Enterprise IT finds itself in a war zone – with no script
Where in the stack should sanctions start?
Opinion Trade embargoes are powerful weapons, especially in wartime. They used to be very visible: naval blockades had huge impacts against the Confederacy in the American Civil War and, 50 years later, Germany in the First World War.
The Battle of the Atlantic in the Second World War nearly sank the UK.
The Moscow head office of majority state-owned Russian banking and financial services company Sberbank
Now Russia is in an illegal war against Ukraine, and sanctions against it are the rest of the world's first choice of persuasion. Financial services, new goods and spare parts, travel, all these things are part of an established playbook. Information technology is less so, and when it comes to cloud services and infrastructure, there are far more questions than answers.
Russia's dependence on Western enterprise IT is huge. Its domestic capabilities have improved beyond measure since the collapse of the Soviet Union in 1991, when decades of catastrophic mismanagement left it with no IT industry whatsoever. Cheap hardware and the global online infrastructure allowed it to develop a capable and productive software workforce. Free to use the same tools as the rest of us, big outfits could start to become competitive and entrepreneurs could expect a level playing ground.
Suddenly, that's no longer true. Within a week of the invasion, the list of Western companies that won't sell to Russia is startling – Intel, AMD, Apple – and, more ominously for business, stalwarts Oracle and SAP removing or reducing their presence significantly. As an opening salvo, it gets attention: but the real action awaits.
Removing web apps and services from Russia, especially those for organisations, would be devastating. Russia's own cloud providers have been slow to develop, with the two biggest – Yandex and Mail.ru – coming in fourth and fifth on its home turf, well behind Amazon, Microsoft and Google in a 2020 research report from analyst PwC.
Good luck building out more capacity when you can't buy server chips, and good luck running an economy without the tools and platforms that have come to define modern enterprise's information DNA over the past five years.
So far, though, the embargoing of primary cloud infrastructure and on-demand services hasn't happened, and there's no route forwards in direction or timing.
There's no reason to believe this is through lack of will or fear of losing revenue, no indication that service providers are somehow less willing to move than other industry sectors. It's not happening because nobody's done this before, nobody knows how to do it, and nobody's taking the lead.
Of these aspects, the lack of leadership is the most pressing. That's not the sector's fault: effective embargoes need coherent and unambiguous governmental and regulatory guidance, neither of which are visible.
If you're told you can, preferably must, do something by lawmakers or state agencies, you can escape contractual liability through force majeure, the principle that when something you can't control prevents you from fulfilling an agreement, this absolves you from legal responsibility.
Without that, you can do things like cease selling your product or renewing contracts, less so cut loose existing deals. Turning off the taps means exactly that.
Then there's the fear of going out on a limb, something which again needs strong leadership, this time from within the industry.
If you pull your services from a market but your competitor does not, especially if migration is easy, you won't harm anyone but yourself. This is a multi-dimensional fear: do you take action, what do you do, how much do you take, who do you take it against?
This gets worse the further down the stack you go: whether you withdraw your application or not is up to you, but if you're looking at blocking entire classes of access on a regional or blacklist basis, that has many more ramifications – just ask ICANN.
- Here's why prolonged Russia-Ukraine war would be really bad for us, say chip designers
- Europe's largest nuclear plant on fire after Russian attack
- ICANN responds to Ukraine demand to delete all Russian domains
- Switzerland's SWIFT data centre under guard after Russian banks excluded
Plus, in a war where access to and control of information to individuals – the B2C side of cloud sanctions – there are infinite imponderables. Russian President Vladimir Putin's entire strategy depends on controlling what Russian citizens know, think and decide among themselves; sanctions that strengthen his hand here would be agonisingly counterproductive. Decisions, decisions.
The reaction of IT services, especially at infrastructure level, is important, urgent, and vastly consequential. It needs alignment of sector regulators, government policy makers and CEOs, across trading blocs, countries and regions.
Nobody is at fault here, not yet: there is no how-to video for sanctioning a rogue yet highly interconnected state. We've only learned in the last seven days that we can do sanctions at speed at all.
The path to escalation must be closed, the de-escalation of the violence towards 40 million people must be pushed as hard as possible, and cutting off the ability of Russian organisations to handle their information is a big stick indeed. More, there's the other, much larger, much more technologically advanced authoritarian state on the other side of the world, watching with great interest how we handle this.
This columnist is no fan of hyperbole: here, none is possible. The stakes could not be higher, and there's one shot at getting it right. The fog of war must give way to the cloud at war, or the storm will be fierce indeed. ®