The new registry may become a target for geopolitical opponents.
The Federation Council, the Federal Security Service, the Ministry of Internal Affairs, and information security companies are discussing the possibility of creating a registry of white hackers and certifying them. Three sources close to various information security companies told Vedomosti about this. According to them, the issue was discussed at a closed meeting of representatives of these agencies in early August.
Artem Sheikin, a member of the Federation Council Committee on Constitutional Legislation and State Building, confirmed that this issue is being worked out within the framework of the bill on white hackers. In September, the decision of the section of the Council for the Development of the Digital Economy under the Federation Council on this topic is expected to be signed.
Legalization of the activities of white hackers, who check the reliability of the information security protection of corporate and state IT systems, has been under discussion since the summer of 2022. At that time the Ministry of Digital Development began working out how to introduce the concept of bug bounty into the legal framework. The plan was to amend the law "On Information, Information Technologies and Information Protection" and Article 272 of the Criminal Code, "Illegal access to computer information".
However, in 2023 a number of law enforcement agencies opposed the legalization of white hacking. They were concerned that if the amendments were adopted, malicious hackers would start presenting documents purporting to show that a contract for testing the information system had been concluded in order to prove their innocence, which would make them difficult to prosecute.
In December 2023, a version of the bill developed by a group of deputies was submitted to the State Duma. The draft amended the Civil Code of the Russian Federation, adding the concepts of "white hacker" and bug bounty, and also set a time frame for notifying a company when a vulnerability is found. However, the bill has not yet reached even its first reading in the State Duma.
Currently, infrastructure vulnerability testing is carried out under a contract with the customer or within a bug bounty program whose rules are set out in a public offer. A number of large IT and information security companies run such programs. For example, in 2023 the "Public Services" portal was tested, and 34 vulnerabilities were found, most of them of medium or low severity. The maximum payout for a single finding was 350,000 rubles.
A Vedomosti source at one of the major information security companies notes that the proposed measures, a registry and certification, are meant to make bug bounty work on significant facilities, including critical information infrastructure (CII), legally safe. In his opinion, this would legalize many areas of offensive and preventive security and eliminate the gray zone in which white hackers currently operate.
However, the same source points out the weak spots of the initiative. In the current geopolitical situation, a publicly available registry of white hackers could become an important source of information for an adversary. In addition, strict bureaucratic requirements for being admitted as a white hacker in order to participate in bug bounty programs could scare off potential participants. There is a concern that in that case hackers would sell the vulnerabilities they find to criminals rather than to the companies for a reward.
Experts also note that the state does not yet have sufficient tools to monitor compliance with certification rules. In their opinion, this is where market mechanisms come into play. Experts expect the community to oppose the proposed regulation, but those who want to work legally will get certified. Holding a certificate could give companies and individuals grounds to rely on such hackers' expertise.
Other experts consider the idea ill-conceived. In their opinion, it will mean that no one will want to seriously analyze the security of CII and other systems if doing so requires being in the registry. They also express concern that registries in Russia frequently leak, which could pose a serious danger to the people listed in them. There are concerns that such specialists could be subject to personal sanctions imposed by the United States and other countries, and that their lives could be in danger.
Source