The Duma will discuss the release of "white hackers" from responsibility for cybercrime

Carding 4 Carders

So-called "white hackers" acting in the interests of the state can be exempted from administrative and criminal liability for cybercrime. This issue was discussed at a visiting meeting of the State Duma Committee on Information Policy, said its chairman Alexander Khinshtein.

The MP recalled that today the launch of a program to search for vulnerabilities on the Public services portal (bug bounty) was announced.

Meanwhile, according to him, during the closed meeting, other situations were cited in which it would be possible to involve "white hackers" in the work.

"We also talked about the need for countermeasures. Because today we protect our resources not by counterattacking, but only by defending. Figuratively speaking, as colleagues described it: cyber attacks begin, and we lie down in the trench, cover ourselves under the parapet and wait for this attack to end. Although, of course, the most effective is counteraction, in military terms, the destruction of the enemy's firing point," Khinshtein said.

At the present time, such actions may be subject to liability. "The destruction of an enemy firing point, the location of which we do not know, is highly likely to fall under Russian administrative or criminal legislation, because it can be qualified as a crime in the field of computer information," Khinshtein explained.

"We have just discussed, as one of the options, the need to adjust this norm," he said.

"Figuratively speaking, when there is fighting and a soldier fires back, he is not responsible for the murder. The same situation should apply here. This is also a war. They just don't shoot live ammunition, but the consequences, unfortunately, can also be very severe," the head of the committee stressed.

A similar measure is planned to be discussed in relation to "white hackers" hired by companies, said Khinshtein, answering the corresponding question.

Crimes in the field of computer information are described in Chapter 28 of the Criminal Code of the Russian Federation. In particular, according to article 272 of the Criminal Code of the Russian Federation (illegal access to computer information), if serious consequences are caused or threatened, the maximum penalty is up to 7 years in prison.

---

The adoption of the bill on "white hackers", which proposes to introduce the concept of bug bounty in the legal field and changes to the Criminal Code, may be postponed due to dissatisfaction with the FSB and FSTEC. This is reported by Vedomosti with reference to sources in cybersecurity companies and interlocutors familiar with the discussion of the draft law.

The Ministry of Digital Development has been trying to introduce the concept of bug bounty into the legal field since the summer of 2022. According to one of the interlocutors from the cybersecurity company, the bill provides for amendments to article 272 of the Criminal Code on unauthorized access to computer information. The maximum penalty under this article is seven years in prison. Liability arises if illegal access has resulted in modification and copying of computer information.

However, the promotion of the draft law in its current form has been suspended due to the position of the FSB and FSTEC. According to a source from the newspaper, these agencies oppose the liberalization of the provisions of the Criminal Code and expressed a corresponding position at one of the working meetings on the draft law.

The publication sent requests to both agencies; the Ministry of Digital Development declined to comment.

Another source indicates that the position of the FSB and FSTEC was expressed by their employees at working meetings on the draft law at the Ministry of Digital Development. According to one of the interlocutors, the line between criminally punishable actions and legal ones is "very shaky", and "no one will change the Criminal Code".

The publication also reports that now rewards for finding vulnerabilities in information systems are offered by three Russian companies: Positive Technologies, Synclit and BI.ZONE. Artem Sychev, a representative of Positive Technologies, stressed that the bill will allow "activating those researchers who are afraid of any legal consequences," and the company participates in its discussion.

Luka Safonov, technical director of Synclit, also expressed the opinion that although his company did not participate in the discussion of the initiative on "white hackers", a bill aimed at regulating them is definitely necessary. He noted that in addition to Article 272 of the Criminal Code, "white hackers" may also face punishment under Article 273 of the Criminal Code ("Creation, use and distribution of malicious computer programs"). Safonov believes that the initiative may meet with opposition from law enforcement agencies "in terms of the possible legalization of computer crimes." According to him, the bill may not suit the pentesters themselves either, if it requires researchers to come out of the shadows, which many of them are definitely not ready for.

