State system for detection, prevention and elimination of consequences of computer attacks State system of detection, prevention and elimination of consequences of computer attacks

2024: Decentralization of State system of detection, prevention and elimination of consequences of computer attacks: Operational headquarters for cybersecurity began to appear in the regions of the Russian Federation

In March 2024, operational headquarters began to appear in the regions of the Russian Federation. information security We are talking about the decentralization of the response system (cyber attacks FSB State system of detection, prevention and elimination of consequences of computer attacks).

As Kommersant writes with reference to the decree of the government of the Tver region, the cyber incident response teams (GRIIB) will include "the most competent" representatives of the regional government agencies in responding to cyber attacks. It also follows from the document that the participants of the GRIIB will deal with the elimination of the consequences of hacker attacks in the Tver region, and will also monitor work to eliminate vulnerabilities in the infrastructure of state bodies and institutions and prepare reports on the results of the investigation of incidents.

Unsplash

In accordance with the decree of the Tver government, GRIIB will have the right to request additional information related to the incident from users of IT systems and involve employees of the affected institution in the investigation. The regional operational headquarters will coordinate actions on cybersecurity of executive structures, conduct exercises on responding to incidents in the field of information security and monitor the implementation of the recommendations of the FSB and FSTEC.

According to Sergei Kuts, head of industry cybersecurity at Positive Technologies, previously all information about cyber incidents flocked to the main center, and the creation of response teams could be the beginning of decentralization of State system of detection, prevention and elimination of consequences of computer attacks work. The expert positively assessed this process, but added that the effectiveness of GRIIB and operational headquarters on cybersecurity should "be measured in qualitative indicators, and not from the point of view of whether certain requirements of regulators are met."

As noted in the Ministry of Digital Development, by the beginning of March 2024, as part of the standardization of the work of the headquarters on cybersecurity by the regions, together with interested departments, "additional standard provisions" are being worked out^[1]

2023: Hosting providers will oblige to be connected to the State system of detection, prevention and elimination of consequences of computer attacks system

On September 14, 2023, the Ministry of Digital Development of the Russian Federation published several regulations regulating the work of hosting providers. The documents refer, in particular, to the introduction of additional requirements in terms of ensuring cybersecurity.

According to the Kommersant newspaper, Russian providers will have to connect to the state system for detecting, preventing and eliminating the consequences of computer attacks (State system of detection, prevention and elimination of consequences of computer attacks), which is controlled by the FSB. At the same time, market participants are subject to obligations to combat malicious nodes: when detecting cyber attacks, such as DDoS, conducted through resources hosted by the hosting provider, it must block them within 12 hours. In addition, companies providing site hosting services will have to provide dangerous resource identifiers to State system of detection, prevention and elimination of consequences of computer attacks on request within four hours: this is the source and target IP addresses, the amount of data sent and received, and other information.

The Ministry of Digital Development will oblige Russian providers to block resources used for cyber attacks

The documents prepared by the Ministry of Digital Development are by-laws to amendments to the law "On Information" adopted by the State Duma in the summer of 2023. The agency also published a draft government decree providing that hosting providers are obliged to participate on a par with telecom operators in exercises under the law "on sovereign runet" as part of its disconnection from the global network.

The new requirements apply to all players in the Russian market. The goal is to "ensure the safety of information and protect the infrastructure from hacks and leaks." Participants in the Russian IT industry believe that the implementation of these measures may result in an increase in tariffs for end users. In addition, the documents do not describe the regulation for canceling the blocking of resources through which attacks are carried out.

The information resource can be hacked and used for a DDoS attack, which will block it, but if the incident problem has been exhausted and fixed, it must be restored. Attackers, in fact, can get a fairly legitimate way to freeze resources, "says Andrey Arefiev, director of innovative projects at InfoWatch Group.[2]

2022

The Russian government is creating an analogue of the State system of detection, prevention and elimination of consequences of computer attacks system for the exchange of information about cyber incidents between information security companies

On September 1, 2022, it became known about the creation in Russia of a platform for the exchange of information about cyber incidents between information security companies. The implementation of the project can be hindered by non-disclosure agreements that suppliers of cyber defense tools conclude with customers.

Market participants told Kommersant about the possible appearance of a single platform for collecting information about incidents and exchanging expertise to repel cyber attacks. We are talking about both data on compromised bank cards, as well as accounts and malware. The source of the publication said that the launch of the system itself should be undertaken by the state, and profile companies will be engaged in its filling.

The Government of the Russian Federation creates an analog of the State system of detection, prevention and elimination of consequences of computer attacks system

Although there is already a system for detecting, preventing and eliminating the consequences of computer attacks (State system of detection, prevention and elimination of consequences of computer attacks), controlled by the Federal Security Service FSB (), and the Center for Monitoring and Responding to Computer Attacks in the Credit and Financial Sphere () operates FinCERT , controlled by GosSOPKA To the Central Bank"is not open to the business community" and, according to experts, is not suitable for the exchange of experience.

Pavel Korostelev, head of the Security Code products department, believes that creating a platform can increase the responsiveness to current threats. According to him, companies will be able to share the necessary data, for example, what software attackers are using or from which IP] addresses they come. However, Korostelev sees a problem in the fact that the platform participants will hide data on incidents.

The main problem is not in the platform, but in the regulation of information exchange, both numerous NDAs (non-disclosure agreement) and others, including legislative restrictions, stand in the way of implementing the project, believes Valery Baulin, regional director of Group-IB in Russia and the CIS.^[3]

FSB took up accreditation of cyber attack monitoring centers

On June 1, 2022, it became known about the FSB order, according to which the centers of the state system for detecting, preventing and eliminating the consequences of computer attacks (State system of detection, prevention and elimination of consequences of computer attacks) will have to be accredited at the National Coordination Center for Computer Incidents (NCCCA).

As Vedomosti writes with reference to this document, accreditation will be mandatory for all centers working with subjects of critical information infrastructure (CII), that is, providing information security services to banks, state institutions, telecom operators, etc.

FSB took up accreditation of cyber attack monitoring centers

By the beginning of June 2022, several thousand organizations were connected to State system of detection, prevention and elimination of consequences of computer attacks, but there were only a few dozen centers of this system, Pavel Goncharov, deputy director for business development at Solar JSOC of RTK-Solar, told the newspaper. There are such centers under federal departments, but they can also be created in commercial companies.

According to the source of the publication in an unnamed information security company, State system of detection, prevention and elimination of consequences of computer attacks centers were created under the Ministry of Defense, the Investigative Committee, the state corporations Rostec and Rosatom, Sberbank, and were also planned in Positive Technologies and Kaspersky Lab.

