Decree of the President of the Russian Federation of December 5, 2016 N 646
"On the approval of the Doctrine information security Russian Federation"
In order to ensure the information security of the Russian Federation, I decree:
2. Recognize the Doctrine of Information Security of the Russian Federation, approved by the President of the Russian Federation on September 9, 2000 No. Pr-1895, as invalid.
3. This Decree comes into force from the date of its signing.
|
President of Russian Federation |
Doctrine
information security of the Russian Federation
(approved by Decree of the President of the Russian Federation of December 5, 2016 N 646)
I. General provisions
1. This Doctrine represents a system of official views on ensuring the national security of the Russian Federation in the information sphere.
In this Doctrine, the information sphere is understood as the totality of information, objects of informatization, information systems, sites on the information and telecommunications network "Internet" (hereinafter referred to as the "Internet"), communication networks, information technologies, subjects whose activities are related to the formation and processing of information, the development and use of these technologies, ensuring information security, as well as a set of mechanisms for regulating relevant social relations.
2. This Doctrine uses the following basic concepts:
A) national interests of the Russian Federation in the information sphere(hereinafter referred to as national interests in the information sphere) - objectively significant needs of the individual, society and the state to ensure their security and sustainable development as they relate to the information sphere;
b) threat to information security of the Russian Federation(hereinafter referred to as information threat) - a set of actions and factors that create a danger of causing damage to national interests in the information sphere;
V) information security of the Russian Federation(hereinafter referred to as information security) - a state of protection of the individual, society and the state from internal and external information threats, which ensures the implementation of the constitutional rights and freedoms of man and citizen, a decent quality and standard of living for citizens, sovereignty, territorial integrity and sustainable socio-economic development Russian Federation, defense and security of the state;
G) ensuring information security- implementation of interconnected legal, organizational, operational-search, intelligence, counterintelligence, scientific-technical, information-analytical, personnel, economic and other measures to forecast, detect, contain, prevent, repel information threats and eliminate the consequences of their manifestation;
d) information security forces- state bodies, as well as divisions and officials of state bodies, local government bodies and organizations authorized to solve problems of ensuring information security in accordance with the legislation of the Russian Federation;
e) information security tools- legal, organizational, technical and other means used by information security forces;
and) information security system- a set of information security forces that carry out coordinated and planned activities, and the information security tools they use;
h) information infrastructure of the Russian Federation(hereinafter - information infrastructure) - a set of informatization objects, information systems, sites on the Internet and communication networks located on the territory of the Russian Federation, as well as in territories under the jurisdiction of the Russian Federation or used on the basis of international treaties Russian Federation.
3. This Doctrine, based on an analysis of the main information threats and an assessment of the state of information security, defines the strategic goals and main directions for ensuring information security, taking into account the strategic national priorities of the Russian Federation.
4. The legal basis of this Doctrine is the Constitution of the Russian Federation, generally recognized principles and norms of international law, international treaties of the Russian Federation, federal constitutional laws, federal laws, as well as regulatory legal acts of the President of the Russian Federation and the Government of the Russian Federation.
5. This Doctrine is a strategic planning document in the field of ensuring the national security of the Russian Federation, which develops the provisions of the National Security Strategy of the Russian Federation, approved by Decree of the President of the Russian Federation of December 31, 2015 N 683, as well as other strategic planning documents in this area.
6. This Doctrine is the basis for the formation of state policy and the development of public relations in the field of information security, as well as for the development of measures to improve the information security system.
II. National interests in the information sphere
7. Information technologies have acquired a global cross-border nature and have become an integral part of all spheres of activity of the individual, society and state. Their effective use is a factor in accelerating the economic development of the state and the formation of the information society.
The information sphere plays an important role in ensuring the implementation of the strategic national priorities of the Russian Federation.
8. National interests in the information sphere are:
a) ensuring and protecting the constitutional rights and freedoms of man and citizen in terms of obtaining and using information, privacy when using information technology, providing information support for democratic institutions, mechanisms of interaction between the state and civil society, as well as the use of information technology in the interests of preserving cultural, historical, spiritual and moral values of the multinational people of the Russian Federation;
b) ensuring the sustainable and uninterrupted functioning of the information infrastructure, primarily the critical information infrastructure of the Russian Federation (hereinafter referred to as the critical information infrastructure) and unified network telecommunications of the Russian Federation, in peacetime, during the period of immediate threat of aggression and in wartime;
c) development of the information technology and electronics industry in the Russian Federation, as well as improvement of the activities of industrial, scientific and scientific-technical organizations in the development, production and operation of information security means, provision of services in the field of information security;
d) bringing to the Russian and international public reliable information about the state policy of the Russian Federation and its official position on socially significant events in the country and the world, the use of information technologies in order to ensure the national security of the Russian Federation in the field of culture;
e) promoting the formation of an international information security system aimed at countering threats from the use of information technologies to disrupt strategic stability, strengthening equal strategic partnerships in the field of information security, as well as protecting the sovereignty of the Russian Federation in information space.
9. The implementation of national interests in the information sphere is aimed at creating a safe environment for the circulation of reliable information and resistant to various types the impact of information infrastructure in order to ensure the constitutional rights and freedoms of man and citizen, the stable socio-economic development of the country, as well as the national security of the Russian Federation.
III. Main information threats and the state of information security
10. The expansion of the areas of application of information technologies, being a factor in the development of the economy and improving the functioning of public and state institutions, at the same time gives rise to new information threats.
The possibilities of cross-border information circulation are increasingly used to achieve geopolitical, military-political, terrorist, extremist, criminal and other illegal goals, to the detriment of international security and strategic stability.
At the same time, the practice of introducing information technologies without linking it with ensuring information security significantly increases the likelihood of information threats.
11. One of the main negative factors affecting the state of information security is the build-up of nearby foreign countries possibilities of information and technical influence on information infrastructure for military purposes.
