The Ministry of Digital Development has published new cybersecurity rules for hosting providers

The state is introducing new cybersecurity rules for hosting providers. They will be required to connect to the FSB GosSOPKA system for countering cyber attacks, independently block resources through which cyber attacks are carried out, and transmit data on malicious traffic to the system. Companies will also have to take part in exercises to disconnect the RuNet from the global network. Market participants emphasize that the implementation of all these measures threatens to increase tariffs for customers and even creates the threat of a new type of attack on sites – through completely official blocking.

On September 14, the Ministry of Digital Development published a number of regulations devoted to the work of hosting providers (providing virtual hosting services for websites, etc.) and ensuring their security. The documents act as by-laws to the amendments to the Law “On Information” adopted by the State Duma in the summer, which regulate the work of providers. The amendments imply, in particular, the emergence of a register of domestic providers whose facilities can host state information systems.

Documents of the Ministry of Digital Development regulate the maintenance of the register of market participants, and also clarify the requirements for the protection of information when it is placed in the systems of hosting providers connected to the network. They will have to connect to the state system for detecting, preventing and eliminating the consequences of computer attacks (GosSOPKA; controlled by the FSB). If the system detects cyber attacks, such as DDoS, carried out through resources hosted by the hosting provider, it must block them within 12 hours.

Also, companies providing website hosting services will be required to provide GosSOPKA upon request within four hours with identifiers of dangerous resources (source and destination IP addresses, volume of data sent and received, etc.).

There are ten points in total in the requirements; Kommersant’s interlocutor at one of the hosting providers confirmed that until now there have been no such requirements. The Ministry of Digital Development clarified to Kommersant that the requirements of the projects apply to all players, “they are aimed at ensuring that the provider can ensure the safety of information and protect the infrastructure from hacks and leaks.”

In addition, the Ministry of Digital Development published a draft government decree according to which hosting providers will be required, along with telecom operators, to participate in exercises under the law “on the sovereign Runet” as part of its disconnection from the global network. Most providers already have the appropriate equipment installed to filter traffic and block prohibited resources, Kommersant’s interlocutor at one of the companies clarified. In his opinion, implementing the new requirement will not be difficult.

The hosting provider RuVDS believes that the initiative of the Ministry of Digital Development “shortens the path between GosSOPKA and the real owner of the site.” It will not entail the need to recruit new employees, but may lead to increased costs for integration with the system, says RuVDS CEO Nikita Tsaplin. The requirements of the Ministry of Digital Development are quite easy to fulfill, says Rustem Khairetdinov, General Director of the Garda Group of Companies, and connecting to GosSOPKA is not a financially burdensome process. However, he emphasizes, “partial compliance with the requirements will be paid for by clients of hosting providers, since, most likely, they will be transferred to more expensive service packages that imply advanced protection.”

The main difficulty for companies is that the regulations for canceling the blocking of resources through which attacks are carried out are not described, believes Andrey Arefief, director of innovative projects at InfoWatch Group. “An information resource can be hacked and used for a DDoS attack, which will lead to its blocking, but if the problem of the incident has been resolved and resolved, it needs to be restored. Attackers, in fact, can obtain a fairly legitimate way to freeze resources; this is one of the serious risks, and there must be mechanisms that will allow decent members of the Internet community to unblock their resources,” he believes.

Tatiana Isakova