As the chairman of the State Duma Committee on Information Policy Alexander Khinshtein said in May 2022, the deputies plan to discuss with business and adjust the amendments to the law "On Personal Data" so that personal data operators do not incur the cost of connecting to the state system for detecting, preventing and eliminating the consequences of computer attacks. Khinshtein proposed to transfer all the necessary information from personal data operators to State system of detection, prevention and elimination of consequences of computer attacks via e-mail. It is assumed that this option will not require additional costs from companies.^[4]

The first went: Ministry of Digital Development launched an industry information security center under the law on critical infrastructure. On the approach of the Ministry of Energy and the Ministry of Health

Fulfilling the requirements of No. 187-FZ "On the security of the critical information infrastructure of the Russian Federation," Russian departments have begun to create industry centers for information security. The ministries and their subordinate structures have state information systems (GIS), which are classified as critical information infrastructure (CII). According to the law, departments are obliged to transmit [1] information about cyber attacks on KII to the National Coordination Center for Computer Incidents of the FSB of the Russian Federation (NCCCA). The first department that has already created an industry cybersecurity center was Ministry of Digital Development.

The ministry launched an industry center for the state system for detecting, preventing and eliminating computer attacks (OC State system of detection, prevention and elimination of consequences of computer attacks) on the basis of the subordinate FSUE MNII Integral. The project for its creation started in 2019, the winner was determined on the basis of the competition. For three years, 272.5 million rubles have been invested in the project, the Ministry of Digital Development press service told TAdviser. From December 2021, the SC State system of detection, prevention and elimination of consequences of computer attacks included in the information exchange system with the NCCC.

The Ministry of Digital Development launched an industry information security center. Photo - Rostelecom

According to TAdviser in the Ministry of Digital Development, in 2022 the industry center will be empowered by the departmental center of State system of detection, prevention and elimination of consequences of computer attacks, and its area of ​ ​ responsibility will include organizations subordinate to the ministry. The State system of detection, prevention and elimination of consequences of computer attacks DC will provide information security services to GIS operators, including transmitting incident reports to the NCCC. In total, the structure of the Ministry of Digital Development includes 27 subordinate organizations and enterprises. In the future, the center should establish the exchange of information about cyber attacks with leading industry enterprises that own CII facilities.

In 2022, according to Ministry of Digital Development plans, a multi-platform structure, a phishing monitoring system and an early warning system for information security threats should be created in the State system of detection, prevention and elimination of consequences of computer attacks OC.

A similar industry center Energy CERT is created by the Ministry of Energy. The project started in 2020 with the organization of a departmental center for the detection, prevention and elimination of computer attacks of the Ministry of Energy and the construction of an information security system. In 2021, on the basis of the departmental center, together with Rostelecom, a pilot project for the creation of an industry center was launched. It involves 12 companies in the energy industry.

The creation of industry information security centers is a world practice. They are necessary, since cyber attacks often have industry specifics and response to them requires specialized expertise. We participate in the creation of such a structure on the basis of the Departmental Center of the Ministry of Energy of Russia. We have signed a strategic partnership agreement with FSUE Integral, and we are ready to offer our expertise for the development of the information security center, Ministry of Digital Development Mikhail Adonyev, GR Director of Rostelecom-Solar, told TAdviser.

The head of the departmental center for the detection, prevention, elimination of the consequences of computer attacks of the Ministry of Energy of Russia Denis Novikov clarified that the creation of Energy CERT will allow countering cyber attacks, taking into account industry specifics, promptly inform the profile business and the expert community about vulnerabilities, provide methodological support, develop industry regulatory and administrative documents (policies, regulations, etc.) on cybersecurity.

The basis of the Russian energy infrastructure is the Unified Energy System, gas supply systems and trunk pipelines for the transportation of oil and petroleum products, which are simultaneously interconnected and interdependent. In the Russian economy, the fuel and energy complex occupies a significant place and plays the role of the basic infrastructure, the basis for the formation of revenues of the budget system of Russia, the largest customer for other industries. Ensuring cybersecurity of the fuel and energy complex is one of the key tasks for the sustainable functioning of the Russian economy as a whole, which is a prerequisite for launching a unified cybersecurity management system in the fuel and energy complex, "said Denis Novikov.

In 2021 , the Ministry of Health of the Russian Federation announced its intention to create an industry center while the concept is under approval (More). At the same time, Alexander Dubasov, Advisor to the Director of the Federal State Budgetary Institution TsNIIOIZ of the Ministry of Health of Russia, in February 2022 at a conference on information^[5] that the industry center of the Ministry of Health would not be able to connect all GIS operators and industry systems in the healthcare sector, but would do it selectively. According to him, the SC will become a monitoring center for GIS located directly in the area of GIS of responsibility of the Ministry of Health and some GIS subordinate organizations, which will be determined by the ministry.

At the same time, the RC of the Ministry of Health will act as a competence center for industry representatives and a developer of methodological recommendations. In addition, the Ministry of Health intends to launch advanced training courses for chief doctors in 2022, at which doctors will be introduced to the basic principles of information security. And next year, departments for the training of information security specialists for the healthcare industry will appear on the basis of medical universities.

The representative of the NKCKI Andrei Rayevsky , during a speech at a conference on information security in February 2022, said that Rostec, Rosatom and Roscosmos were among the first to comply with requirements No. 187-FZ "On the security of the critical information infrastructure of the Russian Federation ." In the summer of 2021, they launched competence centers for cybersecurity of KII facilities. And these corporate centers, he said, have essentially become industry-specific.

"SearchInform SIEM" implements the ability to directly export data to State system of detection, prevention and elimination of consequences of computer attacks

On January 25, 2022, SearchInform announced a large-scale update of SearchInform SIEM with the support of a RFRIT grant .

As reported, for companies that must report on the state of information security to the regulator, the ability to directly transfer reports to the NCCSC in a standardized format has been implemented. SIEM implements the functionality of direct export to State system of detection, prevention and elimination of consequences of computer attacks, which allows you to inform the regulator not about events or intermediate results of investigations, but to present the entire picture of the attack/failure. Read more here.

2020

Hundreds of thousands of companies want to oblige to report cyber attacks to the FSB

On December 9, 2020, it became known that hundreds of thousands of companies want to oblige to notify the FSB of cyber attacks. We are talking about a bill submitted to the State Duma on the confidentiality of data of law enforcement officers.

As Kommersant writes with reference to the document, its authors propose to oblige personal data operators, the number of which in Russia exceeds 400 thousand, including small and medium-sized businesses, to report cyber incidents to the State System for the Prevention, Detection and Elimination of the Consequences of Computer Attacks (State system of detection, prevention and elimination of consequences of computer attacks). The main goal of the proposed law is to limit the dissemination of information about the military, law enforcement and control officers.

Personal data operators may be required to report incidents to the FSB

This initiative threatens business with additional costs - you need to buy software and hire employees or spend money on the services of commercial centers, says business security consultant Cisco Systems. Alexey Lukatsky These services in the Russian Federation are provided by Rostelecom-SolarInformzaschitaJet Infosystems,,,,,,. Positive Technologies Kaspersky Lab Orange Business Services Lukatsky admits that even objects () critical information infrastructure CUES experience difficulties with connecting to State system of detection, prevention and elimination of consequences of computer attacks: this requires support software with data encryption according to the requirements of the FSB, automation of round-the-clock data transfer, and in some cases access to closed information.

