Large IT companies are asking to postpone the new requirements of the Ministry of Digital Development for the security of hosting providers

Large IT companies providing virtual hosting services for data and websites (hosting providers) have prepared comments to the order of the Ministry of Digital Development, which tightens their responsibility for the actions of hackers. Providers believe that the entry into force of the order in December will not provide the opportunity to implement all the necessary measures, and will also entail additional costs. But the Ministry of Digital Development sees no reason to postpone the deadline.

“Kommersant” got acquainted with the reviews of large IT companies and telecom operators on the draft order of the Ministry of Digital Development, which strengthens the security requirements for hosting providers, and also, from December 1, makes them responsible for the use of traffic by attackers for cyber attacks.

We are talking about amendments to the changes to the law “On Information” adopted by the State Duma in the summer, which regulate the work of hosting providers. By-laws outlining new responsibilities for companies were published in September. According to them, providers are required to connect to the FSB GosSOPKA system for countering cyber attacks and themselves block the resources through which cyber attacks are carried out and transmit data on malicious traffic to the system. If an attack organized through clients’ resources is detected, the provider must block them within 12 hours (see Kommersant of September 15).

MTS, which also provides hosting provider services, fears that in its current form, the amendments threaten companies with liability for “the actions or inactions of persons to whom computing power is provided if they are used for computer attacks.” This follows from the company’s conclusion, published on the draft order page. In the event of a successful attack on IT systems, if they have the category of significance of a critical information object, those responsible at the hosting provider face criminal liability (Article 274.1 of the Criminal Code of the Russian Federation), MTS emphasizes. However, conceptually the company does not criticize the order, but only proposes to postpone its entry into force to January 1, 2025.

The implementation of all measures requires the design of a protection system for hosting providers, the allocation of additional funds, carrying out procurement procedures for the required additional equipment and software, their installation and commissioning, recruiting and training the necessary specialists to operate additional software and hardware, MegaFon says in its review. . The company also believes that the date of entry into force of the order should be postponed to 2025.

Yandex believes that a number of amendments need to be made to the project, which will allow providers to independently determine how to optimally build a response to the actions of hackers and avoid additional costs for traffic analysis tools. For example, leave in the order only the requirement to “identify” intrusions into IT systems through traffic transmission channels, removing from it the requirement to “prevent” them. Yandex and MTS declined to comment; MegaFon did not respond to Kommersant.

“We consider comments and proposals, in particular on delaying the entry into force of the order, to be logical – the market needs time to build up and integrate into new realities,” says RUVDS General Director Nikita Tsaplin. He considers the ideas of market participants reasonable and “without significant excesses in anyone’s direction.” According to the expert, they “could be the basis of a compromise between the market and the state.”

However, the Ministry of Digital Development told Kommersant that they saw no reason to adjust the order: “The project posted by the ministry was worked out with the industry, the expert community and interested authorities. Based on the results of public discussion, it has already been adjusted taking into account the proposals.”

Tatiana Isakova