Russia, Hotbed of Cybercrime, Says Nyet to Ethical Hacking Bill

Russia, a country infamous for being a hotbed of cybercrime, has dealt a significant blow to efforts aimed at legalizing ethical hacking. The State Duma, the lower house of Russia's general assembly, has rejected a bill that would have made provisions for white-hat hacking and cybersecurity research. This move has left many in the industry feeling uneasy about the potential impact on national security.

The bill, which was first introduced by Russia's Ministry of Digital Development in 2022, aimed to provide a framework for services such as penetration testing and bug bounties. However, concerns over how state secrets held on government and critical infrastructure systems could be compromised led politicians to block its passage into law.

One of the main objections raised by politicians was that if vulnerabilities were found in software made by companies headquartered in hostile countries, those security holes would inevitably have to be shared with them. This could lead to hostile nations abusing those weak spots for strategic gain, compromising national security.

Another concern was that the bill failed to explain comprehensively how existing laws would need to be adjusted to make provisions for ethical or "white-hat" hacking and cybersecurity research. Experts say that even where established cybersecurity companies in Russia can carry out vulnerability research, opportunities for individuals are far scarcer.

Individuals carrying out legitimate cybersecurity research are often treated as malicious, regardless of their intentions. Since there is no legal provision for ethical hacking, researchers can be prosecuted under the Russian Criminal Code, which outlaws unauthorized access to computer systems. Dmitry Kuramin, senior penetration tester at Jet Infosystems, says that established companies have the resources to interpret software license agreements correctly and to probe the software within the limits those agreements set.

Contrary to popular belief, Russia is not quite the Wild West of cybercrime that it is often made out to be. Cyberattacks against Russian entities are very much illegal and carry consequences as heavy as those in the Western world. However, prosecution can mean being sent to a penal colony, which is like prison but less fun.

Technically, even attacks by Russian cybercriminals such as ransomware crews on entities located in hostile nations are crimes in Russia, and by the letter of the law the perpetrators can and should be punished. However, Putin's regime is known for turning a blind eye to this kind of activity. As long as the crime is hurting Russia's enemies, it is typically allowed to continue.

For individual bug bounty hunters or hobbyist researchers, the current legal restrictions in Russia mean that good-faith work can be punished, chiefly as a violation of copyright law, which could result in a hefty fine. In Russia, vulnerability research is typically carried out by cybersecurity companies in collaboration with customers – who sign NDAs – and the Federal Service for Technical and Export Control (FSTEC).

These customers are usually Russian software vendors, meaning any vulnerabilities found would be unlikely to leak to hostile governments, even if an NDA were not there to prevent it. An additional measure taken to control the flow of vulnerability information is that researchers have to report findings exclusively to FSTEC, which then disseminates the details via its Data Bank of Information Security Threats.

However, Russian cybersecurity companies are heavily limited in their ability to probe software made by foreign vendors, due to the widespread sanctions placed on the country following its invasion of Ukraine. Many Western vendors pulled out of Russia shortly after the invasion began, making their products unavailable and refusing to do business with any individual or company in the country.

Even if Russian researchers were able to acquire a copy of US-made software, for example, the broad reach of the Computer Fraud and Abuse Act and wide sanctions slapped on Russia mean they could face criminal and financial penalties for conducting good-faith work. Despite this, experts say that it is still possible for established cybersecurity companies in Russia to carry out vulnerability research, although opportunities for individuals are much less abundant.

The Future of Cybersecurity Research in Russia

Anton Nemkin, one of the politicians pushing for these changes, plans to resubmit an amended draft to allay concerns. Experts say that it is still unclear whether this will lead to a change in policy, but it marks a positive step towards making provisions for ethical hacking and cybersecurity research.

The rejection of the bill has left many wondering what the future holds for cybersecurity research in Russia. Will individuals be able to conduct vulnerability research without fear of prosecution? Only time will tell, but one thing is certain – the lack of clarity on this issue poses a significant challenge for the country's efforts to combat cybercrime and protect its citizens.