The system will not be able to protect data from leaks from employees of companies that have access to information, added lawyer Alexander Savelyev. At the same time, the capabilities of State system of detection, prevention and elimination of consequences of computer attacks itself are also limited, and they will have to be expanded, believes Alexandra Orekhovich, director of legal initiatives at the Internet Initiatives Development Fund.

According to Boris Edidin, Deputy Director General for Legal Affairs of the Institute for Internet Development, it is more logical to extend the requirements for connecting to State system of detection, prevention and elimination of consequences of computer attacks only to the largest operators whose data arrays form the country's CII.^[6]

DialogueNauka has carried out research and development to create a vertically integrated system for interaction between the MHIF and State system of detection, prevention and elimination of consequences of computer attacks

On September 21, 2020, DialogueNauka JSC, a system integrator in the field of information security, announced the completion of research work in the field of compulsory health insurance for the needs of the Federal Compulsory Health Insurance Fund (hereinafter referred to as the MHIF) to develop proposals for the creation of a vertically integrated system of interaction between the MHIF and TFCMI with State system of detection, prevention and elimination of consequences of computer attacks. Read more here.

The center for monitoring and response of the "Security Code" received the right to perform the functions of the State system of detection, prevention and elimination of consequences of computer attacks center

On March 5, 2020, the Security Code company announced the launch of the Security Code Monitoring and Response Center, as well as the signing of a cooperation agreement with the National Coordination Center for Computer Incidents (NCCC), the purpose of which is to organize interaction in the field of detection, prevention and elimination of computer attacks within the State system of detection, prevention and elimination of consequences of computer attacks. Read more here.

Jet CSIRT received the status of the Corporate center State system of detection, prevention and elimination of consequences of computer attacks

On February 25, 2020, Jet Infosystems announced the conclusion of an agreement on the interaction of the IBJet CSIRT Incident Monitoring and Response Center with the National Coordination Center for Computer Incidents (NCCC) to provide expert services for organizing interaction with State system of detection, prevention and elimination of consequences of computer attacks. Read more here.

2019

Subsidies for the creation of State system of detection, prevention and elimination of consequences of computer attacks centers will be allocated by a specially created competition commission

On November 15, 2019 TAdviser , it became known that Ministry of Digital Development, Communications and Communications of the Russian Federation it would create special competition commissions that would determine who and how would receive subsidies for the creation of industry centers for State the detection, prevention and elimination of consequences (computer attacks State system of detection, prevention and elimination of consequences of computer attacks) and its inclusion in the system of automated exchange about information current cyber threats.^[7] recently published on the Official Portal of Legal Information. Government of the Russian Federation

The document also determines the procedure for consideration by the competition commission of applications submitted for competitive selection: in particular, it is indicated that the winner must be named no later than 20 working days after the end of the deadline for accepting applications.

Legal entities are entitled to participate in the competition - organizations whose charter contains provisions providing for the provision of scientific, technical and information services, the creation and use databases of information resources. Such organizations must also have a license to work with information constituting state secrets. Another prerequisite should be the organization's successful experience in implementing projects in the field information security over the past three years, "including their conclusion to the planned payback and (or) ensuring the achievement of the planned economic efficiency indicators." The criterion is also the applicant organization's right to obtain a mandatory copy of programs for electronic computers and databases. data

In addition to the application, the organization planning to participate in the competition will have to submit documents confirming the organization's compliance with the competitive selection criteria, as well as the cost estimate, the calculation of which is carried out using the rationing of certain types of expenses, in particular, expenses related to the remuneration of employees, the purchase and lease of software and hardware, the purchase of equipment and components. "

The winner is determined by the sum of the points awarded by the members of the commission. According to the algorithm described in the document, the key criteria determining the victory or loss of an application will be the success of the implementation of projects over the past three years and the validity of the cost estimate. Only these criteria imply the variability of the score (from 0 to 3 points). Everything else - the presence in the charter of the applicant organization of the necessary provisions, a license to work with information constituting state secrets, the right to a mandatory copy of programs for computers and databases - is evaluated only by two values ​ ​ - "0" or "5."

{{quote 'author = points out Dmitry Gvozdev, CEO of Information Technologies of the Future|State system of detection, prevention and elimination of consequences of computer attacks is a strategically important part of the infrastructure. And the implementation of projects related to the creation of centers - in fact - can be entrusted only to really trusted companies that are not only able to implement the project, but also tested by domestic special services along and across. Accordingly, mechanisms for granting preferences to such companies are being created with the formal observance of the work of market mechanisms. This is an absolutely normal practice for any state when it comes to protecting national interests: the involvement of "random" players can pose more than a serious threat to national security, }}

The refusal to participate in the competitive selection, if it is submitted, should be sent to the applicant within the next three working days, the document says.

If no submitted application meets the established criteria, the competitive selection is declared invalid.

Angara Professional Assistance received the right to act as an operator State system of detection, prevention and elimination of consequences of computer attacks

Angara Professional Assistance on October 11, 2019 announced the signing of an agreement on interaction with the "National Coordination Center for Computer Incidents" (NCCCA) as part of the functions of the State system of detection, prevention and elimination of consequences of computer attacks operator for the subjects of the critical information infrastructure (CII) of the Russian Federation in accordance with Federal Law No. 187 of July 26, 2017 "On the Security of the Critical Information Infrastructure of the Russian Federation" and its by-laws in all branches of CII. Read more here.

The government finally approved the rules for subsidizing industry centers of State system of detection, prevention and elimination of consequences of computer attacks

On October 9, 2019, TAdviser became aware that the Government of the Russian Federation published^[8] "resolution, which approves the rules for granting subsidies for the creation of" industry "centers of the State system for detecting, preventing and eliminating the consequences of computer attacks (State system of detection, prevention and elimination of consequences of computer attacks) and its inclusion in the system of automated exchange of information about current cyber threats.

The decree is dated October 7, 2019.

Subsidies from the state budget for the creation of industry centers will State system of detection, prevention and elimination of consequences of computer attacks provide Ministry of Digital Development of the Russian Federation based on the results of competitive selection.

The allocated funds will have to partially cover the costs of subsidized organizations in such areas as remuneration of workers directly related to the creation of an industry State system of detection, prevention and elimination of consequences of computer attacks center; purchase and lease of software, hardware and components.

It is stipulated that more than 60% of the subsidy amount should not be spent on the remuneration of employees, and more than 30% on the purchase and lease of software and hardware.

