The law has already been approved by the Duma, Russia’s lower house of parliament, and is set to go into effect on November 1, 2017. The move follows Apple’s decision to remove all VPN apps from its Chinese App Store on Saturday, in order to comply with government regulations.
VPNs are used to establish a secure connection to a private network, often utilized by business professionals to access company data for work. However, according to the Duma’s information policy committee head, the law is simply meant to block “unlawful content” and not meant to disrupt or restrict law-abiding citizens, RIA news agency said.
The moves in both Russia and China drew criticism from NSA whistleblower Edward Snowden, who took to Twitter to call them a “violation of human rights.” Snowden also wrote that the new law would make Russia “both less safe and less free.” In pointing out both the efforts of China and Russia, Snowden urged readers not to “sleep on the trend.”
VPNs are popular among international business travelers and organizations with a global presence. As such, the decisions from Russia and China should be taken seriously by companies or professionals who do business there.
Bob Gourley, co-founder of the cyber security consultancy Cognitio and former CTO of the Defense Intelligence Agency, said that business travelers need to understand that Russia and China have both spent years developing their espionage capabilities. While there isn’t anything one can do to prevent such spying, there are things one can do to mitigate its impact.
“Steps to take include not bringing any corporate data with you on any device, only communicating when you need to, and never communicating sensitive information while in country,” Gourley said. “If you do have to log into corporate resources, use multi-factor authentication. And remember, your VPN or any proxy technology will likely not work, and if it does work it is because it is being broken and read.”
Just as Apple is bound to follow a country’s laws in doing business there (e.g. removing the VPN apps in China), business professionals have to follow the laws and policies of a country when they do business there, said John Pironti, cybersecurity expert and president of IP Architects. The stringent policies and restrictions on VPN usage can make work more difficult, but there are some alternatives to consider, such as using a browser-based connection instead of a VPN agent.
Proper training is also important, Pironti said. Employees should be reminded that, in many instances, these countries have a legal right to monitor their connectivity and restrict access. “This means that users should be trained how to avoid transmitting sensitive messages and materials that they wish to remain confidential or private while operating within these countries,” Pironti said.
Awareness of different rules among countries regarding VPN use should also be a focus for business leaders, as it is important that they know when and where to use the proper tools for online work.
Finally, it’s important to remember that these restrictions shouldn’t scare an organization away from doing work in these countries, said Peter Tran, RSA’s senior director of advanced cyber defense. But, that doesn’t mean they still shouldn’t weigh the risks.
“This is ‘par for the course’ from a security perspective, as businesses operating in a global theatre should assess what their overall risks are from both a technology and business context as they adjust to platform changes necessary to adapt to changing regulations….this is certainly not a show stopper for business continuity,” Tran said.
The 3 big takeaways for TechRepublic readers
- On Sunday, Russian President Vladimir Putin signed a law prohibiting the use of virtual private networks (VPNs), while Apple recently pulled all VPN apps from the Chinese App Store.
- Businesses should take steps to mitigate potential espionage by never communicating sensitive information, using multi-factor authentication, and limiting corporate data on a device.
- Employees should be trained on alternatives methods of security when traveling, and businesses should weigh the risks and outcomes associated with doing business in these countries.