Lawyer Maksim Matsenko, head of the criminal practice at Vinder Law Office, believes that there is no problem with the legal vulnerability of "white hackers". He explains that a hacker's participation in a paid vulnerability search program implies that the companies participating in the project voluntarily provide their networks to be searched for vulnerabilities, which completely eliminates criminal liability, provided that the hacker does not go beyond the rights granted.

---

The State Duma has developed a package of bills on the legalization of "white hackers".

The initiative involves amendments to the Criminal Code of the Russian Federation aimed at eliminating possible risks of bringing to criminal responsibility persons testing the security of information systems.

MOSCOW, October 13. /tass/. Anton Nemkin, a member of the State Duma Committee on Information Policy, has developed a package of bills aimed at legalizing the activities of so-called white hackers in the Russian Federation.

"We have prepared a package of bills aimed at legalizing the work of "white hackers". Amendments are proposed to the Criminal Code (CC) of the Russian Federation, the Civil Code of the Russian Federation, as well as the federal law "On Information, Information Technologies and Information Protection," Nemkin told TASS.

He stressed that today conscientious testing of the security of an information system threatens those performing it with criminal liability. "Despite the obvious benefits that the work of "white hackers" brings, they are in a vulnerable position from the point of view of legislation. This is very strange, because the work on protecting the digital perimeter should be carried out in advance, and not in response to events that have already happened," Nemkin said.

In this regard, he explained, the initiative proposes to amend the Criminal Code of the Russian Federation, aimed at eliminating possible risks of bringing to criminal responsibility persons testing the security of information systems in accordance with the requirements of the law on information.

In addition, the amendments to the Civil Code would give persons who legally own a copy of a computer program the possibility of studying, investigating or testing the functioning of the program in order to identify vulnerabilities and correct obvious errors. At the same time, it is established that the persons who identified the vulnerability are required to transfer the relevant information to the copyright holder of the program. Thus, Nemkin stressed, the innovation "will allow to conduct vulnerability analysis in any form, without the permission of the copyright holders of the corresponding program, including the copyright holders of infrastructure and borrowed components."

"The third initiative introduces amendments to the law on information: amendments are proposed to fix at the legislative level the ability of the owner of information, or the operator of information systems, in the order and under the conditions determined by him, to carry out measures to identify vulnerabilities in information systems, including with the involvement of persons who are not its employees," Nemkin said. At the same time, he added, the government has the right to set requirements for the procedure and conditions for holding such events. According to Nemkin, the new rules will allow "to consolidate the mechanism for conducting measures to identify weaknesses in the security system that can be exploited by intruders, which will allow us to respond to possible threats in a timely and prompt manner."
 
White hackers proposed to finalize the bill on their legalization.

Earlier this year, the State Duma developed a package of bills aimed at legalizing the activities of "white" hackers in Russia. Almost immediately, it was supported by information security companies, but faced resistance from law enforcement agencies. At the discussion held on November 10 at the Center for Strategic Research (CSR), it became known that the "white" hackers themselves generally approve the bill and have specific proposals for its revision.

Discussion of the package of bills on "white" hackers in the CSR took place with the participation of its author, deputy, member of the State Duma Committee on Information Policy Anton Nemkin, "white" hackers, as well as representatives of the Ministry of Digital Development and business. In addition to legalizing the activities of ethical hackers, the initiative allows them to study and test software to identify vulnerabilities in order to correct obvious errors when they legally own them. At the same time, it obliges "white" hackers to transfer relevant information to the software copyright holder.

In addition, the amendments to the legislation provide for the possibility for the owner of information, the operator of information systems in the order and under the conditions determined by him, to identify system vulnerabilities, involving, in particular, third-party specialists. The Government also has the right to set requirements for identifying vulnerabilities.

All these innovations involve amendments to the Criminal and Civil Codes, as well as to the Federal Law "On Information, Information Technologies and Information Protection". They certainly seem appropriate: thanks to them, "white" hackers will be able to work more calmly and will be less likely to enter the "illegal field".

