Targeting Russia’s IT Dependencies

Computers and Information Technology (IT) are ubiquitous. Nations, organizations, infrastructure, economic sectors, schools, and homes use computers for everything from architecture and research to weapons systems design. Russia is particularly dependent on western software for manufacture of military materiel as well as energy extraction—the backbone of Moscow’s ability to fund its war in Ukraine, and the U.S. Treasury’s Office of Foreign Assets Control (OFAC) has recently taken critical steps to hinder Russia’s ability to use U.S. IT and software services.

OFAC’s New Determination on IT and Software Services

A new determination issued by OFAC pursuant to Executive Order (EO 14071)—Prohibiting New Investment in and Certain Services to the Russian Federation in Response to Continued Russian Federation Aggression—applies prohibitions on the exportation, re-exportation, sale, or supply, directly or indirectly, from the United States or U.S. persons to any person in Russia of IT consultancy and design services and IT support services and cloud-based services for enterprise management software and design and manufacturing software.

⏰ The effective date for OFAC’s prohibition on IT consultancy, design service, and support for certain IT services is September 12, 2024, giving U.S. persons three months to implement changes.

Computer data centers and cloud file storage services contribute to the resilience of Russia’s economy and support Moscow’s ability to wage war in Ukraine, according to a recent report from the Yermak-McFaul International Working Group on Russian Sanctions at Stanford University’s Freeman Spogli Institute for International Studies. The Russian energy sector relies on modeling software and cloud services, using AI and big data to enhance efficiency and reservoir engineering and modeling software for the design, management, and exploitation of oil and gas deposits, according to the report. Western software dominates the Russian energy industry, and Russia continues to access and use these advanced software systems.

Although Russian laws mandate that cloud providers store data only in Russia, the working group paper highlights that “key virtualization software, network equipment, and related infrastructure are designed and developed by western companies.”

The Institute for Financial Integrity’s article in February focused on exhausting Russian resources by imposing restrictions to limit Russia’s access to western software, underscoring ongoing global efforts to hinder Russia’s ability to use western technologies.

OFAC’s recent determination does just that.

Key Definitions and Examples

What are “cloud-based services” for “covered software,”—currently defined as “enterprise management software” and “design and manufacturing software?”

OFAC’s new Frequently Asked Question (FAQ) 1186 defines cloud-based services as the supply of software and associated services via the internet or the cloud, including through Software-as-a-Service (SaaS).

OFAC also provides examples of activities that would be prohibited by the new determination if provided to Russian entities not owned or controlled directly or indirectly by a U.S. person.

• A U.S. company sells a cloud-based enterprise resource planning software subscription to a Russian company.
• A U.S. employee of a third country company provides customer support services to a Russian company that is experiencing technical difficulties with its human resources software.
• A U.S. company provides a software patch to a Russian company to fix a bug in its computer-aided design software.

The new determination complements new regulations by the U.S. Commerce Department’s Bureau of Industry and Security (BIS), which issued additional measures in its continued efforts to constrain Russia’s aggression in Ukraine.

OFAC also clarified that “IT consultancy and design services,” include both IT consultancy services and IT design and development services for applications, consistent with the UN Central Production Classification (“CPC”) Codes 83131 and 83141, respectively. In a new FAQ (1187), the agency noted that:

• The provision of IT consultancy services includes “providing advice or expert opinion on technical matters related to the use of information technology, such as: (a) advice on matters such as hardware and software requirements and procurement; (b) systems integration; (c) systems security; and (d) provision of expert testimony on IT related issues.”
• “IT design and development services for applications” includes services of designing the structure and/or writing the computer code necessary to create and/or implement a software application, such as: (a) designing the structure of a web page and/or writing the computer code necessary to create and implement a web page; (b) designing the structure and content of a database and/or writing the computer code necessary to create and implement a database; (c) designing the structure and writing the computer code necessary to design and develop a custom software application; (d) customization and integration, adapting (modifying, configuring, etc.) and installing an existing application so that it is functional within the clients’ information system environment.

