Ethical hacking in Russia: will there be a transition to the legal plane

Father

Recently, the world has been paying more and more attention to cybersecurity and data protection. Russia also raises the issue of a law on ethical hacking, which would regulate the activities of specialists who search for vulnerabilities in information systems. But what will this law be and when can it be expected?

What is ethical hacking and why is it needed?

Ethical hacking is the search for vulnerabilities in the customer's system or software in order to improve security. This type of hacking is important because it allows you to prevent potential cyber attacks, check computer systems for strength and readiness for attacks, and train employees in cybersecurity.

Ethical hackers can find vulnerabilities before they are exploited by cybercriminals, which helps improve system security and prevent data leaks. But from the point of view of the law, there is no difference between white hackers and cybercriminals.

Konstantin Rodin
Head of the IT Bastion Product Development Department

We in the industry have experience in using pentests and bug bounty programs designed to help businesses find vulnerabilities in their information networks and investigate software for errors by professional "white" hackers. But there is no legally established basis on which they can act.

Any researcher is now in limbo from the point of view of the law. Their actions and the software they currently use can easily be classified under several articles of the Criminal Code of the Russian Federation. On the one hand, we want everything to be perfectly safe and secure, so that we check our systems and software for possible workarounds and bugs. But, on the other hand, we do not have clearly and specifically formulated criteria by which this can be done. I believe that if such a law appears, it will boost the pentest market and bug bounty services, as well as generally have a very positive impact on the industry.

Perhaps our legislators should study the experience of their colleagues from those countries that have already legalized and introduced clear definitions: who is a "white" hacker, what is "ethical hacking", etc. After all, analysis and testing in information systems is a really necessary process that helps them improve. However, it is important not to forget about the legitimacy of all such actions and the "pure" legal status of their perpetrators.

We can say unequivocally: until we introduce the concept of "ethical hacker" into the legal field and clearly define the limits of what is allowed for him, it will not become easier to ensure the cybersecurity of the country's infrastructure and business, and the market for such services will remain half in the shadows.

At the moment, there are no specific legislative initiatives regulating ethical hacking in Russia. However, there are some laws and regulations that may cover aspects of ethical hacking.

For example, Article 272 of the Criminal Code of the Russian Federation establishes criminal liability for accessing computer information without the owner's consent. There are also laws on personal data protection and information security that can be applied to hacking situations.

Relevance of the issue in Russia

The issue of cybersecurity is very relevant for today's Russia. After all, every year the number of cyber attacks on public and private organizations, as well as on citizens, increases. This poses a threat to data privacy, the stability of information systems, and financial security.

In recent years, the government and private companies have been actively working to strengthen cyber defenses and respond to threats. However, prevention and control of cyber threats require constant updating and improvement of protection methods. In this regard, the issue of cybersecurity remains a priority for all participants in the information and communication environment in Russia and requires constant attention and resources for effective protection against cybercriminals.

Dmitry Khomutov
Director of Ideco

The law on ethical hackers is in demand in Russia more than ever. In 2023 alone, more than 300 million accounts were made publicly available as a result of company security breaches by hackers. Naturally, criminal liability is provided for such frauds. However, legalizing the activities of "ethical hackers" will protect them from falling under Article 272 of the Criminal Code of the Russian Federation, which provides for liability for unauthorized access to legally protected computer information.

There is no denying that attackers can pretend to be "ethical hackers" in order to gain benefits and avoid liability. However, international practice shows that regulating their work at the legislative level is beneficial both for the seekers of "gaps" in the organization's system, and for the enterprises themselves to eliminate the vulnerabilities that have appeared. Therefore, such a law is necessary in Russia.

Everyone involved in the field of information security is looking forward to the development of special laws or regulations that will regulate the activities of ethical hackers and establish rules and standards for conducting such actions within the framework of the law.

Expected changes and consequences of the adoption of the law

Like everything else in this world, the Ethical Hackers Act can have two sides of the coin — positive and negative consequences. The advantages include the following:
  1. Developing a culture of cybersecurity: the law can help raise awareness of cyber threats among companies and citizens, as well as encourage the introduction of measures to protect against cyber attacks.
  2. Improving the security of information systems: ethical hackers can help identify vulnerabilities in information systems and eliminate them before attackers take advantage of them.
  3. Increasing professionalism in the field of cybersecurity: creating a legal framework for the work of ethical hackers will contribute to the development of the profession in Russia and attract talented specialists in this field.
  4. Improving Russia's reputation in the international community: the adoption of the law on ethical hackers can have a positive impact on the country's reputation in the eyes of the world community, showing its readiness to fight cyber threats.

But experts believe that there will be a lot of disadvantages from the introduction of such a law.

Zarema Shikhmetova
Security Analysis Specialist at Gazinformservis

Negative consequences include the following:
  1. Insufficient regulation. Incorrect application of the ethical hacker status or its abuse can lead to security breaches and leakage of confidential information.
  2. Lack of a single standard. Different countries may have different approaches to defining and regulating the status of an ethical hacker, which can create confusion and ambiguity.
  3. Risk of fraud. Some individuals may abuse the status of an ethical hacker to carry out illegal activities under the guise of legality.
  4. Most people are faced with the main problem: determining the correct understanding of legal and ethical aspects in this area.

Thus, the adoption of the law on ethical hackers may have positive consequences for cybersecurity and information security in Russia, but requires careful regulation and control by the state.

Forecasts about the timing of the law's adoption: wait or not wait

Currently, it is difficult to predict exactly when such a law will be adopted. Recently, several publications appeared in the media about the draft law. But the Ministry of Digital Resources denies promoting such initiatives. What is the reason for the delay in making a decision on what would seem to be such an important issue?

Kai Mikhailov
Head of Information Security at iTPROTECT

It should be understood that the draft laws are not aimed at creating a "portrait" of an enthusiast with good intentions, who will test the resources of organizations to the best of their abilities and point out mistakes. They are aimed at encouraging companies with CII to test security by participating in Bug Bounty projects. Solo enthusiasts who do not pre-coordinate their activities with a participating company will still remain outside the law. Activities related to bug bounty or, for example, external penetration testing have long been worked out by both state-owned companies and commercial enterprises, but the legislation on CII did not specifically state that this should be paid attention to, unlike enterprises in the same banking sector. It turns out that organizations, whose primary goal is often to meet regulatory requirements, devote resources to such activities on a residual basis. Thus, the legislation links the requirements (CII subjects in certain circumstances will have to involve third-party companies in testing the infrastructure) and the generally accepted practice for such testing into a single chain.

There is no special need for legislation to clearly define the requirements, image and behavior of "white hackers". Usually, such requirements are specified in the terms of reference for the pentest, or they are already prepared on Bug Bounty sites. The federal law is not the best place for detailed small details, since each infrastructure is unique in its own way and the requirements for pentesters may vary. The best option is to describe in the law the requirements for organizations to participate in vulnerability search programs, and determine the requirements for this process on the ground.

However, given the growing threat of cyber attacks and the need to strengthen cybersecurity, we can expect that the authorities will seek to adopt a law on ethical hackers in the near future. Perhaps the issue will be updated after serious cyber attacks or incidents that show the need for appropriate measures.

Thus, the adoption of the law on ethical hackers in Russia is a matter of time and political will. And we will follow developments and public debates on this issue.