Crime and punishment for owners of critical information infrastructure of the Russian Federation

The Petya / NotPetya / ExPetr virus in 2017 was a "good" example of how large a business could suffer from this type of attack, for example , Maersk estimated the damage from Petit:

“We expect the cyber-attack will impact results negatively by USD 200–300m.”
We expect a cyber attack to adversely affect the results in the amount of 200-300 million US dollars

You remember that in mid-2017, Federal Law No. 187-FZ of July 26, 2017 “On the Security of Critical Information Infrastructure of the Russian Federation” was published and this law came into force on January 1, 2018, and with it changes to the Criminal Law came into force RF Code.

I think the issue of liability for violation of the criminal law of the Russian Federation is relevant for those whose work is related to the critical information infrastructure (hereinafter - KII).
')
Attention: in article 2 pictures (one you saw) and a lot of text.



According to Art. 14 of the Law on Security of CII: “Violation of the requirements of this Federal Law and other regulatory legal acts adopted in accordance with it entails liability in accordance with the legislation of the Russian Federation . "
We will clarify the norms of the legislation of the Russian Federation, in accordance with which criminal responsibility comes.
In order to form a regulatory framework in terms of criminal liability for violations of the Law on CII, the legislator amended the Criminal Code of the Russian Federation, by adopting a separate Federal Law N 194-FZ of 07.27.2017 “On Amendments to Certain Legislative Acts of the Russian Federation in connection with the adoption of the Federal Law of the law "On the security of the critical information infrastructure of the Russian Federation".

As owners / operators of KII, we are interested in parts 3,4,5 of Art. 274.1 of the Criminal Code. I will give the text of parts 3,4,5 of Article 274.1 of the Criminal Code of the Russian Federation in full:


I will try to analyze these norms and give a possible application of them within the judicial system.
At the end of the article are the definitions of some legal concepts necessary for commenting on the norms of criminal law.

So, for hours 3, 4 and 5, Art. 274.1 of the Criminal Code of the Russian Federation, the subject of the crime is an electronic computer (hereinafter referred to as a computer), an information carrier, a computer system, as well as computer networks that are related to the critical information infrastructure of the Russian Federation.
The object of the crime is public relations, to ensure the normal operation of the computer, the computer network, the computer system, which are related to the critical information infrastructure of the Russian Federation.
The objective side of a crime can be both action and inaction.
Violation of the rules of operation is in non-compliance with the rules for working with computers, networks and other equipment, violation of official instructions, as well as violation of the rules for handling protected computer information.
Violation of the rules of operation can be in the form of active action, a fresh example : the airport system administrator calculated bitcoins using the airport’s electrical network, or inaction, for example: the administrator does not update the anti-virus database.
The act described in Part 3 of Art. 274.1 from the subjective side is characterized by guilt in the form of intent and negligence. By analogy with art. 274 of the Criminal Code of the Russian Federation, the person foresees the infliction of damage to the Russian Federal Institute of Aviation as a result of “violation of the rules of operation by him, but without sufficient reason to do so arrogantly counts on the prevention of consequences. Either does not foresee the consequences specified in the law, although with the necessary attentiveness and forethought it should and could have foreseen “. (6)
The subject of this crime is a special one: a sane person who has reached the age of 16 years old, who has access to the Russian Federal Space Agency for Political Procedural Matters or objects belonging to the Russian Federal Aviation Institute by virtue of the performance of official duties and obliged to comply with the established rules of exploitation.
Mandatory feature h. 3 Article. 274.1 are socially dangerous consequences in the form of harm to the critical information infrastructure of the Russian Federation.

Pay attention to the wording causing “harm to the critical information infrastructure of the Russian Federation” ; here it is necessary to highlight the word “harm” .
The question arises, how much money should be a loss in order to be classified as “ harm ”?
It is also worth noting that in paragraph 2 of Art. 272 of the Criminal Code of the Russian Federation is an interesting note: “ Major damage in the articles of this chapter is recognized as damage, the amount of which exceeds one million rubles”.
At the same time, a causal link between the fact of a violation of exploitation and the infliction of harm should be confirmed.
Taking into account the above, as well as the fact that the concept of “harm” in monetary terms is obviously already the concept of “major damage” - it can be said that under the size of the “damage” of KII RF, the legislator most likely understands the damage less than one million rubles .

