Russia's Federation Council takes a closer look at cybersecurity

In the words of Ruslan Gattarov, head of the Federation Council Information Policy Commission, the overall purpose of the strategy must be to ensure Russia's “digital sovereignty.”

The preliminary cybersecurity strategy focuses on three main areas. The first relates to threats posed to citizens: the leakage and disclosure of personal information; fraud; the distribution of harmful content; the impact on individuals “through the collection of personal data” and “attacks on infrastructure used by citizens in their everyday life.” The online banking system, ticketing systems, online commerce, geographic information systems, and private sites have all been highlighted as potential targets of cyberattacks that could harm Russian business.

As an example of a typical threat faced by civilians, Gattarov cited foreign-based Internet services: “The user agreement with Gmail, for example, allows Google to read emails so that the company can target its advertising. Hypothetically, everything the user posts online can be used by third parties.” He believes that even blackmail and commercial espionage could result. “If, for example, Yandex goes down, people who use it for email, maps, adverts, etc., will blame not only the company and the hackers who did it, but also the authorities,” Gattarov told Kommersant.

In terms of strategy, five key threats have been identified with the potential to harm the entire country. They are “attacks on key government control systems” (e-government sites and government agencies), “economic siege” (the mass blocking of payment and reservation systems), “hardware-controlled attacks on individual and company computers and smartphones,” attacks on everyday facilities controlled through information and communication technologies, and “critical infrastructure.” 

According to the plan, security infrastructure should include hardware and software platforms. This does not mean that everything down to the nuts and bolts must be made in Russia, but the country must have access to the underlying source code, so that it is clear how it can be used and for what purpose. This issue was raised by the FSB back in 2011. They made particular reference to the fact that foreign Internet services such as Gmail and Skype pose a threat to national security: law enforcement agencies are unable to quickly decrypt messages on such services, and they are actively used by extremists and other organizations (see Kommersant, April 9, 2011). The plan also envisions Russia's cyber infrastructure covering the “root infrastructure” and “media structure” of the Internet.

“In other words, the system must not depend on a single cable, and be able, in case of emergency, to distribute the load so that the Russian Internet remains operational at all times,” said Gattarov. That is to say, the strategy has to ensure “digital sovereignty.” 

The preliminary strategy has already been sent to representatives of government agencies and the IT market. “When the working group adds its own proposals, the project will be posted for discussion on a special website,” the deputy said. As a result, the strategy will spell out, in detail, all the threats, how to localize them, plus recommendations for businesses, citizens, and government structures, and what to do in each particular case.

“The information security strategy needs to be upgraded, and it's great that the Federation Council is taking the right steps,” the Russian Ministry of Communications informed Kommersant. Moreover, Kommersant's source noted that the government is conducting its own secret work in the field of IT. Sergei Zheleznyak, deputy secretary of the General Council of United Russia and member of the State Duma Information Policy Commission, told Kommersant that work on IT security was being carried out at multiple sites, and that the resulting proposals would be used to “form the most pragmatic solution to the issues at hand.” 

Infowatch CEO Natalya Kasperskaya stated in an interview with Kommersant that the doctrine of information security, signed by President Putin back in 2000, needs to be updated, “because new threats have emerged.” However, Indem Foundation head Georgy Satarov told Kommersant that, as a member of society, he does not require the protection of the state, which hardly exists. Saratov noted that he had no recollection of the government ever considering the rights of citizens in drawing up such documents. 

First published in Kommersant.

All rights reserved by Rossiyskaya Gazeta.