriy Rogozin proclaimed that drastic measures were needed to stem the loss of highly educated specialists to countries abroad, calling it Russia’s “greatest weak spot.” The worst, however, still lay ahead.
After its bumbling and brutal “special military operation” in 2022, a mixture of political repression, fears of military conscription, and economic uncertainty led to yet another exodus—conservatively estimated at 500,000, liberally at a million—at levels unseen since the 1917 Bolshevik Revolution or the Soviet collapse of 1991. Once again, peppered throughout these throngs were the country’s information technology (IT) professionals— at least 10 percent of Russia’s entire IT workforce, per the country’s own Communications Ministry last December. There are even some indications that Russian cybercrime syndicates were disrupted by the human displacement. “That’s a generational impact when you talk about the talent walking out the door,” noted Mieke Eoyang, U.S. Deputy Assistant Secretary of Defense for Cyber Policy.
This wasn’t Russia’s only once-in-a-generation exodus. Multinational tech firms—many of which were either firmly entrenched or amid yearslong investments into the Russian market—began pulling up stakes. Beyond Moscow’s energy revenues, the tech sector had been one of the few bright spots for the Russian economy, yielding over a third of the country’s overall gross domestic product (GDP) growth from 2015 to 2021. But by spring 2022, major players like Intel, Adobe, Hewlett-Packard, Microsoft, Cisco, Dell, Eriksson, Nokia, LG, NVIDIA, Kyocera, Logitech, Siemens, SAP, Oracle, Juniper Networks, and Samsung had all announced suspensions of some (if not all) business operations in, or product deliveries to, Russia. By some measures, IT companies constituted nearly a fifth of this historic pullback.
Many of these companies did not even wait for Western sanctions and export controls to be announced. When they were, they came in full force. The U.S. Commerce Department called its export restrictions to Russia—which were largely mirrored in scope by the European Union (EU)—“the most comprehensive application of [… its] authorities […] targeting a single nation.”50 Moscow’s access to semiconductors consequently plummeted, impacting production of everything from consumer electronics to data servers and scuttling its rollout of 5G mobile networks. The country faced a critical data storage shortage, prompting a scramble by the Ministry of Digital Transformation to identify new options for major service providers. Legislators considered legalizing software piracy despite the fact that pirated programs are inherently insecure and unpatchable (Digital Ministry and industry leaders have since sought to temper the idea). The pullback exposed what the Russian government recently called a “critical dependency” on high-tech imports from abroad. According to economic figures from 2019, 45 percent of the $19 billion in such imports to Russia were sourced from the EU, United States, China, and UK. Information and communication technologies composed a fifth of that total. By contrast, the share of high-tech products in Russia’s total 2020 exports came to less than 15 percent, most of which were destined for (the now largely closed) European market. Such figures are hardly indicative of a self-sustaining tech sector.
Even prior to Moscow’s intensified invasion of Ukraine in February 2022, a chronic case of ‘brain drain’ and heavy dependency on foreign-made technology had arguably begun chipping away at Russia’s status as a global cyber power.
By the start of its 2022 war, Moscow was almost eight years into an “import substitution” initiative, designed in part to insulate the country’s economy from external sanctions pressures, as well as to spur domestic industry and innovation. The effort was already flagging, as Moscow had proved unwilling or unable to build the necessary capacity and infrastructure for an indigenous tech sector to take shape, much less to thrive. Particularly in the digital arena, it had pitted the intelligence and security services against the very industries that needed to innovate most, as the imperatives of regime stability ultimately prevailed against the economic freedoms necessary for competitive modernization. According to researchers at the German Council on Foreign Relations, rather than spurring the Russian IT sector, Moscow merely subjugated it. Meanwhile, as the West set about isolating Russia economically and technologically, analysts Maria Shagina and Emily Kilcrease assessed these restrictions would “force Russia to go through something of a reverse industrialization”: Moscow’s goals would necessarily have to shift from playing catch-up to merely making do with far less. Consequently, ambitious national projects on tech have quietly been scrapped.
Analysts have closely examined the Russian military’s heavy reliance on Western technology, which fuels its kinetic war machine. Such analysis of Moscow’s cyber capabilities is far more difficult, as its premiere cyber-capable agencies—the General Staff Main Intelligence Directorate (GRU), Federal Security Service (FSB), and Foreign Intelligence Service (SVR)—are shrouded in secrecy. However, there is ample reason to suspect a similar dependency prevails there, too.
For example, documents from 2018 detailing the FSB’s vast digital surveillance dragnet, SORM, outlined the central role Nokia and Cisco hardware played—without which functionality “would have been impossible,” said Andrey Soldatov, an expert on Russian intelligence. More recent leaks from a Russian commercial subcontractor, Vulkan, detailed the cybersecurity company’s development of a host of capabilities for all three agencies.62 Schematics for several commissioned projects were riddled with references to hardware and software from Dell, Intel, Kyocera, Juniper, Cisco, and others necessary either for core componentry or for testing new techniques. U.S. sanctions on similar Russian intelligence subcontractors like Positive Technologies have highlighted past partnerships with Microsoft and IBM.63 Windows of opportunity to sustain such close ties and such ready access to hardware and software, however, have rapidly closed over the past year.
