"We are in cyber warfare, there should be no illusions." Interview of the head of the Ministry of Digital Science Maksut Shadayev at the TAdviser conference
Maksut Shadayev, head of the Ministry of Digital Development, Communications and Mass Media of the Russian Federation, answered questions from TAdviser editor-in-chief Alexander Levashov about the current situation in the digitalization of the state. The interview took place at the IT Government Day 2022 conference, organized and held by TAdviser on October 5, 2022.
Today we are talking about the digitalization of the public sector, and, of course, we cannot bypass the most pressing topics. In connection with the beginning of partial mobilization, the problem of digitalization of military registration and enlistment offices escalated. RF Defense Minister Shoigu launched this program in August 2021; it should last until 2023. As far as I understand, no significant success has been achieved in its implementation. I would like to find out from you what is the current state of this program, its prospects, and what is the most interesting thing, what target state should the military registration and enlistment offices come to following the results of digitalization? Your point of view.
Maksut Shadayev: I would not say that significant successes have not been achieved in this direction of digitalization. It seems to me that colleagues from the Ministry of Defense are moving according to their plan, which, as far as we know, exists. At one time, we helped with the creation of a secure network and the completion of the connection of all military registration and enlistment offices to it. This was even before the start of current events. Now we are testing with colleagues a number of decisions on interaction in terms of recording in the military registration and enlistment office. Let me remind you that the Ministry of Defense belongs to departments that are not obliged to coordinate digital transformation programs with the Ministry of Digital Science. But I am sure that colleagues will move even faster in this direction.
Are all military registration and enlistment offices of the country connected to the protected network?
Maksut Shadayev: As far as I know, yes.
Still, I would like to understand the target state of digitalization of military registration and enlistment offices. What kind of services will they have to provide digitally? What capabilities should they have for this?
Maksut Shadayev: In this case, I can only act as an expert, because, I repeat, the Ministry of Defense is an independent large department with a large share of autonomy, with its digital budget. I think, having closed the infrastructure level, ensuring the connectivity of the network of military registration and enlistment offices, colleagues should follow the path of digitization of military registration if they have not already done so. Taking this opportunity, I emphasize that we do not deliver any summons through the portal of public services. But we have launched a complaint mechanism. We quickly form lists, submit them daily to the General Staff for employees of those companies that have the right to be exempted from mobilization. Today we have handed over three lists to the Ministry of Defense, we will soon send a fourth. In general, our interaction is well organized.
Can delivery of digital subpoenas through Public services be the result of successful digitalization of military registration and enlistment offices? Or are there regulatory and legislative obstacles to this?
Maksut Shadayev: There are no legal grounds for delivering subpoenas digitally today. There is no reason that the summons received through Public services were considered legally significant, and the person was considered informed. Just like the QR codes that are rumored about, allegedly the Ministry of Digital Science is developing such a service - no, we are not developing anything. For those IT professionals who may be covered by the reservation, another procedure applies.
After the start of partial mobilization, employees of IT companies were reasonably surprised - in February-March 2022 they were given a deferral from military service, and now it is not valid, another order was introduced. At the same time, it is clear that IT specialists will bring more benefit to the country when they are engaged in their professional activities, and not in a trench with machine guns...
Maksut Shadayev: Partial mobilization is a separate regime affecting everyone. And in this sense, IT and communications professionals are no exception. Employees who are involved in providing critical processes related to the functioning of communication networks or to the development, support of large applications and platforms that affect a large number of processes and people get the opportunity not to be involved in the service as part of mobilization. The law, I repeat, applies to everyone, but it was possible to convince the Ministry of Defense that there are a number of critical digital services and infrastructure whose performance depends on the specialists. And if they are called upon, then it will not be possible to guarantee the continuity of the IT infrastructure. Given the fact that without digital technologies, nothing works for us now, including in the transport and social spheres, it is possible to paralyze entire industries and areas, which we would not like. And a balanced decision was made. Thanks to your colleagues from the Ministry of Defense for hearing our arguments and aspirations. And now this process is underway, we daily transfer to the General Staff lists of employees who have the right to non-treatment in conditions of partial mobilization.