It is not for nothing that ethical hackers have already been legalized in many countries, including the United States. Moreover, there are even special platforms that unite white-hat hackers and companies that want to investigate their infrastructure for vulnerabilities.

The community of "white" hackers at the discussion, in particular, was represented by Marcel Dandamaev, who is engaged in ethical hacking. He voiced the main problems faced by "white" hackers. The main one, according to him, is the inability to fully interact with companies after the discovery of vulnerabilities.

"From the very beginning of my work, I regularly tried to contact employees of the companies whose infrastructure I researched, in particular, with support service specialists, looking for the necessary contacts. Sometimes I could reach them, sometimes I couldn't. Every year it becomes more and more difficult to interact with companies. As a rule, it is not possible to find the required communication channel in both public and private organizations. I will give a vivid example: I could not get in touch with one state organization for more than ten years, and when I did it turned out to be completely accidental," said Marcel Dandamaev.

Another problem, according to him, is the lack of the necessary response on the part of companies to reports of vulnerabilities discovered by "white" hackers. Only a fraction of organizations completely fix vulnerabilities after receiving information about them, while the rest live with the discovered vulnerabilities until the incident occurs. Moreover, companies that have fixed vulnerabilities often stop interacting with hackers, despite the fact that they could continue to receive messages about vulnerabilities from them.

"In turn, hackers are interested not so much in rewards, but in understanding that they are generally appreciated, as well as in personal development. For example, I was once very pleased to receive a T-shirt from the company after reporting a vulnerability. I would like to point out that organizations that don't respond to my notifications often end up among those affected by leaks. Therefore, I sincerely do not understand why such interaction is not regulated now," said Marcel Dandamaev.

According to him, in Russia it is necessary to create a platform that could simplify the interaction of "white" hackers with companies as much as possible. This system should verify them, determine their reliability, and, if they have passed through these procedures, allow them to post vulnerability reports. After receiving appropriate notifications, companies should contact hackers to clarify details or to thank them. At the same time, it is important that the specialists themselves are confident that the interaction with companies is completely safe.

Another problem of "white" hackers, according to Marcel Dandamaev, is their lack of confidence in the security of providing state institutions with data on vulnerabilities. In addition, they would be much more comfortable working if companies always treated their work correctly, knowing that they often find vulnerabilities by accident.

The position of the information security industry was voiced during the discussion by Aidar Guzairov, CEO of Innostage, an integrator and developer of services and solutions in the field of digital security.

"In fact, we are now in a state of undeclared cyber war, when unscrupulous hackers break into almost everything they can reach. In these circumstances, we understand that when building a defense, we must check its security in practice. It is extremely difficult to do this without attracting "white" hackers. In fact, their work is a time phenomenon that we cannot ignore. Therefore, the information security industry is very interested in developing regulations that allow creating conditions for expanding the scale of activities of "white" hackers," said Aidar Guzairov.

In a conversation with an Anti-Malware.ru journalist after the discussion of the draft laws, Anton Nemkin gave details of the work on them. According to him, the working group, which, in particular, includes representatives of the Ministry of Digital Development, the FSB, the Ministry of Internal Affairs and the FSTEC of Russia, discusses issues that arise for everyone related to the draft laws, as well as ideas for their revision. In general, now no one is against the initiative, so with a detailed study of all scenarios for the implementation of the bills, according to the deputy, it will be possible to make them optimal for everyone. However, this process will take at least a year.

"Having come up with this initiative, we proposed to start discussing its adjustments and additions. Of course, we can clearly see what risks it can entail. The main thing that is needed to exclude them is to oblige "white" hackers to register somewhere before testing, indicating at least an IP address, and leave a message about their intention to participate in it," said Anton Nemkin.

According to him, this procedure may also have its own nuances that need to be taken into account when amending the bills, for example those related to the use of a VPN. However, there is no need to overcomplicate everything, otherwise there will be a bureaucracy that will prevent the initiative from achieving its original goal of freer activity of "white" hackers in the country.
 
