The Ministry of Digital Transformation introduced the parameter of information security into the rating of digital transformation of government agencies


The Ministry of Digital Transformation introduced the parameter of information security (IS) into the rating of digital transformation of government agencies. Federal and state agencies are now required to provide monthly information on security measures for their IT systems, including Bug Bounty testing by white hat hackers. This program has not yet been enshrined in law due to disagreements with the security forces, but the Ministry of Digital Development hopes that its inclusion in the report can help increase attention to information security. At the same time, not all officials consider such work necessary, and experts emphasize that the problem of cyber defense of the public sector cannot be solved with reports alone.

Federal and regional executive authorities will begin to report on the cybersecurity of their IT systems, Kommersant was told at the Ministry of Digital Development. They specified that the Information Security indicator was included in the digital transformation rating in July and will be calculated on a monthly basis. Among the parameters are the creation of a structural unit for ensuring information security, import substitution in the field of cybersecurity, measures to assess the level of system security (including Bug Bounty, that is, penetration testing of IT systems by white hat hackers), etc.

In 2022, the Ministry of Digital Development proposed to introduce the concept of Bug Bounty into Russian legislation, ensuring the legal status of white hat hackers. However, the initiative raised questions from law enforcement agencies, in particular because of the risk of illegal access to significant data, says Kommersant’s source in the government, so “the relevant bill has not yet been formalized.” As a result, the ministry itself “encourages the public sector to master the testing mechanism, in particular through information security reporting.”

The Minister of Digital Development and Communications of the Nizhny Novgorod Region, Alexander Sinelobov, told Kommersant that information security reports are already being prepared there. A number of ministries and municipal authorities of Crimea told Kommersant that in some of them “civil servants are trying to work in a new format in a test mode” and “tentatively, the majority consider the introduction of such reporting a necessary step.”

However, not everyone shares this point of view. For example, Kommersant’s source in the government of Bashkortostan said that the region “does not see the need to prepare such reports, since all IT is already centralized in the Ministry of Digital Development.” The Ministry of Digital Development of Udmurtia simply admitted that “they do not carry out such work.”

The number of cyberattacks on Russian government agencies and infrastructure has been steadily growing since the outbreak of hostilities in Ukraine. The number of network attacks alone increased by 40% year-on-year by mid-summer (see Kommersant of July 8). At the same time, government agencies are not increasing but even reducing purchases of protective equipment: in the first half of the year, the volume of tenders decreased by 15% in monetary terms and by 4% in quantitative terms (see Kommersant of August 21).

“Regular checks and ratings will allow us to move away from “paper IS” to a risk-based approach,” says Roman Prosvetov, deputy head of the security analysis department at Angara Security. Initiatives like Bug Bounty allow professionals to increase efforts to analyze the security of IT systems, agrees Pavel Kuznetsov, director of products at Garda Technologies.

But Positive Technologies cybersecurity business consultant Aleksey Lukatsky emphasizes that the search for vulnerabilities for a fee is only the tip of the iceberg: “It’s not enough to place systems on the Bug Bounty platform, you also need to have built-in processes that will allow you to eliminate detected holes in the perimeter of IT systems.” Also, experts doubt that monthly reports can seriously improve the situation with information security. The technical director of IT Bastion Dmitry Mikheev admits that “such an impact on information security is better than nothing, but at the level of authorities it will be hardly noticeable.”

Tatyana Isakova; regional editions of “Kommersant”
