Would Banning Russia From Getting Software Updates Make It Easier to Hack?

Ukraine asked the U.S. government to ban software updates to Russia, which should weaken the country’s cybersecurity. But the potential impact isn’t so clear.
Image: Andrey Rudakov/Bloomberg via Getty Images

Ukraine’s government asked the U.S. government to take several actions to retaliate against the Russian government for the invasion of its neighboring country on Thursday, including cutting off U.S. software updates.

In a list of “suggested actions” sent to President Joe Biden’s administration, the government of Volodymyr Zelenskyy asked for “a ban on the supply of any goods, including hardware and software,” as well as “a ban on the supply of any goods and technologies, incl. Software used in sectors of the Russian aviation industry, incl. in civil aviation,” and “a ban on U.S. companies supplying and updating software in the interests of Russian consumers.” 

The list was first reported by Reuters journalist Raphael Satter, who later wrote in an article that the list was circulated to American officials. 

The White House and the Treasury Department did not immediately respond to a request for comment.

“We don’t speak to allegedly leaked documents,” a spokesperson for the State Department said in an email to Motherboard. “The President will be speaking today to lay out additional elements of our response.”

The ban on software updates, specifically, captured the attention of cybersecurity experts. One of the most basic pieces of advice for consumers and companies is to make sure all software is updated to the latest version, because updates patch known vulnerabilities. If Russia were prevented from updating software, this would, in theory, make unpatched systems easier to hack.

Dmitri Alperovitch, a cybersecurity veteran and the chairman of the Silverado Policy Accelerator, told Motherboard in an online chat that such a ban is “just going to drive them even more towards open source [software].” The country has been trying to shift to using more open source software since 2010, with the government committing to removing Microsoft services in 2016. 

Joe Slowik, the threat intelligence and detections lead for cybersecurity company Gigamon, told Motherboard in an online chat that it would be possible to apply the ban, but it may affect the operations of U.S. companies in Russia, such as Microsoft, which has an office in Moscow. 

“I think the material cutoff (aviation components, etc.) is a lot more realistic than the software side of things given the long-tail into realms like smaller suppliers and firms that have operations outside of the U.S.,” he added.

Dr. Lukasz Olejnik, independent cybersecurity researcher and consultant, said that cutting off Russia from software updates is “quite a novel idea, with potential long-term consequences. Russia is for long developing its cyber sovereignty with this particular risk in mind.”

The potential impact of such a ban is unclear, but it could be significant.

“Notably, it would leave a lot of consumer devices open to cyberattacks, because of course blocking updates would also block security patches,” Olejnik told Motherboard in an email. “That would cause some infrastructural issues.”

Alan Woodward, a cybersecurity professor at the University of Surrey, said such a ban would be “more of a statement move than a practical implication.”

“Over time it of course means that the Russian based software diverges from the mainstream. Of course, it might cause little long term impact if the updates are allowed to resume later,” he added in an online chat. “If we isolate Russia completely technically they could theoretically go it alone but my experience during [the Cold War] was that their technology, even when direct copies of Western technologies, wasn’t that great.”
