MOSCOW, December 12. The first of a package of bills aimed at legalizing the activities of “white” hackers in Russia has been submitted to the State Duma, said one of the authors of the initiative (available), member of the State Duma Committee on Information Policy, Information Technologies and Communications Anton Nemkin.
The authors of the bill — representatives of the Digital Russia party project Anton Nemkin, Gennady Panin and Igor Markov, and of the State Duma Committee on Information Policy, Vyacheslav Petrov and Anton Tkachev — propose to make a number of amendments to Article 1280 of Part Four of the Civil Code of the Russian Federation.
“Against the backdrop of an increased number of attacks on Russian information systems, our country needs regulation that will bring work with such specialists to the legal level. ‘White’ hackers work to determine the logic of potential criminal hackers, modify vulnerabilities and strengthen the protection of information systems and resources. Therefore, such specialists must be protected from the point of view of the law,” said Anton Nemkin.
As the authors of the project explain, today, in order to test the security of systems of Russian companies, “white hat” hackers need to obtain a large number of permissions from the copyright holder of each program that is part of the information system. Performing testing without such permissions may result in copyright infringement. In this case, “white hat” hackers may be required to pay compensation in the amount of 10 thousand rubles to 5 million rubles, or twice the cost of the right to use the corresponding program.
“Based on this, the bill provides for the possibility of studying, researching or testing the functioning of programs by a person who legally owns a copy of a computer program or a copy of a database, in order to identify its vulnerabilities in order to correct obvious errors,” the authors of the initiative note.
According to the bill, “white hat” hackers must inform the copyright holder about identified vulnerabilities within five working days from the date of their discovery, except in cases where it was not possible to establish his location, place of residence or address for correspondence.
The adoption of the bill will allow vulnerability analysis in any form, without permission from the copyright holders of the relevant program, including copyright holders of infrastructure and borrowed components, the documents note.
Russia today is one of the leaders in the development of digital technologies, but our legislation does not yet correspond to modern trends — there is no possibility of testing digital services for vulnerabilities, emphasizes First Deputy Chairman of the State Duma Committee on Information Policy Anton Tkachev.
“It looks like this — the owner of the service hires a tester, a so-called ‘hacker’, who must find out all the weak points and provide a report on them. It would seem that these are necessary actions for the operation of a digital product, but the law provides for criminal liability for such actions. It is necessary to provide the possibility of such actions so that all test ‘hacks’, which are a necessary element of security, leave the gray zone,” he said.
First Deputy Chairman of the Committee on Regional Policy and Local Self-Government, coordinator of the Digital Russia party project in the Moscow region, Gennady Panin also notes that while current legislation allows a program to be tested only to ensure its general performance and to adapt it to the user's application needs, the amendments shift the focus to ensuring information security.
“Thus, the right is granted to make changes without the permission of the copyright holder of the corresponding program, including the copyright holders of infrastructure and borrowed components, and without remuneration to him. That is, legally owning the program, the user will not only be able to customize the product, but also investigate it from the security side: test how vulnerable it is and make the required changes. We believe this is especially important in the current situation of digital threats from unfriendly countries, intentional and accidental data leaks. The ultimate goal is to increase information security in terms of studying programs and testing,” he added.
The work of “white” hackers should become today as common and necessary a tool as, for example, an independent external audit of financial statements or third-party legal audits of various aspects of doing business commissioned by entrepreneurs themselves, one of the authors of the bill, Nemkin, is sure.
“Today, it is important for government agencies and corporations, which often themselves have their own staff of qualified IT specialists, to systematically involve ‘white hat’ hackers as independent professionals who, for their part, will check the security of information systems and either make sure of their reliability or identify vulnerabilities and give recommendations for eliminating them… When testing IT systems for strength, a ‘white hat’ hacker acts on behalf of and with the consent of the owner of such a system and does not commit anything illegal. Our goal is to ensure that this is secured in legislation, and that the specialists themselves receive more freedom to work for the benefit of the state,” the deputy notes.