Russian enterprises unconcerned by NSA network hack allegations

Despite allegations the NSA hid spyware in the equipment of a number of suppliers, the market in Russia for western network hardware remains buoyant

In the wake of reports that the National Security Agency (NSA) has been allegedly planting spyware and hidden surveillance software in computer network devices and hard drives of several top computer makers, including Cisco, Russian companies are taking no drastic steps to replace US-made equipment.

Indeed, many of them have avoided commenting on the issue, which they consider too sensitive given the strained relations between the two countries over Ukraine.

Back in February 2015, Russia's leading computer security firm Kaspersky Lab said in a report that the NSA hid surveillance software in hard drives of several top computer makers. According to Reuters sources, these firms included Western Digital, Seagate and Toshiba.

In its report, Kaspersky said it discovered the Stuxnet-like spyware in PCs in 30 countries and linked it to a nearly 20-year operation by the so-called "Equation Group" that "surpasses anything known in terms of complexity and sophistication of techniques”.

At about the same time, The Guardian reported that the NSA allegedly planted backdoors and other spyware into routers, servers, and other US-manufactured network equipment before it was shipped to other countries.

New cold war?

Against the backdrop of what many refer to as a new cold war in relations between Russia and the west, some Russian officials have called for cutting back on the use of western technology and equipment out of fear of spyware and hidden surveillance devices. However, by and large Russian companies continue to actively use US-made network and data storage equipment.

Vladimir Ivanov, director of infrastructure at Russia's largest internet company, Yandex, said the firm use equipment made by various companies, including those from the US.

“We have a number of selection criteria and we evaluate all possible risks, including those related to surveilling traffic,” he said.

Many Russian companies declined to comment on their use of US-manufactured network equipment, saying that the issue is "too sensitive", although it's thought their use of US-made equipment is substantial.

Read more about IT in Russia

Head of the information security department at Russian airline Transaero, Sergei Gavrenkov, said: “We have to admit that just about all communications networks are based on equipment developed by US manufacturers.

“Moreover, even equipment manufactured in other countries could contain firmware with complete functionality that is not described in available documentation.”

Elsewhere, general director of computer security company Doctor Web, Boris Sharov, said his firm hadn't "come across bugs in either US-made equipment or equipment manufactured elsewhere”.

According to Gavrenkov, no one could guarantee that network equipment manufactured just about anywhere outside Russia doesn't contain undocumented – and undesirable – elements.

Kaspersky experts have stressed that recently discovered security threats may not necessarily be linked to the equipment's country of origin.

“I wouldn't connect information about bugs in US-made network equipment or the 'Equation' module, capable of reprogramming hard-disk drive firmware, to the manufacturing country of the equipment. Bugs have been discovered in Chinese equipment as well,” said Kaspersky Lab antivirus expert Denis Legezo.

He added that equipment used for storing or transmitting secure information has to be tested and protected in accordance with the goals of its use.

“It doesn't matter if we talk about strategic objects or a desktop computer in which a corporation's financial data is stored,” said Legezo.

10 years behind

The only way to make sure that network and data storage equipment contains no bugs and spyware would be manufacturing it in Russia under strict control procedures, according to Gavrenkov.

However, he said, the implementation of that option would take years and is unlikely to be seriously considered.

“In the current situation, if that goal were set, very serious work on creating a relevant infrastructure and a number of specific steps would be required, which would take at least 10 years,” said Gavrenkov.

Read more on Network security strategy