Domestic law enforcement agencies opposed the legalization of "white" hackers who search for vulnerabilities in software and services for money and by order of developers. This hinders the development of Bug Bounty programs in Russia – "white" hackers are quite justifiably afraid of criminal prosecution.

In Russia, white is not in fashion

Russian law enforcement agencies have issued a united front against the legalization of so-called "white" hackers in the country, writes RBC. This is the name of hacking specialists who use their skills for the benefit and at the request of developers – they search for vulnerabilities in their software and services so that they can fix them in advance. This is done so that they are not found and exploited by ordinary hackers. Bug Bounty programs are built on the work of "white" hackers all over the world – many large companies have such programs, they pay "white" hackers to search for vulnerabilities. This, for example, is officially done by Microsoft and Amazon. A common symbol of the white hacker movement is the white hat.

There are also entire Bug Bounty aggregators to make it easier for customers and performers to find each other. The most famous one is HackerOne, which after February 24, 2022 does not treat Russian specialists very well. Similar projects are also available in Russia – one of these aggregators was previously launched by the information security company Positive Technologies.

The Criminal Code should not be changed

The Ministry of Internal Affairs and the Prosecutor General's Office of Russia, as well as the Investigative Committee, jointly oppose the legalization of "white" hackers. All of them claim that there is no need to make any amendments to the Criminal Code of the Russian Federation that could legalize ethical hackers.

This attitude of the security forces to "white" hackers, according to RBC, became known during the discussion of these amendments in the State Duma on November 28, 2023.

In fact, the security forces opposed the initiative of the Ministry of Digital Development – the agency in the spring of 2022 began to promote the idea of legalizing such specialists. In March 2022, it came up with an idea to financially support ethical hackers, and in July 2022, it received a proposal to legalize them.

There was more to come. In January 2023, it became known about the plans of the Ministry of Digital Development to launch a Bug Bounty program to search for vulnerabilities in state information systems by "white" hackers. But the first signs indicating that it would not be easy to implement the idea of legalizing ethical hackers in Russia appeared back in March 2023. As reported by CNews, the Federal Security Service (FSB) and the Federal Service for Technical and Export Control (FSTEC) expressed their opinion "against".

In November 2023, CNews wrote that the Ministry of Digital Development will pay up to 1 million rubles to "white" hackers for hacking "Public Services". The agency plans to launch an annual program of testing "State services" and nine other information services by "white" hackers by the end of 2023.

Hackers are outlawed

Currently, the activities of ethical hackers as such are not regulated by Russian law. However, Article 272 of the Criminal Code of the Russian Federation ("Illegal access to computer information"), which implies up to seven years in prison, may well be applied to them. CNews wrote that "white" hackers do not particularly want to work in Russia, for fear of criminal prosecution under this article.

The head of the State Duma Committee on Information Policy, Alexander Khinshtein, also spoke out in favor of legalizing the activities of ethical hackers. In February 2023, he argued that such specialists should be released from responsibility, and added that there are plans to work out this issue.

However, the interim result is disappointing: more than a year and a half after the first initiatives of the Ministry of Digital Development concerning "white" hackers, the bill on legalizing such specialists has still not been submitted to the State Duma for consideration. The document itself, according to RBC, contains a whole list of relaxations: for example, its authors propose to give ethical hackers "the opportunity to study and test software to identify vulnerabilities and fix them", but oblige them to report the found "holes" to the software copyright holder; to provide the opportunity "for the owner of information and the operator of information systems to attract third-party specialists to identify vulnerabilities"; and to allow the Russian Government to "set requirements for identifying vulnerabilities" (currently they are set by the direct customer).

To implement the proposed draft law, the authors propose to amend not only the Criminal Code of the Russian Federation. Changes should also be made to the Civil Code of the Russian Federation and the law "On Information, Information Technologies and Information Protection".