At the same time, the activities of organizations carrying out technical intelligence in relation to Russian government agencies, scientific organizations and enterprises of the military-industrial complex are intensifying.
12. The scope of the use by special services of individual states of means of providing information and psychological influence aimed at destabilizing the internal political and social situation in various regions of the world and leading to the undermining of sovereignty and violation of the territorial integrity of other states is expanding. These activities involve religious, ethnic, human rights and other organizations, as well as separate groups citizens, while the capabilities of information technology are widely used.
There is a trend towards an increase in the volume of materials in foreign media containing a biased assessment of the state policy of the Russian Federation. Russian media are often subjected to outright discrimination abroad, and obstacles are created for Russian journalists to carry out their professional activities.
The information impact on the population of Russia, primarily on young people, is increasing in order to erode traditional Russian spiritual and moral values.
13. Various terrorist and extremist organizations widely use mechanisms of information influence on individual, group and public consciousness in order to escalate interethnic and social tension, incite ethnic and religious hatred or enmity, promote extremist ideology, as well as attract new supporters to terrorist activities. Such organizations, for illegal purposes, actively create means of destructive influence on critical information infrastructure objects.
14. The scale of computer crime is increasing, primarily in the credit and financial sphere, the number of crimes related to the violation of the constitutional rights and freedoms of man and citizen is increasing, including in terms of privacy, personal and family secrets, when processing personal data using information technology. At the same time, the methods, methods and means of committing such crimes are becoming more and more sophisticated.
15. The state of information security in the field of national defense is characterized by an increase in the use of information technologies by individual states and organizations for military-political purposes, including for carrying out actions contrary to international law, aimed at undermining the sovereignty, political and social stability, and territorial integrity of the Russian Federation and its allies and pose a threat to international peace, global and regional security.
16. The state of information security in the field of state and public security is characterized by a constant increase in complexity, increasing scale and increasing coordination of computer attacks on critical information infrastructure facilities, increasing intelligence activities of foreign states in relation to the Russian Federation, as well as increasing threats of using information technologies to cause damage sovereignty, territorial integrity, political and social stability of the Russian Federation.
17. The state of information security in the economic sphere is characterized by an insufficient level of development of competitive information technologies and their use for the production of products and provision of services. The level of dependence of the domestic industry on foreign information technologies remains high in terms of electronic components, software, computer technology and communications, which determines the dependence of the socio-economic development of the Russian Federation on the geopolitical interests of foreign countries.
18. The state of information security in the field of science, technology and education is characterized by insufficient effectiveness of scientific research aimed at creating promising information technologies, low level implementation of domestic developments and insufficient staffing in the field of information security, as well as low awareness of citizens in matters of ensuring personal information security. At the same time, measures to ensure the security of information infrastructure, including its integrity, availability and sustainable operation, using domestic information technologies and domestic products often do not have a comprehensive basis.
19. The state of information security in the field of strategic stability and equal strategic partnership is characterized by the desire of individual states to use technological superiority to dominate the information space.
The current distribution between countries of the resources necessary to ensure the secure and sustainable functioning of the Internet does not allow for joint fair management based on the principles of trust.
The lack of international legal norms regulating interstate relations in the information space, as well as mechanisms and procedures for their application that take into account the specifics of information technology, makes it difficult to form an international information security system aimed at achieving strategic stability and equal strategic partnership.
IV. Strategic goals and main directions for ensuring information security
20. The strategic goal of ensuring information security in the field of national defense is to protect the vital interests of the individual, society and the state from internal and external threats associated with the use of information technologies for military-political purposes that are contrary to international law, including for the purpose of carrying out hostile actions and acts of aggression aimed at undermining sovereignty, violating the territorial integrity of states and posing a threat to international peace, security and strategic stability.
21. In accordance with the military policy of the Russian Federation, the main directions of ensuring information security in the field of national defense are:
a) strategic containment and prevention of military conflicts that may arise as a result of the use of information technologies;
b) improving the system for ensuring information security of the Armed Forces of the Russian Federation, other troops, military formations and bodies, which includes forces and means of information warfare;
c) forecasting, detection and assessment of information threats, including threats to the Armed Forces of the Russian Federation in the information sphere;
d) assistance in ensuring the protection of the interests of the allies of the Russian Federation in the information sphere;
e) neutralization of information and psychological influence, including those aimed at undermining the historical foundations and patriotic traditions associated with the defense of the Fatherland.
22. The strategic goals of ensuring information security in the field of state and public security are the protection of sovereignty, maintaining political and social stability, the territorial integrity of the Russian Federation, ensuring fundamental rights and freedoms of man and citizen, as well as protecting critical information infrastructure.
23. The main directions of ensuring information security in the field of state and public security are:
a) countering the use of information technologies to promote extremist ideology, the spread of xenophobia, ideas of national exclusivity in order to undermine sovereignty, political and social stability, forcibly change the constitutional system, and violate the territorial integrity of the Russian Federation;
b) suppression of activities harmful to the national security of the Russian Federation, carried out using technical means and information technologies by special services and organizations of foreign states, as well as individuals;
c) increasing the security of critical information infrastructure and the stability of its functioning, developing mechanisms for detecting and preventing information threats and eliminating the consequences of their manifestation, increasing the protection of citizens and territories from the consequences emergency situations caused by information and technical impact on critical information infrastructure facilities;
d) increasing the security of the functioning of information infrastructure facilities, including in order to ensure sustainable interaction between government bodies, preventing foreign control over the functioning of such facilities, ensuring the integrity, stability of operation and security of the unified telecommunication network of the Russian Federation, as well as ensuring the security of information transmitted through it and processed in information systems on the territory of the Russian Federation;
e) increasing the safety of operation of weapons, military and special equipment and automated systems management;
f) increasing the effectiveness of preventing offenses committed using information technologies and combating such offenses;
g) ensuring the protection of information containing information constituting state secrets, other information of limited access and distribution, including by increasing the security of relevant information technologies;
h) improvement of methods and methods of production and safe use of products, provision of services based on information technologies using domestic developments that meet information security requirements;
i) increasing the efficiency of information support for the implementation of state policy of the Russian Federation;
j) neutralization of information impact aimed at eroding traditional Russian spiritual and moral values.
