The Bank of Russia fears a violation of the operational reliability of banks if Roskomnadzor blocks a number of foreign VPN services in Russia. To do this, the Central Bank wants to know which VPNs Russian banks use and for what purposes. The regulator sent a letter to the supervised organizations on August 26 asking them to specify which VPN service the organization uses, for what, from which IP address and who is responsible for all this. “Vedomosti” got acquainted with the document, the representative of the Bank of Russia confirmed the distribution of the letter “to a number of financial organizations.” Its receipt was confirmed by representatives of the banks “FC Otkritie” and “Renaissance Credit”.
The Bank of Russia considers it important to consult with financial institutions in order to prevent a violation of their operational reliability if foreign VPN services are blocked in Russia, says a representative of the Central Bank. In the letter, the regulator listed the VPN services in question: Psiphon, Tunnelbear, Thunder, Redshield and others similar to them. If a bank uses VPN services for its production needs, then if they are blocked, the bank’s services or services will stop working, says a representative of Otkritie Bank.
VPN (virtual private network) allows you to provide a network connection over another network (for example, the Internet). Using a VPN, you can open sites and services blocked by Roskomnadzor (RKN) in Russia. Banks use VPN services mainly to ensure the security of remote work of employees: through virtual networks, they connect to banking systems, explained an interlocutor of Vedomosti from the information security service of a large bank.
Several months ago, Roskomnadzor began blocking VPN services to combat circumvention of restrictions and access to content prohibited in Russia. Since June 17, the agency has restricted the use of VPN services VyprVPN and OperaVPN. On June 30, RKN announced plans to introduce centralized control over a means of circumventing restrictions on prohibited information. It was also about VPN services. RKN sent a request to the departments with a request to inform about the use of VPN to ensure the work of technological processes of enterprises and organizations. At the same time, the work with services was allowed to continue to those companies that use them for continuous technological processes. By law, VPN services and anonymizers are required to restrict users’ access to prohibited sites from November 2017.However, the requirement applies only to services that received a notification from the RKN and connected to the federal state information system – it contains information about prohibited sites.
The representative of the RKN did not respond to a request from Vedomosti.
The letter from the Central Bank says that there is no need to send a response if the bank does not use the specified VPN services in its work. Renaissance Credit does not use third-party VPN services, so the bank has nothing to say to the Central Bank, says Dmitry Sturov, head of the bank’s information security department.
Earlier, the Bank of Russia also sent out another letter on a similar topic: the regulator asked whether VPN was used for transactions with clients and whether the service would suffer in the event of a general shutdown of the corresponding services, a source from a large retail bank told Vedomosti. Another question that interested the regulator is whether the provision of remote services will suffer if the VPN is blocked, he continued.
The Central Bank is probably collecting information from supervised organizations so that the RKN does not block the use of VPN from their IP addresses or establish some special exceptions, says Alexey Lukatsky, business security consultant Cisco Systems. VPN technology itself is not good or bad, but using it to bypass blocking is against the law and can be punished for. The Administrative Code provides for punishment for telecom operators, and there was also a discussion of possible sanctions for other persons, Lukatsky explained.