The published edition of the rules also states that subsidized projects are selected on the basis of competitive selection, which is carried out by the Ministry of Digital Development. Only those organizations in whose statutes there are provisions can take part in the competition, Providing for the provision of scientific, technical and information services, the creation and use of databases and information resources, have a license to work with information constituting state secrets and have successful experience "in the implementation of projects in the field of information security over the past 3 years, including their conclusion on the planned payback and (or) ensuring the achievement of the planned indicators of economic efficiency. "

The topic of selection of organizations engaged in strengthening the country's critical information infrastructure is at the intersection of the information security market and national security issues. In this regard, the use of non-market mechanisms to select key suppliers may be justified, but provided that all these mechanisms were transparent, understandable and did not allow ambiguous and dubious interpretations, believes Dmitry Gvozdev, CEO of Information Technologies of the Future

The draft rules were first published at the end of July 2019

Immediately after the publication of the project - and even before its approval - the Ministry of Digital Development, Communications and Mass Media of the Russian Federation announced the start of a competitive selection of projects (activities) aimed at bringing the security level of significant Ministry of ^[9] of critical information infrastructure of the Russian Federation to the requirements established by law.

The Announcement^[10] was separately indicated, that to participate in the selection, it is necessary to send an application to the Ministry of Telecom and Mass Communications by August 20, "prepared in accordance with the attached^[11] of the Rules for the Provision and Distribution of Subsidies." The link led to the newly proposed draft rules, which took another two months to approve. Despite this, the results of the competition were published [^[12] Federations] as early as</ref> August 30th.

The Ministry of Digital Development, Communications and Mass Media suggested to subsidize creation of the "industry" centers State system of detection, prevention and elimination of consequences of computer attacks

On July 30, 2019, it became known that Ministry of Digital Development, Communications and Mass Media it published draft resolution# Governments of the Russian Federation^[13], which regulates the rules for allocating subsidies for the creation of an industry center State for the detection, prevention and elimination of consequences computer attacks (State system of detection, prevention and elimination of consequences of computer attacks).

While the document describes in great detail the procedure and conditions for allocating funds, it does not define the "industry" centers of State system of detection, prevention and elimination of consequences of computer attacks. Previously, it was only about private (corporate) and state centers of competence - at least such a division is present in the methodological documents of the FSB. It would be rather strange to assume a reservation in the draft government decree, so if it is not about assigning another name to the corporate centers of State system of detection, prevention and elimination of consequences of computer attacks, then it is possible that "sectoral" means some other kind of competence centers.

The classification of State system of detection, prevention and elimination of consequences of computer attacks centers is regulated by FSB documents, and there are no "sectoral" centers. On the other hand, it is likely that we are talking about organizations that will provide the functions of such centers for a large number of customers. In particular, some large system integrators specializing in information protection have already concluded an agreement with the FSB and received the right to perform the functions of State system of detection, prevention and elimination of consequences of computer attacks centers for government agencies. It is logical to assume that activities of this kind have grounds for receiving subsidies from the state,

The draft resolution refers to the federal project "Information Security" of the national program "Digital Economy of the Russian Federation." The provision of subsidies is directly engaged in the Ministry of Communications.

The document, in particular, provides the following passage:

The subsidy is provided to the Ministry of Digital Development of the Russian Federation on a competitive basis within the budget allocations, provided for by the federal law on the federal budget for the relevant fiscal year and for the planning period, and the limits of budgetary obligations brought in accordance with the established procedure to the Ministry of Digital Development, Communications and Mass Media of the Russian Federation as a recipient of federal budget funds in order to fulfill the result "An industry center of the State System for Detecting, Preventing and Eliminating the Consequences of Computer Attacks has been created (State system of detection, prevention and elimination of consequences of computer attacks) and its inclusion in the system of automated exchange of information on current cyber threats "of the federal project of the Program.

Organizations engaged in the provision of scientific, technical and information services, as well as the creation and use of databases and information resources will be admitted to the competition, has a license to work with information constituting a state secret, and in addition, "in accordance with the Federal Law of 29.12.1994 No. 77-FZ" On the mandatory copy of documents "is entitled to receive a mandatory copy of software."

It is also stipulated that the recipient of the subsidy is not in the process of reorganization, liquidation or bankruptcy. This indicates that this is mainly about commercial firms.

The amount of the subsidy is defined as the amount of the recipient's expenses in three areas: employee remuneration; the costs of the organization for the purchase and lease of software and hardware and the costs of the organization for the purchase of equipment and components. At the same time, it is stipulated that more than 60% of the subsidy amount should not go to the remuneration of employees, and more than 30% for the purchase and lease of software and hardware. Restrictions on the purchase of equipment and components are not specified in the document.

In case of failure to achieve the result - that is, if the center of competence has not been created - the subsidy is subject to return.

InfoTeCS connected the Government of the Republic of Tyva to the State system of detection, prevention and elimination of consequences of computer attacks system

On July 11, 2019, the InfoTeCS group of companies announced the connection of the Republic of Tuva to the State System for Detecting, Preventing and Eliminating the Consequences of Computer Attacks (State system of detection, prevention and elimination of consequences of computer attacks). This is the first connection of a constituent entity of the Russian Federation through a third-party State system of detection, prevention and elimination of consequences of computer attacks center using the technical infrastructure of the National Coordination Center for Computer Incidents (NCCCI). Read more here.

Infosecurity acquired the right to execute functions of the State system of detection, prevention and elimination of consequences of computer attacks center for subjects CUES of the Russian Federation

The company "Infosecuriti" (part of the Civil Softline Code) on July 4, 2019 announced the signing of a cooperation agreement "National Computer Incident Focal Point" with (NCCCA), the purpose of which is to organize cooperation in the field of detection, prevention and liquidation computer attacks within the framework of State system of detection, prevention and elimination of consequences of computer attacks. The agreement gives the Center for Monitoring and Incident Response " INFORMATION SECURITY Infosecuriti" (I)SOC the right to perform the functions of the GosSOPKA center for subjects. critical information infrastructure RUSSIAN FEDERATION More. here

FSB formulated requirements to means of State system of detection, prevention and elimination of consequences of computer attacks

May 6, 2019 Federal Security Service issued an order "On approval of requirements for means intended for the detection, prevention and elimination of consequences computer attacks and response to computer incidents"^[14] of the^[15]

The order is based on the Federal Law of July 26, 2017 No. 183-FZ "On the Security of Critical Information Infrastructure of the Russian Federation" and specifies the requirements for State system of detection, prevention and elimination of consequences of computer attacks means to be used for protection. CUES RUSSIAN FEDERATION

In particular, the order lists the requirements that are imposed "on technical, software, software and hardware and other means" used to search for signs of computer attacks, their detection, prevention and elimination of consequences, as well as for information exchange systems necessary for subjects of critical information infrastructure if a cyber incident takes place. The requirements for cryptographic means of protecting such information are also described.

The FSB demands to exclude the possibility of remote control of State system of detection, prevention and elimination of consequences of computer attacks funds by persons who are not employees of a subject of a critical information infrastructure or an organization licensed to protect information.

The possibility of unauthorized transfer of the processed information to unauthorized persons should also be excluded.

It is further indicated that State system of detection, prevention and elimination of consequences of computer attacks funds should be able to be modernized by Russian organizations "not under the direct or indirect control of foreign individuals and (or) legal entities," and be provided with warranty and technical support by Russian organizations that are also not under the control of foreign individuals and legal entities.