Cyber power on the global stage draws from the interplay between state, commercial, human, and technical capacities. Russia now risks running major deficits in all these areas in the coming years.The private-sector ecosystem to develop and test new digital toolsets is now losing both institutional heft and investment capital. The domestic telecommunications infrastructure to both deploy and exfiltrate such toolsets is losing pace with global standards. Data storage capacity is reportedly at critically low levels, as is the country’s share of young, entrepreneurial, tech-savvy workers. R&D spending remains relatively stagnant. Russia has burned through a significant number of offensive cyber toolsets against Ukraine with little strategic impact—other than a much more resilient adversary—to show for it. Under such conditions, Moscow may be able to redirect dwindling digital and human resources toward the military and security services but will nonetheless have to run faster just to stay in place.
Russian Efforts to Mitigate or Offset the Vulnerability
Moscow’s acknowledgment of this vulnerability lies on a spectrum. On one end, the rank and file of the national security bureaucracy seems to have registered a burgeoning crisis. For instance, Moscow has attempted to stem the tide of departing IT professionals by suspending their mandatory military service and offering preferential lending rates to businesses that manage to retain the bulk of their IT staff. Meanwhile, the Digital Development Ministry reportedly circulated a memo to Russian national security officials last summer, warning that overreliance on Chinese tech providers posed clear dangers to not only Russia’s information infrastructure but to the competitiveness of indigenous industries. “The assessment even suggests considering restrictions on technologies produced by Huawei and other Chinese companies in order to avoid a scenario of total dependence,” Bloomberg reported, putting Moscow on a one- to two-year timeline to avoid such a fate. Meanwhile, Huawei may have trimmed its commercial ambitions in Russia, but the R&D facilities it maintains throughout the country have been on a hiring spree over the past year.
On the other end is Putin himself, a reported technophobe and longtime advocate for Russia’s technological autarky who, at least publicly, seems unfazed. His comments last summer indicated a sense of relief about the departure of Western firms, which he called a “blessing in disguise” and a forcing function for the Russian market to “finally move on.” In his meeting with Chinese Premier Xi Jinping earlier this year, he boasted that “by combining our wealth of research capacity and industrial capabilities, Russia and China can become world leaders in IT, cybersecurity, and AI.” In many ways, this is an acknowledgment of clear synergy that existed even before the war: Russia has ample natural resources but lacks tech and capital, while China has the inverse arrangement. Whether the Kremlin is dismissive or simply circumspect about the risk of becoming China’s “junior partner” in the tech sector, as the war drags well into a second year, it does not appear to have any alternative. As prospects for technological self-sufficiency continue to grow dimmer, Moscow will somehow have to square either its domestic shortfalls or its dependency on China with Putin’s notions of Russian “sovereignty.”
Meanwhile, homegrown Russian suppliers are consolidating as they attempt to fill the void left by Western suppliers but are likely to face headwinds without the funding, know-how, and technology previously available to them. Meanwhile, some Chinese tech firms, such as Huawei, appear skittish to rush in, as they risk running afoul of secondary sanctions. Researchers from the Royal United Services Institute recently concluded that “although some components can be sourced from China, many critical components […] cannot. Without the requisite domestic manufacturing capabilities, Russia […] remain[s] highly vulnerable to multilateral efforts to choke off these component flows.”
Opportunities for the U.S. and its Allies to Exploit the Vulnerabilities
Ultimately, any state’s capacity to wage sophisticated, state-backed cyber campaigns against adversaries depends on human and technical capital. Cutting the Russian military, intelligence and security services, and their research and commercial facilitators off from that capital can only benefit the United States and its allies in terms of cybersecurity—not to mention Ukraine on the battlefield
But to maximize these benefits, the United States needs to work more closely with its allies and partners on enforcement. A patchwork of cutouts, obscure shell companies, and opaque end users have enabled Moscow to ensure “parallel imports”81 of desperately needed technology—often via entities located in allied states. Meanwhile, trade data since the onset of the war are sufficient to reveal routes and volumes indicative of likely sanctions evasion. For example, nearly $1 billion worth of advanced chips and electronics were transferred to Russia via China from a foreign-controlled, UK-based company in 2022 despite restrictions being in place. Such instances suggest the need for enhanced anti-money laundering (AML), know-your customer (KYC), and ultimate beneficial ownership (UBO) regulations and enforcement to stem the illicit flow of money and materiel to targeted Russian entities. New and developing outbound investment screening mechanisms from the United States, EU, and other like-minded states could also be synchronized toward this end.
The United States and its allies should similarly welcome and incentivize the migration of Russia’s tech talent—and anchor them permanently in the West— particularly as the globe faces a growing shortage.
By loosening visa regimes for Russian citizens with advanced degrees in cutting-edge fields, the West can gradually sap Moscow of the human capital necessary to feed both its military and cyber aggression.87 Western diplomats could mimic messaging blitzes by the U.S. Federal Bureau of Investigation and Central Intelligence Agency88—aimed at luring away Russia’s spies—to recruit Russian talent from popular landing spots for those disaffected by the war: Georgia, Turkey, Armenia, Israel, and elsewhere. Make no mistake, Russia is likely to remain a formidable cyber adversary, capable of significant disruption and sophisticated attacks. Its intelligence and security services may become even more brazen as the conventional war effort founders. Moreover, Western sanctions and export controls are hardly airtight. Even so, a rapidly diminishing pool of tech talent and a rapidly growing technological deficit threaten to combine over the longer term to make Russian cyber power difficult to sustain, making Russia more vulnerable to cyber foes and friends alike in the interim.