The Ministry of Digital Industry has done a great job to postpone IT specialists in the current conditions, for which thank you very much, but there is another aspect - armed conflicts are becoming more and more high-tech. Military operations are conducted not only on the battlefield, but also on the Internet, and in the IT infrastructure of critical facilities. How do you assess the prospect of creating an IT army in Russia? And do you think it is right, if you call on IT specialists, then in this kind of structure?
Maksut Shadayev: We see how the Ukrainian side operates. They really have an IT army, and in order to join it you do not need to spend a lot of effort - you need to download a bot, register, verify. Further down the list of targets, DDoS attacks on public services begin, damage is caused to our public services - state services have been attacked many times.
Under such pressure, many companies began to strengthen their information security infrastructure. In fact, what the Ukrainian side has done for our cybersecurity is a very significant contribution to it. Many companies that had not previously thought about information security or assumed that the risks were insignificant have now realized that blocking and downtime are a serious threat to business.
And, frankly, after the Ministry of Defense has given a reprieve for our industry specialists, I receive many suggestions from employees that they are ready to benefit in workplaces. But it seems to me that now the most important thing is the safety of our resources, so that any attempts to destabilize their work are stopped and do not work. And, thank God that all attacks on Public services are stably reflected, we did not see significant violations in their functioning. This is due to the fact that for six months we have been configuring our system for countering DDoS attacks, filtering traffic and much more, and at different levels and for different types of attacks.
Therefore, task No. 1 is to ensure the stability and security of the functioning of our platforms, services and IT infrastructure as a whole, and then let's see. There are many ideas, but there are no plans to form an IT army as an army where they call. The experience of our opponents shows that the IT army is a big crowdsourcing movement. People enter there voluntarily, deliberately harm our IT infrastructure.
That is, this is an effective movement, in principle?
Maksut Shadayev: My assessment is as follows: this is a constant training session for us. There are no system interruptions in the operation of services. Our opponents every day plan a goal - this or that service. During the day, the degradation of the attacked service is observed, the next day a new target is announced. The format of the events is such that we have a victory every day: the service "shook" for several hours, cut off external traffic, the service recovered and functions again. Security policies are constantly being adjusted, so that the turbulence time decreases every time. Cyber attacks are unpleasant, annoying, disappointing, but it makes us stronger because owners, managers react to it and try to prevent or reduce the impact on the work of these negative moments.
In general, I see this as a big plus, because cybersecurity has received a super-impetus for development, the information security market is actively growing. Previously, companies had a long pre-sales cycle, when they had to explain to customers how important this is, and now everyone understands that it is important. Moreover, DDoS attacks are only the top layer, because there were deeper incidents, for example, RuTube, which turned out to be completely unprepared for this story, and there was a day when it just lay. I think that such unpleasant cases show the attitude of some leaders towards information security threats. But now everyone is starting to take cybersecurity more seriously. For example, we plan to announce and conduct the bug bounty program on the State Public services portal by the end of the year. We want to detect holes in our infrastructure as much as possible, and with the payment of remuneration to white hackers for their detection. I think this is a very important practice and we will go into it first.
In each structure there is someone who is formally responsible for security, and it is always very difficult for such specialists to admit their mistakes and flaws. But it is better to look at the risks openly, with a full understanding that they are present, and proactively work with them than on a certain day "lie down." I must say that we are all at risk. Especially the State Public services portal: this resource is just a tidbit for hackers, and huge resources are concentrated in this direction of cyber attacks in order to damage the infrastructure, despite its exclusively civil, social orientation. And this is a reason for us to become stronger. The state and state IT resources are in a special area of responsibility. Money for cybersecurity is knocked out of the budget with great difficulty, and the information is much more significant than that contained in commercial information systems. The direction of cybersecurity must be accurately prioritized.
