Enterprise IT finds itself in a war zone – with no script

Where in the stack should sanctions start?


Opinion Trade embargoes are powerful weapons, especially in wartime. They used to be very visible: naval blockades had huge impacts against the Confederacy in the American Civil War and, 50 years later, Germany in the First World War.

The Battle of the Atlantic in the Second World War nearly sank the UK. 

The building of Sberbank of Russia in Moscow. Central Head Office

The Moscow head office of majority state-owned Russian banking and financial services company Sberbank

Now Russia is in an illegal war against Ukraine, and sanctions against it are the rest of the world's first choice of persuasion. Financial services, new goods and spare parts, travel, all these things are part of an established playbook. Information technology is less so, and when it comes to cloud services and infrastructure, there are far more questions than answers.

Russia's dependence on Western enterprise IT is huge. Its domestic capabilities have improved beyond measure since the collapse of the Soviet Union in 1991, when decades of catastrophic mismanagement left it with no IT industry whatsoever. Cheap hardware and the global online infrastructure allowed it to develop a capable and productive software workforce. Free to use the same tools as the rest of us, big outfits could start to become competitive and entrepreneurs could expect a level playing ground.  

Suddenly, that's no longer true. Within a week of the invasion, the list of Western companies that won't sell to Russia is startling – Intel, AMD, Apple – and, more ominously for business, stalwarts Oracle and SAP removing or reducing their presence significantly. As an opening salvo, it gets attention: but the real action awaits. 

Removing web apps and services from Russia, especially those for organisations, would be devastating. Russia's own cloud providers have been slow to develop, with the two biggest – Yandex and Mail.ru – coming in fourth and fifth on its home turf, well behind Amazon, Microsoft and Google in a 2020 research report from analyst PwC.

Good luck building out more capacity when you can't buy server chips, and good luck running an economy without the tools and platforms that have come to define modern enterprise's information DNA over the past five years. 

What next?

So far, though, the embargoing of primary cloud infrastructure and on-demand services hasn't happened, and there's no route forwards in direction or timing.

There's no reason to believe this is through lack of will or fear of losing revenue, no indication that service providers are somehow less willing to move than other industry sectors. It's not happening because nobody's done this before, nobody knows how to do it, and nobody's taking the lead. 

Of these aspects, the lack of leadership is the most pressing. That's not the sector's fault: effective embargoes need coherent and unambiguous  governmental and regulatory guidance, neither of which are visible.

If you're told you can, preferably must, do something by lawmakers or state agencies, you can escape contractual liability through force majeure, the principle that when something you can't control prevents you from fulfilling an agreement, this absolves you from legal responsibility.

Without that, you can do things like cease selling your product or renewing contracts, less so cut loose existing deals. Turning off the taps means exactly that. 

Then there's the fear of going out on a limb, something which again needs strong leadership, this time from within the industry.

If you pull your services from a market but your competitor does not, especially if migration is easy, you won't harm anyone but yourself. This is a multi-dimensional fear: do you take action, what do you do, how much do you take, who do you take it against?

This gets worse the further down the stack you go: whether you withdraw your application or not is up to you, but if you're looking at blocking entire classes of access on a regional or blacklist basis, that has many more ramifications – just ask ICANN.

Plus, in a war where access to and control of information to individuals – the B2C side of cloud sanctions – there are infinite imponderables. Russian President Vladimir Putin's entire strategy depends on controlling what Russian citizens know, think and decide among themselves; sanctions that strengthen his hand here would be agonisingly counterproductive. Decisions, decisions.

The reaction of IT services, especially at infrastructure level,  is important, urgent, and vastly consequential. It needs alignment of sector regulators, government policy makers and CEOs, across trading blocs, countries and regions.

Nobody is at fault here, not yet: there is no how-to video for sanctioning a rogue yet highly interconnected state. We've only learned in the last seven days that we can do sanctions at speed at all.

The path to escalation must be closed, the de-escalation of the violence towards 40 million people must be pushed as hard as possible, and cutting off the ability of Russian organisations to handle their information is a big stick indeed. More, there's the other, much larger, much more technologically advanced authoritarian state on the other side of the world, watching with great interest how we handle this.

This columnist is no fan of hyperbole: here, none is possible. The stakes could not be higher, and there's one shot at getting it right. The fog of war must give way to the cloud at war, or the storm will be fierce indeed. ®


Other stories you might like

  • Experts: AI should be recognized as inventors in patent law
    Plus: Police release deepfake of murdered teen in cold case, and more

    In-brief Governments around the world should pass intellectual property laws that grant rights to AI systems, two academics at the University of New South Wales in Australia argued.

    Alexandra George, and Toby Walsh, professors of law and AI, respectively, believe failing to recognize machines as inventors could have long-lasting impacts on economies and societies. 

    "If courts and governments decide that AI-made inventions cannot be patented, the implications could be huge," they wrote in a comment article published in Nature. "Funders and businesses would be less incentivized to pursue useful research using AI inventors when a return on their investment could be limited. Society could miss out on the development of worthwhile and life-saving inventions."

    Continue reading
  • Declassified and released: More secret files on US govt's emergency doomsday powers
    Nuke incoming? Quick break out the plans for rationing, censorship, property seizures, and more

    More papers describing the orders and messages the US President can issue in the event of apocalyptic crises, such as a devastating nuclear attack, have been declassified and released for all to see.

    These government files are part of a larger collection of records that discuss the nature, reach, and use of secret Presidential Emergency Action Documents: these are executive orders, announcements, and statements to Congress that are all ready to sign and send out as soon as a doomsday scenario occurs. PEADs are supposed to give America's commander-in-chief immediate extraordinary powers to overcome extraordinary events.

    PEADs have never been declassified or revealed before. They remain hush-hush, and their exact details are not publicly known.

    Continue reading
  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading

Biting the hand that feeds IT © 1998–2022