Software Piracy and Cybersecurity in Russia: Dangers, Causes, and Solutions

On May 12, 2017, the biggest ransomware outbreak in history spread like wildfire across the globe. Computer users in more than 150 countries saw a message pop up on their screen demanding $300 paid in bitcoin within three days. Failure to pay the ransom would lead to the deletion of all files stored on the computer, now encrypted by the attacker.

The attack was called WannaCry. It exploited a flaw in the Server Message Block (SMB) in Microsoft Windows, a vulnerability that was patched by Microsoft in March of that year, two months before the WannaCry outbreak. It spread like a worm, scanning and locating hosts, replicating itself to infect other exposed machines. For those who had updated their Windows software, WannaCry remained a news headline; many of those who did not watched their hard drives seized by an unseen attacker and wiped clean.

Russia was one of the hardest-hit countries during the WannaCry outbreak. An estimated 20 percent of affected computers were in Russia, including some in the Russian Postal Services, the Ministry of Internal Affairs, Russian Railways, and Megafon. Even the Russian Central Bank reported that some locations had been compromised “in isolated cases.”

The disproportionate impact of WannaCry on Russian computers can be attributed in large part to rates of software piracy in the country. According to The Software Alliance trade group, 62 percent of software in Russia in 2017 was pirated, nearly double the global average. Because pirated software doesn’t receive updates from the manufacturer, all those running pirated Windows software retained the SMB vulnerability, leaving their computer wide open for the WannaCry attack.

Dangers of software piracy

On May 12, 2017, the biggest ransomware outbreak in history spread like wildfire across the globe. Computer users in more than 150 countries saw a message pop up on their screen demanding $300 paid in bitcoin within three days. Failure to pay the ransom would lead to the deletion of all files stored on the computer, now encrypted by the attacker.

The attack was called WannaCry. It exploited a flaw in the Server Message Block (SMB) in Microsoft Windows, a vulnerability that was patched by Microsoft in March of that year, two months before the WannaCry outbreak. It spread like a worm, scanning and locating hosts, replicating itself to infect other exposed machines. For those who had updated their Windows software, WannaCry remained a news headline; many of those who did not watched their hard drives seized by an unseen attacker and wiped clean.

Igor Ivanov:
International Security and «Turbid Waters» of Cyberspace

Russia was one of the hardest-hit countries during the WannaCry outbreak. An estimated 20 percent of affected computers were in Russia, including some in the Russian Postal Services, the Ministry of Internal Affairs, Russian Railways, and Megafon. Even the Russian Central Bank reported that some locations had been compromised “in isolated cases.”

The disproportionate impact of WannaCry on Russian computers can be attributed in large part to rates of software piracy in the country. According to The Software Alliance trade group, 62 percent of software in Russia in 2017 was pirated, nearly double the global average. Because pirated software doesn’t receive updates from the manufacturer, all those running pirated Windows software retained the SMB vulnerability, leaving their computer wide open for the WannaCry attack. (It is worth noting that an unknown portion of the infected systems were not running pirated software, but legitimate software that was behind on updates or antiquated software, such as Windows XP, that is considered outdated and for which updates are no longer released.)

While piracy is often discussed in terms of economic impact (which is not small, totaling a direct loss of USD 43.6 billion in 2017 along with countless indirect losses) or ethical concerns (i.e., piracy is unfair to the creators of the original materials), the security implications of such widespread piracy are often overlooked. AV Test, an independent IT-security institute, registers over 350,000 new malicious programs (malware) every day. Based on the numbers provided by AV Test, incidences of new malware have been exponentially increasing, totaling 719 million new malware programs in 2017 alone. Not only are websites that offer pirated software downloads often malware hotbeds, but software piracy itself makes the job of an attacker far easier, leaving vulnerabilities in illegitimate software that manufacturers are otherwise working around the clock to patch up. These patches never make it to the pirated systems. Infected computers may fall victim to a ransomware attack like WannaCry, be searched through and robbed of personal and/or financial information, or become a tool for spammers and hackers to engage in mass spam email campaigns or distributed-denial-of-service (DDoS) attacks. It is in this way that pirated systems present a threat to the security of individual users as well as the global cyber ecosystem.