The Yermak-McFaul working group paper highlights the reliance of Russian IT systems on western technologies, which provide support not just for Russia’s military, but also the energy and extractive and financial sectors. Russia is almost certainly aware of how vulnerable critical sectors of its economy are to western disruption and is already focusing on mandating Russian alternatives, diverting resources from the battlefield in Ukraine.

• Russia in 2022 spent more than 5 trillion rubles on the development of a “digital economy that included the creation, distribution, and use of digital technologies for Russian companies, as well as household spending on digital technologies. As of May 2019, Russia has spent 66 billion rubles on the development of information infrastructure under its “Digital Economy” program, recognizing the risks of depending on foreign software.
• Russian president Putin in May 2024 signed a decree which mandates that at least 80 percent of Russian companies in key economic sectors transition to Russian software by 2030 to reduce Russia’s dependency on foreign IT products. To that end, Russia may charge domestic companies that continue to use foreign software.

OFAC notes in its FAQ (1184) that the aim of the new directive is not to prohibit all activity relating to the provision of IT and software-related services to Russia, but rather to limit Russian defense industry’s access to western IT systems and the flow of certain software-related services to Russia. However, OFAC recently assessed that Russia has completed its transition to a full wartime economy, suggesting that IT services are targeted as part of the support system Russia’s military requires to conduct its aggression in Ukraine.

Commerce Department Restrictions

BIS took additional actions in coordination with OFAC’s determination and new designations in mid-June, further cutting off exports of business software that help enable Russian and Belarussian military capabilities. The new restrictions include the export, reexport, or transfer (in country) of certain types of software to Russia and Belarus, even when not specifically identified on the Commerce Control List, with the goal of hindering Russia’s and Belarus’s military industrial sector’s access to modern software infrastructure.

BIS now requires a license to export, re-export, or transfer to Russia or Belarus of EAR99 software (classification of technologies that fall within the scope of the Export Administration Regulations but are not specifically controlled for export). This includes enterprise resource planning (ERP), customer relationship management (CRM), business intelligence, supply chain management, project management, computer-aided design, and other types of software.

EAR99 items can generally be exported without a license, but exporters of these items still need to ensure that the item is not going to an embargoed or sanctioned country, a prohibited end-user, or used for prohibited purposes.

Key Takeaways

The new regulations appear to mirror at least some of the recommendations listed in the Yermak-McFaul group’s working paper—including efforts to ensure that western companies stop providing updates and technical support for software used by Russian entities linked to the country’s military-industrial base—and echo those implemented by the EU and the UK after Russia’s invasion.

• The EU’s eighth package of sanctions, imposed in October 2022, prohibited the provision of IT technology and IT consultancy services to Russia. In addition, the EU in December 2023 removed an exemption for the provision of services necessary for software updates for non-military use.
• The UK, as of December 2022, prohibited UK persons from providing, among other things, IT consultancy and design services to a person connected with Russia.

In response to EU sanctions prohibiting services necessary for software updates, global IT giant Microsoft in March stopped its cloud services from working in Russia. Russian IT firm Softline also has advised Russian users of Microsoft, Google, and Amazon services to store their data on local servers in response to the restrictions.

OFAC provides several examples of prohibited activities under the new determination. A U.S. company, for example, cannot sign a contract with a Russian company to upgrade the Russian firm’s IT systems. A U.S. consulting company cannot advise a Russian company how to best procure the types of software and hardware needed for its operations. U.S. companies cannot design or create custom-made software for the Russian company and cannot modify existing web applications for the Russian company’s internal IT purposes. And a U.S. person working in a third country cannot sign a contract with a Russian company to design the company’s sales website.

Multinational companies that provide IT services, software, consulting, and other related work to clients located in Russia should closely evaluate their exposure to continuously expanding sanctions and strategic trade controls before the September 12 deadline. Resources such as IP blocking and geolocation tools, as well as closer evaluation of indicators of diversion or evasion will be necessary to remain in compliance.