Russia’s Would-Be Windows Replacement Gets a Security Upgrade

For the first time, Russia has granted its highest security rating to a domestically developed operating system, deeming Astra Linux suitable for communications of “special importance” across the military and the rest of the government. The designation clears the way for Russian intelligence and military workers who had been using Microsoft products on office computers to use Astra Linux instead.

“There is hope that the domestic OS [operating system] will be able to replace the Microsoft product. Of course, this is good news for the Russian market,” said German Klimenko, former IT advisor to Russian President Vladimir Putin and chairman of the board of Russia’s Digital Economy Development Fund, a venture capital fund run by the government. Klimenko spoke to the Russian newspaper Izvestia on Friday.

Although Russian officials used Windows for secure communications, they heavily modified the software and subjected Windows-equipped PCs to lengthy and rigorous security checks before putting the computers in use. The testing and analysis was to satisfy concerns that vulnerabilities in Microsoft operating systems could be patched to prevent hacking from countries like the United States. Such evaluations could take three years, according to the newspaper.

A variant of the popular Linux open-source operating system, Astra Linux has been developed over the past decade by Scientific/Manufacturing Enterprise Rusbitech. In January 2018, the Russian Ministry of Defense said it intended to switch to Astra Linux as soon as it met the necessary security standards. Before that, the software had been on some automated control systems, such as the kind sometimes found on air defense systems and some airborne computer systems.

It’s another example of Russia’s self-imposed IT exile, along with the efforts to disconnect the country from the global Internet by 2021 and to create its own domain name service.

"The Russian government doesn't trust systems developed by foreign companies to handle sensitive data, due to fears of espionage through those systems,” said Justin Sherman, Cybersecurity Policy Fellow at New America. “Using domestically produced technologies to manage sensitive data is just another component of the Kremlin's broader interest in exercising more autonomy over the digital machines and communications within its borders."

Sam Bendett, research analyst with the Center for Naval Analyses’ International Affairs Group, said, “One of the main sticking points for the Russian government was the fact that imported operating systems had vulnerabilities and back doors that Moscow thought could be exploited by international intelligence agencies…This is essentially Russia ensuring its cybersecurity against potential intrusions.”

It’s unsurprising that Moscow distrusts Microsoft software, given that Russian-developed malware, like the NotPetya virus used against energy targets in Ukraine, exploits vulnerabilities in Windows.

Sherman says that while the Russian government may find Astra Linux a suitable substitute for Windows, it’s not a serious competitor anyplace else. There’s no particular reason for others to use this bespoke variant of Linux. Also suspicion of Russian software has been rising internationally. The country’s most successful and recognized software company, Kaspersky, can no longer sell its wares to the U.S. government. Last May, the cybersecurity firm opened a “transparency lab” in Switzerland in an attempt to assuage jittery European customers.

“If this operating system were to be marketed outside of Russia, the prospects likely aren't great,” Sherman said. “Astra Linux doesn't exactly have worldwide foothold compared to the systems it's 'replacing' within Russia, and this is only compounded by the fact that just as the Russian government has security concerns about software made in other countries...Other countries may very well have security concerns about using software made in Russia and endorsed by the Russian government.”

But, says Bendett, a potential client list for Russian software does exist outside of Russia, just as there is for Russian anti-aircraft systems. "There is a  growing list of nations that will probably want to have its main government and military systems run on an OS from a nation more friendly to their interest – like Syria.. or other countries where Russia is seeking to make inroads. So the possibility for export definitely exists."