24. The strategic goals of ensuring information security in the economic sphere are to reduce to the minimum possible level the influence of negative factors caused by the insufficient level of development of the domestic information technology and electronics industry, the development and production of competitive means of ensuring information security, as well as increasing the volume and quality of service provision in areas of information security.
25. The main directions of ensuring information security in the economic sphere are:
A) innovative development the information technology and electronics industries, increasing the share of products from this industry in the gross domestic product and in the structure of the country’s exports;
b) eliminating the dependence of domestic industry on foreign information technologies and information security means through the creation, development and widespread implementation of domestic developments, as well as the production of products and the provision of services based on them;
c) increasing the competitiveness of Russian companies operating in the information technology and electronics industry, development, production and operation of information security equipment that provide services in the field of information security, including through the creation of favorable conditions for carrying out activities on the territory of the Russian Federation ;
d) development of a domestic competitive electronic component base and technologies for the production of electronic components, meeting the needs of the domestic market for such products and the entry of these products into the world market.
26. The strategic goal of ensuring information security in the field of science, technology and education is to support the innovative and accelerated development of the information security system, the information technology industry and the electronics industry.
27. The main directions of ensuring information security in the field of science, technology and education are:
a) achieving the competitiveness of Russian information technologies and developing scientific and technical potential in the field of information security;
b) creation and implementation of information technologies that are initially resistant to various types of impact;
c) conducting scientific research and carrying out experimental developments in order to create promising information technologies and means of ensuring information security;
d) development of human resources in the field of information security and application of information technologies;
e) ensuring the protection of citizens from information threats, including through the formation of a culture of personal information security.
28. The strategic goal of ensuring information security in the field of strategic stability and equal strategic partnership is the formation of a sustainable system of non-conflict interstate relations in the information space.
29. The main directions of ensuring information security in the field of strategic stability and equal strategic partnership are:
a) protection of the sovereignty of the Russian Federation in the information space through the implementation of an independent and independent policy aimed at realizing national interests in the information sphere;
b) participation in the formation of an international information security system that ensures effective counteraction to the use of information technologies for military-political purposes that are contrary to international law, as well as for terrorist, extremist, criminal and other illegal purposes;
c) creation of international legal mechanisms that take into account the specifics of information technologies in order to prevent and resolve interstate conflicts in the information space;
d) promoting, within the framework of the activities of international organizations, the position of the Russian Federation, which provides for ensuring equal and mutually beneficial cooperation of all interested parties in the information sphere;
e) development of a national management system for the Russian segment of the Internet.
V. Organizational basis for ensuring information security
30. The information security system is part of the national security system of the Russian Federation.
Ensuring information security is carried out on the basis of a combination of legislative, law enforcement, law enforcement, judicial, control and other forms of activity of government bodies in interaction with local governments, organizations and citizens.
31. The information security system is built on the basis of the delimitation of powers of legislative, executive and judicial authorities in this area, taking into account the jurisdiction of federal government bodies, government bodies of constituent entities of the Russian Federation, as well as local governments, determined by the legislation of the Russian Federation in the field of security security.
32. The composition of the information security system is determined by the President of the Russian Federation.
33. The organizational basis of the information security system consists of: the Federation Council of the Federal Assembly of the Russian Federation, the State Duma of the Federal Assembly of the Russian Federation, the Government of the Russian Federation, the Security Council of the Russian Federation, federal executive authorities, the Central Bank of the Russian Federation, the Military-Industrial Commission of the Russian Federation, interdepartmental bodies created by the President of the Russian Federation and the Government of the Russian Federation, executive authorities of the constituent entities of the Russian Federation, local government bodies, judicial authorities taking part in solving problems of ensuring information security in accordance with the legislation of the Russian Federation.
Participants in the information security system are: owners of critical information infrastructure objects and organizations operating such objects, media and mass communications, organizations in the monetary, foreign exchange, banking and other areas of the financial market, telecom operators, information system operators, organizations carrying out activities for the creation and operation of information systems and communication networks, for the development, production and operation of information security means, for the provision of services in the field of information security, organizations carrying out educational activities in this area, public associations, other organizations and citizens who in accordance with the legislation of the Russian Federation, participate in solving problems to ensure information security.
34. The activities of government bodies to ensure information security are based on the following principles:
a) the legality of public relations in the information sphere and the legal equality of all participants in such relations, based on the constitutional right of citizens to freely seek, receive, transmit, produce and disseminate information in any legal way;
b) constructive interaction between government bodies, organizations and citizens when solving problems to ensure information security;
c) maintaining a balance between the need of citizens for the free exchange of information and restrictions related to the need to ensure national security, including in the information sphere;
d) sufficiency of forces and means to ensure information security, determined, inter alia, through the constant monitoring of information threats;
e) compliance with generally recognized principles and norms of international law, international treaties of the Russian Federation, as well as the legislation of the Russian Federation.
35. The tasks of government bodies within the framework of activities to ensure information security are:
a) ensuring the protection of the rights and legitimate interests of citizens and organizations in the information sphere;
b) assessing the state of information security, forecasting and detecting information threats, identifying priority areas for their prevention and eliminating the consequences of their manifestation;
c) planning, implementation and evaluation of the effectiveness of a set of measures to ensure information security;
d) organizing the activities and coordinating the interaction of information security forces, improving their legal, organizational, operational search, intelligence, counterintelligence, scientific and technical, information and analytical, personnel and economic support;
e) development and implementation of measures of state support for organizations engaged in the development, production and operation of information security means, provision of services in the field of information security, as well as organizations carrying out educational activities in this area.
