Article Details

Scrape Timestamp (UTC): 2025-07-10 15:21:52.663

Source: https://www.theregister.com/2025/07/10/russia_ethical_hacking_bill/

Original Article Text


Russia, hotbed of cybercrime, says nyet to ethical hacking bill

Politicians uneasy over potential impact on national security, local reports say.

Russia, home to some of the world's most lucrative and damaging cybercrime operations, has rejected a bill to legalize ethical hacking.

The State Duma, the lower house of Russia's general assembly, blocked the bill's passage into law on various grounds, including concerns that state secrets held on government and critical infrastructure systems could be made less secure as a result.

Politicians said that if vulnerabilities were found in software made by companies headquartered in hostile countries, those security holes would invariably have to be shared with those companies, which in turn could lead to hostile nations abusing the weak spots for strategic gain.

Other objections focused on how the bill failed to comprehensively explain the ways in which existing laws would have to be adjusted to make provision for ethical or "white-hat" hacking and cybersecurity research.

Discussions around making legal provisions for services such as penetration testing and bug bounties were originally introduced by Russia's Ministry of Digital Development in 2022, with a first draft of the bill introduced in 2023. According to Russian media outlet RBC, one of the politicians pushing for these changes, Anton Nemkin, plans to resubmit an amended draft to allay concerns.

Experts said that it is still possible for established cybersecurity companies in Russia to carry out vulnerability research, although opportunities for individuals are much less abundant. Individuals carrying out legitimate cybersecurity research are often treated as malicious, regardless of their intentions. Since there is no legal provision for ethical hacking, researchers can be prosecuted under the Russian Criminal Code, which outlaws unauthorized access to computer systems.

Dmitry Kuramin, senior penetration tester at Jet Infosystems, told RBC that established companies have the resources available to correctly interpret software license agreements, and to probe them accordingly.

Russia's views on cybersecurity

Contrary to popular belief, Russia is not quite the Wild West of cybercrime that it is often made out to be. Cyberattacks against Russian entities are very much illegal and carry consequences just as heavy as they do in the Western world. The major downside here is that prosecution can mean being sent to a penal colony, which is like prison but less fun.

Technically, even attacks launched by Russian cybercriminals, such as ransomware crews, on entities located in hostile nations are a crime in Russia, and by the letter of the law the perpetrators can and should be punished. However, Putin's regime is known for turning a blind eye to this kind of activity. As long as the crime is hurting Russia's enemies, it is typically allowed to continue. It is mostly a culture of ignorant permissiveness rather than something actively encouraged, although when it comes to certain groups, relationships between the state and cybercriminals are thought to be remarkably close.

For individual bug bounty hunters or hobbyist researchers, the current legal restrictions in Russia mean that good-faith work can be punished, chiefly under copyright law, which could result in a hefty fine.

In Russia, vulnerability research is typically carried out by cybersecurity companies in collaboration with customers – who sign NDAs – and the Federal Service for Technical and Export Control (FSTEC). These customers are usually Russian software vendors, meaning any vulnerabilities found would be unlikely to leak to hostile governments, even if an NDA were not there to prevent such a thing.

An additional measure taken to control the flow of vulnerability information is that researchers have to report findings exclusively to FSTEC, which then disseminates the details via its Data Bank of Information Security Threats.

Conversely, Russian cybersecurity companies are heavily limited in their ability to probe software made by foreign vendors due to the widespread sanctions placed on the country following its invasion of Ukraine. Shortly after the invasion began, many Western vendors pulled out of Russia, making their products unavailable and refusing to do business with any person or company in the country. Many others that did not voluntarily withdraw were forced to by economic sanctions.

Even if Russian researchers were able to acquire a copy of US-made software, for example, the broad reach of the Computer Fraud and Abuse Act and the wide sanctions slapped on Russia mean they could face criminal and financial penalties for conducting good-faith work.

Daily Brief Summary

CYBERCRIME // Russia Rejects Bill to Legalize Ethical Hacking Amid Security Fears

Russia's State Duma has rejected a bill aimed at legalizing ethical hacking, citing national security concerns.

Politicians expressed concerns that vulnerabilities discovered could be exploited by hostile nations if shared with foreign software companies.

The bill lacked clarity on how existing laws would adapt to allow ethical hacking, including practices like penetration testing and bug bounties.

Despite the rejection, established Russian cybersecurity firms can still conduct vulnerability research, but individual researchers face significant legal risks.

Unauthorized access to computer systems, even for ethical purposes, can lead to prosecution under the Russian Criminal Code.

Russia does not encourage cybercrime; however, it often overlooks activities targeting its adversaries, reflecting a culture of tacit approval.

Ethical hacking in Russia is confined primarily to collaborations between cybersecurity companies and domestic software vendors under strict confidentiality and control measures.

Russian researchers face limitations on probing foreign software due to sanctions, particularly following Russia's invasion of Ukraine.