Cloudflare is resisting requests to fully shut off its services in Russia, saying that such a move would hurt Russian citizens and likely be “celebrated” by Putin’s government. “[W]e have received several calls to terminate all of Cloudflare’s services inside Russia,” CEO Matthew Prince wrote in a blog post yesterday. “We have carefully considered these requests and discussed them with government and civil society experts. Our conclusion, in consultation with those experts, is that Russia needs more Internet access, not less.”
Prince said Cloudflare has seen “a dramatic increase” in users on Russian networks navigating to international media sites, “reflecting a desire by ordinary Russian citizens to see world news beyond that provided within Russia. We’ve also seen an increase in Russian blocking and throttling efforts, combined with Russian efforts to control the content of the media operating inside Russia with a new ‘fake news’ law.”
Prince noted that over the past few years, Russia’s government “has threatened repeatedly to block certain Cloudflare services and customers.” His blog post argued that a Cloudflare cutoff would be welcomed by the Russian government:
Indiscriminately terminating service would do little to harm the Russian government but would both limit access to information outside the country and make significantly more vulnerable those who have used us to shield themselves as they have criticized the government.
In fact, we believe the Russian government would celebrate us shutting down Cloudflare’s services in Russia. We absolutely appreciate the spirit of many Ukrainians making requests across the tech sector for companies to terminate services in Russia. However, when what Cloudflare is fundamentally providing is a more open, private, and secure Internet, we believe that shutting down Cloudflare’s services entirely in Russia would be a mistake.
Our thoughts are with the people of Ukraine and the entire team at Cloudflare prays for a peaceful resolution as soon as possible.
Ukraine Vice PM sought Russia cutoffs
Ukraine Vice Prime Minister Mykhailo Fedorov last week asked Cloudflare to shut off service in Russia, writing that “Cloudflare should not protect Russian web resources while their tanks and missiles attack our kindergartens.”
Fedorov separately asked ICANN (Internet Corporation for Assigned Names and Numbers) to revoke Russian top-level domains such as .ru, .рф, and .su; to “contribute to the revoking for SSL certificates” of those domains and to shut down DNS root servers in Russia. ICANN CEO Göran Marby declined the request, saying that only “broad and unimpeded access to the Internet” can provide “reliable information and a diversity of viewpoints.”
“ICANN has been built to ensure that the Internet works, not for its coordination role to be used to stop it from working,” Marby wrote. He warned that “tak[ing] unilateral action to disconnect these domains” would “have devastating and permanent effects on the trust and utility of this global system.”
Some Russian websites use Cloudflare
Cloudflare offers a variety of free and paid services to improve the security, reliability, and speed of websites. A Bloomberg article today said that “a range of Russian websites rely on Cloudflare services in various capacities. The pro-Kremlin news website Pravda.ru, which on Feb. 28 published an editorial questioning the legitimacy of Ukraine’s borders, uses a Cloudflare proxy service that aims to mitigate attacks.” Russian disinformation sites like news.ru, topwar.ru, and donbasstragedy.info “use Cloudflare’s content delivery network to quickly load Internet pages, as well as Cloudflare DNS.”
Andrii Bezverkhyi, a Ukrainian who is CEO of US-based security company SOC Prime, last week urged Cloudflare, Akamai, Amazon Web Services, and other companies to suspend services in Russia and Belarus. “DDoS protection should not be given to Russia in any way, shape, or form,” Bezverkhyi told Bloomberg.
Bloomberg also quoted the co-founder of a Ukrainian security company urging the US to block companies like Cloudflare from operating in Russia:
Yegor Aushev, co-founder of Kyiv-based cybersecurity company Cyber Unit Technologies, is helping organize a makeshift Ukrainian coalition of hackers that has carried out cyberattacks targeting Russian government assets. He said in an interview he wants the US to block American companies from providing such services to Russia.
“If you defend it, you support it,” Aushev said. “This needs to be stopped.”
Akamai said it has suspended sales efforts in Russia and terminated business with state-owned companies but has “made a deliberate decision to maintain our network presence in Russia.” Amazon said its Web Services division “has no data centers, infrastructure, or offices in Russia, and we have a long-standing policy of not doing business with the Russian government. Our biggest customers using AWS in Russia are companies who are headquartered outside of the country and have some development teams there.”
Cloudflare complies with sanctions
While Prince said that Cloudflare won’t cut off services in Russia, the company is complying with new sanctions against the country. “The scope of new sanctions issued in the last few weeks have been unprecedented in their reach, frequency, and the number of different governments involved,” he wrote.
Cloudflare already had “a robust and comprehensive sanctions compliance program that allows us to track and take immediate steps to comply with new sanctions regulations as they are implemented,” Prince wrote. Since Russia invaded Ukraine, “our team has ensured that we are complying with these new sanctions as they are announced. We have closed off paid access to our network and systems in the new comprehensively sanctioned regions. And we have terminated any customers we have identified as tied to sanctions, including those related to Russian financial institutions, Russian influence campaigns, and the Russian-affiliated Donetsk and Luhansk governments.” Prince expects more sanctions from various governments and said Cloudflare will “continue to move quickly to comply with those requirements as they are announced.”
Helping Ukraine
Prince also detailed actions that Cloudflare has taken to help Ukraine, which he said has faced a “steady stream of DDoS” and other attacks amid Russia’s invasion. Cloudflare “extend[ed] our services to Ukrainian government and telecom organizations at no cost” and is “expediting onboarding of any Ukrainian entities for our full suite of protections,” he wrote.
Cloudflare “moved customer encryption key material out of our data centers in Ukraine, Russia, and Belarus,” Prince wrote. “Our services continued to operate in the regions using our Keyless SSL technology, which allows encryption sessions to be terminated in a secure data center away from where there may be a risk of compromise.” He continued:
If any of our facilities or servers in Ukraine, Belarus, or Russia lose power or connectivity to the Internet, we have configured them to brick themselves. All data on disk is encrypted with keys that are not stored on site. Bricked machines will not be able to be booted unless a secure, machine-specific key that is not stored on site is entered.
Cloudflare is also monitoring Internet usage patterns in Ukraine. “While usage across the country has declined over the last 10 days, we are thankful that in most locations, the Internet is still accessible,” Prince wrote.