What the security forces don't like

According to RBC, law enforcement agencies protesting against the idea of legalizing ethical hackers give the same arguments. So, the head of the Department for the investigation of cybercrime and high-tech crimes of the Department for the investigation of certain types of crimes of the Main Investigative Department of the Investigative Committee, Konstantin Komardy, claims that in Russia there is indeed a legislative opportunity to bring "white" hackers to justice, for example, for testing a particular information system commissioned by its owner. However, he stressed that "in practice, no one does this." "If a person enters into a contract, or he has an application for testing from the copyright holder of an information system or network, he is legally involved and creates a program for a specific case, his actions do not constitute a crime," he added.

Komardy claims that the main factor for bringing a "white" hacker to justice is the presence of guilt behind it. According to him, a hacker should commit a crime consciously, in an effort to cause harm – only in this case will there be a crime. "The Investigative Committee examined the amendments to the Criminal Code and concluded that they would be unnecessary," he concluded.

Alexey Alborov, Head of the Information Security Department of the Main Department of Legal Statistics and Information Technologies of the Prosecutor General's Office of Russia, shares an absolutely similar point of view. According to RBC, he was present at the discussion of amendments legalizing the activities of ethical hackers. He also says that such a specialist will only be blamed if he commits hacking with the aim of causing damage. "If we are talking about activities in the interests of the customer, this is not unauthorized access — there is no violation of the will of the copyright holder. Such activities do not apply to criminal liability, there is no fact of causing damage or violating public relations," Alborov said.

The opinion of Alborov and Komardy is also shared by the Interior Ministry, the newspaper writes. An unnamed participant of the meeting drew attention to the fact that if the amendments are adopted, ordinary hackers will pretend to be ethical, present a contract for testing the security of information systems in order to whitewash themselves in advance, and then break them for their own purposes.

It is worth noting that cooperation with hackers does not always benefit corporations. At the end of November 2021, CNews covered the situation in which Microsoft found itself: a "white" hacker, offended by the corporation, published a technique for turning any Windows user into an administrator. In his opinion, the corporation had significantly underpaid him as part of its program for finding errors in the products of the Windows ecosystem. Many of his "colleagues" agree with him.

Opinion of the opposite party

"White hackers" bring tangible benefits to the state, despite the fact that they are threatened with a year or two in prison, or a suspended sentence and a criminal record. For example, in May 2023, the Ministry of Digital Development reported that over 30 vulnerabilities of various levels of severity were identified by such specialists during the official Bug Bounty program on the public services portal.

But "white" hackers could work much more efficiently if their activities in Russia were given legal status. According to Vladimir Bengin, Director of Product Development at Solar Security (who was also present at the discussion of the amendments), more than half of all current Russian ethical hackers avoid entering the legal field. The reason is banal: they don't want criminal prosecution. "The possibility of such practices frightens industry representatives terribly; they are not lawyers. If amendments are made, and "white" hackers see this line in the Criminal Code, it will change the situation," Bengin said.

The "white" hackers themselves are very happy to be legalized and speak openly about it. On November 12, 2023, the Center for Strategic Research (CSR) held a meeting attended by ethical hacker Marcel Dandamaev, writes RBC. Dandamaev said that in the current reality, both private organizations and various state structures are very reluctant to contact "white" hackers, as a result of which it becomes difficult for the latter to inform them about the "holes" found in their systems.

According to Dandamaev, among the companies that ethical hackers have contacted, those that do not respond to their information about vulnerabilities, and do not eliminate them until ordinary hackers use them for their own purposes, predominate.
 
The Duma introduced amendments to the Civil Code of the Russian Federation aimed at legalizing “white hat” hackers.

According to the bill, if deficiencies in the safe use of a computer program are identified, it is necessary to report them to the copyright holder within five working days.

