Use of e-mail in the state infrastructure of the Russian Federation
Public institutions in Russia are at risk of having their mail accounts compromised. 78% of public institutions do not use dedicated departmental mail services. These figures come from an analytical study conducted in 2016 by New Cloud Technologies with expert support from ANO Informatsionnaya kultura.
E-mail plays an important role in streamlining the work of state institutions, which, by virtue of their powers and duties, regularly handle data that is not subject to disclosure. This can be personal information about citizens, confidential information and, finally, confidential data. The information security of government institutions is therefore a very important question.
According to the study conducted by New Cloud Technologies with expert support from ANO Informatsionnaya kultura in 2016, 78% of public institutions use public mail, even though such services are fundamentally unsafe and their operators bear no legal responsibility for leaks of correspondence data.
97% of the state organizations using web mail are distributed among the largest Russian providers of public mail services: Mail.ru, Yandex.ru and Rambler.ru. Because of the size of their audience, these services are constantly exposed to hacker attacks. This means that, in addition to targeted cyber attacks, state organizations using public services risk becoming victims of attacks aimed at the service as a whole.
In addition, the study analyzed the mail servers of 72 federal executive authorities (FEA). It found that Microsoft mail services are the most popular: they are used by more than 30 departments, generally with access provided over the Internet (Outlook Web App). This is 42% of all the organizations considered and nearly 70% of the organizations for which data on mail server use were available. The dominance of Microsoft is probably explained by the fact that the company is the leading player in the market.
The use of e-mail by law enforcement agencies, which are duty-bound to maintain confidentiality, is of particular interest: FSB, FSO, Investigative Committee, FDCS and Courier service. The study found that 63% of these organizations use public web mail. Despite access to special communication facilities and a regime of heightened secrecy, nearly half of the centers of the Special Communications and Information Service of the FSO use public mail for contact with suppliers. At the very least, this risks leaking the personal data of employees. A breakdown for the FSB, FDCS, Investigative Committee and Courier service is also given in the study. In all of these services the share of public services in use exceeds the share of internal services.
The complete version of the study is given below.
Introduction
Methods for exchanging e-mail began to be developed in the 1960s at the Massachusetts Institute of Technology: the first e-mail client was written in 1965 and made it possible to send electronic messages between two remote computers connected over a telephone network. By the end of 1971 the programmer Ray Tomlinson had created a full-fledged e-mail client using a system of personal addresses in their modern form, with the @ symbol in the middle.
With the development of the Internet in the 1990s, e-mail services came into mass use online. By 2011 the number of e-mail accounts exceeded 3 billion, 25% of which belonged to legal entities, and the number of incoming and outgoing messages reached 107 trillion messages a day. By the end of 2015 the number of mail accounts had reached 4.1 billion, and a 7% increase is forecast for 2016. The size of the user audience of mail services and the need to protect Russia's national interests gave rise to new rules regulating the use of this type of communication. On December 31, 2014, Federal Law No. 531-FZ "On Amendments to Articles 13 and 14 of the Federal Law 'On Information, Information Technologies and Data Protection' and to the Russian Federation Code of Administrative Offences" was adopted. Under it, the technical means of information systems used by state bodies, local government authorities, state and municipal unitary enterprises or state and municipal authorities must be located on the territory of the Russian Federation.
The real risks associated with the use of "unsafe" services and information transmission channels are now recognized at the highest level of Russia's leadership. On August 26, 2015, the Secretary of the Security Council of the Russian Federation, at a meeting with heads of regions of the Far Eastern Federal District and representatives of federal ministries and departments devoted to data protection in the information systems of public authorities and local government authorities, spoke critically of the use by authorities of foreign services such as Google, Yahoo and WhatsApp.
At the same time, the use of domestic public mail services such as Mail.ru, Yandex and others is not regulated at the level of regulatory legal acts, and cannot be, because the existing regulatory legal acts set no such rules. It is also worth noting that the governing documents on information security adopted in a number of Russian regions have not changed since 2000, when the Information Security Doctrine of the Russian Federation was approved. The provisions of these documents repeat the provisions of the Doctrine.
E-mail nevertheless plays an important role in streamlining the work of state organizations. What is specific to the online communication of state institutions is that, by virtue of their powers and duties, they regularly handle data that is not subject to disclosure. This can be personal information about citizens, confidential information and, finally, confidential data. Special attention to the security of government correspondence seems extremely important in this light, since mass leaks of personal data and other information have become an almost daily occurrence. It is enough to recall the large-scale leak of the personal data of 4 million government employees in the USA.
The information security of Russian government institutions is the subject of this study.
The study analyzed the use of mail services by federal executive authorities (FEA) on the basis of data from open sources, including the official sites of the authorities, Bus.gov.ru and Budget.gov.ru. Only parent organizations were examined, since their information policy serves as a guide for subordinate structures, and manifestations of chaotic tendencies (violations of information security policy, an insufficiently responsible attitude to official and classified information that management tolerates, and so forth) grow as a system expands. In other words, the situation in a ministry makes it possible to judge the situation in most of the structures organizationally subordinate to it, given "organizational entropy": the growth in the number of violations with distance from the governing center.
The study also used the contact information that organizations provide in the public procurement system. It can be assumed that an organization uses safer communication tools for its more sensitive tasks. However, where an organization or structure has its own reliable mail service, one would expect it to use that tool for all official tasks. The use of public mail services indicates the absence of the organization's own internal mail and reflects its attitude to information security policy in general: when "unsafe" mail is used for procurement and the account is compromised, the leak can include not only personal information about the employee who created the account but also material containing trade secrets, such as requests to suppliers and requests from them, information on competitors, and the distribution of the institution's budget.
The source materials of this study were therefore:
- the official e-mail addresses of government institutions (the official e-mail addresses of 72 federal executive authorities were analyzed),
- the most actively used e-mail addresses of government institutions (259,750 organizations of different levels).
This sample does not cover the entire set of e-mail addresses of government institutions of the Russian Federation, but it is representative enough to draw serious organizational conclusions and to plan the expansion and continuation of research in this direction.
Our study, despite its scale, is certainly not comprehensive and covers only the visible tip of the iceberg of an unregulated situation in state informatization and the unregulated use of external services. Outside its scope remain: officials' use of e-mail addresses outside state procurement, the hosting of official web and mail servers of authorities and state institutions abroad, the use of personal cloud file-sharing services for information constituting an official secret, and much else.
Before turning to the results, it must be emphasized that, first, at this stage of the study the technical resistance of services to cyber attacks, which can vary from operator to operator, was not assessed; and second, source materials were gathered only from open sources, since tracking the use of free e-mail addresses by other means falls within the class of methods that cannot be applied without the sanction of the relevant authorities.
Assessment of the level of information security of government institutions
Security in this study is understood as compliance with the following criteria:
- 1. Correspondence data is stored on a server whose management is guaranteed to have an interest in keeping the organization's data safe and confidential (with public mail services there can, in principle, be no such guarantee).
- 2. Where mail services outside the organization's own server are used, access to personal, commercial and confidential information is strictly regulated, and the operator of the mail service bears responsibility if the regulations are violated.
In this study, a guarantee of security means conditions in which correspondence data is guaranteed not to be disclosed and the service provider bears responsibility for any breach of confidentiality. From this point of view, public mail services are clearly unsafe for official government institutions, as they fail to meet at least two of three characteristics. Of course, any public mail service undertakes to preserve confidentiality and protect personal data, but it provides no guarantees. The motivation to fulfil these obligations is, first of all, reputation. The operator of a public mail service bears no legal responsibility for leaks of correspondence data.
It should therefore be noted that public mail services are fundamentally unsafe.
Public web mail here means public webmail services on which any user can create a mail account. Well-known examples of such services are Mail.ru, Yandex.ru, Rambler.ru and Gmail.com, along with many others.
As the chart shows, the overwhelming majority of organizations (nearly 76%) use public web mail.
All other types of valid addresses specified, those that are not public, are treated as "internal" mail services. These can be hosting services, the organization's own servers, or services provided by an Internet service provider. Each may have its own shortcomings, but what unites them is that the security defects that inevitably characterize public services are not inherent in them.
Nevertheless, only 16% of the organizations considered use such mail services. Another 2% use public mail bound to their own domain. Binding to a domain makes the e-mail address look more "official" and is better for the organization's image, but in fact the terms of service (and, therefore, the security level) are the same as with public web mail. Thus, 78% of state organizations use public mail.
Analysis of the database of official contacts of state and municipal authorities and budgetary institutions
The most complete material for analyzing the use of public mail is provided by the public procurement database. As the data show, the public mail service of Mail.ru is the most popular. Foreign mail services (for example, Google) are significantly less popular. The variety of public web services in use is very small. 97% of the organizations using web mail (i.e. almost all of them) are distributed among the largest Russian providers of public mail services: Mail.ru, Yandex.ru and Rambler.ru. Because of the size of their audience, these services are constantly exposed to hacker attacks. This means that, in addition to targeted cyber attacks, state organizations using public services risk becoming victims of attacks aimed at the service as a whole.
In this sense the Russian public services are safer than foreign ones. 97% of the state organizations use public services and so risk becoming victims of cyber attacks. These figures are based on contract data, but it is worth recalling that nearly 70% of the federal executive authorities for which data on mail service use were available from other open sources use Microsoft mail.
At all levels, the share of organizations using public mail is at least about 50%.
Use of mail services by region of the Russian Federation
Analysis of the websites of federal executive authorities
The study analyzed the mail servers of 72 federal executive authorities (FEA). Data were collected from open sources; in particular, the e-mail addresses posted on the organizations' official sites were used. Web interfaces to mail servers were found for 43 of the organizations considered.
The table for visualization:
The analysis showed that Microsoft mail services are the most popular: they are used by more than 30 departments, generally with access provided over the Internet (Outlook Web App). This is 42% of all the organizations considered and nearly 70% of the organizations for which data on mail server use were available.
Other services are much less popular. Three federal services (FSTEC, Rosaviatsiya and the Federal Agency for Ethnic Affairs) use the mail-for-domains services of Mail.ru, Nic.ru and Yandex respectively. One federal agency (Rostourism) uses the mail of its Internet service provider.
Finally, some departments, for example the Rossleskhoznadzor, continue to give contact addresses on free mail services, for example on the domains bk.ru, gmail.com and yandex.ru. The dominance of Microsoft is probably explained by the fact that Microsoft is the leading player in the market. The problem with the mass use of Microsoft services stems from the same fact: its services inevitably become a target for targeted compromise, and the methods of compromise are constantly being improved. This is indirectly confirmed by the fact that online discussions of e-mail hacking methods single out the hacking of Microsoft mail in particular.
Thus, the analysis of the official addresses of federal executive authorities supports the same conclusions as the analysis of contact information from the state procurement database: in each case at least 70% of the state organizations for which data were available use mail services that either have no formal agreements with the authorities (free mail services) or are built on the software and services of foreign vendors.
Attitudes to information security in different structures
The level of responsibility and the confidentiality of the information handled can correlate with the choice of mail service. For example, 70% of judicial organizations use internal mail servers. However, there is no uniformity among courts either. Arbitration courts are the most inclined to use internal mail services: only 11% of them use public ones. At the same time, 75% of military courts, on the contrary, prefer public services. In other types of court the use of public and internal services is split roughly equally. In general, many courts do not neglect the principles of cyber security, but a substantial share of them use "unsafe" services (either those without official agreements with the authorities, such as free e-mail services, or those built on the software of foreign commercial vendors). It is also worth noting that the vast majority of departments of the Department of Internal Affairs (81%), from which special attention to digital security might be expected, also use public mail.
The use of e-mail by law enforcement agencies, which are duty-bound to maintain confidentiality, is of particular interest: FSB, FSO, Investigative Committee, FDCS and Courier service. 63% of these organizations use public web mail. Despite access to special communication facilities and a regime of heightened secrecy, nearly half of the centers of the Special Communications and Information Service of the FSO use public mail for contact with suppliers. At the very least, this risks leaking the personal data of employees.
A breakdown for the FSB, FDCS, Investigative Committee and Courier service is also given in the study. In all of these services the share of public services in use exceeds the share of internal services. This is especially true of the FSB (70% use public services) and the Investigative Committee (86% use public services).
In this connection it is interesting to look at how the use of public and internal services is distributed among IT services, which by virtue of their specialization should be the most competent in matters of cyber security, and at their preferences in mail technology.
Two observations can be made here. First, it is telling that 83% of IT departments use internal services. Second, 13% of such organizations nevertheless use public mail. The presidential administrations represented in the database do not use public services at all. Alongside this, there is a noticeable dominance of public services over internal ones in such large and important federal services as the MFA, FMS and the Ministry of Internal Affairs.
Conclusion
The study found an exceptionally high level of use of public web mail among authorities at all levels, including the federal level. The share of organizations using public services was 78% of all the organizations considered and more than 80% of the organizations that provided valid e-mail addresses.
Against this background, a number of departments and ministries stand out in which the use of internal mail services, on the contrary, prevails over the use of public services. These institutions include the Ministry of Finance, the Ministry of Economic Development and informatization departments. On the one hand, this is natural, since close attention to information security is to be expected from such departments. On the other hand, even among the organizations belonging to such departments, the share using public services is often no lower than 15%.
At the same time, it was established that a number of departments from which special vigilance in Internet security might be expected nevertheless prefer to use public services. This applies first of all to law enforcement agencies, where the share of organizations using public mail can reach and even substantially exceed 50%. In particular, the share of use of public services at the FSB is 70%, and at the Investigative Committee it is 86%.
These observations are confirmed by the analysis of mail server use by federal public authorities based on the contact information provided, in particular, on their official sites. 70% of the organizations for which relevant data were available use Microsoft mail servers, which makes them a potential target for targeted cyber attacks.
On the basis of the studies published earlier, in 2012 and 2014, it can be concluded that the lack of protected mail services at public authorities is universal and unchanging.
Summing up the results of the study, the following brief conclusions can be drawn:
- Public institutions in Russia are at risk of compromise and of leaks of information constituting an official secret.
- Nearly 80% of organizations use public mail services outside their control.
- The vast majority of organizations, including those at the federal level, use "unsafe" public mail services (which have no official agreements with the authorities).
- Only 7% of the state organizations use dedicated departmental mail services.
Ivan Begtin, the director of ANO Informatsionnaya kultura, notes: "The development and deployment of internal mail services that are as secure as possible and completely under the control of the organizations that use them is becoming a vital task for the state. Correspondence data should be stored on a server managed by a party that is guaranteed to have an interest in keeping that data safe and confidential. With public mail services there can, in principle, be no such guarantee."
Dmitry Komissarov, the CEO of New Cloud Technologies, the developer of the mail server and the MyOffice Mail application, comments: "The use of public mailboxes is driven by an understandable need for convenient services in the workplace; however, it is a serious violation of information security rules. The main tasks need to be solved in a way that is familiar to users, and at the same time official correspondence must not get out of control at any stage," Komissarov continues. "In the public sector it is necessary to create demand for a new generation of services intended for use in the protected environment of organizations and departments."
Research methodology
Analysis of the use of mail services by the federal executive authorities (FEA)
The analysis of the federal executive authorities used data from open sources, primarily the Bus.gov.ru and Budget.gov.ru resources and the official sites of the authorities. The list of websites is given in the Appendix.
In total, 72 organizations were analyzed. The purpose of the analysis was to determine the type of e-mail service in use. The information needed for this was found for 43 of the organizations considered. The type of service was determined on the basis of:
- analysis of the official contacts on the official site (to identify the main domain used for e-mail);
- analysis of the domain's mail servers using public online databases such as censys.io, scans.io and others;
- analysis of the DNS MX records of the domain the authority uses as its main one;
- indirect analysis of the SSL/TLS certificates associated with this domain, based on the censys.io database.
Based on the results of the analysis, a system for classifying Web servers and identifying their vendors was developed.
Description of the sample from the public procurement database
The use of e-mail was also analyzed on the basis of data from the register of organizations on the Official portal of public procurements. The sample was based on organizations that make purchases under 44-FZ, i.e. those financed from the budget of the Russian Federation. As of March 31, 2016, the register contained 269,619 organizations. Since FZ-44 came into force in 2014, the study analyzes only the contact information that organizations have used from 2014 to the present.
The sample was then filtered by organization type. The following were kept:
- public authorities;
- governing bodies of public foundations (pension and compulsory health insurance);
- budget, state and autonomous state institutions.
Unitary enterprises, enterprises with state participation, natural monopolies and other enterprises were removed from the sample. In addition, 628 duplicate records were removed (where only an organization's KPP, its tax registration reason code, had changed while its name and e-mail address had not, the record appeared twice in the initial sample).
E-mail, domain names and mail services
An organization's use of e-mail was determined from the e-mail address given in its contact details on the Official portal of state procurements.
An e-mail address always consists of two parts: user_name@domain_name.
The domain name that appears in the e-mail address must be distinguished from the name of the mail server that handles mail for that domain. The mail server is found by querying the DNS service for the domain name and can differ from the domain name in the address. Mail servers were then classified into groups according to the type of service and the owner of the domain. The owner of the domain was determined using the Whois service, which returns the domain's registration information.
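The distinction between the address domain and the mail server behind it can be shown in code. The following is an added example, not the study's own tooling: it sorts contact addresses into public web mail, public mail bound to an organization's own domain, and internal mail. The sample addresses, the MX answers and the list of provider MX suffixes are constructed assumptions so that it runs without DNS access.

```python
from collections import Counter

# Public webmail domains named in the article (bk.ru is one of Mail.ru's domains).
PUBLIC_DOMAINS = {"mail.ru", "bk.ru", "yandex.ru", "rambler.ru", "gmail.com"}

# Assumption: illustrative MX host suffixes operated by public providers.
PUBLIC_MX_SUFFIXES = (".mail.ru", ".yandex.net", ".yandex.ru",
                      ".rambler.ru", ".google.com")

# Constructed MX answers standing in for live DNS queries (offline example).
SAMPLE_MX = {
    "ministry.example": ["mx1.ministry.example"],
    "school12.example": ["mx.yandex.net."],
    "dead.example": [],
}

# Constructed contact addresses of the kind found in a procurement register.
SAMPLE_CONTACTS = [
    "zakupki@ministry.example",
    "Director@School12.example",
    "ivanov@mail.ru",
    "buh@BK.RU ",
    "old@dead.example",
    "no address given",
]


def split_address(address):
    """Return (user, domain) with the domain normalized, or None if malformed."""
    address = address.strip()
    if address.count("@") != 1 or " " in address:
        return None
    user, domain = address.split("@")
    domain = domain.lower().rstrip(".")
    if not user or "." not in domain:
        return None
    return user, domain


def classify(address, mx_lookup):
    """Classify one contact address by its domain and the domain's MX hosts."""
    parts = split_address(address)
    if parts is None:
        return "invalid"
    domain = parts[1]
    if domain in PUBLIC_DOMAINS:
        return "public_webmail"
    mx_hosts = [h.lower().rstrip(".") for h in mx_lookup(domain)]
    if not mx_hosts:
        return "no_mail_server"
    # Own domain in the address, but mail is handled by a public provider.
    if any(h.endswith(PUBLIC_MX_SUFFIXES) for h in mx_hosts):
        return "public_on_own_domain"
    return "internal"


def summarize(addresses, mx_lookup):
    """Count categories and compute the public-mail share two ways."""
    counts = Counter(classify(a, mx_lookup) for a in addresses)
    public = counts["public_webmail"] + counts["public_on_own_domain"]
    valid = len(addresses) - counts["invalid"]
    return {
        "counts": dict(counts),
        "public_share_of_all": public / len(addresses),
        "public_share_of_valid": public / valid if valid else 0.0,
    }


def sample_lookup(domain):
    """Offline stand-in for a DNS MX query; swap in a real resolver for live data."""
    return SAMPLE_MX.get(domain, [])


if __name__ == "__main__":
    print(summarize(SAMPLE_CONTACTS, sample_lookup))
```

The two shares mirror the way the study reports its figure both against all organizations considered and against those that provided valid addresses.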
Interpretation of results
When interpreting the results, it must be borne in mind that the analysis used contact information from the state procurement portal and not, for example, from the organization's own website. So if an organization is recorded as using public web mail on the state procurement site, this does not necessarily mean that it does not use its own mail server for receiving citizens' appeals or for internal correspondence. It means only that the responsible person in the organization preferred to use personal or public web mail for contact with suppliers. Nevertheless, this fact is sufficient in itself to draw a conclusion about the organization's IT infrastructure as well. It should also be borne in mind that, although in some cases it was recorded that the organization had lost control over the server, the e-mail addresses given were generally not checked for validity or currency. That could be the subject of a separate study.