A very significant point of requirements: the work of State system of detection, prevention and elimination of consequences of computer attacks funds should not lead to violations of the functioning of information resources located on the territory of the Russian Federation and its diplomatic missions or consular offices of the country abroad. It is stipulated that the impact on the achievement of goals and the functioning of CII facilities by State system of detection, prevention and elimination of consequences of computer attacks facilities should be excluded.

In addition, the order requires the implementation of a number of security functions in State system of detection, prevention and elimination of consequences of computer attacks tools, including the identification and authentication of users, delimitation of access rights to information and functions, registration of information security events, updating software components and service databases, backup and restoration of their performance, adjustment of time settings and software integrity control.

It is stipulated that user passwords, if used for authentication, must be stored in encrypted form, and that users will have to receive notifications about the need to change passwords.

Other - quite standard, but often overlooked - security procedures are also prescribed, such as blocking a session after a given idle time, notifying of unsuccessful attempts to access the management of State system of detection, prevention and elimination of consequences of computer attacks tools and recording all user actions from the moment of authorization in an electronic log.

For APCS tools, the need to maintain electronic logs of technical condition and protect these logs from editing and deleting information in them is specifically indicated.

The document also stipulates the possibility of "regular self-testing of software during operation."

In general, the order of the FSB stipulates in detail every aspect of the functioning of State system of detection, prevention and elimination of consequences of computer attacks facilities, and, according to experts, there can be no excessive detail in this case.

State system of detection, prevention and elimination of consequences of computer attacks funds are the main protection of the critical information infrastructure of the Russian Federation. Their implementation should be regulated in as much detail as possible, without any uncertainty of the possibility of a double interpretation. The task of the order is to determine the functions and capabilities that must be present in the State system of detection, prevention and elimination of consequences of computer attacks systems, as well as indicate what should not be there. In any document, you can find flaws, but in this case everything looks very clear: organizations that will deal with the final implementation of State system of detection, prevention and elimination of consequences of computer attacks funds have established a specific framework in which they will have to fulfill the tasks assigned to them, 'notes Dmitry Gvozdev, CEO of Information Technologies of the Future '

Separately, the requirement related to ensuring the security of information during its exchange with participants in information interaction (National Coordination Center for Computer Incidents) deserves attention: the cryptographic information protection tools (CIPF) used in GoSOPKA must be certified in the CIPF certification system.

General requirements for State system of detection, prevention and elimination of consequences of computer attacks facilities are presented in Sections 2, 8 and 9 of the document under consideration, which, accordingly, define general requirements, requirements for the implementation of safety functions, requirements for the construction and visualization of reports, respectively.

Thus, the requirements listed in Section 2 imply the exclusion of the possibility of managing State system of detection, prevention and elimination of consequences of computer attacks funds by third parties and unauthorized transfer of information to such persons. In addition, it is worth paying attention to the requirements for persons carrying out the modernization of State system of detection, prevention and elimination of consequences of computer attacks funds and their technical support - Russian organizations that are not under the control of foreign persons.

In section 8, the regulator describes in detail the requirements for safety functions that State system of detection, prevention and elimination of consequences of computer attacks means should provide. The requirements are grouped into the following categories:

• 1. Identification and authentication of users of means of State system of detection, prevention and elimination of consequences of computer attacks.
• 2. Delimitation of access rights to information and means of GoSOPKA.
• 3. Registration of information security events.
• 4. Update of software and service databases of GoSOPKA tools.
• 5. Reservation and restoration of means of State system of detection, prevention and elimination of consequences of computer attacks.
• 6. Control of integrity of the software of means of State system of detection, prevention and elimination of consequences of computer attacks.
• 7. Network time synchronization.

Finally, the State system of detection, prevention and elimination of consequences of computer attacks tools should provide functionality for visualizing all processed information: information security events, incidents, vulnerabilities, and so on. Such information should be collected in reports (graphs, tables) in "manual" mode or automatically, stored for a specified period and, if necessary, exported and corrected to direct recipients.

"Informzaschita" received the right to act as a State system of detection, prevention and elimination of consequences of computer attacks center for government agencies, legal entities and individual entrepreneurs of Russia

The FSB of Russia and the Informzaschita company, a system integrator in the field of information security, on January 18, 2019 announced the signing of an agreement on interaction in the field of detection, prevention and elimination of computer attacks within the framework of State system of detection, prevention and elimination of consequences of computer attacks. Read more here.

2018

"Subsidiary" of Sberbank will connect small business to State system of detection, prevention and elimination of consequences of computer attacks

On September 17, 2018, it became known that the "daughter" Sberbank Secure Information Zone (Bison) will be engaged in connecting small businesses state to the protection system against computer attacks (State system of detection, prevention and elimination of consequences of computer attacks). Writes about this with Kommersant reference to the action plan for the information security national project. "Digital Economy"

Sberbank confirmed its intention to use its experience for cyber defense of small companies. The credit institution calls Bison the "visionary" of the Russian cybersecurity market, among whose clients are "the largest companies" from the fields of finance, power, air transportation , etc.

Connecting small companies to the state system of protection against computer attacks (State system of detection, prevention and elimination of consequences of computer attacks) will be engaged in the "subsidiary" of Sberbank "Safe Information Zone" ("Bison")

According to Dmitry Kuznetsov, director of Positive Technologies for Methodology and Standardization, by October 2018, State system of detection, prevention and elimination of consequences of computer attacks centers are created only in federal authorities and large corporations, and the cost of connection can be measured in tens of millions of rubles.

Many companies, including rather big ones, in which 1-2 thousand people work, will not be able to afford to create such a center and find themselves "practically without support from the State system of detection, prevention and elimination of consequences of computer attacks," he added.

Bison's corporate centers for small and medium-sized businesses should reduce the cost of connection, while allowing Bison to "make stable money on the foreign market, covering the costs of orders from Sberbank," the newspaper writes, citing Rustem Khairetdinov, CEO of Atak Killer.

Losses of small and medium-sized businesses in Russia from hacker attacks in 2017 amounted to 12 billion rubles, estimates Valentin Krokhin, Marketing Director of Rostelecom-Solar. Such companies, according to the expert, due to small budgets for information security, are noticeably worse protected from cybercriminals compared to big business.

The source of the newspaper at the information security market notes that a large amount of money was poured into Bison, and now it somehow needs to be recouped.^[16]

FSB has determined a list of information for mandatory sending to State system of detection, prevention and elimination of consequences of computer attacks

As it became known on September 10, 2018, the Federal Security Service determined a list of information that should be sent without fail to the state system for detecting the prevention and elimination of the consequences of computer attacks (State system of detection, prevention and elimination of consequences of computer attacks). The order is dated July 24, 2018, but was only published in the first decade of September.

Building of the FSB of the Russian Federation

According to the first appendix to the FSB order, information directly or indirectly related to the functioning of the facilities of the critical information infrastructure of the Russian Federation should be sent to State system of detection, prevention and elimination of consequences of computer attacks.

