I had started writing a piece on the security implications of the VPN bans in Russia and China, but noticed this come out at the same time, and it highlights everything I wanted to say.
The ramifications of such actions by governments go beyond the prevention of cybercrime. They extend even beyond the restrictions on liberty which form the primary complaint of those standing against VPN bans. It appears that people often forget that a Virtual Private Network is for security: a method of creating a secure, private connection between two machines.
To ban a VPN, in any form, is like stripping away a secure layer for individuals and companies that has become so integral to IT that people don’t often realise they are using it. Worldwide, there are currently two stand-out approaches to limiting VPN access:
China – limits access to private VPNs, blocks VPN connections, bans VPN software providers, designs regulations to ensure that all data generated in China must stay in China, and then announces a ban on all use of VPN connections for 2018.
This approach essentially prevents not only individuals but also companies (particularly foreign companies operating in China) from linking any of their IT operations in China with the outside world. When it comes to security monitoring and data sharing, it means that data storage has to be within China, separate networks and security solutions will be required for a China-only network, and all IT administration must be done inside China. Essentially it is an IT sakoku*, hindering the security efforts of large companies operating within China and potentially crippling their business operations.
Russia – bans the sale of private-use VPN software, and tightens up regulations over ISPs to the point that none of them are in compliance.
This is short of an outright ban and can be seen as a middle ground. Ostensibly, this is aimed at individual users who either misuse a VPN to commit felonies or look to subvert justice or disagree with the government. This does not prevent businesses from abroad operating in Russia, but allows the government a certain amount of control over the internet and data transfer, as it is able to use the ISPs' non-compliance to put pressure on them to fall in line.
Both methods obviously show a certain amount of disregard for what we term ‘civil liberties’, but the reaction within each respective country has been vastly different. Russia, unable to put its information under the same levels of control as China, has suffered protests and disruption from the quiet announcement of these rules. China, on the other hand, has spent so long outside the scrutiny of the rest of the world that these regulations were common practice and the public is mostly unaware of any change to the conditions. However, because of this, the effects will be felt even more profoundly by any individuals or organisations connected to the world outside of China.
Limiting or preventing private VPN usage is spreading to nations trying to curb piracy, but none have taken such drastic measures as these two. So where does one draw the line?
From a security vendor perspective, one thing is clear – as in all countries, the security market will continue to grow exponentially in Russia and China, but only internally. There are even more knock-on effects from this, and it remains to be seen how the situation in IT security in these ever more closed-off states will evolve.
*Sakoku was the Japanese isolationist foreign policy from 1639 until 1853.
It’s true, a VPN is something many people think just lets you work around a firewall. If porn is blocked at your job, a VPN can help you with that. So China banned VPNs outright, making them illegal, to stop people from accessing censored content. On the one hand, you can’t completely stop people from finding a way around The Great Firewall. On the other hand, you can stop law-abiding citizens from doing so. When VPNs are outlawed, only outlaws will have VPNs.