how the State Duma and the information security industry are looking for methods to legalize their work

The State Duma has begun discussing a bill aimed at developing the work of the state and business with cybersecurity specialists in the field of testing information systems – the so-called white hackers. The initiative is aimed at legalizing the conduct of such testing for companies. But due to the novelty of the topic itself in the legislation and the just beginning growth in demand for the services of “white hat hackers,” the project is causing controversy even in the IT industry. Some issues, however, can be resolved by additional initiatives, which are also currently being discussed in the State Duma.

A bill that would legalize the activities of “white hat hackers” in Russia was submitted to the State Duma in December 2023 by a group of deputies led by Anton Nemkin, a member of the Committee on Information Policy, Information Technologies and Communications. The draft amends Article 1280 of Part 4 of the Civil Code of the Russian Federation.

According to the text of the bill, a “white hat hacker” is defined as “a person who has identified deficiencies in the safe use of a computer program or database,” and the client company ordering the research is “a person lawfully in possession of a copy of the program.” The authors thus intend to enshrine in legislation both the concept of an information systems tester and the right of companies to involve such experts in testing software installed on their infrastructure. More generally, the bill would legitimize the activities that organize such testing, namely Bug Bounty programs (paid searches for vulnerabilities in information systems).

According to the explanatory note, adoption of the bill will allow vulnerability analysis in any form without the permission of the program’s copyright holders. The bill also prohibits passing information about identified vulnerabilities to third parties other than the software owners and ultimate copyright holders. As conceived by the authors, “white hat hackers” involved in testing must inform the copyright holder about identified vulnerabilities within five working days of discovering them. The only exception is when it is physically impossible to contact the copyright holder (their location or place of residence could not be established).

The initiative to develop a legislative framework for the work of “white hat hackers” and the protection of their clients appeared in the summer of 2022. Its author was the Ministry of Digital Development, which is actively developing Bug Bounty programs in the public sector. The lack of appropriate regulation did not prevent the ministry from launching such a program on the State Services portal in February 2023: testing lasted three months, and in November the ministry decided to restart the program for a year, expanding it to the Unified Biometric System, the Unified Identification and Authentication System and others (see “Kommersant” dated November 9, 2023).

In general, the need for businesses and companies to attract testers arose from a sharp increase in cyberattacks on Russian IT infrastructure after the outbreak of the conflict in Ukraine. Since February 2022 this trend has not slowed down: according to Positive Technologies, in the fourth quarter of 2023 the number of incidents increased by 8% compared to the previous quarter and by 19% compared to the fourth quarter of 2022. Malware remains the attackers’ main tool: it was used in 73% of successful attacks on organizations. Such software includes ransomware, spyware and remote-control malware. Vulnerabilities in a company’s infrastructure can lead to a successful attack and to events unacceptable for the business (work stoppage, data leakage, etc.), the information security company’s experts believe.

Participants in the cybersecurity market, who are directly affected by the regulation discussed in the State Duma, generally support it. “White hackers” are respectable participants in the cybersecurity market, but today their activities have no clear regulatory status, explains Innostage CEO Aidar Guzairov: “From the point of view of the law, strictly speaking, they are no different from cybercriminals, and methods such as pentest (penetration testing) and Bug Bounty do not have a legal basis.” This creates uncertainty and risk for “white hat hackers,” including criminal liability, the expert warns. In many countries, he says, cybersecurity legislation is stricter than in Russia, but as long as the rules are followed, white hat hackers are protected.

“We hope that the law under discussion will eliminate some of the gray areas in the legislation and will introduce into the legal field the relationships that arise when working with such ‘white hat hackers,’” agrees Yegor Zaitsev, director of the department for countering cyber threats at Informzashita. This, in his opinion, will allow companies to attract such specialists more widely, and the specialists themselves will feel more protected and work more efficiently.

Just needs some work

Despite the positive response from the industry, many of its representatives see inaccuracies in the bill and a number of important but overlooked issues that need to be resolved before its adoption. For example, Informzashita points out that the bill sets no boundaries for safe testing. “Imagine that during testing there will be a denial of service or an attack on the customer’s internal infrastructure, especially if this is done by a novice security researcher,” explains Yegor Zaitsev. This can also be solved by a well-developed Bug Bounty policy, for example a public offer agreement published on the vendor’s website or on the platform itself (if the process is outsourced), says Mr. Zaitsev.

“White hackers” are a completely new phenomenon for society, and therefore an important step in working on the bill should be for legislators to study and understand the details and features of these specialists’ work, says Sergei Zolotukhin, a cybersecurity consultant at FACCT. For example, how vulnerability researchers differ from pentesters, how their teams are structured, how they operate, what risks they face in their work, and so on. But if this is taken into account, the law will really help solve important security problems, he believes.

However, Kommersant’s interlocutor in the cybersecurity market, who is familiar with the development of the bill, said that researchers from a number of large companies in the information security market, including those with Bug Bounty expertise, participated in writing it. At the same time, he points out that it is impossible to involve every market participant in developing the initiative.

Decided to split the demands

The comments of market participants are answered by a second bill, which is now being prepared for submission to the State Duma. The State Duma Committee on Information Policy, IT and Communications is working on it as well. It clarifies on what grounds companies and government agencies will have the right to attract “white hat hackers” and use Bug Bounty platforms for testing. One of the options is to place a public offer on the resources of the company interested in testing. The main proposed change is the government’s ability to independently determine the timing and procedure for testing state information systems and the systems of critical information infrastructure (CII) subjects, but only in agreement with the FSB (see “Kommersant” dated April 2).

“One of the main goals of the initiative is precisely the introduction of Bug Bounty into the legal field,” continues Kommersant’s interlocutor. But the bill neither obliges everyone to conduct Bug Bounty nor introduces any restrictions on the platforms on which Bug Bounty can be held. “The bill proposes to establish rules for testing, but only for government agencies and significant CII facilities,” explains Kommersant’s interlocutor.

At present, however, the activities of testers in general and of “white hat hackers” in particular are regulated by Articles 272 and 273 of the Criminal Code: under them, any specialist whose actions resulted in changes to computer information can be held liable, notes Kirill Lyakhmanov, chief legal adviser of the intellectual property practice at the EDB law firm. “Decriminalization of the activities of such specialists can greatly affect the success of attracting hackers to work for the state,” the expert believes.

State Duma deputies are also working on amendments to the Criminal Code, Anton Nemkin told Kommersant: “I am confident that when our amendments to the legislation come into force, the popularity of ‘white hat hackers’ will increase exponentially among Russian companies, and they themselves will more quickly improve their working methods.”

Tatiana Isakova