‘Putin’s decree to accelerate cybersecurity market growth in Russia’

However, the industry is not ready to fully replace in-demand imported services, experts warn

Photo: Максим Платонов

By 2029, the domestic market for information security IT solutions may grow 2-2.5 times, according to industry experts discussing the effect of the Russian president's new decree. The document will prohibit government agencies and strategic companies from using cybersecurity services from unfriendly countries. Hacker attacks can lead to billions of dollars in losses, which means the issue should be a focus of attention, experts interviewed by Realnoe Vremya believe. At the same time, the country is not yet ready for import substitution of all in-demand products on the market.

Trust in foreign solutions in the information security segment is falling

Starting next year, the use of cybersecurity services from unfriendly countries will be prohibited in Russia. The corresponding Decree No. 500 was signed in recent days by President Vladimir Putin, amending Decree No. 250 dated May 1, 2022 “On additional measures to ensure information security of the Russian Federation”. According to the document, the ban must be observed by government agencies and strategic and system-forming organisations: in short, all subjects of critical information infrastructure (CII).

Previously, the decree of the head of state affected only information protection systems from unfriendly countries; now it prohibits the use of “services (works, services) to ensure information security provided (performed, rendered) by these organisations”.

“Prohibitions are often perceived as something fundamental, dividing the world into ‘before’ and ‘after’. But trust in foreign solutions, especially in the information security segment, has been falling for several years. The decree of the president of Russia No. 500, rather, consolidated the trends already formed in the industry in the legal field, developing Decree No. 250, one of the basic documents regulating the field of cybersecurity,” said Innostage CEO Aidar Guzairov.

The new decree clarifies and updates the provisions of the previous one in many ways, agrees Alexander Khonin, the head of the consulting and audit department of Angara Security. At the same time, the industry, according to him, expected these changes, which had been previously announced by the Ministry of Digital Development of Russia:

“Regarding the current document: the main pool of changes affected the centres of GosSOPKA, namely accredited centres. In general, this is logical, since it is known that the FSB is currently developing appropriate rules for the accreditation of such centres. And the 250th decree was adjusted taking into account this initiative.”

Ban will accelerate the import substitution of CII

Recently, Russia has been discussing the creation of a new government structure that would deal with cybersecurity issues. Currently, the information security industry is regulated by the FSB, the Ministry of Digital Development and the Central Bank.

“In 2022, about a third of the Russian information security systems market was occupied by products from companies from unfriendly countries. The list of unfriendly states includes 62 states. However, there are two exceptions — Israel and China, which are well known in the information security market,” said digital economist Ravil Akhtyamov. “While restrictions on purchases are in effect, many CII facilities have already been import-substituted, the new ban will accelerate this process.”

“However, the trend towards import substitution of information security tools has been traced since 2014 and noticeably accelerated in 2022,” Aidar Guzairov noted. Although, according to him, only the installation and/or implementation of information security solutions from Western vendors in the infrastructure had been banned, the decree now also covers the use of cloud versions provided by subscription:

“And these rules, this trend affects not only relevant departments. Recent incidents — for example, with a large logistics operator — have shown a clear link between cybersecurity and business performance. An attack on a large company can lead to billions of dollars in losses. This means that cybersecurity should now be the focus of the CEO's attention.”

A data leak was recently announced by the company SDEK, where, after a technical failure, information about parcels was publicly available. The operator had to stop working for a while, and the restoration took a lot of time and resources. Moreover, according to cybersecurity experts, the organisation's infrastructure is still vulnerable, and if it does not solve the problem, the attack may happen again.

“Companies could use prohibited services using alternative routes”

During the two years that restrictions on the purchase of foreign equipment and software for critical information systems have been in effect in Russia, attempts were made to import-substitute them. “In Tatarstan, such systems include state information systems, communication networks and automated control systems. The restriction will apply to both government agencies and large companies of the republic,” Ravil Akhtyamov said. At the same time, it is impossible to provide 100% protection against cyber attacks, experts warn. Hackers will always be one step ahead, and companies need to be able to withstand them and strive for cyber resilience.

“If we talk about the market, then, according to our estimates, the decree will accelerate the growth of the domestic market of information technology solutions and services, which is still far from saturation. By 2029, it may increase 2-2.5 times. For a long time, there were no Russian analogues of some foreign products on the market, for example, new generation firewalls, NGFW. But now a number of players are already offering effective solutions that are adapted to the needs of local customers,” said Aidar Guzairov.

According to Alexander Khonin, the last point of changes in the presidential decree regarding the prohibition of information security services from unfriendly countries may be of great interest to the Russian market: “On the one hand, it sounds loud, but on the other hand, in fact, such services are no longer applied because of sanctions. Many representatives from abroad have already closed access to their various services, including those provided on the basis of ISS. Therefore, we should not expect any significant impact on Russian companies.”

Formally, according to him, a number of information security services were used (for example, separate NGFW or WAF services). They are mostly available to subsidiaries of foreign organisations if the service is integrated into the IT infrastructure at headquarters. “Other companies could use similar services using alternative routes,” the source noted. “The percentage of such companies is small and hardly any organisation is ready to talk about it.”

As for the readiness for import substitution, according to him, there are a number of in-demand classes of information security solutions that in most cases are not ready yet, and the timing of their import substitution is likely to be pushed back. “But in terms of services, there will be a transition to separate information technology products in order to maintain the necessary functionality. A number of organisations will abandon such services and replace them with compensatory measures,” he concluded.

Vasilya Shirshova
