Big Interview

Telecoms security and the Russia-Ukraine crisis

Michaela Lodlova - Wiggin.png
Michaela Lodlová, consultant at Wiggin LLP

As the Russia-Ukraine crisis enters its third week, Capacity reflects on the future impact of this situation, examining the potential implications for the carrier community – particularly from a security perspective.

Michaela Lodlová, consultant at Wiggin LLP, a UK-based law firm that specialises in media, technology and IP, explains that new telecoms security & cybersecurity obligations caused by the ongoing conflict may result in increased compliance costs for operators.

"Since 2019 we have witnessed, as part of our detailed monitoring of the international regulatory landscape, increasing nationalisation and tight national security restrictions in the communications regulatory and wider technology space in Russia," says Lodlová.

By May 2019, the country adopted a law on Russian Internet (Runet) that laid the foundations for isolating internet traffic in Russia from the rest of the world, as evidenced by the recent blocking of certain social networks.

"This has allowed full scope filtering of the Internet content with the Russian regulator Roskomnadzor requiring all ISPs to interconnect technically with its facilities and run all traffic destined to the World Wide Web via it," adds Lodlová.

At the same time, strict requirements were put in place for pre-installed Russian software on all devices imported and sold, including PCs, laptops and handsets. By 11th March, all servers and domains were due to be transferred to the Russian zone in readiness for of the cut off from the global Internet.

"We expect that western foreign operators will now face their licences being reworked, their assets nationalised or expropriated, and their operations effectively ceased," explains Lodlová.

"Furthermore, telecommunications operators offering global or international services to Russia (or countries that may yet fall under similar international sanctions), will face challenging situations. This is especially true as they try to comply with the constantly increasing sanctions, comprising of bans on technologies and services including entities with Russian ownership or capital (where such fact may be far from obvious)."

She adds that there is also the perennial issue of which services to take down, as one circuit to one sanctioned customer may be fairly simple but taking down a common network element can be very challenging. As such, "a lot of work will be needed to coordinate network and sanctions teams in order to ensure pragmatic decisions are made".

This will require significant work on the part of "key individuals" as well as import teams who will need to adapt to and keep up to date with the increasing restrictions on the types of equipment/ technology that can be imported into the countries.

Sanctions and networking aside, Lodlová says that the home countries of large, international organisations that provide telecoms services are also likely to tighten national security and cybersecurity requirements to protect against cybercrime.

"This includes targeted attacks on critical infrastructure in these countries, the spread of fake news and the prevalence of propaganda. Tightened cyber security rules are well under way in the Western world and will intensify," she says.

This will result in additional costs in not only reinforcing critical infrastructure but also in "ensuring the administration of content mediation, filtering and blocking services that the service providers already face. We are seeing large numbers of new rules in this regard appearing across multiple jurisdictions".

Interestingly, Lodlová points to subsea cables as an area of particular concern describing it as "essential communication pathways from the East to the West and especially between Europe and Northern America".

In light of these repercussions, its unsurprising to learn that new compliance rules and legislation are likely to come about as a result of these threats.

Firstly, Lodlová says that eome countries that were traditionally very open to the global economy, like the UK, the Netherlands or Denmark, recently introduced government scrutiny of foreign direct investment in strategic infrastructure sectors like communications networks & services, data centres or infrastructure for digital and cloud services.

"This will, in our view, gain momentum and more European countries will follow suit," she says. "We also expect that there will be further scrutiny and new rules regarding ‘anonymous’ use of services and many jurisdictions which currently do not have strict rules on customer or SIM registrations will introduce these in some shape or form."

There is also scope for similar discussions in the areas of social networks, particularly regarding fake accounts, sponsored by state terrorism or aimed at incentivising hatred or harmful content.

Data sovereignty is also likely to be affected, with Lodlová having seen an increasing trend of data localisation in Russia and other countries in the region over the last two years.

"This is likely to continue, with more countries imposing strict data localisation rules not only for the communications sector but for wider personal data processing requirements," she adds.

"We expect to see more national versions of the global Internet as seen in other regions, like the Middle East or China, where a significant portion of information & content is either blocked or filtered."

For its part, she says that Russia has already introduced full-scope data sovereignty for all communications sector data and any personal data processing.

If data sovereignty is likely to become more prevalent, then countries and jurisdictions that are governed by GDPR, UK GDPR regime or similar regimes, "will impose absolute restrictions on data transfers to jurisdictions like Russia. This will increase the geopolitical isolation and economic sanctions put on the nation," Lodlová says.

The downside to this as she points out, is that data protection rules in different countries are likely to become more "incompatible" and "giving rise to new partitioning in the digital space".

What is further concerning is that this could lead to technical and other incompatibility issues regarding standards "which would break the current globalised world into nationsal or regional silos limiting the scope for big data, data economy or open data initiatives".

With a plethora of clients and partners across the TMT space, Lodlová says that the firm has already begun seeing a number of the aforementioned topics being discussed as areas of concern, indicating that many are preparing for what likely to come.

Of the ones not previously mentioned these include, greater restrictions on network service offerings requiring more filtering and blocking as well as more foreign direct investment rules.

Regulation failing to keep pace with new technologies leading to ever increasing rules on enterprise customers, which are more customer centric and the expansion of some of those rules to OTT providers but little consistency on some.

And an ever more patchwork quilt of regulation requiring hugely detailed analysis to allow any cross-border application – and risk of more fines for any cross jurisdictional service offering.