FSB submitted to the State Duma a bill on criminal liability for cyber attacks

According to the draft law “On the security of the critical information infrastructure of the Russian Federation”, unlawful access to information stored in the critical critical infrastructure may face up to 10 years in prison, reports TASS . The document was developed by the Federal Security Service and submitted to the State Duma of the Russian Federation for consideration.

In addition, the FSB has prepared several more bills that have already been approved by the government. All of them, to one degree or another, are concerned with ensuring the security of critical infrastructure and information, as well as the responsibility to obtain access to it.

“Provides for the responsibility for the creation and (or) distribution of computer programs or other computer information, deliberately intended to improperly affect the critical information infrastructure of Russia; unauthorized access to legally protected computer information contained in a critical information infrastructure; violation of the rules for the use of the storage, processing or transfer of protected computer information in this infrastructure, ”the documents state.
')
The draft law involves making amendments to the criminal code of the Russian Federation. The government noted that information technologies have penetrated into all areas of activity of both society and the state. At the same time, there is still no clear legal basis in the country regulating responsibility for attacks, hacking and theft of information.

First of all, the amendments will concern critical state information, that is, information of an economic and defense nature. At the same time, depending on the actions taken (whether there was a hacking protection or copying of information, as well as whether the attack was carried out by a loner or by a group of individuals in a preliminary conspiracy), various preventive measures are provided.

Creating software designed to break into and gain access to critical infrastructure and information (or impact on it) will entail liability ranging from a fine of 500 thousand rubles to imprisonment for 5 years.

Hacking the protection of critical infrastructure with unauthorized access to information (with or without copying) is punished more severely - a fine of one to two million rubles and imprisonment for up to six years.

Hacking by a group of persons in a preliminary conspiracy (or using an official position) will result in a punishment of three to eight years in prison.

If there are aggravating circumstances in the form of grave consequences or the creation of a threat of their occurrence, the term of imprisonment increases to 10 years.

Regulation in the field of information security and the introduction of responsibility for the attacks is necessary, however, in the current text there are quite a lot of vague wording. So, the term can be obtained simply for the creation (but not the application) of malicious software. Also, the mechanism for assessing “grave consequences” or “the threat of their occurrence” is not fully understood, for which a maximum term of 10 years imprisonment is provided.

For almost all violations, forced labor is provided as an interim measure of restraint for periods comparable to the periods of possible imprisonment. Also, so far no “critical infrastructure” is indicated and what exactly the FSB means by it, just like by “critical information”.

The explanatory note to the draft law indicates the importance of information technology in all areas of government activity. At the same time, an analysis of the infrastructure of developed countries (USA, Germany, Japan and others) showed that protection of the network only by the authorities is impossible, since a significant part of the infrastructure of critical importance is in private ownership.