The government and the FSB may have the right to independently determine the procedure and time for checking IT systems for vulnerabilities

The State Duma Committee on Information Policy and IT is preparing another bill aimed at legalizing the work of “white hat hackers.” In particular, it standardizes testing of information systems in the public sector and critical information infrastructure (CII). According to the document, the government and the FSB will have the right to independently determine the procedure and time for checking IT systems. Cybersecurity market participants welcome the initiative, but CII companies are wary of additional liability for the work of “white hat hackers.”

Kommersant has reviewed the bill aimed at legalizing the work of “white hat hackers”, which is being developed by the State Duma Committee on Information Policy, IT and Communications in addition to the document already submitted to the State Duma in December 2023. The first draft concerned companies’ right to engage such specialists, but not the organization of the process. The new bill proposes amendments to Art. 16 of 149-FZ “On Information” and clarifies on what grounds companies, including those with CII status, and government agencies have the right to engage “white hat hackers” and use Bug Bounty platforms (penetration testing of systems).

According to the document, companies will be able to organize such testing either through a direct agreement with the persons hired for it (“white hat hackers”) or by placing a public offer agreement to attract specialists. The government will have the authority to “establish requirements for the procedure and conditions” for testing by “white hat hackers.” These will apply to government agencies, including those of the constituent entities of the Russian Federation, local governments and CII subjects.

All activities will have to be approved by the federal security authority, the bill says. Kommersant’s interlocutor in the cybersecurity market believes that this body means the FSB.

The legalization of the work of “white hat hackers” has been discussed since 2022 against the backdrop of a sharp increase in cyber attacks on Russian IT systems after the outbreak of the conflict in Ukraine. At first, the idea of introducing “legal hackers” into the legal framework raised questions among law enforcement agencies: the Prosecutor General’s Office, the Ministry of Internal Affairs and the Investigative Committee opposed it (see Kommersant, November 29, 2023). Nevertheless, in December 2023, the State Duma received the first draft (amendments to Article 1280 of the fourth part of the Civil Code of the Russian Federation).

As Anton Nemkin, co-author of the draft and member of the State Duma Committee on Information Policy, IT and Communications, said in an interview with Kommersant in December, the first bill on “white hat hackers” changes the provisions of the law that do not allow such specialists to test information systems without permission from the copyright holder of each program (see Kommersant, December 29, 2023).

Mr. Nemkin told Kommersant that “the second draft is ready for submission, it is undergoing final approvals.” “You need to understand that now the legalization of white hat hackers is a necessity, since companies are already using their services,” he emphasized. However, Anton Nemkin noted, the Russian Bug Bounty market is in its infancy and is still very small: its volume in 2023 did not exceed 200 million rubles. The Ministry of Digital Development told Kommersant that it “has no information about another bill on this topic.”

Angara Security says that more than 40% of attacks on departmental IT infrastructure are related to malware, phishing and DDoS attacks on network equipment, websites and servers. “Controlled “white hat” hacking of government organizations, along with access to Bug Bounty, will allow us to identify critical problems more quickly and focus on investments in strengthening the security of the public sector,” the company believes.

However, representatives of CII companies call the initiative controversial. “Today, both the enterprises themselves and the contractors have already done a lot to ensure the security of the CII, supplied domestic hardware and programs from the registry, and assembled trained teams,” emphasizes Igor Golenky, commercial director of Uralenergotel. If new requirements begin to be introduced, he believes, enterprises “will be forced to find money for modernization, allow “white hat hackers” into their systems, and most importantly, bear responsibility if they violate something.”

Tatiana Isakova