MOSCOW, December 12. /TASS/. A group of State Duma deputies led by Anton Nemkin, a member of the House Committee on Information Policy, submitted to the Duma a project aimed at legalizing the activities of so-called white hackers in the Russian Federation. The text of the document is posted in the Duma electronic database.

Amendments are being made to the article of the Civil Code of the Russian Federation which regulates the rights of the user of a computer program or a database. Thus, it is proposed to establish that a user who lawfully owns a copy of such a program can, without the permission of the author and without paying additional remuneration, study, research or test its functioning in order to identify shortcomings affecting its safe use. These actions can also be entrusted to other persons. At the same time, it is clarified that study, research or testing of the program can only be carried out in relation to copies of computer programs or databases operating on the user's own technical means. In addition, it is indicated that information about shortcomings identified by the user cannot be transferred to third parties, with the exception of the copyright holder. The bill also clarifies that if deficiencies in the safe use of a computer program are identified, they must be reported to the copyright holder within five working days.

According to current standards, a user who lawfully owns a copy of a computer program, without the permission of the author and without paying remuneration, can only carry out actions necessary for the functioning of this program, as well as make a copy of the program, provided that it is intended for archival purposes.

As the authors of the initiative note, currently, in order to test the security of the systems of Russian companies, "white hat" hackers need to obtain a large number of permissions from the copyright holder of each program that is part of the information system. "Performing security testing without such permissions may entail a violation of the copyrights of the relevant copyright holders and, accordingly, the need for compensation for losses or payment of compensation in the amount of 10 thousand rubles to 5 million rubles, or twice the cost of the right to use the corresponding program," states the explanatory note to the bill.

The new standards will allow “to conduct vulnerability analysis in any form, without the permission of the copyright holders of the relevant program, including the copyright holders of infrastructure and borrowed components,” the authors of the initiative note. As Nemkin previously told TASS, the bill was developed in a package with two other initiatives aimed at legalizing the activities of so-called white hackers in the Russian Federation. According to him, amendments will also be proposed to the Criminal Code of the Russian Federation and to the law “On Information, Information Technologies and Information Protection.”
 
A separate registry can be created for white hat hackers

The Federation Council, the FSB, the Ministry of Internal Affairs and information security (IS) companies are discussing the possibility of creating a register of white hackers and their certification. Three sources close to various information security companies told Vedomosti about this. According to them, the issue was discussed at a closed meeting of representatives of departments in early August.

Artem Sheikin, a member of the Federation Council Committee on Constitutional Legislation and State Building, confirmed that this issue is being worked out within the framework of the bill on white hackers. In September, the decision of the section of the Council for the Development of the Digital Economy under the Federation Council on this topic is expected to be signed.

The legalization of the activities of white hackers who check the reliability of information security protection of corporate and government IT systems has been discussed since the summer of 2022. Then the Ministry of Digital Development began to work on the possibility of introducing the concept of bug bounty into the legal field. It was planned to amend the law "On Information, Information Technologies and Information Protection" and Article 272 of the Criminal Code of the Russian Federation "Illegal Access to Computer Information".

However, in 2023, a number of law enforcement agencies opposed the legalization of white hacking. The law enforcement agencies were concerned that if the amendments were adopted, malicious hackers would begin to present documents on the conclusion of a contract for testing the information system in order to prove their innocence. In this case, it will be difficult to punish them.

In December 2023, a version of the bill developed by a group of deputies was submitted to the State Duma. The project amended the Civil Code of the Russian Federation, introducing the concepts of "white hacker" and bug bounty, and also determined the terms for notifying the company in the event of a vulnerability. However, the bill has not yet even reached the first reading in the State Duma.

Currently, vulnerability tests of the infrastructure are carried out under an agreement with the customer or as part of the bug bounty program, the rules of which are spelled out in the public offer. A number of large IT and information security companies have such programs. For example, in 2023, Gosuslugi was tested, during which 34 vulnerabilities were detected, most of which were of medium and low criticality. The maximum payout for the error found was 350,000 rubles.

