Prohibition of foreign ERP: threats and risks

On March 29, 2006 deputies Gennady Gudkov and Alexander Khinshtein offered the draft of the amendment to the law "About Information, Information Technologies and Data Protection" which instantly excited country IT market. The initiative of use prohibition sounded in it "foreign program technical means in the strategic industries and on especially dangerous (important) objects of the Russian Federation" for information security support of data processing systems and their protection "from foreign foreign intervention" became the catalyst of interest in, apparently, small amendment in the law. And deputies understand as strategic and especially important objects not only the enterprises of military industrial complex, but telecommunication and the energy companies. Considering that, according to authors of the amendment, the foreign origin has 95% of the software used in Russia, it is easy to understand why "IT specialists" showed so high civil consciousness.

The lion share of discussions was devoted to the system software, first of all the Microsoft Windows operating system. Also the questions of use of foreign DBMS were raised. Actually the system software of Microsoft and Oracle, the most popular in Russia is certified on lack of not declared opportunities and can be used for work with the classified information. Problems with its application can arise only if the Russian origin of software tools is the prevailing requirement. However almost all of them can be resolved by means of use of software open source. In particular, there are Russian Linux distribution kits (ASP Linux and ALT Linux), there are operating systems based on ALT Linux intended for work with information which is the state secret (for example, OS of Yanuks). There is also Russian corporate Linter DBMS certified for work with the classified information, in case of insufficiency of its opportunities it is possible to use MySQL or Enterprise DB.

With ERP it will be more difficult

At the same time, effects of adoption of the proposed amendment for ERP systems practically were not discussed anywhere. Official SAP and Oracle were limited to comments in the spirit of "develop the Russian analogs of the systems of the similar level "it is useless and is impossible" and the western information systems "more than 30 years were developed" therefore it will be hardly possible to replace with something them. Certainly, representatives of the western vendors dissemble a little here. Especially in the light of aggressive merger of the new IT companies in recent years. Issues of integration of technologies of the purchased developers – one of key questions in this case. As the experts polled by the TAdviser Center note: "there is no century lag of Russia in respect of ERP in general".

"As for comparison of the western and domestic ERP systems, undoubtedly, in general the functionality of western is still broader. However, Russian get closer to them with great strides, often just repeating the western practices. I consider that complete leaving of the western systems from the Russian market would even be harmful to the Russian developers", – the chief expert of Kompas company, PhD in Technological Sciences Igor Jacobson comments to the TAdviser Center.

In not dependence on the aforesaid, the problem created by the patriotic legislative initiative is much wider, than just compliance or not compliance of opportunities of foreign and domestic ERP systems. According to comments of authors of the amendment, at its acceptance the domestic enterprises entering the strategic industries will be given "at least a year" on transition to use of domestic software. Certainly, regulation extends also to ERP systems. At the same time the enterprises which implemented at themselves foreign management systems (which there is a lot of), will fall into very difficult situation. It is doubtful that authors of the amendment up to the end understand all effects of emergence of such situation. Only users of the fourth and fifth releases of Baan ERP as the rights to their localized versions belong to domestic company "Alfa-Intergartor" will be immune to operation of the amendment to a case of its acceptance. As for the systems of SAP, Oracle, Microsoft, IFS, etc., all rights to them belong to foreign producers, and, therefore, they fall under operation of the amendment, with all that it implies.

What does the IT patriotism threaten with?

First of all, the client of the western vendors who was included in "black list" of the strategic industries at once loses all investments invested in IT without hope them somehow to pay back. At the same time it is important to understand that the strategic enterprises are usually rather big enterprises therefore orders of investments into IT are many millions of dollars here. Moreover, these losses, repeatedly increase because of need of implementation of other ERP system as without it the company will not be able just to work. At the same time financing sources of similar projects are not clear at all. On average, costs for implementation of the western ERP system taking into account the license and consulting make $5 – $20 thousand counting on one user. Even taking into account that implementation of the domestic systems costs cheaper, additional costs of the enterprises on data migration and reconstruction of necessary functionality on the new platform can quite lead to the fact that the total cost of similar projects will be compared or will even exceed similar costs for implementation of foreign ERP systems. For the state enterprises similar expenses are obviously not provided by the budget and hardly their research will be simple process.