We are already in cyber war, there should be no illusions on this score. Each of us is or may be the target of a cyber attack - it's a matter of time, so cybersecurity is the subject of constant reflection, training, stress tests and so on. And the more open, proactive the position in this direction of digitalization, the easier it will be to live on. This cannot be hushed up. I observe from many state-owned companies a position like "we are doing well," but it will be good until a certain point, and it is better to worry now than later.
The federal segment of the IT infrastructure is protected as efficiently as possible when compared with many other government agencies and institutions. But at the same time, among the regions, even the most developed in terms of digitalization, Moscow is experiencing failures - an electronic diary and traffic police services lay down. Perhaps this is due to the much greater attention paid to Moscow by hackers. How do you assess the situation with cybersecurity in the regions? How susceptible are they to attacks? And how much can the regions reflect them?
Maksut Shadayev: Moscow has great respect for success in digitalization. At the same time, it is clear that everyone who has advanced in this direction further than others who are more digitalized is more likely to be attacked. For our part, we wish our colleagues to overcome all negative consequences and help them in this. I want to say again: no one is in the green zone, today you cannot be safe.
By region, the current situation as a whole is as follows. Those regions that did not have the resources for digitalization, and they did not move much in this direction, they do not represent a significant object for attacks for hackers. And those regions that have advanced in digitalization have usually invested in the protection system, or at least have the opportunity to quickly adjust it in order to stop new risks. For the future, it is clear that for many regions the transition to unified federal platforms, protected as much as possible today, will be relevant. It is very expensive for everyone to build their full-fledged infrastructure and their protection. And not even always this is a matter of resources, budget, but also timing. So for regions that do not have the financial and organizational and technical capabilities to quickly close these issues, a big transition to federal platforms will begin, where these issues are centrally resolved.
You mean platforms like GosTech?
Maksut Shadayev: GosTech, Gosoblako, components of Electronic Government, the new GIS "My School," which, together with Moscow, we will soon begin to replicate by region. And this is a very correct, balanced policy in relation to the regions: those who have the opportunity to go further along the path of digitalization, they must go, cutting through certain clearances, marking prospects for others. And everyone else should follow these leaders together, on unified solutions, standards, platforms. In no way should we stop leaders.
Let's return to a more traditional, but no less relevant agenda - import substitution, which has become more relevant than ever. However, its pace is still not high enough, as it was a few years ago, and there are few key enterprises switching from foreign large systems to domestic software. What steps are being taken to change the situation? To create significant reference projects for the IT industry, showing that really large enterprises can successfully migrate to Russian software?
Maksut Shadayev: Firstly, it is good that we started work on government agencies in advance, and many of them have already made a significant breakthrough, switched to Russian software and OS. Our ministry can also serve as an example. When we talk to large industrial enterprises about import substitution, they ask how we are doing, and we answer that we are already working on Linux. This is a big plus in working with subordinate institutions, because we have already developed a certain practice. When the industry regulator switches to Russian decisions, it is clear that it is easier for him to convince the subordinate industry that they should also do this. The second big, albeit forced, plus situation is that foreign solutions are no longer available.
For us, the main risk was that many companies treat this as follows: we have implemented a foreign solution, it works. We do not put updates, but even so you can live - it is enough to learn how to install patches, and you don't have to worry about this topic. Thus, the main risk is the conservation of foreign solutions, such a scenario for the development of the situation, when many companies that have invested significant funds in the purchase and implementation of Western software products will remain on them.
Therefore, the government took the initiative, and soon a lever will appear in the context of the sectors of the economy to determine which systems relate to CII. After all, now enterprises themselves determine which system belongs to CII and which does not. Business understands that CII is a whole set of serious burdens, and classifies information systems as solutions of not paramount importance. The government will be able to determine the CII, introduce classifiers of IT systems, and then import substitution will be mandatory. An important point is that the government will be able to set the timing of the transition of these facilities to Russian solutions. Naturally, I hope that the process will be adequate to the situation, the deadlines will be set based on the readiness of Russian decisions based on the results of the first large implementations. It will be a certain system of coercion and at the same time positive motivation.