Why Russia?

Given all the risks of pirated software, why would so many Russian people continue to download and use pirated software, especially in the wake of WannaCry? The answer is complex and multifaceted, with origins in the days of the Soviet Union.

Starting in the late-1960s, the Soviet government institutionalized the practice of software piracy in an effort to bolster Soviet technological capability, industrial productivity, and data collection and organization. The Ministry of Radio Production copied the IBM 360 range of mainframe computers, later establishing a factory in Kazan to produce the unlicensed copies of IBM’s PC software en masse. As late as 1993, entire government ministries in the former Soviet Union were thought to still be using unlicensed copies of Western software, piracy having become so second-nature over the decades preceding that many Russian people believed some popular pirated PC applications came with every computer.

In other words, corruption - a major factor in software piracy rates, as offenders are often able to buy their way out of charges or to evade government attention entirely - surrounding the software industry and regulation of intellectual property was at an all-time high, establishing a solid foundation for what would become the impressively large pirated software market that Russia knows today.

For years, the international community pressured the Soviet Union to institute intellectual property protections for computer software from both domestic and foreign producers. To ensure its continued access to Western technologies, the Soviet Union agreed to join the Universal Copyright Convention in 1973. However, this did little to change things until after the dissolution of the Soviet Union, when the Russian Federation entered into a trade agreement with the United States in which Russia agreed to join the Berne Convention for the Protection of Literary and Artistic Works and enact a series of intellectual property laws (which did finally protect computer programs) in exchange for “most-favored nation” trading status with the United States. Intellectual property rights for software in Russia changed and quickly became more in line with internationally agreed upon standards as years went on, (ostensibly) protecting these programs from piracy.

Maria Gurova:
How to Tame the Cyber Beast?

However, more than two decades after the Russian Federation joined the Berne Convention, piracy rates remain abnormally high and have become a major cybersecurity challenge for the country. While piracy was originally engaged in by the government as the most expedient way of meeting the national objective of modernization (in the form of public computer use), today it’s private piracy networks that fuel the market, with the government working to halt piracy. These private schemes operate, at least in part, as legacies of the original government-funded piracy networks of the Soviet Union; the culture of government-sanctioned infringement of intellectual property rights may not have continued in its original iteration, but this culture fueled the rise of private software pirates who would learn from the government’s history of piracy, adopting the lucrative business model. It makes sense that a country which has a history of such corruption would see its software piracy rate remain higher than the global average even when the national rate decreases, as other nations do not hold this same history.

Another often cited determining factor in national rates of software piracy is GDP per capita or average income, an attempt to measure the connection between the economic power of individual citizens and the size of the pirated software market. Generally speaking, when GDP per capita increases, piracy rates decrease. Simply put, less disposable income makes the cost of purchasing legitimate software seem much more burdensome and drives would-be legitimate consumers toward pirated software, sold for a fraction of the price and, in the eyes of the public, providing equal benefit.

In the context of the Soviet Union, this makes sense; in 1990, directly before the fall of the Soviet Union, GDP per capita in the Soviet Union was approximately USD 3,485. This meant that computer software would have been particularly costly (in terms of percentage of disposable income) for an individual in the Soviet Union, pushing consumers toward pirated software during the initial popularization of the personal computer, both during the end of the Soviet Union era and immediately following.

According to the World Bank, GDP per capita in the Russian Federation didn’t break USD 10,000 until 2008, and has struggled to maintain this growth in the years since. In other words, Russian people are taking advantage of an underground economy that bears the legacy of Soviet-era corruption because outright purchases of legitimate software are just too expensive. The Windows 10 Home software currently costs RUB 8,699 to download, about 20 percent of average monthly income in the Russian Federation. It’s easy to see how this would be prohibitive. Spending 20 percent of your income sounds like a waste of money if you can purchase (what you believe to be) the same product for far less.

In short, software piracy has persisted in the Russian Federation at rates outpacing global norms as a result of (1) a well-established market infrastructure created by the Soviet government over the course of several decades of government-sponsored piracy, leaving a solid foundation for the introduction of ever more private software pirates, and (2) the high proportion of individual income represented by the cost of any given piece of computer software, pushing consumers toward less expensive, pirated versions of these programs.