A Vedomosti source in one of the large information security companies notes that the proposed measures to create a registry and certification should secure the work of bug bounty with significant objects, including critical information infrastructure (CII). In his opinion, this will legalize many areas related to offensive and preventive security, as well as eliminate the gray areas in which white hackers are now located.

However, the interlocutor points out the weaknesses of the initiative. In the current geopolitical situation, a publicly available registry of white hat hackers can become an important source of information for the enemy. In addition, the rigid bureaucratic requirements for joining the ranks of white hat hackers to participate in bug bounty programs can scare off potential participants. There is a fear that in this case, hackers will sell the vulnerabilities found not to companies for a fee, but to attackers.

Experts also note that the state does not yet have sufficient tools to monitor compliance with certification rules. In their opinion, this is where market tools should come into play. Experts suggest that the community will be against the proposed regulation, but those who want to work legally will be certified. The presence of a certificate can become the basis for the acceptance of the expertise of such hackers by companies and individuals.

Other experts consider the idea ill-conceived. In their opinion, this will lead to the fact that no one will want to seriously engage in the analysis of the security of critical information infrastructure and other systems, if this requires being in the register. They also express concern that in Russia, registries are often the target of leaks, which can pose a serious danger to the people in them. There are fears that personal sanctions by the United States and other countries may be imposed against such specialists, and their lives may be endangered.

• Source: https://www.vedomosti.ru/technology...lih-hakerov-mozhet-bit-sozdan-otdelnii-reestr
 
"White Hackers" on the Way to Legalization: What Will Change in Russian Cybersecurity?

The State Duma supported the bill in the first reading.

The State Duma of the Russian Federation adopted in the first reading a bill that will allow software testers to check software for vulnerabilities without the prior consent of the developers, the Parliamentary Newspaper reports. The bill provides an opportunity for companies to hire information security specialists, known as "white hat hackers", to identify and eliminate potential threats in security systems. It is important to note that information about the detected vulnerabilities will be transferred to software developers only if they are not located in countries recognized as unfriendly to Russia.

Anton Nemkin, a member of the Committee on Information Policy, Information Technology and Communications, stressed the importance of this bill in the context of the current "information war". According to him, "37 percent of domestic companies face computer attacks once a month," and in the first half of 2024, 350 thousand attacks were recorded, which is 16% more than for the entire previous year.

Nemkin compared the work of "pentesters" (penetration testing specialists) to an independent financial audit or third-party legal audits. He stressed the need to "systematically conduct an independent audit of the security of systems with the help of independent information security professionals".

The bill proposes to amend the Civil Code of the Russian Federation to allow the legal owners or users of programs to study, investigate or test their functioning without obtaining numerous permits from copyright holders. This will greatly simplify the process of identifying vulnerabilities, which can currently be considered copyright infringement, entailing fines from 10 thousand to 5 million rubles.

To protect the interests of software developers, the bill prohibits the transfer of information about the identified shortcomings to third parties. "White hackers" are required to report the vulnerabilities found to the copyright holder within five business days, except for cases where the copyright holder is a representative of an unfriendly state.

Anton Tkachev, First Deputy Chairman of the IT Committee of the State Duma, noted that the new law will allow software buyers to "check the quality of the product in the legal plane," which is especially important in the context of complex modern information systems.

Anatoly Wasserman, a member of the Education Committee and a former programmer, compared finding and fixing vulnerabilities to repairing a car or fitting clothes, stressing the "vital necessity" of such actions to ensure the security of software systems.

The bill is seen as a response to the growing threat of cyberattacks, many of which, according to Nemkin, are funded by unfriendly countries. The purpose of these attacks is to obtain personal data of citizens and disable critical systems.

Irina Yarovaya, Deputy Speaker of the State Duma, expressed concern about the possible impact of the changes on the protection of important databases. However, the developers of the bill assured that the risks are minimal, since only its legal owners will be able to study the software.

In conclusion, Wasserman suggested that developers and software buyers should use open source software as a safer alternative.