That is, firstly, this is information about the objects themselves enrolled in the register of critical infrastructure, as well as about their possible exclusion from this register.

Secondly, this is information about computer incidents affecting the functioning of CII objects, with all available details: date, time, location of the object; the existence of a "causal relationship between a computer incident and a computer attack"; possible communication with other incidents; composition of technical parameters of computer incidents and its consequences.

In addition, State system of detection, prevention and elimination of consequences of computer attacks should receive information on the identification of significant violations of safety requirements for significant CII facilities, if they create prerequisites for computer incidents.

A separate item is "other information" in the field of detection, prevention and elimination of the consequences of cyber attacks and incident response. It can be provided by both KII subjects and other bodies and organizations that are not part of the critical infrastructure of the Russian Federation, including international ones.

The second appendix to the order describes the procedure for providing information to State system of detection, prevention and elimination of consequences of computer attacks. In particular, it is stipulated that general information from the register of CII and information on the results of state control should be sent to the National Coordination Center for Computer Incidents (NCCSC) at least once a month and no later than the monthly period from the moment of inclusion of the CII object in the register of significant objects or exclusion from it, changing the category of its significance or drawing up an inspection report based on the results of state control (if violations are detected).

The format in which the authorized body sends this information is determined by the authorized body itself.

With regard to specific incidents, they should be sent in accordance with the formats defined by the NCCC and using the technical infrastructure of the Coordination Center designed to receive and process incident data.

If there is no access to this infrastructure at the CII facility for any reason, then the information is sent via any other channel, including postal, facsimile or electronic communication to the addresses or telephone numbers of the NCCC.

The information should be received by the NCCCC no later than 24 hours after the incident was discovered. Another 24 hours are given to NCCCI to notify the subject of the CII about the receipt of this information.

The list of information received by State system of detection, prevention and elimination of consequences of computer attacks could be supplemented with the results of past security audit activities carried out at KII facilities by commercial structures specializing in finding vulnerabilities in digital infrastructure, "said Dmitry Gvozdev, General Director of Information Technologies of the Future. - Also in State system of detection, prevention and elimination of consequences of computer attacks it would make sense to regularly enter data on what vulnerabilities could be identified in the software used at CII facilities, and which of them are fixed. This will help with the prevention of computer incidents and cyber attacks.

You can get acquainted with the text of the Order of the FSB of the Russian Federation dated 24.07.2018 No. 367 "On approval of the List of information submitted to the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation, and the Procedure for submitting information to the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation" here.

The Law on the Security of the CII of the Russian Federation obliged the subjects of the CII to inform government agencies about cyber incidents

Federal Law No. 187 "On the Security of Critical Information Infrastructure (CII) of the Russian Federation," which entered into force on January 1, 2018, obliges CII subjects to carry out measures to inform about computer incidents of federal executive bodies and ensure the implementation of the procedure and technical conditions for the installation and operation of infrastructure facilities CII; respond to computer incidents in accordance with the procedure specified in the law, take measures to eliminate the consequences of computer attacks carried out on significant objects of CII and continuously interact with State system of detection, prevention and elimination of consequences of computer attacks. CII subjects can build and operate State system of detection, prevention and elimination of consequences of computer attacks centers independently, or perform this task with the involvement of authorized companies within the framework of an agreement with the FSB.

2017

Putin made the FSB responsible for combating cyber attacks

The Federal Security Service (FSB) will be responsible for detecting and preventing cyber attacks on Russian networks from 2018. The corresponding decree was signed by President Vladimir Putin and posted on the website of the official publication of legal acts publication.pravo.gov.ru. Decree number 620 is called "On improving the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation." The date of entry into force - January 1, 2018^[17].

This legal act assigns to the FSB the authority to ensure the operation of the state system for detecting the prevention and elimination of the consequences of computer attacks (State system of detection, prevention and elimination of consequences of computer attacks). This refers to computer attacks on information systems, information and telecommunication networks and automated control systems that are located in Russia itself, as well as in diplomatic missions and consulates.

Tasks which State system of detection, prevention and elimination of consequences of computer attacks has to carry out are listed in the decree. These include forecasting the information security situation in the country, ensuring cooperation between telecom operators and owners of information resources in the field of cybersecurity, monitoring the security of Russian information resources and establishing the causes of information security incidents.

In addition to directly ensuring and monitoring the functioning of State system of detection, prevention and elimination of consequences of computer attacks, the FSB will be engaged in the formation and implementation of the state scientific and technical policy in the field of combating cyber attacks, as well as develop methodological recommendations for their detection, prevention, identification of causes and elimination of consequences.

Positive Technologies and Solar Security have taken over the creation of turnkey State system of detection, prevention and elimination of consequences of computer attacks centers

The companies Solar Security Positive Technologies launched in November 2017 a joint business direction to create departmental and corporate centers of the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation (State system of detection, prevention and elimination of consequences of computer attacks) on the basis of a set of technologies and expertise of Positive Technologies, as well as Solar Security services for monitoring and responding to incidents.

According to research by Positive Technologies, in the second quarter of 2017, attackers showed increased interest in government organizations, the financial industry, defense enterprises and industrial companies, in total, 24% attacks were directed at them. Attacks on CII are characterized by high professionalism of the attackers, as well as a long and secretive presence in the victim's infrastructure. At the same time, the Solar JSOC report for the first half of 2017 shows that compliance with the methodological recommendations for the operation of departmental and corporate centers of State system of detection, prevention and elimination of consequences of computer attacks allows us to identify about 80% of external attacks.

In accordance with the federal law of 26.07.2017 N 187-FZ "On the Security of the Critical Information Infrastructure of the Russian Federation," state authorities, state corporations and other organizations related to CII must create departmental or corporate centers of State system of detection, prevention and elimination of consequences of computer attacks. To do this, organizations need appropriate technical solutions and high expertise of analysts, which will allow monitoring, analysis and investigation of incidents, as well as performing a number of other functions in accordance with the methodological recommendations of the FSB of Russia.

To help Russian organizations solve this problem, Positive Technologies and Solar Security have combined proven Russian products with the experience and expertise of the largest commercial center for monitoring and responding to cyber attacks.

Within this area: · Positive Technologies provides the customer with a set of technological solutions necessary to create the State system of detection, prevention and elimination of consequences of computer attacks center. It includes products for building information interaction with the main center of State system of detection, prevention and elimination of consequences of computer attacks, incident management, monitoring the security of the internal infrastructure and perimeter, protecting critical web services of the organization, detecting and blocking malicious mailings; · Solar Security operates these solutions, controls infrastructure security, monitors and responds to information security incidents, as well as interacts with the main center of State system of detection, prevention and elimination of consequences of computer attacks; · investigation of incidents is carried out using a cumulative examination of partners.

The use of this service allows organizations to quickly increase the overall level of security of critical infrastructure, as well as ensure compliance with the requirements of N 187-FZ and methodological recommendations for the creation of departmental and corporate centers of State system of detection, prevention and elimination of consequences of computer attacks.