36. The tasks of government bodies within the framework of activities to develop and improve the information security system are:
a) strengthening the vertical management and centralization of information security forces at the federal, interregional, regional, municipal levels, as well as at the level of informatization objects, information system operators and communication networks;
b) improving the forms and methods of interaction between information security forces in order to increase their readiness to counter information threats, including through regular training (exercises);
c) improving the information-analytical and scientific-technical aspects of the functioning of the information security system;
d) increasing the efficiency of interaction between government bodies, local governments, organizations and citizens in solving problems of ensuring information security.
37. The implementation of this Doctrine is carried out on the basis of sectoral strategic planning documents of the Russian Federation. In order to update such documents, the Security Council of the Russian Federation determines a list of priority areas for ensuring information security for the medium term, taking into account the provisions of the strategic forecast of the Russian Federation.
38. The results of monitoring the implementation of this Doctrine are reflected in the annual report of the Secretary of the Security Council of the Russian Federation to the President of the Russian Federation on the state of national security and measures to strengthen it.
Chairman of the State Duma Committee on Information Policy, Information Technologies and Communications Leonid Levin, after the publication of Decree of the President of the Russian Federation of December 5, 2016 No. 646 “On approval of the Information Security Doctrine of the Russian Federation” noted:
“The new Information Security Doctrine, approved by the Decree of the President of the Russian Federation, reflects the changed situation in the world in connection with the development of information technology. The range of threats has expanded and is shifting to the sphere of communication networks and consumer digital technologies.
Most important point it is a recognition that the Internet is as much a space of international politics as any other medium. Accordingly, military threats and military conflicts are also possible on the network. It is directly stated that the intelligence services of individual countries on a state scale use IT for malicious purposes and this poses an obvious threat to the sovereignty of our country and the well-being of citizens. Old threats from extremists and drug dealers, computer hackers and fraudsters remain, but what is new is the emergence of network threats at the level of interstate confrontation. The concept of “cyberwar” has become not a toy of teenagers and futurists, but a factor in international relations. All this once again reminds us of the proposals expressed more than once in Russia to create an international institution for regulating the Internet at the level and according to the principles of the UN. The noble goal of preventing war, which lies at the heart of the UN ideology, becomes extremely urgent.
What is also important in the Doctrine is what actually high level expresses commitment to the principles of freedom of speech and free information exchange. Protecting the right of Russian citizens to freely receive information, and Russian journalists to ensure this right, is designated as a state task. Attention is paid to protecting the privacy of Russian citizens during the processing of personal data. Russian legislation provides for the protection of personal data of Russians from unauthorized changes by placing databases on the territory of the Russian Federation. The relevance of these provisions of the law is emphasized by the new Doctrine.
I would also like to note that the content of the Doctrine clearly indicates that the adoption in the last convocation of the State Duma of the Federal Law of June 29, 2015 No. 188-FZ “On Amendments to the Federal Law “On Information, Information Technologies and Information Protection” and Article 14 of the Federal Law “On the contract system in the field of procurement of goods, works, services to meet state and municipal needs”, regarding the introduction of state regulation in the field of use of Russian programs for electronic computers or databases, was timely and extremely necessary. The doctrine clearly indicates that the ability of foreign states to influence information infrastructure for military purposes continues to increase. The law laid the foundations for the transition of the state information system to the domestic one software and allows us to hope that Russian sovereignty in the information sphere will be ensured on the basis of Russian technologies in the same way as is the case in other areas critical to defense and security. This is especially significant for critical infrastructure facilities, which are extremely software dependent in the networking sector.”
Analysis of the provisions of the Information Security Doctrine of the Russian Federation
Alexander Antipov
Analysis of the provisions of the Information Security Doctrine of the Russian Federation, introduced by Decree of the President of the Russian Federation of December 5, 2016 No. 646.
On December 5, 2016, a decree of the President of the Russian Federation came into force, approving a new Information Security Doctrine, replacing the document that had been in force in Russia since 2000. This is a significant step aimed at regulating information security issues in our country. The doctrine reflects national interests, official views on the goals, objectives, principles and main directions of ensuring information security in the Russian Federation. We propose to consider the most significant provisions of the new document and speculate on the prerequisites for the changes made.
The doctrine not only describes the strategy of action to ensure information security in our country for the next ten years, but also explains the existing shortcomings in the effectiveness of the measures taken.
The document was filled with specifics, and the factors influencing the state of information security in Russia covered all areas of society: the credit and financial sector, defense, state and public security, science, technology and education, strategic stability and equal strategic partnership.
Definitions and general provisions
The first section of the new doctrine includes the basic concepts used in the document, which in the new edition have become fuller, broader and have acquired a more structured appearance. The doctrine is based on the Constitution, federal laws and regulations, as evidenced by the language and terms used in the documents. For example, the concept of “information infrastructure of the Russian Federation” is based on the term “website on the Internet”, which was introduced into the Federal Law of July 27, 2006 No. 149-FZ “On Information, Information Technologies and Information Protection” as amended in 2012 of the year.
National interests of the Russian Federation in the information sphere
In the time since the publication of the first doctrine, the information sphere has undergone significant changes. Information technologies have acquired a global cross-border nature and have become an integral part of all areas of human activity, and the economic development of the state has become more dependent on the effectiveness of their application.
It is not surprising that the national interests of the Russian Federation in the information sphere have expanded. Previously, there were four main components of national interests:
“Compliance with the constitutional rights and freedoms of man and citizen in the field of obtaining information and using it, ensuring the spiritual renewal of Russia, preserving and strengthening the moral values of society, the traditions of patriotism and humanism, the cultural and scientific potential of the country.”
« Information Support state policy of the Russian Federation, associated with communicating to the Russian and international public reliable information about the state policy of the Russian Federation, its official position on socially significant events in Russian and international life, and ensuring citizens’ access to open state information resources.”