The second aspect of a problem is the term determined for replacement of information systems which is one year. During this time it is possible to implement "easy" and, in some cases, even a "average" ERP system at rather small enterprise. As for implementation of complex automation of the large companies and holdings, about similar terms out of the question. Large ERP projects are implemented in terms from three to five years, and sometimes more. So that to correspond to objective reality, legislative initiatives of type offered by Gudkov and Khinshtein should provide a transient period not less than five years, and ideally it should correspond to "lifetime" of the ERP system. Then transition to domestic solutions will happen in the planned mode in process of technical obsolenscence of the used systems of foreign production. Besides, the accurate and detailed translation program of the strategic enterprises on the domestic software should be developed. "not pushchat the solution in style" will not yield any results, except negative.

Besides, it is worth returning to a question whether ERP systems of domestic production have in general a necessary functional filling which could provide requirements of the modern enterprises. Judging by examples of implementations, including at the defense enterprises, domestic goods are capable to solve the main objectives facing the systems of the class ERP. Among the specified solutions "Galaktika ERP", Parus and Compass are most known. At the same time, there is no complete confidence that they have scalability, necessary for large enterprises.

"Offers of deputies are made without any accounting of realities. And realities are like that that many strategic enterprises invested millions of dollars in purchase and implementation of foreign business applications. No economic cases for transition on, as a rule, weaker domestic software exist. Moreover, such transition is simply impossible as even domestic ERP systems "are ground" under western infrastructure software, DBMS and operating systems. The idea about what used on strategic objects of software should be transparent is clear. And here existence of an open source code is essential that is fair for some systems, in particular IFS Applications", – the head of marketing of IFS Russia&CIS Sergey Novikov noted in the comment to the Center.

However, the Russian developers are rather confident in the forces. As Mr. Jacobson considers: "Replacement of any software product is painful and labor-consuming and if there is no urgent need, then it is better not to do it. But if it is necessary, then I am sure that the domestic systems will be able perfectly to replace western. Certainly, something should be completed, but also foreign solutions in the course of implementation undergo significant completions. Besides, in the majority of projects rather small part of functionality of the western solutions which the domestic systems perfectly implement is implemented".

And things are right where they started

In addition, not clearly, on what in the draft of the amendment the main accent becomes: on the Russian origin of information systems, absence in them not declared opportunities or the level of information security provided with them. If only the question "origins", then domestic ERP systems, though with clauses is at the center raised, but will be able to apply for replacement of foreign solutions. If two other requirements, then "nationality" of their developers are imposed to information systems will not have absolutely any value. There are no reasons to believe that the ERP system of the Russian development automatically will not contain not declared opportunities and will provide the high level of information security. Truly and the return – only that the information system is developed abroad it cannot be considered as a priori of vulnerable and containing "tab".

To guarantee compliance of a system to requirements for reliability and on work with the classified information, it is necessary to perform the procedure of its certification on the conforming standards. In particular, are certified by Oracle E-Business Suite and SAP R/3 Enterprise 4.7 on compliance to requirements for protection against NSD, on lack of not declared opportunities only iRenaissance 5.1 is certified. And here domestic ERP systems in the register of FSTEC are not registered. Thus, study by legislators of the question of information security support at the strategic enterprises, raises serious doubts.

It is necessary only to hope that the amendment in its current form will not be adopted, and further will approach information security support and technology independence of the Russian Federation more deliberately and deeply. Most likely, initiatives of the similar plan should include a technical and economic case and be implemented in the form of the whole packet of bylaws, but not one prohibiting instruction. In an opposite case the note: "The severity of the Russian laws is compensated by non-obligation of their execution", will remain in force.

Sergey Sereda