Federation Council approves criminal liability for attacks on critical IT infrastructure

On July 19, it became known that Federation Council it approved the law "On Security," critical information infrastructure developed Federal Security Service (FSB) and introduced State Duma Government in December 2016. The document will enter into force from the beginning of 2018^[18]

Photo: amurmedia.ru

The law introduces the classification of objects of critical information infrastructure and provides for the creation of a register of such objects, while determining the rights and obligations of both owners of objects and the bodies that protect these objects. The body, which will be responsible for ensuring the safety of infrastructure, has not yet been appointed.

The document also provides for the creation of a state system for the detection, prevention and elimination of the consequences of computer attacks on information security resources of Russia (State system of detection, prevention and elimination of consequences of computer attacks), which will ensure the collection and exchange of information about computer attacks.

Simultaneously with the approval of the law "On the Security of Critical Information Infrastructure of the Russian Federation," amendments to the laws "On Communications," "On State Secrets," "On the Protection of the Rights of Legal Entities and Individual Entrepreneurs in the Implementation of State Control (Supervision) and Municipal Control," as well as amendments to the Criminal Code of the Russian Federation. Thus, in chapter 28 of the Criminal Code "Crimes in the field of computer information" article 274.1 will appear, which provides for punishment for harm caused to objects of critical information infrastructure.

The State Duma approved the bill on the safety of critical infrastructure

In early July 2017, the State Duma adopted in the second reading the law "On the Security of Critical Information Infrastructure." The document was developed by the Federal Security Service (FSB) and submitted to the Duma by the Government in December 2016. In January 2017, the bill was approved on first reading. The document involves the creation of the State system of detection, prevention and elimination of consequences of computer attacks system, which should ensure the collection and exchange of information about computer attacks.^[19]

The system is already working - in particular, contractors of the recently held Confederations Cup were connected to it. However, the norm on mandatory connection to the system has not yet been.

In addition, the President will need to determine the authorized body for ensuring the security of critical information infrastructure. The preparation of the relevant decree will be carried out by the FSB and the Federal Service for Technical and Export Control (FSTEC). CNews interlocutors in the information security market believe that the FSB will become such an authorized body.

Critical Infrastructure Entities

Subjects of critical information infrastructure will be state organizations, legal entities and individual entrepreneurs who own or rent information systems, information and telecommunication networks and automated control systems from a certain list of industries. The list of affected areas included power, transport, communications, science, health care, the fuel and energy complex, banking and other financial sectors, nuclear power, defense, rocket and space, mining, metallurgical and chemical industries.

Subjects of critical infrastructure (SCS) will have to create security systems based on state-developed requirements. Also, the SCI will have to immediately report to State system of detection, prevention and elimination of consequences of computer attacks about computer attacks on them, take measures indicated by the authorized bodies to repel attacks and allow special services officers to their facilities.

In the event of an attack on objects of the financial sector, the Central Bank will also need to be informed. To coordinate the activities of the SCI to repel computer attacks, the FSB will create a National Coordination Center for Computer Incidents.

The body authorized to ensure the security of critical information infrastructure will maintain a register of SCS. This register awaking to collect information for State system of detection, prevention and elimination of consequences of computer attacks. When entering the CMS into the register, the category of its significance will be determined - from the first to the third. The category will be assigned based on the economic, social, political, environmental significance of this object, as well as taking into account its significance for defense.

The authorized body will also be able to conduct scheduled and unscheduled inspections of the CMS included in the register.

Criminal punishment for attacks on CII facilities

At the same time, amendments are being made to the Criminal Code to strengthen the punishment for causing harm to objects of critical information infrastructure (CII). The creation of programs for COMPUTER which are deliberately intended for illegal access to CII facilities will be punishable by forced labor for up to five years with restriction of liberty for up to two years or imprisonment for a term of two to five years with a fine of 600 thousand to 1 million rubles.

Unlawful access to legally protected computer information stored in CII facilities, will punish forced labor for up to five years with a fine of 500 thousand to 1 million rubles. and restriction of freedom for up to two years or imprisonment for a term of two to six years with a fine of 500 thousand to 1 million rubles.

Violations of the rules for the operation of means for storing, processing and transmitting information from CII facilities or automated control networks and communication networks, classified as CII will be punished with forced labor for up to five years with deprivation of the right to hold certain positions for up to three years, or imprisonment for up to six years with deprivation of the right to hold certain positions for up to three years.

2016

Over the past year, State system of detection, prevention and elimination of consequences of computer attacks has come out of infancy. Firstly, the first public swallows appeared - the Center for the Detection, Prevention and Elimination of the Consequences of Computer Attacks () of CCOPL the state corporation, Rostec government of Samara region the tender, AFK Sistema the intention to FSO involve GosSOPKU to create and ensure the operation of a closed network. state RSNet Secondly, the first at least somehow similar to the guiding document "Methodological Recommendations for the Creation of Departmental and Corporate Centers of State system of detection, prevention and elimination of consequences of computer attacks"^[20]

The rapid development of the cybersecurity market at the expense of GosSOPKI did not happen, and this is unlikely to happen before 2018 - the state budget is sequestered in real terms from year to year, and the economy shows rather weak signs of growth. By the way, in private conversations, market participants admit that the State system of detection, prevention and elimination of consequences of computer attacks (central segment) is not only not ready for full-fledged work, but will also begin to be fully implemented only after the adoption of the legislative framework for critical information infrastructures (CII). The corresponding law, passing the authorities, has pretty much "lost weight," and now, for example, the food industry is not included in the CII. Perhaps the immediate effect of problems with the food industry will not be noticeable, but still - in case of large-scale problems there is something that we will, colleagues? Moreover, geographically the nearest and most powerful suppliers of agricultural products from the EU are cut off from the Russian consumer by Russian sanctions.

Only in the spring of 2017, the approval by the President of the Russian Federation of the Regulation on GosSOPK is also planned, the aforementioned Methodological Recommendations are likely to be finally approved, which means that it is quite possible for prudent departments to wait - and implement their cyber attack monitoring centers according to already approved regulatory documents.

2015: System Concept

In December 2014, President Vladimir Putin approved the concept of a state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation. In March 2015, the FSB published an extract from this document (download PDF) containing data on how this system will be arranged.

According to the document, the system is a single centralized geographically distributed complex, including forces and means of detecting, preventing and eliminating the consequences of computer attacks, a federal authority authorized in the field of security of the critical infrastructure of the Russian Federation and a authority authorized in the field of creating and ensuring the functioning of the system.

By "means" in the concept is meant mainly technological solutions, and by "forces" - special units and employees from the federal authority responsible for the system, as well as telecom operators and other organizations engaged in licensed activities in the field of information protection.

The National Coordination Center for Computer Incidents created in the FSB will function as part of the system

The main organizational and technical component of the system is the centers for detecting, preventing and eliminating the consequences of computer attacks, which will be divided according to territorial and departmental characteristics. In particular, the main center, regional, territorial centers of the system, as well as centers of government agencies and corporate centers will be organized. The functioning of the latter will be provided by the organizations that created them.