“The development of modern information technologies, the domestic information industry, including the industry of information technology, telecommunications and communications, meeting the needs of the domestic market with its products and the entry of these products into the world market, as well as ensuring the accumulation, preservation and effective use of domestic information resources».
“Protection of information resources from unauthorized access, ensuring information security of information and telecommunication systems, both already deployed and those being created in Russia.”
The first two components, despite changes in wording, have retained their significance, since they are based on the foundations of the constitutional rights and freedoms of a citizen:
“Ensuring and protecting the constitutional rights and freedoms of man and citizen in terms of obtaining and using information, privacy when using information technologies, providing information support for democratic institutions, mechanisms of interaction between the state and civil society, as well as the use of information technologies in the interests of preserving cultural , historical, spiritual and moral values of the multinational people of the Russian Federation.”
“Bringing to the Russian and international public reliable information about the state policy of the Russian Federation and its official position on socially significant events in the country and the world, the use of information technologies in order to ensure the national security of the Russian Federation in the field of culture.”
As for other categories of national interests, the authors of the doctrine took into account the current situation in the world of information technology and did not ignore the problem of computer attacks aimed at the industrial sector. As Positive Technologies experts have repeatedly noted in their publications, national security depends on the security of critical information infrastructure facilities. Government regulators, in turn, have already developed requirements aimed at improving safety in critical and potentially dangerous objects(for example, FSTEC order No. 31 and FSTEC guidance documents on the protection of key information infrastructure systems). And now security industrial systems has become one of Russia's national interests in the information sphere.
The priorities of the Russian Federation were also named:
“Ensuring the sustainable and uninterrupted functioning of the information infrastructure, primarily the critical information infrastructure of the Russian Federation and the unified telecommunications network of the Russian Federation, in peacetime, during periods of immediate threat of aggression and in wartime.”
“Development of the information technology and electronics industry in the Russian Federation, as well as improvement of the activities of production, scientific and scientific-technical organizations in the development, production and operation of information security means, provision of services in the field of information security.”
“Promoting the formation of an international information security system aimed at countering threats from the use of information technologies to disrupt strategic stability, strengthening equal strategic partnerships in the field of information security, as well as protecting the sovereignty of the Russian Federation in the information space.”
The last direction also cannot be ignored. Physical borders separating states do not stop computer attacks, which means that measures taken only within our country are not enough to ensure Russia’s information security. Joining efforts with other states, planned and coordinated joint activities is an important step towards ensuring information security.
Main information threats and the state of information security
As already stated, a new version doctrines are more specific. Thus, when describing the main information threats and the state of information security, the published document provides characteristics and negative factors affecting the state of information security in various areas.
Among the main information threats were the “increasing by a number of foreign countries the capabilities of information and technical influence on the information infrastructure for military purposes” and the strengthening of “the activities of organizations carrying out technical intelligence in relation to Russian government agencies, scientific organizations and enterprises of the military-industrial complex.”
Indeed, Positive Technologies' experience in investigating information security incidents has shown that public sector organizations have been the target of cyber espionage on multiple occasions over the past couple of years. For example, in the summer of 2016, a group was discovered that used Remsec malware to spy on a large Russian corporation.
The problems of “squeezing out Russian news agencies and mass media from the domestic information market and deformation of the structure of international information exchange” and “manipulation of information” that the 2000 doctrine dealt with have been replaced by the threat of an increase “in foreign media the volume of materials containing a biased assessment state policy of the Russian Federation". Confirmation of this can be seen in the events of recent years. The media, mainly published on the Internet, today become a weapon for manipulating public opinion, provoking various kinds of conflicts, and inciting information wars. In addition, falsification of historical events is often found in foreign publications. This problem was not ignored by the authors of the new doctrine, which states that “Russian media are often subjected to discrimination abroad”, “the information impact on the population of Russia is increasing”, including aimed at “undermining the historical foundations and patriotic traditions associated with the protection of Fatherland." This means that taking measures aimed at protecting against information and psychological influence on society becomes necessary.
The new document identifies the following areas that are most susceptible to destructive influences due to certain shortcomings:
Credit and financial
The damage caused by computer attacks on financial organizations is constantly growing.
Defense
The scale of application of information technologies for military-political purposes is increasing.
State
The number of targeted attacks on critical information infrastructure facilities is growing, and the intelligence activities of foreign intelligence services are intensifying.
Scientific
The effectiveness of scientific research aimed at creating promising information technologies is insufficient, and measures to ensure the security of information infrastructure using domestic technologies and products often do not have a comprehensive basis. Nevertheless, in comparison with the previous edition, significant changes are visible in the situation with domestic information technologies. Questions about the forced purchase of imported equipment and the involvement of foreign firms in the creation of information systems are no longer raised in government bodies.
Separately, it is worth highlighting the problem of “insufficient staffing in the field of information security,” which over the past 16 years has not only not been resolved, but has also worsened. In addition, “low awareness of citizens in matters of ensuring personal information security,” according to Positive Technologies experts, is one of the main shortcomings in the security system of any organization and the main reason for the success of attacks carried out using social engineering methods.
Strategic goals and main directions for ensuring information security
The description of the strategic goals of ensuring information security in the new doctrine was reduced to a minimum, but retained the main directions.
Thus, in the economic sphere, “the development and production of competitive means of ensuring information security, as well as increasing the volume and quality of services in the field of information security” are highlighted. In addition to the development of the information technology industry, it is planned to increase the share of domestic developments in the structure of the country’s exports and eliminate dependence on foreign technologies.
In the field of defense, ensuring information security should be aimed at containing and preventing military conflicts, “improving the information security system of the Armed Forces of the Russian Federation and other troops, military formations and bodies” of the Russian Federation, neutralizing information and psychological impact.