Now products are being considered across all industries. And where Russian IT solutions have insufficient maturity in comparison with Western systems, the state is ready to finance up to 80% of the customer's costs for their refinement. Thus, we understand that we cannot completely pass on the costs associated with the refinement of the IT product to the business, and are ready to cover most of these costs. The Customer, for its part, having received financial support, undertakes to implement this revised solution. As a result, we get a good, reference implementation for the market in order to show the cases of a successful domestic solution. At the same time, the rights to the modified IT product remain with the commercial developer company - this is very important. In our country, many companies, especially state-owned ones, like to build their full-fledged IT verticals. We believe that an independent IT company that is not affiliated with the customer should refine the IT product, and the rights to the product should remain with it. Let's see how this formula will be implemented. Once again, the scheme is as follows: a large customer receives money from the state, he has an obligation to introduce a full-fledged product, finalized at home, the rights to the product remain with the developer, who is not affiliated with the customer.
What is the timeline for this initiative?
Maksut Shadayev: We have more than 30 industries in which this work is being carried out. The big plus is that we saw many Russian small companies, which, despite the total dominance in some industries of foreign products, survived and were even able to occupy niches in the market. And now is the perfect time for them when customers turned to them. They get the opportunity to grow into big players in the Russian IT market. We support financially large customers, but at the same time we control, as I said above, so that customers do not buy vendors and the developed product remains on the market, and does not become an internal custom development.
I hope that by the end of October 2022 we will decide on a list of priority projects that we can support with resources based on our capabilities. It is gratifying to see that there are many Russian developers on the market. Approximately 80% of niches on the market - a little more than 400 categories of solutions - have Russian solutions of medium maturity. These solutions do not meet all international requirements, best international practice and foreign counterparts, but we have something to develop, and this is a great blessing. We have a base with which you can work, this is a big plus.
If we talk about the leaders of import substitution, who would you recommend to pay attention to? From whom to take an example?
Maksut Shadayev: There are a lot of them. For me, the ideal case of total import substitution is bailiffs.
They took up import substitution before anyone else...
Maksut Shadayev: Yes, they took up earlier, put Linux in all workplaces and work successfully, solve their problems. We have very good joint projects with them. Rosgvardia is also actively going in this direction. There are a lot of examples. I can say that the presence of foreign solutions in large federal systems is already isolated cases today.
And if we talk about state corporations? For example, Russian Railways was one of the first to pilot the introduction of Russian DBMS, OS...
Maksut Shadayev: Russian Railways is just to switch to Russian software, because they have the largest SAP installation in the world, which has been implemented for 15 years. The transition to Russian software will be a difficult moment for the company. It is very gratifying that Oleg Valentinovich Belozerov headed the committee of large Russian customers, who are now formulating the requirements for finalizing the 1C core. Having extensive experience in operating SAP, they understand what the Russian platform lacks. It is very cool that 1C will do all the improvements necessary for large customers to migrate to their solution for their own money. This is an example of proper cooperation. Not just: here's our product, get in line, and want - buy, not want - don't buy. Russian Railways is now under the requirement of switching to domestic software, and 1C understands perfectly well that the product requires refinement and additional investments for large customers, and takes on such obligations. I hope that by the end of 2022 we will sign a roadmap for the revision of 1C to meet the requirements of large customers sitting on SAP, so that in the foreseeable future in 2-3 years they can transfer their companies to 1C solutions.
We now have many positive examples when Russian developers are responsible for investing in the development of their products and occupying the niches vacated on the market. In this sense, we are now working on an initiative so that companies ready to refine their products for their own money will have access to soft loans. Perhaps they will receive a separate status of systemically significant companies and additional preferences - for example, access to the government order market.