Regions of the Russian Federation create cyberattack response teams


Regional cybersecurity headquarters have begun creating special incident response groups (SIRT). In early March, such a project was approved in the Tver region, and there are plans to launch it in other regions in the near future. Experts believe the process may be preparation for decentralizing the FSB's cyberattack response system (GosSOPKA) to improve its operation. However, they emphasize that the effectiveness of the response teams has yet to be tested in practice.

In the regions of Russia, response teams for information security incidents are appearing within the framework of cybersecurity operational headquarters. The resolution on the creation of such a group, dated March 5, was published on the website of the Tver region government. The group will include representatives of government agencies in the region who are “most competent” in responding to cyber attacks.

The document says that the group should take part in eliminating the consequences of computer attacks in the region, monitor work to eliminate vulnerabilities in the infrastructure of government agencies and institutions, and prepare reports on the results of incident investigations. The group has the right to request additional information related to an incident from users of information systems and to involve employees of the affected institution in the investigation. The operational headquarters will coordinate the cybersecurity actions of executive bodies, conduct exercises on responding to information security incidents and monitor the implementation of recommendations from the FSB and FSTEC. The government of the Tver region did not respond to Kommersant.

In Moscow, the practice of creating operational response groups is already quite common, says RAD COP offensive security expert Nikita Kotikov. Their functions, he said, include detection of potential threats and investigation of attacks. A monitoring and response center has already been created in the Novosibirsk region; it is part of the State Budgetary Institution “Information Protection Center of the Novosibirsk Region”, which has been operating since March 2023, the regional government said. A Kommersant source in the government of the Ulyanovsk region clarified that a similar project is being prepared there: “Everything is being done according to the recommendations of the Ministry of Digital Development.” According to Kommersant-Udmurtia, the region is also discussing the creation of such a response group.

At the same time, Deputy Minister of Digital Development and Communications of the Amur Region Alexey Torutantov told Kommersant that he “knows nothing about such innovations.” A Kommersant source close to the government of Bashkortostan noted only that “it is very strange to see such a resolution in the public domain.”

The Ministry of Digital Development reported that, in order to standardize the work of cybersecurity headquarters, the regions are currently working with interested departments on “additional standard provisions.”

The idea of creating regional cyber headquarters was the government’s response to the sharp increase in hacker attacks on Russian IT infrastructure after the outbreak of hostilities in Ukraine. Regional governments, on behalf of Deputy Prime Minister Dmitry Chernyshenko, were supposed to complete the process by the summer of 2022, but not all of them made it on time.

Until now, the overall state system for ensuring cybersecurity, including within the framework of the GosSOPKA system (controlled by the FSB), has been consolidated: all information on incidents has flowed to the main center, notes Sergei Kuts, head of industry cybersecurity at Positive Technologies. According to the expert, the creation of response groups is preparation for the decentralization of GosSOPKA's work, which can become a positive factor. However, the effectiveness of the response groups and cybersecurity operational headquarters, Mr. Kuts emphasizes, “should be measured in terms of quality indicators, and not from the point of view of whether certain regulatory requirements have been met.” There is currently no available data on the results of the groups’ work.

Tatyana Isakova, correspondent network