Particular attention in the new doctrine is paid to ensuring state and public security. Particularly highlighted are the areas of increasing the “security of critical information infrastructure and the sustainability of its functioning”, “preventing foreign control over the functioning” of information infrastructure objects, “suppressing activities that are detrimental to the national security of the Russian Federation” carried out by special services and organizations of foreign states, improving methods and methods production based on the use of domestic developments.
In the field of science, a strategic goal is highlighted to support the innovative and accelerated development of the information security system.
By participating in the formation of an international information security system, protecting Russia's sovereignty in the information space, developing a national system for managing the Russian segment of the Internet, it is expected to ensure information security in the field of strategic stability and equal strategic partnership.
conclusions
The key to the high effectiveness of measures to ensure information security is the awareness of citizens in matters of ensuring personal information security. The doctrine allows people to focus on this problem.
It is impossible not to note the state’s focus on “increasing the competitiveness of Russian companies operating in the information technology and electronics industry, the development, production and operation of information security means, including through the creation of favorable conditions for carrying out activities on the territory of the Russian Federation,” on development of human resources.
“Ensuring the sustainable and uninterrupted functioning of information infrastructure, especially critical information infrastructure” is the most important task for all of us. Changes in this area are dictated by the increase in the number of attacks on government agencies and industrial facilities, which has been observed in recent years.
The provisions reflected in the new doctrine are truly relevant, since they reflect the current state of information security in Russia and highlight the problems and information threats aimed at all areas of society. The information security strategy of 2000 was based on assumptions about potential cyber attacks from criminals, international terrorist organizations, and intelligence agencies of foreign states. The new doctrine takes into account real events that have occurred in the field of information security over the past 16 years. For example, warning Federal service Security, published in December last year, about the plans of foreign intelligence services to use hackers to destabilize the Russian financial system - is in good agreement with the provisions of the doctrine, emphasizing the state's focus on increasing the security of the critical information infrastructure of the Russian Federation. The document included such concepts as “website”, “Internet”, “personal information security”, which are most relevant for citizens today, and took into account the current level of development of information technology.
The state is doing tremendous work to ensure the information security of the Russian Federation at the legislative, executive and judicial levels. Reworking the provisions of the 2000 doctrine is one of the steps to improve the information security system. And although the doctrine itself is not a normative legal act, it determines the strategy of the Russian Federation in the information sphere for the coming years and serves as the basis for improving the legal, methodological, scientific, technical and organizational support for information security of the Russian Federation, and therefore changes in legislation will not keep you waiting. This was confirmed by the publication on December 6 of the bill “On the Security of Critical Information Infrastructure of the Russian Federation,” which establishes the organizational and legal framework for ensuring the security of critical information infrastructure in our country.
M.Yu. Paklyachenko
New information security doctrine: issues legal protection information
The article provides a comparative legal analysis of the content of the information security doctrines of the Russian Federation in 2000 and 2016. from the point of view of the completeness of disclosure in them of the category of legal protection of information. The advantages and disadvantages of the editions of the current and expired documents are noted. The opinion on a more complete and comprehensive disclosure of the legal institution of the category of interest within the framework of the Doctrine, which has lost force, is substantiated.
Keywords: information security, legal protection of information, Doctrine of information security.
With a certain degree of confidence, it can be stated that by now Russia has already formed a significant set of legal acts, normative documents and national standards in the field of information security, including in the area of regulating various information relations and informatization of the legal system.
It is obvious that lawmaking is a dynamic category, and current confirmation of this is the new Information Security Doctrine (hereinafter referred to as IS), approved by Presidential Decree No. 646 of December 5, 2016. The previous Doctrine, approved on September 9, 2000, was declared invalid.
There is no doubt that, despite the preliminary nomination of the draft Doctrine by the Security Council of the Russian Federation for public discussion, the adopted system of official views on ensuring the national security of the Russian Federation in the information sphere will be criticized by experts, which is already confirmed on the Internet. It is also inevitable that research papers will be published that address issues
© Paklyachenko M.Yu., 2017
analysis of the essence of the new Doctrine, its structure, as well as comparison of the contents of the invalid and current editions.
This article is devoted to the issues of legal protection of information (hereinafter - LIP) within the framework of their doctrinal description. The importance of this category, considered specifically from the perspective of the Information Security Doctrine, is due to the fundamental importance of this document strategic planning, which is the basis for the formation of public policy and the development of public relations in the field of information security, as well as for the development of measures to improve the information security system.
The essence and content of legal information protection
First of all, it should be noted that the definition of PZI is not found either in the previous or in the current Doctrine. Strict definition this concept gives GOST 50922-2006: “Legal protection of information: protection of information by legal methods, including the development of legislative and regulatory legal documents (acts) regulating the relations of subjects on the protection of information, the application of these documents, as well as supervision and control over their implementation”1 .
By referring to the Federal Law of July 27, 2006 No. 149-FZ “On Information, Information Technologies and Information Protection,” you can expand the content of the PZI, supplementing it with a description of measures that constitute information protection and are aimed at ensuring the protection of information from unauthorized access, destruction, modification, blocking, copying, provision, distribution, as well as from other unlawful actions in relation to such information, maintaining the confidentiality of restricted information and exercising the right to access information2. Legal measures as provided in Art. 16 of the Federal Law “On Information, Information Technologies and Information Protection” the list is preceded by organizational and technical ones when listed.
Together with the description in the Federal Law “On Information, Information Technologies and Information Protection” of PZI measures, the description of the content of the category under consideration was harmoniously complemented by the no longer valid Information Security Doctrine, in the second chapter of which methods of ensuring information security were disclosed. So, in paragraph 5 among common methods Along with organizational, technical and economic ones, legal ones were also noted (Fig. 1).
Rice. 1. Structure of legal protection of information and its consolidation in various sources
“Legal methods for ensuring information security of the Russian Federation include the development of normative legal acts regulating relations in the information sphere, and normative methodological documents on issues of ensuring information security of the Russian Federation.
