Do you need to worry about blocking web access to specific countries?
Have you ever wondered whether your business should be blocking access to or from websites in certain countries? The answer is: it depends on a few things.
What type of business are you, and do you regularly do business with those countries? I have always tried to be very careful with this topic because people are very important, and a lot of people get wrongly caught up in stereotypes, especially in cybersecurity. The fact that some threat actors originate in China, DPRK, and Russia does not mean that the people from those countries are innately nefarious. Plenty of threats originate from US-based systems. It is entirely possible for a threat actor physically in location A to appear to come from location B and compromise a system in location C. So I want to be very clear that the advice in this post is objective and based purely on guidance from the US government for US-based entities.
Let's be clear: it is not illegal to sell something to most countries, and it is not illegal to simply view a web page hosted in a certain country. What is sanctioned, governed, or restricted is specific content, specific transactions, and specific business interactions.
I'm going to focus on two primary sources: OFAC sanctions programs and DOJ's 28 CFR Part 202. These are the two sets of US government rules you should be interested in, especially if any of the following are true about your business:
You do business with any country subject to an OFAC sanctions program
You collect consumer information of US persons
You store, transmit, or process US government information
eCFR :: 28 CFR Part 202 -- Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons
Source: https://www.ecfr.gov/current/title-28/chapter-I/part-202
Essentially, two scenarios are restricted here:
Sending bulk sensitive personal data of US persons (the threshold varies by data type; for example, biometric identifiers for 1,000 or more US persons) to, or allowing it to be accessed from, China (including Hong Kong and Macau), DPRK, Iran, Russia, Cuba, or Venezuela, or persons covered by the rule
Sending any US government-related data (no volume threshold) to, or allowing it to be accessed from, the same countries
If either of those could apply to you, it is probably in your best interest to geo-block traffic to and from those locations. That means more than the corporate web filter: SFTP, cloud storage services like Box and Dropbox, email, and any other channel that carries the data. Geo-blocking does not satisfy the rule by itself (the rule has its own security requirements, and, as noted above, an actor can route through a third country), but it is a strong mitigating control that reduces accidental exposure.
But we do business in those countries
The best approach is to deny by default, then allow access for specific, named users who understand the regulations and have a documented business need. Keep that exception list short and review it periodically.
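Here is a small model of that policy, as an added example rather than anything from the original post: a default-deny decision for the countries of concern, a fail-closed result when geolocation is unknown, and a per-user exception list for the staff who have been briefed. The IP-to-country table, the user names, and the log lines are constructed for illustration and are not real address allocations; in a real deployment the decision lives in the proxy or firewall and the lookup uses a maintained GeoIP database.

```python
"""Geo-block policy model: default-deny for countries of concern, with
per-user exceptions. Added example; the CIDR table, users, and log lines
below are constructed for illustration and do not reflect real allocations."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Countries of concern under 28 CFR Part 202. Hong Kong and Macau are listed
# separately because GeoIP feeds return HK/MO rather than CN for them.
COUNTRIES_OF_CONCERN = frozenset({"CN", "HK", "MO", "KP", "IR", "RU", "CU", "VE"})

# Constructed IP-to-country table (hypothetical ranges, not real allocations).
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("192.0.2.0/24"), "RU"),
    (ipaddress.ip_network("192.0.2.128/25"), "HK"),  # more specific than the /24 above
    (ipaddress.ip_network("2001:db8::/32"), "CN"),
]

# Hypothetical users who have been briefed on the regulations, mapped to the
# countries they are allowed to communicate with.
EXEMPT_USERS = {"alice": frozenset({"CN", "HK"}), "bob": frozenset({"RU"})}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    country: str
    reason: str


def lookup_country(ip: str) -> str:
    """Longest-prefix match of ip against GEO_TABLE; 'XX' if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in GEO_TABLE:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, cc)
    return best[1] if best else "XX"


def evaluate(remote_ip: str, user: Optional[str] = None) -> Decision:
    """Decide whether a flow to/from remote_ip is allowed.

    Unknown geolocation is denied: a failed lookup must not become an allow.
    Countries of concern are denied unless the named user has an exemption
    on file for that specific country.
    """
    cc = lookup_country(remote_ip)
    if cc == "XX":
        return Decision(False, cc, "geolocation unknown; fail closed")
    if cc not in COUNTRIES_OF_CONCERN:
        return Decision(True, cc, "country not restricted")
    if user and cc in EXEMPT_USERS.get(user, frozenset()):
        return Decision(True, cc, f"exemption on file for {user}")
    return Decision(False, cc, "country of concern; no exemption")


# Constructed proxy log lines: "<user or -> <remote ip>".
SAMPLE_LOG = [
    "alice 203.0.113.5",
    "bob 192.0.2.10",
    "carol 192.0.2.200",
    "- 2001:db8::1",
]


def filter_log(lines):
    """Apply the policy to log lines and return the ones that would be denied,
    each with the country and reason appended."""
    denied = []
    for line in lines:
        user, remote = line.split()
        d = evaluate(remote, None if user == "-" else user)
        if not d.allowed:
            denied.append(f"{line} DENY {d.country}: {d.reason}")
    return denied


if __name__ == "__main__":
    for entry in filter_log(SAMPLE_LOG):
        print(entry)
```

The two things worth copying into a real policy are the fail-closed branch and the per-country scoping of exemptions: a user cleared to work with a partner in Hong Kong should not thereby get a path to Russia.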
OFAC
There is no single "country list" from OFAC. There are comprehensive embargoes on a few countries, sanctions that apply to geographic regions, and list-based sanctions (such as the SDN list) that apply to specific persons and entities who happen to be in those regions. OFAC sanctions do not generally restrict web browsing as such; what they prohibit ranges from transferring money to any dealings in the property or interests of a blocked person. You should consult an attorney to understand when, where, and how this applies to your business. If you're a bank, you should already be aware of this from a fraud and transaction-monitoring standpoint. If you're not a financial institution, whether it applies depends on your type of business and on who you are doing business with and where. Here is more info about OFAC: https://ofac.treasury.gov/sanctions-programs-and-country-information