Will Cybersecurity Export Controls Thwart Russia’s Technological Progress?

Will Cybersecurity Export Controls Thwart Russia’s Technological Progress?

The U.S. move is a consequence of Russia’s longstanding and aggressive use of cyber capabilities in asserting its sphere of influence in Eastern Europe and carrying out large-scale cyberattacks against the U.S. government.

 

U.S. export controls against the Russian technology sector escalated rapidly in response to Russia’s invasion of Ukraine, but the United States has been gradually restricting the flow of technology to Russia throughout the past decade. Specifically, the United States imposed export controls on Russian cybersecurity companies after Moscow’s election interference in 2016 and significantly restricted the flow of cybersecurity items to Russia in early 2022. The ultimate goal is to technologically isolate Russia and degrade its offensive cyber capabilities.

The U.S. move is a consequence of Russia’s longstanding and aggressive use of cyber capabilities in asserting its sphere of influence in Eastern Europe and carrying out large-scale cyberattacks against the U.S. government. Most recently, before launching its invasion on February 24, Russia attacked Ukrainian computers with data-wiping software. A year before, the U.S. government found out that the Russians had carried out the massive SolarWinds hack, which had allowed them to spy on the Homeland Security and Treasury Departments for several months, among other upper echelon agencies.

 

Export controls on high-end semiconductors are likely to be the most effective in achieving this goal, mainly due to the United States and its allies’ near-monopoly over the chips production process. However, controlling the exports of cybersecurity items such as intrusion software will be less impactful as numerous other foreign companies are capable of creating and selling them to Russia.

What Are Cybersecurity Export Controls?

The U.S. Commerce Department’s Bureau of Industry and Security (BIS) recently revised the Commerce Control List (CCL) to include cybersecurity items such as intrusion software and Internet Protocol (IP) network communications surveillance. By adding cybersecurity items in CCL, the Commerce Department requires U.S. entities to acquire licenses before exporting them. Notably, these cybersecurity items are already covered in the Wassenaar Arrangement, a voluntary export controls regime that serves as an information-changing platform among its forty-two member states. The goal of cybersecurity export controls is to weaken Russia’s ability to launch destructive cyberattacks on other countries or for spying on its opposition members.

Apart from adding cybersecurity items to the CCL, BIS also added a number of Russian tech companies to its entity list, which means that U.S. companies will have to acquire licenses before exporting items to the listed entities. Currently, there are around ninety Russian tech companies in the BIS entity list, ranging from computer and microprocessor manufacturers to business automation software. Notably, listed companies produce or operate dual-use technology (civilian and military) and directly or indirectly contribute to the advancement of Russia’s military capabilities. By preventing listed organizations from acquiring U.S.-produced advanced technologies like semiconductors, the United States is trying to slow down the Russian military’s technological advancement.

How Will Export Controls Affect Russia’s Cyber Capabilities and Tech Sector?

Controlling tech exports to Russia and including Russian tech companies in the BIS entity list affect Russia’s cyber offensive capabilities by first, crippling tech companies’ operations and their ability to assist the Russian government in carrying out cyberattacks and, second, slowing down production processes of computers and electronic components, resulting in the overall inferiority of the Russian tech sector.

One of the companies that closed down after being included in the export controls list is Esage Lab, a Russian cybersecurity company accused of assisting the Russian government in launching cyberattacks during the 2016 U.S. presidential election. Specifically, Esage Lab provided technical research assistance to GRU (Russia’s Main Intelligence Directorate), which attacked the Democratic Party’s servers. After being added to the entity list, the company closed down.

Another example is Positive Technologies, a cybersecurity company that was added to the entity list in 2021 because it trafficked in cyber tools used for gaining unauthorized access to information systems. Earlier, the company was sanctioned for its support of the GRU and FSB (Federal Security Service) intelligence agencies. While the company claims that most of its revenue comes from Russia and that it hasn’t been affected by export controls, it will not be able to raise capital or sell to clients in Western markets, reducing its potential for further growth. Thus, export controls are likely to negatively affect Russian tech companies’ operations by either fully closing down their operations or limiting their access to Western capital markets.

In addition, Russian companies will no longer be able to purchase hardware or software designed to develop, command and control, or deliver intrusion software from Western suppliers. Intrusion software includes software specially designed for avoiding monitoring tools while extracting data from a computer. Similarly, Russian tech companies won’t be able to obtain IP network communications surveillance systems from American companies, which could be used for capturing and analyzing application data. Thus, the goal of adding these cybersecurity items in the CCL is to ensure that U.S.-origin software and hardware do not contribute to advancing Russia’s offensive cyber capabilities and surveillance tools.

Just as importantly, export controls are already slowing down the manufacturing processes of Russian tech companies. As this visual shows, the bulk of Russian tech companies subject to export controls specializes in the manufacturing or sale of electronic components. However, they rely on imported semiconductors for producing electronics. For example, Taiwan Semiconductor Manufacturing Company (TSMC), which has joined the United States in controlling exports to Russia, was supposed to manufacture the latest Elbrus microprocessors, designed by the Moscow Center of SPARC Technologies. Apart from TSMC, other leading chip-makers such as Samsung have also suspended exports to Russia, choking Russian companies of materials they need for manufacturing electronic components and computers. In the long term, these export controls are likely to result in the overall inferiority of the Russian tech sector.

Will Tech and Cybersecurity Export Controls be Effective?

Export controls on semiconductors are likely to be the most effective, given that South Korea and Taiwan, which have joined U.S. export controls against Russia, have a near-monopoly on high-end semiconductor production. Even if Russian companies manage to find alternative suppliers of chips, such as Russian and Chinese producers, it will take them years to reach the level of sophistication Taiwanese or Western semiconductors have. Thus, Russian electronics and computer manufacturers are likely to use chips that lag behind Western/Taiwanese semiconductors, threatening their ability to be at the forefront of tech innovation in the future. Furthermore, adding Russian tech companies to the BIS entity list is likely to be successful in either fully closing down enlisted companies or limiting their growth potential, as the cases of Esage Lab and Positive Technologies have demonstrated.

Meanwhile, export controls on IP network surveillance systems and intrusion software are likely to be less effective given that no single country has a monopoly over their production. For example, Israel’s NSO Group used to sell malware to authoritarian governments. Equally importantly, Russia has considerable capacity for developing offensive cyber capabilities domestically. For example, a Russian cybersecurity company with the code name ENFER has reportedly developed malware for offensive use for the FSB. Thus, export controls on cybersecurity items will create inconvenience for Russian companies who are purchasing technology from American suppliers but finding alternative suppliers of those cybersecurity items will be less challenging.

In sum, U.S. cybersecurity export controls on Russia are likely to succeed when the United States and its allies have near-monopolistic control over the production process of an item. U.S. export controls are likely to be less successful in thwarting Russia’s ability to build up offensive cyber capabilities given that intrusion software and IP network communications surveillance are more easily obtainable domestically and internationally. However, the United States and allies’ coordinated export controls policy is likely to deny Russian companies access to the latest semiconductors and other critical technologies and hinder the advancement of the Russian tech sector in the long term.

Maia Nikoladze is a program assistant at the Economic Statecraft Initiative within the GeoEconomics Center.

Image: Reuters.