The most important areas of this activity are:
Introducing amendments and additions to the legislation of the Russian Federation regulating relations in the field of information security, in order to create and improve the information security system of the Russian Federation, eliminate internal contradictions in federal legislation, contradictions related to international agreements to which the Russian Federation has joined, and contradictions between federal legislative acts and legislative acts of the constituent entities of the Russian Federation, as well as for the purpose of specifying legal norms establishing liability for offenses in the field of providing information security of the Russian Federation;
Legislative division of powers in the field of ensuring information security of the Russian Federation between federal government bodies and state authorities
subjects of the Russian Federation, defining goals, objectives and mechanisms for participation of public associations, organizations and citizens in this activity;
Development and adoption of regulatory legal acts of the Russian Federation establishing the responsibility of legal and individuals for unauthorized access to information, its illegal copying, distortion and illegal use, deliberate dissemination of false information, illegal disclosure confidential information, use of official information or information containing trade secrets for criminal and personal gain;
Clarification of the status of foreign news agencies, media and journalists, as well as investors when attracting foreign investment for the development of the information infrastructure of Russia;
Legislative consolidation of the priority of development of national communication networks and domestic production space satellites communications;
Determination of the status of organizations providing services of global information and telecommunication networks on the territory of the Russian Federation, and legal regulation of the activities of these organizations;
Creation of a legal framework for the formation of regional IS support structures in the Russian Federation”2.
The postulates of the first chapter, concerning the state of information security in the Russian Federation and the main tasks to ensure it, seemed to be advantageous (in the field of information security) in the expired Information Security Doctrine.
Thus, the start of the formation of a legal framework for information security was noted: the adoption of a number of fundamental laws (for example, federal laws “On information, informatization and information protection”, “On participation in international information exchange”, Law of the Russian Federation “On State Secrets”) and dynamic work to create mechanisms for their implementation, preparation of bills regulating public relations in the information sphere.
In addition, the Doctrine also revealed shortcomings in this area. It was noted that the level of information security in the Russian Federation does not fully meet the needs of society and the state. The following negative points were cited:
Inconsistency and underdevelopment of legal regulation of public relations in the information sphere;
The insufficiency of normative legal regulation of relations in the field of implementing the possibilities of constitutional restrictions on freedom of mass information in the interests of protecting the foundations of the constitutional system, morality, health, rights and legitimate interests of citizens, ensuring the country's defense capability and security;
Imperfection of normative legal regulation of relations in the field of mass media.
The document contained a description of tasks requiring urgent solutions. In terms of information security, such a task was to improve the regulatory legal framework for ensuring the information security of the Russian Federation, including mechanisms for implementing the rights of citizens to receive information and access to it, forms and methods of implementing legal norms regarding the interaction of the state with the media.
Thus, the disclosure of the category of PZI within the framework of the Doctrine of 09.09.2000 can be characterized as sufficient and complete: positive and negative aspects of the state of information security of the Russian Federation were noted, goals and objectives in this area were defined, and legal methods were characterized. Separately, the priority of the direction of state policy in the field of ensuring information security of the Russian Federation was determined by improving the legal mechanisms for regulating public relations.
It can be argued that with a comprehensive perception of the entire content of the Doctrine of 09.09.2000, the value of the prerogative of the legal aspect, if not dominant, is confidently among the most important factors in ensuring state information security.
Let's move on to the analysis of the Doctrine of December 5, 2016.
The first noticeable change affects the structure of the document - an additional fifth chapter appears. The content of the “Basic Provisions” includes the definition of the Doctrine, the basic concepts used in it, the legal basis, the essence and significance of this document for public policy and public relations in the field of information security.
Such a presentation, common in the structure of most legislative acts, seems preferable from the point of view of ease of perception of the purpose of the document in the general field of legislation, as well as the assimilation of its conceptual and categorical apparatus.
Provisions affecting information security issues appear in paragraph 2 of the first chapter of the Doctrine, where information security means include
along with technical and organizational legal means (see Fig. 1).
In contrast to the systematized presentation of the four main components of the national interests of the Russian Federation in the information sphere and the list of actions following each such component to achieve them, as presented in the 2000 Information Security Doctrine, the document approved by Presidential Decree No. 646 of December 5, 2016 distributes areas national interests in the information sphere3, as well as strategic goals and main directions for ensuring information security according to the chapters of the same name.
I would especially like to note the lack of description in the new Doctrine of sources of information security threats. The first paragraphs of the third chapter of the document outline the current state of information security, mainly from the perspective of international legal relations. What follows is a description of the state of information security and information threats in various areas and spheres of the state (state and public security, economics, science, technology and education, etc.).
It seems that this style of presentation is justified primarily by a change in state policy priorities in the field of information security. If previously the importance of elaborating the legal aspects of information security as one of the components of the national security of the Russian Federation was not in doubt, now the state’s desire to bring the entire information sphere, of which information security is a component, to a qualitatively higher level is obvious. new level within the framework of international relations.
In conclusion, I would like to note that it is possible to compare the content of the doctrines of 2000 and 2016 in many categories, since these documents, being a system (set) of official views, are complex and multidimensional in nature. In this article, an attempt was made to conduct a comparative legal analysis of doctrines regarding PZI (Fig. 2), which showed the following.
From the point of view of disclosing the concept of PZI, the Doctrine of Information Security, approved by the President of the Russian Federation on September 09, 2000 and no longer in force, seems more suitable, since it notes the prerogative of the legal aspect of information security, which is expressed in the description of the state of information security and the main tasks for its provision in terms of law -
making changes and additions to the legislation of the Russian Federation: legislative consolidation of the priority of the development of national communication networks:
development and adoption of regulatory legal acts; creation of a legal framework; inconsistency, underdevelopment, insufficiency and imperfection of legal regulation
IS Doctrine 2016
creation of international legal mechanisms; organization and coordination of information security support forces, improvement of their legal support
Rice. 2. Excerpts from the information security doctrines of the Russian Federation, affecting issues of legal protection of information
regulation, characterization of internal threats caused by shortcomings in the legal framework, listing of legal methods for ensuring information security of the Russian Federation, as well as goals and objectives in terms of improvement legislative framework RF.