The system also includes the National Coordination Center for Computer Incidents, created in the FSB, which organizes and exchanges information about them with legal entities that own critical IT infrastructure facilities in the Russian Federation, telecom operators that ensure the interaction of critical IT infrastructure facilities, as well as with foreign government agencies and other organizations working in the field of responding to cyber incidents.

The main functions of the system, indicated in the concept, are to identify signs of computer attacks, determine their sources and other related information, predict the situation in the field of information security of the Russian Federation, collect and analyze information about computer attacks in relation to information resources of the Russian Federation, carry out measures to promptly respond to attacks and eliminate their consequences, etc.

Also, within the framework of the system, it is planned to organize interaction with law enforcement and other government agencies, owners of information resources of the Russian Federation, telecom operators and Internet providers at the national and international levels. It will include the exchange of information about identified computer attacks and the exchange of experience in the field of identifying and eliminating vulnerabilities in software and equipment and responding to computer incidents.

For the functioning of the system, it is planned to create an appropriate legislative framework, determine the procedure for fixing and exchanging information about computer attacks, the activities of system entities in the field of detection, prevention and elimination of the consequences of attacks.

Technical problems of State system of detection, prevention and elimination of consequences of computer attacks

These include^[21]:

• the absence of its own ON many classes, both system-wide (operating systems, database management systems) and application (for example, software for modeling deposits), for example, the system CENTRAL BANK OF THE RUSSIAN FEDERATION uses 40% of application software of foreign production, foreign databases, OS, hardware -software 95%;
• lack of its own element base;
• practical absence of domestic telecommunication equipment throughout the country;
• the topology of the country's transport network in terms of ensuring its survivability requires improvement.

Possible approaches to design of State system of detection, prevention and elimination of consequences of computer attacks

An approach is possible based on the classification of information assets of organizations by their degree of value, importance for ensuring the management of the state and preserving the knowledge necessary for the development of the country. Differentiated requirements for the protection of information assets classified in this way can be established by law, assigning responsibility to the departments themselves, in whose management information resources are - without involving organizations accredited by the FSTEC of Russia.

In this case, it will be possible to create an arbitrary structure of State system of detection, prevention and elimination of consequences of computer attacks (segments of the system by ministries. departments, organizations, constituent entities of the Russian Federation) and significantly reduce the cost of work (you do not need to create your own software and hardware). Reliability will not suffer - the isolation of the most important elements of the IT infrastructure will be safer than connecting through trusted means.

An organic drawback of this approach is the isolation of part of the system, which entails a decrease in the efficiency of the system and inconvenience for users.

An alternative approach is to find critical infrastructure locations and protect them with trusted means. In this case, the classification of information resources by the degree of their importance is irrelevant, but a domestic software and technical platform is necessary (or, at least, highly desirable).

The advantages of the second approach are significant. Firstly, there is no need to isolate system segments and a single secure information space with "transparent" administration is created. As a result, efficiency increases, control of all processes improves. Secondly, the protection of the entire infrastructure of the country is provided by domestic software and hardware with the highest level of protection.

The payback for these advantages is the high cost of the project and the long development time.

To what threats State system of detection, prevention and elimination of consequences of computer attacks has to resist

The most dangerous cyber attacks, behind which are well-organized groups of cybercriminals and/or states. But the combined damage caused to the economy by numerous less dangerous attacks can eventually be seen as a serious threat to the country.

2013

FSB has prepared bills on the security of KII

In August 2013 , the FSB published draft laws prepared by the department regarding the security of Russia's critical information infrastructure.

The first of the bills determines how the security of critical IT infrastructure is ensured in Russia and establishes the principles for ensuring such activities, as well as the powers of government agencies in this area.

A significant part of critical IT systems is not owned by the state, so the bill also provides for "additional encumbrances" for persons who own such systems on property rights.

The authors explain the need for the above law by the fact that the stability of the socio-economic development of Russia and its security are, in fact, directly dependent on the reliability and security of the functioning of information and communication networks and IT systems, and at the same time there are no existing laws governing security relations of critical IT infrastructure. This, according to the FSB, leads "to inconsistency and insufficient effectiveness of legal regulation in this area."

The second bill defines measures of responsibility for violation of legislation on the security of critical information infrastructure. At the same time, along with disciplinary, civil and administrative for violation of the law developed by the FSB, criminal liability is also provided.

For example, Article 272 of the Criminal Code ("Illegal access to computer information") of the FSB proposes to supplement with part five, which establishes responsibility for illegal access to computer information protected by law, which entailed damage to the security of critical information infrastructure or created a threat of its onset. The punishment provided for for this will be up to 10 years in prison.

Criminal liability of the bill also provides for violation of the rules for the operation of means of storing, processing or transferring protected computer information or information and telecommunication networks and equipment, as well as for violation of the rules for access to such networks, resulting in damage to the security of critical information infrastructure or creating a threat of its onset. For this, the FSB proposes to punish with imprisonment for up to 7 years.

As conceived by the FSB, after signing by the president, both bills should enter into force in January 2015.

Details of work on the project from the FSB

The FSB expects that most of the legislative acts concerning the creation and functioning in Russia of a unified state system of protection against computer attacks will be developed and published by the end of 2013, a source in the department told TAdviser on April 12, 2013. He notes that now the FSB is actively working in this direction.

The architecture of the system itself, according to the source, has not yet been worked out. Most likely, it will use an existing Russian solution, which will be finalized specifically for this project, the interlocutor of TAdviser believes. Then it is planned to deploy this solution at the sites of telecom operators, he adds.

"There is no ready-made solution in Russia that can fully compete with foreign products like Arbor," said a TAdviser interlocutor from the FSB. "And developing such a solution from scratch would take a long time."

DDos attacks cause the greatest damage to the state, a source in the FSB said in a conversation with TAdviser, so a solution that is suitable for use in the state system for preventing and eliminating the consequences of computer attacks should be especially effective in this area.

According to the interlocutor of TAdviser, Kaspersky Lab software can be used to refine for use in the system: "In my opinion, from Russian companies, it has advanced farthest in developing solutions that can effectively protect against DDoS attacks."

President Putin's decree on the creation of the system

In January 2013, President Vladimir Putin signed a decree on the creation in Russia of a system for detecting, preventing and eliminating the consequences of computer attacks on information resources located in the country and in diplomatic missions and consular offices of Russia abroad.

Its key tasks, in accordance with the presidential decree, should be to predict situations in the field of [[information security, ensure the interaction of IT resource owners in solving problems related to the detection and elimination of computer attacks with telecom operators and other organizations engaged in information protection activities. The list of tasks of the system also includes assessing the degree of protection of critical IT infrastructure from computer attacks and establishing the causes of such incidents.

Putin instructed the FSB to organize work on the creation of a state anti-hacker system .

Notes