Cloudflare co-launches project to protect critical infrustructure, but says it will not pull out of Russia

Ukraine had recently requested Cloudflare to stop protecting Russian sites from cyberattacks

Despite multiple requests to cease operations in Russia, major web infrastructure firm Cloudflare said Monday that it would continue offering certain services in the country, as people there need greater internet access, not less.

Cloudflare CEO Matthew Prince stated in a blog post that the company has received several calls in recent days to shut down all of Cloudflare's services inside Russia. However, after consulting with government and commercial sector experts, Cloudflare has decided that people in Russia need more internet access at this time.

He added that that Cloudflare has seen a dramatic surge in requests from Russian networks to international media, showing a desire by Russian citizens to read news beyond that provided by Russia.

The statement comes days after Mykhailo Fedorov, Ukraine's digital transformation minister, urged the company to stop safeguarding Russian web resources and services from attacks.

"I am sure that you will not only listen, but also do everything possible to protect Europe, Ukraine and the whole democratic world from this bloody, authoritarian aggression," Fedorov stated in a letter to Cloudflare.

"Therefore, I demand to disable [Russian Federation] sites from Cloudflare and block the ability to use your services."

Fedorov argued that Cloudflare should not safeguard Russian web-based resources when their tanks and missiles are targeting elementary schools in Ukraine.

In addition to protecting websites against distributed denial of service (DDoS) assaults, which overwhelm servers with traffic in an attempt to prevent them from functioning, Cloudflare also helps them operate quicker.

Another major DDoS mitigation company, Akamai, stated on Monday that it would maintain its network presence in Russia, although it would suspend all sales efforts in Russia and Belarus while also terminating business with state-majority-owned Russian and Belarusian customers.

Also on Monday, Cloudflare, CrowdStrike and Ping Identity - three big cloud security and identity authentication providers - announced the launch of Critical Infrastructure Defense project, an initiative designed to bolster the cyber-preparedness of sensitive infrastructure in vital sectors in the United States, including hospitals, electricity utilities and water utilities, by providing qualifying companies with free services and assistance.

The three commercial organisations say that the project grew out of discussions with cybersecurity and government experts who have warned of an increased risk of cyberattacks from Russia, which has been subjected to major international sanctions, including its banks being barred from participating in the SWIFT financial system.

"In particular, there is a fear that critical United States infrastructure will be targeted with cyberattacks," Cloudflare said.

"While these attacks may target any industry, the experts we consulted with were particularly concerned about three areas that were often underprepared and could cause significant disruption: hospitals, energy, and water."

To help meet that demand, the three companies have agreed to provide a wide range of their products for free for at least the next four months to any hospital, energy or water company located in the United States.

Cloudflare said that US companies are not powerless in the face of cybercriminals, and organisations that have embraced a zero trust approach to cybersecurity have been successful in neutralising even the most determined of cyberattacks.

In January, the White House released a memo instructing federal agencies to officially move towards a zero trust approach to cybersecurity, to lower the risk of cyberattacks against the government's digital infrastructure.

The document spells out dozens of security measures that federal agencies must implement in the next two years to secure their systems and networks, and to limit the risk of security incidents. They include widespread encryption, multi-factor authentication, and more rigorous network segmentation.

Federal agencies have until the end of fiscal year 2024 to meet the strategy targets.