The reasons for the deviation from a thorough description of the legal regulation of information security in the text of the 2016 Doctrine, the obvious highlighting of the issues of developing national information technologies at a qualitatively new level, as well as Russia’s desire for a leading position in the international arena may be as follows. The difference in the approval of the Doctrines is 16 years, and it is obvious that during this time colossal work has been carried out in all areas of national interests and priorities of the Russian Federation, which are also outlined in the 2000 Doctrine.
The development of the state predetermines the dynamics in updating legislative documents affecting the list of priority areas for providing information security. One way or another, it will be possible to discuss the real value and specific results of the adoption of the new Doctrine in more detail based on the monitoring results reflected in the annual report of the Secretary of the Russian Security Council on the state of national security.
Notes
GOST R 50922-2006 “Information protection. Basic terms and definitions" (approved by Order of Rostechregulirovanie dated December 27, 2006 N 373-st) [ Electronic resource] // Website of JSC "Kodeks". URL: http://docs.cntd.ru/document/1200058320 (date accessed 12/15/2016).
Doctrine of information security of the Russian Federation (approved by Decree of the President of the Russian Federation of September 9, 2000 No. Pr-1895) [Electronic resource] // SPS “Consultant-Plus”. URL: http://www.consultant.ru/document/cons_doc_LAW_ 28679/ (accessed 12/15/2016).
Yesterday (December 5, 2016) the updated Information Security Doctrine of the Russian Federation was finally approved (here is a link to the text). Let me remind you that old version The document dates back to 2000, and by now it is, of course, outdated. It’s strange that the final version differs significantly from the previously discussed project, but ok...
In my opinion, the document turned out to be quite sensible and concise (only 16 pages), but rather it received only cosmetic edits. Unfortunately, the document is not very convenient to use, certain topics (import substitution, protection of CII, response to incidents, etc.) are blurred, important provisions need to be collected...
When I first read the document, I noticed this (in comparison with the 2000 edition):
1. Updated terms
The basic term “information security of the Russian Federation” has changed (expanded).
Was:
Information security of the Russian Federation is understood as the state of protection of its national interests in the information sphere, determined by the totality of balanced interests of the individual, society and the state.
Became:
Information security of the Russian Federation is a state of protection of the individual, society and the state from internal and external information threats, which ensures the implementation of the constitutional rights and freedoms of man and citizen, decent quality of life of citizens, sovereignty, territorial integrity and sustainable socio-economic development of the Russian Federation , defense and security of the state.
All terms are even highlighted in a separate paragraph, and they give definitions to the following concepts: “national interests of the Russian Federation in the information sphere”, “threat to information security of the Russian Federation”, “information security of the Russian Federation”, “ensuring information security”, “forces for ensuring information security ", "information security means", "information security system", "information infrastructure of the Russian Federation".
2. The security of critical information infrastructure (CII) appeared, and they began to talk about the need for its uninterrupted functioning
Now they talk about CII explicitly, but there are few specifics. I would, of course, like to hear about GosSOPKA, but there are only echoes of it:
…
c) increased security critical information infrastructure and the sustainability of its functioning, the development of mechanisms for detecting and preventing information threats and eliminating the consequences of their manifestation, increasing the protection of citizens and territories from the consequences of emergency situations caused by information and technical impacts on critical information infrastructure objects;
d) increasing operational safety information infrastructure objects, including for the purpose of ensuring sustainable interaction between government bodies, preventing foreign control over the functioning of such facilities, ensuring the integrity, stability of operation and security of the unified telecommunication network of the Russian Federation, as well as ensuring the security of information transmitted through it and processed in information systems on the territory of the Russian Federation Federations;
They specifically mention the Russian segment of the Internet:
29. The main directions of ensuring information security in the field of strategic stability and equal strategic partnership are:
…
e) development of a national management system for the Russian segment of the Internet.
3. They talk a lot, a lot about informational and psychological influence.
They mention the need to “bring to the Russian and international public reliable information on public policy”, focus attention on “the scale of use of means of providing informational and psychological impact aimed at destabilizing the internal political and social situation” and “aimed at undermining the historical foundations and patriotic traditions associated with the defense of the Fatherland”, they write about “the tendency towards an increase in the volume of materials containing biased assessment state policy”, they fear “the erosion of traditional Russian spiritual and moral values". The questions are, of course, important and correct, they were mentioned in the old edition, but there’s something too much about it...
4. Focus on ensuring information security in the credit and financial sector
They also mention PD:
14. The scale of computer crime is increasing, primarily in credit and financial sector, the number of crimes related to the violation of the constitutional rights and freedoms of man and citizen is increasing, including in terms of privacy, personal and family secrets, when processing personal data using information technology. At the same time, the methods, methods and means of committing such crimes are becoming more and more sophisticated.
5. They talk about the problem of IT implementation without taking into account information security issues
At the same time, the practice of introducing information technologies without linking it with ensuring information security significantly increases the likelihood of information threats.
This unfortunately happens often...
6. As expected, there is a lot of text about import substitution.
I will write a separate note with quotes about this.
7. The development of information security services has become a national priority
8. National interests in the information sphere are:
…
c) development of the information technology and electronics industry in the Russian Federation, as well as improvement of the activities of industrial, scientific and scientific-technical organizations in the development, production and operation of information security means, provision of services in the field of information security;
Hello, consulting and outsourcing!
8. Finally they started talking about crime prevention and combating
23. The main directions of ensuring information security in the field of state and public security are:
…
e) increasing the effectiveness of preventing offenses committed using information technologies and combating such offenses;
This is just a preliminary analysis of the final document; I will study it more carefully.
Loading...
