It is difficult for regions to decode – Newspaper Kommersant No. 201 (7402) of 10/28/2022

Six months after the order of the Ministry of Digital Development to remove the codes downloaded from abroad, regional state sites continue to use them, follows from the monitoring of the public movement “Information for All”. Every second site of local governments uses Google services, and the function of protecting external resources from spoofing is not configured on any of them. State sites are required to follow the rules, but their violation threatens only with a fine of up to 5 thousand rubles, the authors of the study note. Experts, however, consider the requirement of the Ministry of Digital Development to be superfluous: the use of foreign code on websites does not pose risks in the case of a normal organization of information security.

“Kommersant” got acquainted with the report of the public movement “Information for All” on the cybersecurity of the websites of regional authorities. According to the study, 99% of such resources still use third-party components that are not part of the information systems on which they work. Of the 170 sites analyzed in September, 102 download third-party code from resources from countries declared unfriendly by the Russian authorities. Code for YouTube, reCAPTCHA (spam protection service) and other Google services was found on every second regional site.

The Russian authorities drew attention to the use of foreign codes on state websites after the outbreak of hostilities in Ukraine. Then massive cyberattacks were launched on the pages of Russian departments. Deputy Prime Minister Dmitry Chernyshenko instructed the Ministry of Digital Transformation to develop measures to protect the information infrastructure. The ministry ordered regional government agencies to remove codes downloaded from foreign resources from their websites by March 11 (see Kommersant on March 6). “Kommersant” sent inquiries to the office of Mr. Chernyshenko and the Ministry of Digital Development.

Now employees of departments do not bear serious responsibility for the use of unsafe components on government sites. Thus, the corresponding article of the Code of Administrative Offenses (part 1 of article 13.27) provides for a fine of 3-5 thousand rubles. “In addition, the practice of law enforcement under this article is small, mostly because until 2022 even the Prosecutor General’s Office was limited to unsubscribing or “descent” of appeals to the regions,” explains Yevgeny Altovsky, coordinator of the State Site Monitor project. According to him, the problem is exacerbated by low salaries in regional government agencies and the low qualifications of their site administrators.

From the fact that state sites use content from third-party resources, there are no problems for their visitor, says IT specialist Philip Kulin. He notes that in a normal situation, government agencies themselves do not encounter problems: “Another issue is that administrators cannot control what other people’s resources are hosting.” Problems for users may arise only when it comes to personal data leaks, but this is already the level of “the insides of the public services website”, and not downloading content from the outside, Mr. Kulin adds.

The country of origin of an Internet resource is not important from the point of view of cybersecurity, Alexey Lukatsky, a consultant at Positive Technologies, adds: “Everything can be compromised, and security must also be assessed for everything.” For example, the hacking of the “Government Site Monitoring” system (developed by the Ministry of Economy) in March allowed attackers to place an anti-war banner on the resources that used its counter. By September, the counter was preserved at five regional sites, the study said.

There is a possibility that foreign owners of resources may block access from Russia, “but this is more of an organizational risk,” added Dmitry Ovchinnikov, chief specialist of the Gazinformservice complex information security systems department. From hacking, according to him, “only competent maintenance and protection of their information resources, and not a separate technology, can save.”

Yuri Litvinenko