By analogy with art. 274 of the Criminal Code of the Russian Federation: the deliberate actions that entailed harm to the Russian Federal Institute for Examination of the Russian Federation (theft of individual components, damage to or destruction of equipment) are not crimes under Art. 274.1 of the Criminal Code of the Russian Federation - in this case, the acts must be qualified under the relevant articles of Ch. 21 of the Criminal Code.

Responsibility for the crimes described in Part 3 of Art. 274.1 of the Criminal Code of the Russian Federation without qualifying signs, differentiated, and the choice remains with the court:
- forced labor for a period of up to five years with the deprivation of the right to hold certain positions or engage in certain activities for a period of up to three years or without it;
- or imprisonment for up to six years with the deprivation of the right to occupy certain positions or engage in certain activities for up to three years or without it.
In fact, the court may, in one option, be brought to forced labor with deprivation of special rights (to engage in certain activities or hold certain positions) or to imprisonment for up to six years with deprivation of special rights (engage in certain activities or hold certain positions).

Parts 4 and 5 of Article 274.1 of the Criminal Code of the Russian Federation possess a number of qualifying signs, we consider them.
Part 4 of article 274.1 of the Criminal Code of the Russian Federation reads as follows: “The acts provided for in part one, two or three of this article, committed by a group of persons in a preliminary conspiracy, or by an organized group, or by a person using his official position” .
In this part, the qualifying signs will be:
- by a group of persons by prior agreement or by an organized group;
- face;
- using his official position.
Here it is necessary to clarify the concept of “ using one’s official position”. The position of the Plenum of the Supreme Court of the Russian Federation in the general case is as follows: persons using their official position should be understood as officials, employees, and also persons performing managerial functions in commercial and other organizations. More details can be found in the article .
As you can see, in this corpus delicti there must be a group of persons previously, conspiring, or an organized group that is preparing or has already committed a crime. It should be understood that the public danger of such acts increases significantly, and the legislator introduces a qualifying qualifying attribute: “using his official position” . In the aggregate, a group of persons using their official position can cause more substantial harm.
It is worth noting that the organization of a group to commit a crime, and participation in such a group is a separate corpus delicti, and within the framework of the prosecution will be considered as an aggravating circumstance, see paragraph (c) of art. 63 of the Criminal Code, as well as Article. 35 of the Criminal Code and Art. 210 of the Criminal Code, respectively, the punishment will be more severe.
As already noted above in Part 4 of Art. 274.1. There is another qualifying attribute: “a person using his official position” .
This design says that under Part 3 of Art. 274.1. The person who can be held accountable is not only the direct perpetrator, but also the leader, in whose actions there is such a crime.
Therefore, the legislator introduces more severe responsibility for crimes with such qualifying features:
is punished by imprisonment for the term from three up to eight years with deprivation of the right to hold certain posts or to engage in certain activities for up to three years or without it.

Due to the fact that in the context of the issue being studied, it is worth paying attention to the presence of such a risk as: committing a crime using one’s official position and at the same time creating a criminal group using one’s official position, i.e. there is such a person as the organizer. These acts will be separate elements of crimes, with appropriate responsibility, which will be taken into account by the court according to the rules of art. 69 of the Criminal Code.