Recommendations

The next logical question is, what is there to be done about it? The first step would be to implement strict anti-piracy laws, a direction in which the Russian Federation has been steadfastly moving for years. Already, the government retains authority to block websites that serve as markets for pirated goods (including pirated movies, television shows, music, books, and software), with enhancements to the Information Law as well as the Civil Procedure Code introduced as recently as May 2015. Under the Criminal Law of Russia, the potential punishments for “the acquisition, storage or carriage of counterfeited copies of works … for the purpose of sale” include a fine up to RUB 200,000, or a fine equalling up to 18 months of the convicted person’s income, or 480 hours of obligatory labor, or two years of imprisonment. It is safe to say that the Russian Federation no longer remains mired in the Soviet history of piracy toleration, and is taking legal steps to stamp out the pirated software market in Russia.

Dmitry Stefanovich:
Nuclear-Cybernetic Systems

Increasing GDP and income per capita would also, based on studies of the determinants of software piracy, lower rates of software piracy in the country. This can be achieved through greater educational opportunities, increases in government spending, increases in consumption, and engagements with new economic opportunities (such as the digital economy, in which Russian companies like Yandex are trying to become major players), to name a few methods. The Russian government is certainly focused on increasing national GDP, with Putin setting goals for the country for his current term that include becoming one of the world’s five biggest economies, maintaining GDP growth above the global average, and halving poverty. This, in theory, would have a significant (and potentially devastating) effect on the Russian pirated software market, as consumers would no longer see a need to seek out pirated software.

Until Russia is able to meet these targets, the private sector may be able to step in with innovative methods of halting software piracy. Austrian company Denuvo became notorious among video game pirates for creating a system that made a pirated game virtually unplayable. In this system, a unique key is generated for each copy of an Internet-enabled game and used as a method of verifying that it is being run on the correct (that is to say, original) machine. Game developers specify checkpoints in the game where this key would be authenticated, and if the key attached to the software doesn’t match the original purchasing machine, the game is assumed to be pirated and becomes unplayable.

Innovative upgrades to software protection systems like these have been proposed since the advent of blockchain technology. Some researchers suggest a transfer of a uniquely coded digital token (like an individual bitcoin) to each legitimate purchaser from the website of purchase, held in the individual’s digital wallet and used as verification of purchase of that particular software. Verification of each purchase in the blockchain theoretically prevents piracy by maintaining an unalterable, verifiable record of purchases and purchase locations in the ledger. It therefore becomes significantly more challenging to falsify a purchase.

It is difficult, however, to imagine software piracy disappearing when the public has no idea why it should. When we picture public anti-piracy campaigns, we typically conjure images of posters touting the unfairness of software piracy, or legal warnings about the consequences of software piracy before a DVD movie begins. While psychological studies often show that perceived deterrence is a big determining factor in an individual’s decision-making, laboratory studies on the likelihood of an individual to pirate software given varying likelihoods of being caught and punished have produced mixed results. This suggests that decisions regarding software piracy may fall outside of typical cost-benefit decision-making processes because of its long history of normalization. While considerations of ethics may deter individuals from pirating software, efforts in that direction have thus far remained largely unsuccessful, with consumers often arguing that their piracy does such imperceptible damage as to be considered negligible. A more effective anti-piracy campaign would focus on the dangers of pirated software, informing the public on their vulnerabilities to malware and ransomware due to security holes in pirated software. Software piracy should be presented as less an ethical quandary and more a question of personal, national, and global safety. It is not for large software companies that we ask you to stop purchasing pirated software, but for yourself, your data, and global cyber security. This is far more persuasive.

All of this being said, software piracy will likely never be completely eradicated. There will always be those who see the benefit of lower software prices as far higher than the cost of exposure to malware, and there will always be those who do not know that this cost is involved. To sit idly by, however, and make attacks like WannaCry that much easier for the perpetrators is to prematurely admit defeat. Not only as individual nations, but as an international community, work must be done to undercut the market for pirated software in order to protect the evolving international cyber security framework and the individuals that exist within and rely on it every day.