Let us proceed to the consideration of Part 5 of Art. 274.1 of the Criminal Code:
“The acts provided for in the first, second, third or fourth part of this article, if they have entailed heavy consequences”
As you can see, there is another qualifying sign of “grave consequences”.
A brief analysis of judicial practice shows that there is no single approach to the definition of the concept of “grave consequences” in terms of the amount of damage in monetary terms (more details can be found in the article ), in each case the court should establish the amount of harm / severity of consequences, based on the circumstances the case, as well as the context of current law enforcement practice and the uncertainty of the interpretation of the extent of the damage, it is often extremely difficult to accurately determine the category of consequences.
However, it is worth noting that the category of “grave consequences” obviously describes more dangerous consequences than “major damage” , which was discussed above and defined as “damage whose sum exceeds one million rubles” .
At the same time, the following events can undoubtedly be attributed to grave consequences: the death and serious injuries of people, destruction of infrastructure, damage to buildings and structures, harm to the security of the state, etc.
The described part defines even more substantial responsibility for acts with such consequences:
“Shall be punished with imprisonment for a term of five to ten years with the deprivation of the right to occupy certain posts or to engage in certain activities for a term of up to five years or without it” .

I think it is also worthwhile to dwell on the wording in the sanctions part of the norms of part 3,4,5 of Art. 274.1 of the Criminal Code: "with the deprivation of the right to occupy certain positions or engage in certain activities for a period of ... years or without one . "
With the notion of “deprivation of rights” everything is obvious, an injunction can be issued to fill certain positions, for example: management positions or to engage in certain activities - for example, to provide information protection services. The term of the ban may be either temporary or unlimited. At the same time, the court has the option not to include in the verdict a judicial ban on the right to occupy certain positions or engage in certain activities.

In conclusion, it should be noted that with the complexity and imperfection of the legislative base and the absence of judicial practice for the commission of crimes described in part 3,4,5 of article 274.1 of the Criminal Code of the Russian Federation, both the direct perpetrators and the management of legal entities / state bodies may be responsible.
The legislator logically makes the size of responsibility dependent on the severity of the damage / consequences of the crime, but does not establish rules for determining the severity of consequences, leaving the issue to the judicial system, which in turn can interpret the law quite broadly.
The figure below presents the main points reflected in the article.



Terms and Definitions
The subject of a crime is a concrete material thing in which certain properties of social relations (the object of the crimes) manifest themselves, through physical or mental impact on which socially dangerous harm is caused in the sphere of social relations. (one)
The object of a crime is those public relations under criminal law protection against which the crime is directed.
The objective side of a crime is an external manifestation of a specific socially dangerous behavior, carried out in certain conditions, place, time and harmful to social relations.
The subjective side of a crime is the mental attitude of a person to the crime he commits, which is characterized by a particular form of guilt, motive and purpose.
The subject of a crime is recognized as a sane person who has reached the age specified by the legislator, who has committed a socially dangerous act prohibited by law and has caused harm to the object of criminal law protection. (Art. 19 of the Criminal Code of the Russian Federation).

PS: added the name.
Leges intellegi ab omnibus debent (lat.) - the laws should be clear to everyone.

Sources
Regulations
(1) Federal Law of 18.07.2017 N 187- “On the Security of the Critical Information Infrastructure of the Russian Federation”.
(2) “Criminal Code of the Russian Federation” of 13.06.1996 N 63-FZ (as amended on 12/20/2017) (as amended and added, entered into force on 01/01/2018).
(3) FZ N 194-FZ of 07/26/2017 “On Amendments to Certain Legislative Acts of the Russian Federation in Connection with the Adoption of the Federal Law“ On the Safety of Critical Information Infrastructure of the Russian Federation ”.

Literature
(1) s. 17, Korzhansky N.I. - The subject of a crime. - Volgograd, 1975.
(2) “Commentary to the Criminal Code of the Russian Federation” (itemized) (7th edition, revised and supplemented) (ed. By G. A. Esakov) (“Prospect”, 2017)
(3) Criminal law of Russia. General part: Textbook / Ed. F.R. Sundurov, I.A. Tarkhanov. - 2nd ed., Pererab. and add. - M .: Statute, 2016. - 864 p.
(4) Criminal law of Russia. The special part: the Textbook / Ed. F.R. Sundurov, M.V. Talan M .: Statute, 2012. - 943 p.
(5) Article: The onset of serious consequences as a result of abuse of authority. www.s-yu.ru/articles/2012/6/5903.html
(6) Comment to the Criminal Code of the Russian Federation: stykrf.ru/274