Information security in Russia today is a new state and public institution that is still taking shape in response to the demands of the time. Much has already been done towards its formation, but even more problems still require a prompt solution. In recent years, a number of measures have been implemented in the Russian Federation to improve information security. The most important of them are as follows.

Firstly, the formation of a legal framework for information security has begun. A number of laws regulating public relations in this area have been adopted, and work has begun to create mechanisms for their implementation. The approval by the President of the Russian Federation in September 2000 of the Doctrine of Information Security of the Russian Federation (hereinafter referred to as the Doctrine) became a milestone result and the regulatory framework for further solving problems in this area. It represents a set of official views on the goals, objectives, principles and main directions of ensuring information security in Russia. The Doctrine addresses:

  • objects, threats and sources of information security threats;
  • possible consequences of information security threats;
  • methods and means of preventing and neutralizing threats to information security;
  • features of ensuring information security in various spheres of life of society and the state;
  • main provisions of state policy to ensure information security in the Russian Federation.

Based on the Doctrine, the following are carried out:

  • formation of state policy in the field of information security;
  • preparation of proposals to improve the legal, methodological, scientific, technical and organizational support for information security;
  • development of targeted information security programs.

Secondly, to date, priority measures have been taken to ensure information security in federal government bodies, government bodies of constituent entities of the Russian Federation, at enterprises, institutions and organizations, regardless of their form of ownership. Work has begun to create a secure information and telecommunication system for special purposes in the interests of government authorities.

Thirdly, information security is facilitated by the following:

  • state information protection system;
  • system of licensing activities in the field of protection of state secrets;
  • system of certification of information security means.

At the same time, an analysis of the state of information security shows that its level does not fully meet the requirements of the time. There are still a number of problems that seriously impede the full provision of information security for individuals, society and the state.

The Doctrine names the following main problems in this area.

  • 1. Modern conditions of the country’s political and socio-economic development still maintain acute contradictions between the needs of society to expand the free exchange of information and the need for certain regulated restrictions on its dissemination.
  • 2. The inconsistency and underdevelopment of legal regulation of public relations in the information sphere significantly complicates maintaining the necessary balance of interests of the individual, society and the state in this area. Imperfect legal regulation does not allow the completion of the formation of competitive Russian news agencies and media on the territory of the Russian Federation.
  • 3. Insecurity of citizens' rights to access information and manipulation of information cause a negative reaction from the population, which in some cases leads to destabilization of the socio-political situation in society.
  • 4. The rights of citizens to privacy, personal and family secrets, and secrecy of correspondence, enshrined in the Constitution of the Russian Federation, practically do not have sufficient legal, organizational and technical support. The protection of data on individuals (personal data) collected by federal government bodies, government bodies of constituent entities of the Russian Federation, and local self-government bodies is poorly organized.
  • 5. There is no clarity in the implementation of state policy in the field of formation of the Russian information space, as well as the organization of international information exchange and integration of the Russian information space into the world information space, which creates conditions for ousting Russian news agencies and media from the domestic information market, leading to deformations of the structure of international exchange.
  • 6. There is insufficient government support for the activities of Russian news agencies to promote their products on the foreign information market.
  • 7. The situation with ensuring the safety of information constituting state secrets is not improving.
  • 8. Serious damage has been caused to the personnel potential of scientific and production teams operating in the field of creating information technology, telecommunications and communications as a result of the mass departure of the most qualified specialists from these teams.
  • 9. The lag of domestic information technologies forces federal government bodies, government bodies of constituent entities of the Russian Federation and local governments when creating information systems to follow the path of purchasing imported equipment and attracting foreign firms. Because of this, the likelihood of unauthorized access to processed information increases and Russia’s dependence on foreign manufacturers of computer and telecommunications equipment, as well as software, increases.
  • 10. In connection with the intensive introduction of foreign information technologies into the spheres of activity of the individual, society and the state, as well as the widespread use of open information and telecommunication systems, the integration of domestic and international information systems, the threat of using information weapons against the relevant infrastructure of Russia has increased. Work to adequately counter these threats is carried out in conditions of insufficient coordination and weak budget funding. The necessary attention is not paid to the development of space reconnaissance and electronic warfare systems.

Ensuring information security requires solving a whole range of problems. The Doctrine lists the most important of them:

  • development of the main directions of state policy in the field of information security, as well as activities and mechanisms related to the implementation of this policy;
  • development and improvement of an information security system that implements a unified state policy in this area, including improving the forms, methods and means of identifying, assessing and predicting threats to information security, as well as the system for countering these threats;
  • development of federal target programs for ensuring information security;
  • development of criteria and methods for assessing the effectiveness of information security systems and tools, as well as their certification;
  • improvement of the regulatory framework for ensuring information security;
  • establishing the responsibility of officials of federal authorities and local self-government, legal entities and citizens for compliance with information security requirements;
  • coordination of the activities of government bodies, enterprises, institutions and organizations, regardless of their form of ownership, in the field of ensuring information security;
  • development of scientific and practical foundations for ensuring information security, taking into account the current geopolitical situation, the conditions of political and socio-economic development of Russia and the reality of threats from the use of information weapons;
  • creation of mechanisms for the formation and implementation of the state information policy of Russia;
  • increasing the effectiveness of state participation in the formation of information policy of state television and radio broadcasting organizations and other state media;
  • ensuring the technological independence of the Russian Federation in the most important areas of information, telecommunications and communications that determine its security, primarily in the field of creating specialized computer equipment for weapons and military equipment;
  • development of modern methods and means of protecting information, ensuring the security of information technologies, primarily in systems for command and control of troops and weapons, environmentally hazardous and economically important industries;
  • development and improvement of information protection systems and state secrets;
  • creation of a secure technological basis for government management in peacetime, in emergency situations and in wartime;
  • expanding interaction with international and foreign bodies and organizations to ensure the security of information transmitted through international telecommunications and communications systems;
  • providing conditions for the active development of Russian information infrastructure, Russia’s participation in the processes of creating and using global information networks and systems;
  • creation of a personnel training system in the field of information security and information technology.

The most important task in ensuring the information security of Russia is to take comprehensive account of the interests of the individual, society and the state in this area. The Doctrine defines these interests as follows:

  • 1) the interests of the individual in the information sphere lie in the implementation of the constitutional rights of man and citizen to access information, to use information in the interests of carrying out activities not prohibited by law, physical, spiritual and intellectual development, as well as to protect information that ensures personal safety;
  • 2) the interests of society in the information sphere are to ensure the interests of society in this area, strengthening democracy, creating a legal social state, achieving and maintaining public harmony, and the spiritual renewal of Russia;
  • 3) the interests of the state in the information sphere lie in creating conditions for the harmonious development of the Russian information infrastructure, the implementation of constitutional rights and freedoms of a person (citizen) in the field of obtaining information. At the same time, it is required to use this sphere only to ensure the inviolability of the constitutional system, sovereignty and territorial integrity of Russia, political, economic and social stability, to unconditionally ensure law and order, and to develop equal and mutually beneficial international cooperation.

Compliance with the principle of balancing the interests of citizens, society and the state in the information sphere presupposes legislative consolidation of the priority of these interests in various areas of society, as well as the use of various forms of public control over the activities of federal government bodies and government bodies of constituent entities of the Russian Federation. The implementation of guarantees of constitutional rights and freedoms of man and citizen relating to activities in the information sphere is the most important task of the state in the field of information security.

The Doctrine combines general methods for solving key problems in ensuring information security into three groups:

  • 1) legal;
  • 2) organizational and technical;
  • 3) economic.

Legal methods include the development of normative legal acts regulating relations in the information sphere, and normative methodological documents on issues of ensuring information security of the Russian Federation.

Organizational and technical methods of ensuring information security are:

  • creation and improvement of information security systems;
  • strengthening law enforcement activities of authorities, including the prevention and suppression of offenses in the information sphere;
  • improving information security tools and methods for monitoring the effectiveness of these tools, developing secure telecommunication systems, increasing software reliability;
  • creation of systems and means to prevent unauthorized access to information and impacts that cause destruction, damage or distortion of information, or changes in the normal operating modes of systems and means of information and communication;
  • identification of technical devices and programs that pose a danger to the functioning of information and telecommunication systems, prevention of interception of information through technical channels, the use of cryptographic means of information protection, monitoring the implementation of special requirements for information protection;
  • certification of information security means, licensing of activities in the field of protecting state secrets, standardization of methods and means of information security;
  • improvement of the certification system for telecommunications equipment and software of automated information processing systems according to information security requirements;
  • monitoring the actions of personnel in information systems, training personnel in the field of information security;
  • formation of a system for monitoring indicators and characteristics of information security in the most important areas of life and activity of society and the state.

Economic methods of ensuring information security include:

  • development of information security programs and determination of the procedure for their financing;
  • improving the system for financing work related to the implementation of legal, organizational and technical methods of information protection, creating a system for insuring information risks of individuals and legal entities.

According to the Doctrine, the state, in the process of implementing its functions to ensure information security:

  • conducts an objective and comprehensive analysis and forecasting of threats to information security, develops measures to ensure it;
  • organizes the work of authorities to implement a set of measures aimed at preventing, repelling and neutralizing threats to information security;
  • supports the activities of public associations aimed at objectively informing the population about socially significant phenomena of public life, protecting society from distorted and unreliable information;
  • exercises control over the design, creation, development, use, export and import of information security tools through their certification and licensing of activities in the field of information security;
  • pursues the necessary protectionist policy towards manufacturers of informatization and information protection tools on the territory of the Russian Federation and takes measures to protect the domestic market from the penetration of low-quality informatization tools and information products into it;
  • promotes the provision of individuals and legal entities with access to world information resources, global information networks;
  • formulates and implements the state information policy of Russia;
  • organizes the development of a federal program for ensuring information security, combining the efforts of government and non-government organizations in this area;
  • promotes the internationalization of global information networks and systems, as well as Russia’s entry into the global information community on the terms of an equal partnership.

When solving the main tasks and implementing priority measures of state policy to ensure information security, the desire to solve mainly regulatory, legal and technical problems is currently dominant. Most often we are talking about “development and implementation of legal norms”, “increasing the legal culture and computer literacy of citizens”, “creating safe information technologies”, “ensuring technological independence”, etc.

The development of a training system for personnel used in the field of information security is planned accordingly, that is, training in the field of communications, information processing, and technical means of protecting it predominates. To a lesser extent, specialists are trained in the field of information and analytical activities, social information, and personal information security. Unfortunately, many government institutions consider the technical side of the problem to be the most important, losing sight of its socio-psychological aspects.

Practical work No. 1

"Information Security Risk Analysis"

  1. Goal of the work

Familiarize yourself with information security risk assessment algorithms.

Information security risk – the potential for a certain threat to exploit the vulnerabilities of an asset or group of assets and cause harm to the organization.

Vulnerability – a weakness in the defense system that makes the threat possible.

Information security threat – a set of conditions and factors that can cause violations of the integrity, availability, and confidentiality of information.

Information asset – a material or intangible object that:

  • is information or contains information;
  • serves for processing, storing or transmitting information;
  • has value to the organization.

Exercise

1. Download GOST R ISO/IEC TO 13335-3-2007 “Methods and means of security. Part 3. Methods of information technology security management”.

2. Familiarize yourself with Appendices C, D and E of the GOST.

3. Select three different information assets of the organization (see option).

4. From Appendix D of the GOST, select three specific vulnerabilities in the protection system of the selected information assets.

5. Using Appendix C of the GOST, write down three threats that can be realized as long as the vulnerabilities named in step 4 remain in the system.

6. Using one of the methods (see option) proposed in Appendix E of the GOST, assess the information security risks.

7. The value of an information asset is assessed based on the possible losses for the organization if a threat is realized.
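Steps 3 to 7 carried through for a clinic, as an added example that is not part of the original assignment or of the GOST text. It uses a matrix-style scoring of the kind Appendix E describes; the additive rule (asset value 0–4 plus threat level 0–2 plus vulnerability level 0–2), the loss thresholds and all assets, vulnerabilities and threats are constructed assumptions and should be checked against the tables in the GOST.

```python
from dataclasses import dataclass

# Qualitative levels for threats and vulnerabilities (assumed scale).
LEVELS = {"low": 0, "medium": 1, "high": 2}

# Constructed loss boundaries (currency units) that map an estimated loss
# to an asset value 0..4; each organization would set its own boundaries.
LOSS_THRESHOLDS = (10_000, 100_000, 1_000_000, 10_000_000)


def asset_value(estimated_loss):
    """Step 7: asset value (0..4) from the loss expected if a threat is realized."""
    if estimated_loss < 0:
        raise ValueError("estimated loss cannot be negative")
    return sum(estimated_loss >= t for t in LOSS_THRESHOLDS)


@dataclass(frozen=True)
class Scenario:
    asset: str                 # step 3: information asset
    estimated_loss: float      # step 7: basis for the asset value
    vulnerability: str         # step 4: weakness in the protection system
    vulnerability_level: str   # how easily it can be exploited
    threat: str                # step 5: threat that uses the vulnerability
    threat_level: str          # how likely the threat is to occur


def risk_score(s):
    """Step 6: additive matrix score, 0 (lowest) to 8 (highest). Assumed rule."""
    for level in (s.threat_level, s.vulnerability_level):
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
    return (asset_value(s.estimated_loss)
            + LEVELS[s.threat_level]
            + LEVELS[s.vulnerability_level])


def rank(scenarios):
    """Return (score, scenario) pairs, highest risk first."""
    scored = [(risk_score(s), s) for s in scenarios]
    return sorted(scored, key=lambda pair: (-pair[0], pair[1].asset))


# Constructed sample data for a clinic (not quoted from Appendices C or D).
SCENARIOS = [
    Scenario("Accounting workstation", 50_000,
             "no backup copies", "high",
             "hardware failure", "low"),
    Scenario("Patient records database", 2_000_000,
             "access rights are never reviewed", "high",
             "unauthorized access by staff", "medium"),
    Scenario("Appointment booking web server", 150_000,
             "unpatched server software", "medium",
             "malicious code", "high"),
]

if __name__ == "__main__":
    for score, s in rank(SCENARIOS):
        print(f"{score}  {s.asset}: {s.threat} via {s.vulnerability}")
```
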

1. Title page

3. Task

4. Rationale selection of information assets of the organization

5. Assessing the value of information assets

6. Vulnerabilities of the information security system

7. Information security threats

8. Risk assessment

Options

Option – your number in the class register.

Option number Organization Risk assessment method (see Appendix E of GOST)
Commercial bank branch
Clinic
College
Insurance company office
Recruiting agency
Online store
Center for the provision of public services
Police Department
Auditing Company
Design firm
Internet provider office
Lawyer's office
Third party software development company
Real estate agency
Tourist agency
Charitable Foundation Office
Publishing house
Consulting firm
Advertising agency
Tax Service Branch
Notary office
Translation agency (documents)
Scientific design enterprise
Marriage Agency
Newspaper editorial office
Hotel
Event Agency
City Archive
Taxi dispatch service
Railway ticket office

Practical work No. 2.

“Building a concept for enterprise information security”

  1. Goal of the work

Familiarity with the basic principles of constructing an enterprise information security concept, taking into account the features of its information infrastructure.

  1. Brief theoretical information

Before information security systems are created, a number of domestic regulatory documents (GOST R ISO/IEC 15408, GOST R ISO/IEC 27000, GOST R ISO/IEC 17799) and international standards (ISO 27001/17799) directly require the development of the fundamental documents: the Information Security Concept and Policy. Whereas the Information Security Concept defines in general terms WHAT needs to be done to protect information, the Policy details the provisions of the Concept and says HOW, by what means and methods, they should be implemented.

The information security concept is used for:

  • making informed management decisions on the development of information security measures;
  • developing a set of organizational, technical and technological measures to identify threats to information security and prevent the consequences of their implementation;
  • coordinating the activities of departments to create, develop and operate an information system in compliance with information security requirements;
  • and, finally, forming and implementing a unified policy in the field of information security.

Exercise

Using the proposed samples, develop a company information security concept (see option) containing the following main points (this is a sample plan, which can be amended if necessary):

General provisions

Purpose of the Concept for ensuring information security.

1.2. Goals of the information security system

1.3. Objectives of the information security system.

Problematic situation in the field of information security

2.1. Information security objects.

2.2. Identification of a likely violator.

2.3. Description of the characteristics (profile) of each group of potential violators.

2.4. Main types of threats to enterprise information security.

Evgenia Sergeevna Filenko, Senior Lecturer, Department of Natural Sciences, Yuzhno-Sakhalinsk Institute of Economics, Law and Informatics, Yuzhno-Sakhalinsk, Russia

Information security threats and possible solutions

Abstract. This article discusses the state of information security in general, provides statistics on the use of information security tools at Russian enterprises, names some of the main problems leading to information security violations, and gives some possible means of solving these problems.

Key words: information security, threats, cybercrime, security protection

The issue of information security (IS) is currently the most pressing. This is explained by the global informatization of society and the transfer of all types of information into electronic form. Alongside the undoubted benefits, we face a large number of threats and vulnerabilities. Moreover, the IT market is currently flooded with all sorts of technologies, each designed to improve some aspect of information transmission, storage or processing. However, it is obvious that the race for new developments leaves the resulting products underdeveloped. A classic case is that a new version of a product is released with certain vulnerabilities already present in its initial release. This contributes to growing intrusion into other people's computer networks, theft of information and other unpleasant consequences. A computer network, whatever its configuration and technology, is a kind of red rag for everyone who wants to test their hacking skills. A huge amount of literature and even auxiliary software, distributed not least through the beloved Internet, feeds interest in other people's information and in the hacking of a network, personal computer, server or system as a process in itself. There are really a lot of threats!

So-called ransomware (from the English "ransom"), extortion programs already quite popular in Russia, is gaining popularity all over the world. Although this "business model" had been used before, it suffered from the same disadvantage as a real kidnapping: there was no convenient way to withdraw the money. Thanks to the development of online payment systems, attackers have solved this problem. Blockers will go beyond simple extortion and will be aimed at intimidation, that is, cyberbullying (a cyber attack intended to cause psychological harm). Next year, criminals will take it to the next level, influencing the emotions of victims in ways that will make it much more difficult to restore the system.

Here is a specific recent example of a hack. At the end of 2012, Adobe was forced to close its domain connectusers.com because of the hacker ViruS_HimA. He then published the personal data of only those users whose email addresses are in the adobe.com, .mil and .gov domains, in order to protect individuals from harm. This fact only means that the security threat remains constant and there is no perfect protection system.

Let's consider some more facts that show the relevance of information protection. The number of infected Android devices increased by 41% in the second half of 2012, BGR reports, citing BitDefender analyst Catalin Cosoi, and the number of individual reports of the presence of malware increased by an even greater 75% in the second half of 2012.

Dynamic pages are dangerous. Moreover, some standard browsers already contain support for Java applications that implement the same dynamic elements. Experts from the cyber threat unit of the US Department of Homeland Security recommend that users disable the Java add-on in web browsers to protect against attackers who exploit a previously unknown vulnerability in the Java software platform, according to the US-CERT website. earlier versions of Java, attackers may run arbitrary program code on the attacked computer. Oracle, which develops the Java platform, has not yet released an update to eliminate this vulnerability, so the only way to protect your computer from attacks is to disable the Java add-on in browsers. As US-CERT experts note, an attack can be carried out when a user visits a page in which a malicious Java application is embedded. Attackers can place such an application on their own website and then lure users to it, or inject the application into a legitimate site.

Cybercriminals have also found a new use for QR codes (quick response codes, a matrix code or two-dimensional barcode developed and presented by the Japanese company Denso Wave): they embed in them the addresses of malicious sites that distribute spam viruses. Such graphic elements are placed in banners on the most frequently visited sites (Figure 1).

Figure 1. – example of a QR code

The number of threats is enormous and is increasing every day. Problems arise at entirely different levels of operation of a personal computer and of a computer network as a whole. The majority of Russian IT specialists consider the level of investment in IT security to be insufficient (21 percent of organizations in Russia, according to research, have an insufficient level of investment). The following diagram (Figure 2) was constructed from the study "Cyber threats and information security in the corporate sector: trends in the world and in Russia", Kaspersky Lab, 2012. Most companies take a reactive approach to information security. This fully applies to investment: organizations begin to invest money in a protection system after an incident has occurred. However, financial distribution is often carried out without taking into account the importance of information security issues.

Figure 2. – Assessment of the level of investment in information security

The most widely used information security measures in Russia, according to 2012 data (source: the study "Cyber threats and information security in the corporate sector: trends in the world and in Russia", Kaspersky Lab, 2012), are shown in Figure 3.

Figure 3. – measures to ensure information security

Control over the programs launched, network activity and external devices used reduces the risk of unauthorized access to important data and prevents possible financial losses. This kind of research allows vendor companies to understand which information security problems are most painful for modern business and to develop new strategic directions for their products. This is particularly relevant today, when, according to IDC, the Russian market for public and private "clouds" is growing at a dizzying pace (from $35 million in 2010 to a forecast $1.2 billion in 2015). A reasonable question arises: how to protect information? Of course, it is possible to prohibit employees from accessing the Internet. However, the ability (and sometimes the direct necessity) to reach the required resources from personal portable devices for work purposes makes such measures irrelevant and out of step with current requirements.

There is a whole range of means to protect information. A "gentleman's set" should definitely include a firewall, an antivirus (some of these products contain a program control module with which you can prohibit or limit the launch of certain applications), active management of group policies to restrict access (for example, prohibiting the use of flash drives in the accounting department, with the exception of the chief accountant's flash drive, or allowing external hard drives only in the IT department), and intrusion prevention systems (IPS) to prevent attacks and detect them as they occur. This is not a complete list. If you use products from well-known manufacturers, information security requires quite serious investment. Not all organizations, especially small ones, can afford this. But there is always a solution.

Currently, there are enough relatively inexpensive tools on the market that, in the hands of an experienced system administrator, can serve as a good means of protecting against the main types of vulnerabilities in computer networks. Let's look at an example of network protection that is also available to small organizations: a Mikrotik router. Its main "protective" core is its operating system, Mikrotik RouterOS. By the way, it can also be installed on a personal computer (PC) as a software product. We list just some of its main features: functions for working with the TCP/IP protocol, namely Firewall and NAT (powerful packet filtering settings, applicable to P2P connections; an excellent implementation of SNAT and DNAT; the ability to classify packets by source MAC address, IP addresses (with the ability to define networks), port ranges, IP protocols, protocol options (ICMP types, TCP flags and MSS), interfaces, internal chains of marked packets, ToS (DSCP), packet contents, packet size, etc.), Routing, QoS (quality of service management), HotSpot capabilities, PTP tunnel protocols, the use of IPsec, Proxy, Monitoring/Accounting, as well as an impressive set of functions for working with the second OSI layer. From this description it becomes clear why this operating system (OS) can be used. Its niche is a cheap multifunctional replacement for layer-3 hardware routers. It has basic capabilities for monitoring malicious activity on the network; setting the maximum number of requests per unit of time also allows you to protect against DDoS attacks.

We only note that it is enough to configure one interface and assign an IP address to it in order to continue configuration in graphical mode using the Winbox utility (a graphical utility for configuring the server) (Figure 4). The new dialog style allows you to dynamically configure all the necessary aspects and set IP address ranges (Figure 5). It also lets you configure the Firewall subsection (Figure 6 shows a dialog box with the traffic filtering rules tab open). For example, item 3 blocks port 8080 in incoming traffic to prevent intrusions from the outside. Item 4 limits incoming TCP traffic to 100 active connections. The goal is to prevent DDoS attacks, which are one of the most common threats to network performance. The next item dumps the remaining packets into the void. When a DDoS attack begins, this helps the network administrator gain time to counteract the hackers, because the attacker cannot tell at that moment that his packets are being "dropped" into the void. Thus, this product allows you to configure protection settings and will serve as a fairly serious barrier to all kinds of threats coming from the global Internet or other subnets.

Figure 4. – Winbox

Figure 5. Dialog box interface

Figure 6. – Setting up the Firewall subsection
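The filtering rules described for Figure 6, written as RouterOS terminal commands; this is an added example, not configuration taken from the original article. The interface name ether1-wan, the 192.168.88.0/24 admin subnet, the two accept rules (the text does not say what the other points in the figure are), the logging on the 8080 rule and the per-source scope of the 100-connection limit are assumptions.

```routeros
# Added example. Assumed names: ether1-wan (Internet-facing port), list "mgmt".
/ip firewall address-list
add list=mgmt address=192.168.88.0/24 comment="assumed admin subnet"

/ip firewall filter
# Assumption: let replies to traffic the router itself started come back in.
add chain=input connection-state=established,related action=accept comment="return traffic"

# Point 3 in the text: block TCP 8080 arriving from outside.
# The final rule would discard it too; a separate rule gives it its own
# counter and log prefix, so probes against 8080 are visible.
add chain=input in-interface=ether1-wan protocol=tcp dst-port=8080 action=drop log=yes log-prefix="in-8080" comment="block inbound 8080"

# Point 4 in the text: cap active TCP connections at 100.
# connection-limit=100,32 counts tracked connections per single IPv4
# address (/32); once a source has reached 100, its further SYNs match
# this rule and are dropped.
add chain=input protocol=tcp tcp-flags=syn connection-limit=100,32 action=drop comment="cap at 100 connections per source"

# Assumption: Winbox (TCP 8291) stays reachable from the admin subnet.
# Without an accept rule ahead of the final drop, the administrator is
# cut off together with everyone else.
add chain=input protocol=tcp dst-port=8291 src-address-list=mgmt action=accept comment="Winbox from admin subnet"

# Last point in the text: discard everything else. action=drop sends
# neither a TCP RST nor an ICMP error, so the sender gets no answer at all
# (action=reject would reply).
add chain=input action=drop comment="drop the rest"

# Rules are evaluated top to bottom and the first match wins; the per-rule
# packet and byte counters show which rule is absorbing traffic.
/ip firewall filter print stats
```

Enter the rules from a Safe Mode session, so that a rule that cuts off the management connection is rolled back automatically.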

1. Anin B. Yu. Protection of computer information. St. Petersburg: "BHV St. Petersburg", 2011. 384 pp.

2. Gerasimenko V. A. Information protection in automated data processing systems. Book 1. M.: Energoatomizdat, 2009. 400 p.

3. Koneev I. R., Belyaev A. V. Information security of the enterprise. St. Petersburg: BHVP Petersburg, 2011. 752 pp.: ill.

4. Kaspersky Lab: 9 out of 10 companies face external cyber threats. http://www.fontanka.ru/2011/09/27/057/

Filenko E.S., Yuzhno-Sakhalinsk Institute of Economics, Law and Informatics, Yuzhno-Sakhalinsk, [email protected]

security threats and possible solutions

This article examines the state of information security in general, presents statistics on information security in Russia, and describes some of the major problems that lead to breaches of information security and some of the possible means of solving those problems.

Keywords: information security, threats, cybercrime, security protection

Keywords

National security / information space / information society / information technology / international information security / critical information infrastructure / public policy of the Russian Federation / personal data / cloud technologies

Abstract of the scientific article on law; authors of the scientific work: T.A. Polyakova, E.V. Akulova

The subject of the study is the process of forming a legal system for ensuring international information security, as well as information security systems within the framework of the legislation of the Russian Federation. The relevance of this topic is due to the high pace of development of the global information space and informatization of all spheres of society, as well as the difficult political situation that has developed on the world stage. All this together contributes to the emergence of new challenges and threats to information security, the problem of preventing which can be considered one of the most serious issues of both national and international security. The steady increase in such threats calls for the need to build an effective international information security system, improve national legislation in this area, and conduct scientific research. In this regard, the authors analyze trends in the development of legislation and public policy in the field of information security, and also identify the most pressing problems and issues that are subject to scientific research. The purpose of this scientific research is the formation of practical and theoretical proposals for the construction of the legal system of international information security and the modernization of the legal system of information security of the Russian Federation. 
The achievement of this goal was facilitated by: analysis of the formation and development of the international information security legal system in modern political conditions, analysis of the development of national legislation of the Russian Federation in the field of information security, identification of legal problems and uncertainties that influence the successful formation of the international information security system and modernization of the legislation of the Russian Federation in the field of information security, as well as the formulation, based on the analysis, of a number of proposals that contribute to the successful implementation of the state policy of the Russian Federation in the field of international information security. The methodological basis of the study is the general scientific method of cognition, deductive, comparative legal, formal legal methods and the method of system analysis. One of the main conclusions of the scientific article is the need to expand the contractual legal framework of interstate cooperation, as well as the development of general rules for the application of norms in the information sphere and the creation of a unified approach for participants in interstate entities in the field of legal regulation: harmonization and unification of the legislation of the member states of the union states, and integration into the legislation of the Russian Federation of the recommendations enshrined in international documents.


The subject matter of this article is the process of forming the legal system of international information security and of information security within the framework of RF legislation. The relevance of this topic is due to the fast development of the global information space and of information systems in all spheres of society, as well as the challenging political situation in the world, which contributes to the emergence of challenges and threats to information security. The steady increase in such threats creates the need to build an effective system of international information security and to improve national legislation in this field. In this context, the authors examine the trends in the development of legislation and public policy in the field of information security, and identify the most topical problems and issues for scientific research. The purpose of this research is to shape the system of international information security and modernize Russian law in the field of information security, and to draw up a number of provisions to facilitate the implementation of the public policy of the Russian Federation in the field of information security. The methodological basis comprises the scientific methods of knowledge: deductive, comparative legal and formal-legal techniques and the method of system analysis. One of the main conclusions of the paper is the need to expand the legal framework of international cooperation, as well as to develop common rules for applying standards in the field of information and to create a single approach for participants in interstate formations in the field of legal regulation: harmonization and unification of the legislation of the members of union states, and integration into RF legislation of the recommendations set out in international instruments.


Development of legislation in the field of information security: trends and main problems

T.A. Polyakova

Professor of the Russian State University of Justice, Head of the Information Law Sector of the Institute of State and Law of the Russian Academy of Sciences, Doctor of Law, Honored Lawyer of the Russian Federation. Address: 117418, Russian Federation, Moscow, Novocheryomushkinskaya st., 69. E-mail: [email protected]

E.V. Akulova

Postgraduate student of the Department of Information Law, Informatics and Mathematics of the All-Russian State University of Justice. Address: 117638, Russian Federation, Moscow, st. Azovskaya, 2/1. Email: [email protected]


Bibliographic description: Polyakova T.A., Akulova E.V. Development of legislation in the field of information security: trends and main problems // Law. Journal of the Higher School of Economics. 2015. No. 3. P. 4-17

JEL: K 10; UDC: 349

The intensity of development of information technology during the transition of humanity to a radically new stage of development, the era of the global information society, and the introduction of such a phenomenal invention as the Internet into all spheres of human life lead to the emergence of new challenges and threats associated with the illegal use of achievements in the field of information technology. In this regard, the relevance of the problems of ensuring information security both at the national level within individual states and international information security (hereinafter referred to as IIS) is currently recognized by the entire world community. In the conditions of globalization and information development of society, as I.L. Bachilo rightly notes, the impulses to revitalize international law are intensifying. The idea of forming planetary law, that is, the development and obligatory observance of universal legal norms [1], is growing stronger.

In addition, globalization and the “web-Internet” networks spread widely throughout the world are blurring state borders. The information space today is not limited to the territory of just one state, associations of states and even entire continents, which necessitates the development of radically new approaches to the legal regulation of social relations that currently arise in all spheres of life.

In the Russian Federation, state policy in the field of ensuring international information security is reflected in a strategic document, which identifies the main threats in the field of international information security, goals, objectives and priority directions of state policy in this area. Such a strategic planning document is the Fundamentals of State Policy in the Field of Ensuring International Information Security until 2020 [2] (hereinafter referred to as the Fundamentals of State Policy).

Considering the multifaceted and global nature of the concept of international information security, it is important to determine what it includes. This document defines the concept of information security as a state of the global information space in which the possibility of violating the rights of the individual, society and the state in the information sphere, as well as destructive and unlawful influence on elements of the national critical information infrastructure, is excluded.

1 Bachilo I.L. Information law: Textbook for masters. M.: Publishing house Yurayt, 2013. 564 p.

2 Approved by the President of the Russian Federation July 24, 2013 No. Pr-1753 // SPS ConsultantPlus.

Legal thought: history and modernity

At the same time, it is especially important to note that the goal of the state policy of the Russian Federation is to promote the establishment of an international legal regime aimed at creating conditions for the formation of an international investment system. Thus, the relevance of the development of international information law as part of the system of international law is obvious. One of the main tasks contributing to the achievement of this goal is the formation of an international information security system not only on a global scale, but also at the bilateral, multilateral, and regional levels based on the use of international legal mechanisms and means.

In order to implement the course of development of international relations in the field of information security outlined in the Fundamentals of State Policy, active work continued in multilateral and bilateral formats in 2014-2015. Despite the introduction by European countries of a sanctions policy towards Russia, characterized by the cancellation and postponement of a number of planned consultations on information security issues, Russia continues active interaction in the above areas within the framework of such international organizations as BRICS, SCO, CSTO, CIS.

In the context of complex political relations developing with the United States and European countries, the need to strengthen relationships in other international formats comes to the fore, and in the age of high technology, characterized by the possibility of waging war in cyberspace, special attention should be paid to the issue of ensuring international security when concluding alliance agreements. For example, according to the Concept of Russia’s participation in the BRICS association, approved by the President of the Russian Federation on February 9, 2013, one of the main goals of cooperation with the BRICS member states on international security issues is cooperation in the interests of ensuring international security, as well as using the capabilities of BRICS to promote initiatives in this direction within the framework of various international forums and organizations, primarily the UN, and strengthening cooperation in the BRICS format in the field of countering the use of information and communication technologies for military-political, terrorist and criminal purposes, as well as for purposes contrary to ensuring peace, stability and security [3].

In order to implement the political course outlined in the Concept, in July 2014, thanks to Russia’s initiative, the Final Declaration of the 6th BRICS Summit (Fortaleza) included two sections devoted to issues of international information security and the internationalization of Internet governance. The participating states expressed their intention to cooperate with each other in identifying opportunities for joint action to solve common security problems in the use of information and communication technologies, and also took into account and noted the Russian proposal on the need to develop a consolidated position on this issue and jointly develop an agreement between the BRICS countries on cooperation in the field of ensuring international information security. However, a declarative reflection of the desire of the BRICS member states to conclude an international agreement on the above issue should not be the end point, and therefore a wide range of work opens up in the organizational and legal spheres to develop an agreed position that would satisfy the interests of each of the parties to the agreement.

3 Concept of participation of the Russian Federation in the BRICS association, approved by the President of the Russian Federation // SPS ConsultantPlus.

TA. Polyakova, E.V. Akulova. Development of legislation in the field of information provision... P. 4-17

In the formats of such international organizations as the SCO, CSTO, CIS and others, multilateral international agreements in the field of ensuring international information security were also concluded at different times: the Agreement between the governments of the member states of the Shanghai Organization on cooperation in the field of ensuring international information security [4] (Ekaterinburg, June 16, 2009) and the Regulations on cooperation of the member states of the Collective Security Treaty Organization in the field of information security [5] (Moscow, December 10, 2010). Under Decree of the Government of the Russian Federation dated November 15, 2013 No. 2120-r, the Cooperation Agreement of the member states of the Commonwealth of Independent States in the field of information security [6] was signed; in 2014 active work was carried out to promote the entry into force of this Agreement, and on June 4, 2015 it came into force for the Russian Federation, the Republic of Belarus and the Republic of Tajikistan.

Another result of the implementation of state policy in the field of international information security was the presentation at the 69th session of the UN General Assembly, on behalf of the SCO member states and as an official UN document, of the updated version of the Rules of Conduct in the Field of International Information Security (hereinafter referred to as the Rules of Conduct). This document is a serious step towards the formation of a culture of information security; its new edition differs from concepts that involve the regulation of cyber wars in its peacekeeping nature, aimed at preventing conflicts in the information space.

The updated version of the “Rules of Conduct” differs from the previous one in the expanded section on human rights, the presence of a separate paragraph devoted to the internationalization of Internet governance, as well as attention to the issues of “capacity building” in the field of information security and assistance to developing countries in bridging the “digital divide” [7].

An important aspect in the issue of ensuring information security is that the formation of a global information society and the rapid development of integration entail the need to expand the legal framework for interstate cooperation. The development of general rules for the application of norms in the information sphere, first of all, can be facilitated by the creation of a unified approach for participants in interstate entities in the field of legal regulation: harmonization and unification of the legislation of the member states of the union states. Confirmation of the relevance of this issue is the position of I.L. Bachilo: “...the main task in ensuring relations and information interaction in a single state, in a union state, in a union of states or in another form of coordination of interests remains the problem of harmonizing the legislation of the participating countries on those positions that determine the development of the economy, social and cultural life, management of common affairs” [8].

4 Bulletin of International Treaties. 2012. No. 1. P. 13-21.

5 Decision on the Regulations on cooperation of member states of the Collective Security Treaty Organization in the field of information security // SPS ConsultantPlus.

6 Official Internet portal of legal information // http://www.pravo.gov.ru (access date: 07/01/2015)

7 Official website of the Ministry of Foreign Affairs of the Russian Federation // http://www.mid.ru (access date: 07/01/2015)

8 Bachilo I.L. Op. cit.


Realizing the need to bring uniformity to the legislative framework of the union states within the framework of the CIS, the Interparliamentary Assembly of the CIS Member States adopted, at its 38th plenary meeting on November 23, 2012, Recommendations for improving and harmonizing the national legislation of the CIS member states in the field of information security [9]. The purpose of the Recommendations is to establish common approaches of the CIS member states to the legal regulation of information security and to strengthen and balance national legal systems in the context of informatization of society; they are also aimed at developing international information exchange, ensuring the security of information conditions for economic and customs cooperation, and stimulating the use of information and communication technologies in the social and cultural sphere.

By Resolution of the Parliamentary Assembly of the Collective Security Treaty Organization dated November 27, 2014 No. 7-6 (St. Petersburg), Recommendations similar to the above were adopted for the approximation and harmonization of the legislation of the CSTO member states.

The adoption of these acts indicates that in the era of the formation of a global information society, states should develop their legal potential in the field of ensuring information security, focusing on the achievements and successes of countries more developed in this area, and states that are members of allied organizations should also bring their national legislative frameworks to a common denominator, thereby simplifying cooperation and interaction in the information sphere at the cross-border level. In our opinion, it is true that in modern countries the integration of national and international information legislation is of primary importance, since the application of the legal norms of only one’s own country can lead to partial or complete isolation of the state in the international arena [10]. In this regard, we believe that the mentioned Recommendations should be taken into account when developing new strategic planning documents in the field of information security in the Russian Federation, since the currently valid Information Security Doctrine was approved on September 9, 2000.

An important step in international legal cooperation in the field of developing common approaches to the issue of international information security was the bilateral Agreement on cooperation in the field of ensuring international information security concluded between the Government of the Russian Federation and the Government of the Republic of Cuba [11] (Havana, July 11, 2014), which entered into force on January 2, 2015, as well as a similar Agreement with the Government of the Republic of Belarus [12] (Moscow, December 25, 2013), which entered into force on February 27, 2015. The participating states identified the main threats to international information security and defined the main directions, general principles, forms and mechanisms of cooperation, which undoubtedly brings relations between the states in this area to a new level and at the same time creates a regulatory framework for practical interaction.

9 Information bulletin. Interparliamentary Assembly of the CIS Member States. 2013. No. 57 (part 2). pp. 162-179.

10 Bulgakova E.S., Akimov V.S. Proceedings of the international scientific and practical conference “Current issues of legal regulation of the use of information resources on the Internet.” M.: RPA Ministry of Justice of Russia, 2014. P. 68.

11 Official Internet portal of legal information // http://pravo.gov.ru (date of access: 01/14/2015)

But especially noteworthy is the importance of developing international legal relations in this area with the PRC. On May 8, 2015, guided by the provisions of the Treaty on Good Neighbourliness, Friendship and Cooperation between the Russian Federation and the People's Republic of China [13] dated July 16, 2001, signed in Moscow, an Agreement on Cooperation in the Field of International Information Security [14] was also concluded between the Governments of the Russian Federation and the People's Republic of China, which will come into force after compliance with all necessary procedures provided for in this Agreement.

In the above Agreement, the states identified the special importance of joint work within the SCO, as well as the need to further deepen trust and develop interaction in the field of use of information and communication technologies, and noted the desire to form a multilateral, democratic and transparent international system for managing the Internet information and communication network for the purpose of real internationalization of the management of the Internet and ensuring equal rights of states to participate in this process, including democratic management of the main resources of the Internet information and communication network and their fair distribution. As M. Kasenova rightly notes, today the Internet integrates material, financial, intellectual, social and other resources, influences national and international processes and provides communication links on a planetary scale, and therefore issues of Internet governance cannot be considered and resolved outside the global context [15].

The issue of internationalization of Internet governance has long been discussed, is controversial and is perceived differently, from complete rejection to full support. In this regard, it should be noted the special importance of promoting Russian initiatives related to the adoption at the UN of the draft Convention on International Security, the concept of which was the result of many years of work by Russian experts in the field of international information in cooperation with our foreign colleagues. In modern political conditions, it is necessary to enshrine in an international legal act the provisions of the Convention’s concept that define the rules of conduct in cyberspace, as well as those relating to the internationalization of the Internet governance system. The principle of non-interference in each other’s information space and the right of each state to establish sovereign norms and manage its information space in accordance with national laws, and the duty of states to protect freedom of speech on the Internet [16] require international legal codification.

It seems that certain steps aimed at implementing state policy in this area are indicated not only by these international legal documents, but also by the development of the national legislation of the Russian Federation, in which significant changes aimed at its modernization already took place in 2014-2015.

13 Bulletin of International Treaties. 2002. No. 8. P. 56-62.

14 Agreement between the Government of the Russian Federation and the Government of the People's Republic of China on cooperation in the field of ensuring international information security // SPS ConsultantPlus.

15 Kasenova M.B. Cross-border Internet governance: basic terms and concepts // Legal World. 2014. No. 2. P. 58-63.

16 Official website of the Security Council of the Russian Federation // http://www.scrf.gov.ru/documents/6/112.html (date of access: 07/01/2015)

Today in Russia, the basic document for planning the development of the national security system, which sets out the procedure and measures to ensure national security and determines that the country’s national security significantly depends, among other things, on ensuring information security, is the National Security Strategy of the Russian Federation to 2020 [17]. At the same time, in the field of information security, the main political and legal document representing the totality of official views on the goals, objectives, principles and directions of ensuring information security in Russia, as already noted, remains the Information Security Doctrine of the Russian Federation [18]. Currently, the course towards the formation and development of the information society, defined in the Strategy for the Development of the Information Society of the Russian Federation [19], is being implemented.

In 2013, orders of the Russian Government approved action plans, the so-called “road maps”: “Improving the quality of the regulatory environment for business” (06/11/2013 No. 953-r (as amended on 08/17/2013)) and “Development of the information technology industry” (07/20/2013 No. 1268-r), which also reflect current organizational and legal issues related to ensuring information security. It should be noted that for the first time, not by order, but by Decree of the Government of Russia dated April 15, 2014 No. 313, a new edition of the state program “Information Society” [20] was approved, in which special attention is paid to security issues in the information society.

Today, there is no longer any doubt about the relevance of implementing measures to create domestic operating systems and secure technologies for storing and processing information. It is obvious that the intensification of geopolitical confrontation causes serious threats in the field of information security. Currently, government authorities are actively discussing the issues of reducing the dependence of the functioning of the Internet on elements of its infrastructure, which are controlled by foreign companies and determined by their policies.

In order to counter threats to the information security of Russia when using the Internet information and telecommunications network, Decree of the President of the Russian Federation dated May 22, 2015 No. 260 [21] ordered the transformation of the segment of the international computer network Internet for federal government bodies and government bodies of the constituent entities of the Russian Federation, which is under the jurisdiction of the Federal security services, into the Russian state segment of the Internet, providing connection to the Internet of state information systems intended for interaction with it and of information and telecommunication networks of government bodies, as well as information systems and information and telecommunication networks of organizations created to carry out the tasks assigned to federal government bodies. This Decree also approves the procedure for connecting information systems and information and telecommunication networks to the Internet and placing (publishing) information on it through the Russian state segment of the Internet.

18 Approved by the President of the Russian Federation September 9, 2000 No. Pr-1895 // Russian newspaper. 2000. No. 187.

19 Approved by the President of the Russian Federation February 7, 2008 No. Pr-212 // Russian newspaper. 2008. No. 34.

20 Approved by Decree of the Government of the Russian Federation dated April 15, 2014 No. 313 / Official Internet portal of legal information // http://www.pravo.gov.ru (date of access: 04/24/2014)

21 SZ RF. 2015. No. 21. Art. 3092.

Until recently, one of the problems of ensuring information security remained the placement of websites of government bodies, institutions and municipalities on foreign servers, which in turn does not exclude the possibility of destruction, blocking, or changing of information on official websites that cannot be promptly eliminated and will remain virtually unpunished [22]. The amendments to Arts. 13 and 14 of the Federal Law of July 27, 2006 No. 149-FZ “On information, information technologies and information protection” [23] (hereinafter referred to as Federal Law No. 149-FZ), which came into force on July 1, 2015, are aimed at solving this problem: according to them, the technical means of information systems used by government authorities, local government bodies, state and municipal unitary enterprises or institutions must be located on the territory of Russia. On September 1, 2015, amendments to the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data” [24] came into force, providing that the recording, accumulation and storage of personal data of Russians is permitted only on the territory of the Russian Federation.

Import substitution issues also deserve close attention in ensuring information security. In the face of the risk of large-scale sanctions that may involve stopping support services for software used in the Russian Federation, the Russian Ministry of Telecom and Mass Communications approved the Software Import Substitution Plan [25], according to which domestic software is expected to receive preferences in purchases made at public expense. However, along with the creation of domestic analogues of Western products, in our opinion, special attention should be given to developing new and promising software based on the country’s existing scientific and technical potential and to ensuring the competitiveness of domestic developments on the world market. This is possible with the direct participation of Russia in the development of international standards, as well as on the basis of cooperation with foreign IT companies of the allied states of BRICS and the SCO.

One of the priority areas of Russian state policy in the field of information security related to overcoming the negative consequences of the sanctions policy towards Russia is the creation of a national payment card system (hereinafter referred to as NSPK). A new impetus for the promotion and implementation of this project was an incident that occurred in the financial and credit sector in March 2014 and was associated with the blocking, without prior notification, by the international payment systems VISA and MasterCard of payments using cards of four Russian banks. Already in February 2015, NSPK began work, marked by the connection of the first five operators to it. Although certain problems require further elaboration (the predominant share of imported software, the absence of a number of provisions for the implementation of measures to combat cybercrime), one cannot fail to note the positive trend in ensuring information security in the banking sector that has emerged in connection with the adoption of Federal Law of June 27, 2006 No. 161-FZ “On the National Payment System” [26].

[22] Explanatory note to the draft Federal Law “On Amendments to Certain Legislative Acts of the Russian Federation” // SPS ConsultantPlus.

[23] Rossiyskaya Gazeta. 2006. No. 165.

It is important to note that the specified Federal Law vests the Central Bank of Russia, along with the federal executive authorities exercising management in the field of security, with the right to issue regulations in the field of information security. The Bank of Russia, in turn, at the stage of constructing the NSPK, set special requirements for the information security of the national payment system (certain conditions for the use of foreign equipment), since the information payment system of the Central Bank of Russia, as well as the information payment systems of credit and financial organizations, store and process significant amounts of information, and the cessation or disruption of their functioning could lead to negative consequences for the state and society. Of course, the totality of such systems can be classified as critical information infrastructure.

In this regard, the development and adoption of the bill “On the Security of Critical Information Infrastructure”, aimed at creating a legal foundation for regulating this issue, which will help protect critical information infrastructure from damage that could lead to serious and even catastrophic consequences, deserves special attention.

Since 2014, other positive trends have emerged in rule-making for the implementation of state policy in the field of information security, such as amendments to certain legislative acts of the Russian Federation on streamlining the exchange of information using information and telecommunication networks. Thus, in 2014, new articles 10.1, 10.2 and 15.4 were added to Federal Law No. 149-FZ, which determine the list of responsibilities of the organizer of information dissemination on the Internet, the features of a blogger’s dissemination of publicly available information, and the procedure for restricting access to the information resource of the organizer of information dissemination on the Internet, which in turn helps ensure the information security of Internet users [27].

In addition, in accordance with Article 15.1 of the Law on Information, in order to limit access to sites on the Internet containing information the dissemination of which is prohibited in Russia, the automated information system “Unified Register of domain names, indexes of pages of sites on the Internet and network addresses that allow identification of Internet sites containing information the distribution of which is prohibited in the Russian Federation” has been created. The specified register, in accordance with the criteria and rules approved by the Government of Russia, includes domain names and (or) indexes of pages of sites on the Internet containing information the distribution of which is prohibited in Russia, as well as network addresses that allow the identification of sites on the Internet containing such information. The powers to create, form and maintain the register are today assigned to the Federal Service for Supervision in the Sphere of Communications, Information Technologies and Mass Communications (Roskomnadzor).

[26] Rossiyskaya Gazeta. 2011. No. 139.

[27] SZ RF. 2006. No. 31 (part 1). Art. 3448.

It is important to note that on May 1, 2015, Art. 15.6 came into force; it determines the procedure for restricting access to sites on the Internet on which information containing objects of copyright and (or) related rights, or information necessary to obtain them using information and telecommunication networks, including the Internet, has been repeatedly and unlawfully posted. From September 1, 2015, Art. 15.5 of the said Federal Law is in effect, establishing the procedure for limiting access to information processed in violation of Russian legislation in the field of personal data. This article provides for the introduction of restrictions on access to such information, as well as the creation by Roskomnadzor of an automated information system “Register of violators of the rights of personal data subjects.”

Such changes are due to the need to ensure the security of personal data used in various information systems. It is important to note that Russia has completed an almost seven-year procedure related to the ratification of one of the most relevant international legal acts in the field of human rights protection in the process of using modern information and communication technologies - the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Strasbourg, January 28, 1981). Thus, a significant step has been taken towards Russia’s full participation in the efforts of Council of Europe member states to strengthen human security in cyberspace and the pan-European legal space. However, the process of modernization of this Convention, in which Russia is involved as a full participant, is still ongoing, which has caused the dynamic development of by-laws of the Russian Government and federal executive authorities.

Another pressing problem in the field of information law is the protection of copyright and related rights. As correctly noted in the work of B.N. Miroshnikov, “copyright, which is in force today everywhere on a global scale (with various national variations), has been taking shape for centuries in developed countries, and is just emerging in developing countries. Everything would be fine, but the Internet brought everyone to a single level of the global information space and was the source of a major global problem in the 21st century... Thanks to the Internet, the losses of copyright holders are astronomically huge - in literature, music, software, and so on” [28].

Issues related to attempts to protect subjects of copyright and related rights from illegal use of the results of their activities are reflected in the new Art. 15.2 (entered into force in 2013) of the Law on Information, which establishes the procedure for limiting access to information distributed in violation of exclusive rights to films, including movies and television films. According to it, the rights holder, in the event of discovering films (movies, television films) in information and telecommunication networks, including the Internet, that are distributed without his permission or other legal basis, has the right to apply to Roskomnadzor with an application to take measures to limit access to information resources distributing such films or information, based on a judicial act that has entered into force. The adoption of such changes (the so-called “anti-piracy law”) received a wide response, and during the public discussion of this bill, proposals were actively made to improve Art. 15.2 of the Law on Information and expand its scope. On May 1, 2015, changes came into force according to which the current procedure for restricting access to information applies to all objects of copyright and related rights, except for photographic works and works obtained by methods similar to photography, and the new Art. 15.7 of the Law on Information provides for extrajudicial measures to prevent violation of copyright and (or) related rights in information and telecommunication networks, including the Internet, taken at the request of the copyright holder.

[28] Miroshnikov B.N. Network factor. Internet and society. Sight. M.: Inforos, 2012. 208 p.

Within the framework of this article, the importance of ensuring information security when using cloud computing, and of approving the necessary security standards for cloud environments and tools for measuring the level of risks and threats, should also be noted. Legal issues of ensuring information security when using cloud technologies are undoubtedly relevant and, in our opinion, which is also supported in the monograph by A.V. Morozov and T.A. Polyakova, “deserve special attention, since the use of cloud computing is becoming increasingly popular and profitable, and cloud computing itself is already emerging as a separate area of the information technology market. At the same time, it is obvious that in proportion to the rapid growth of the capabilities of these technologies and the obvious advantages of using this type of technology, the number of new risks and threats to information security of a technological, organizational and legal nature is also growing. This is confirmed by the statement made at the end of 2012 by experts from Trend Micro, one of the leading providers of comprehensive cloud security tools, that the security tools available today are not yet capable of protecting data in cloud infrastructures” [29].

Particularly noteworthy is the widespread use of information and communication technologies in the judicial system, in particular the use of “cloud computing”, which is provided for by the Federal Target Program “Development of the Russian Judicial System for 2013-2020”, approved by the Government of Russia in December 2012. Currently, the reform of the judicial system is actively underway, and changes are being prepared to procedural legislation related to the use of electronic documents and electronic signatures (corresponding changes were made by the Federal Constitutional Law of June 8, 2015 No. 5-FKZ “On Amendments to the Federal Constitutional Law ‘On the Constitutional Court of the Russian Federation’”).

However, it should be recognized that the main limiting factor in the use of cloud technologies in the activities of government agencies, as well as in their wider distribution in general, is the insufficient regulation of the basic rules for the use of cloud technologies, in particular those related to ensuring the security and confidentiality of information transferred to the cloud service provider (the legislation does not establish rules defining the administrative and civil liability of the cloud service provider, as well as the responsibility of managers and employees of organizations providing cloud services). These trends in the development of legislation in the field of ensuring information security are certainly diverse and varied, often lie at the intersection of various specialties in both law and information technology, and require scientific research related to ensuring information security.

[29] Morozov A.V., Polyakova T.A. Organizational and legal support of information security. M.: RPA of the Ministry of Justice of Russia, 2013. 276 p.

Another serious direction on the path to building an information security system is the training of highly qualified personnel. In this regard, the conclusion stated in the article by T.A. Polyakova and A.I. Khimchenko seems completely correct, namely that “the most appropriate ways to increase the level of competencies in the Russian Federation in the field of information security are the targeted training of highly qualified specialists in specialized educational institutions, as well as the continuous process of developing general literacy skills, culture when handling official and personal information (a special place is occupied by personal data) and trans-border, as well as propaganda of security policy in this area” [30].

Addressing the listed areas of ensuring information security, which the authors consider priorities, constitutes a theoretical and practical basis for the development of national and international information law, as well as for the direct formation of an international information security system.

[30] Polyakova T.A., Khimchenko A.I. Features of personnel training in the field of organizational and legal support of information security // Information Law. 2013. No. 3. P. 21-23.

Bibliography

Bachilo I.L. Information law. 3rd ed. M.: Yurayt, 2013. 564 p.

Bachilo I.L. Legal platform for building an electronic state // Information law. 2008. No. 4. P. 41-45.

Bulgakova E.S., Akimov V.S. Integration of national and international information legislation // Materials of the international scientific and practical conference “Topical issues of legal regulation of the use of information resources on the Internet”. M.: RPA of the Ministry of Justice of Russia, 2014. P. 67-71.

Kasenova M.B. Cross-border Internet governance: basic terms and concepts // Legal World. 2014. No. 2. P. 58-63.

Miroshnikov B.N. Network factor. Internet and society. M.: Inforos, 2012. 208 p.

Morozov A.V., Polyakova T.A. Organizational and legal support of information security: monograph. M.: RPA of the Ministry of Justice of Russia, 2013. 276 p.

Morozov A.V. Legal support of information security. M.: RPA of the Ministry of Justice of Russia, 2012. 346 p.

Polyakova T.A. Improving information legislation in the context of the transition to an information society // Journal of Russian Law. 2008. No. 1. P. 62-69.

Polyakova T.A., Khimchenko A.I. Current organizational and legal issues of cross-border transfer of personal data // “Pravo”. Journal of the Higher School of Economics. 2013. No. 1. P. 113-122.

Polyakova T.A., Khimchenko A.I. Features of personnel training in the field of organizational and legal support of information security // Information law. 2013. No. 3. P. 21-23.

Talimonchik V.P. World Summit on the Information Society in the Development of International Information Exchange // Information Law. 2006. No. 2. P. 3-6.

Tereshchenko L.K. Modernization of information relations and information legislation: monograph. M.: Institute of Legislation and Comparative Law under the Government of the Russian Federation, INFRA-M, 2013. 227 p.

Tikhomirov Yu.A. International legal acts: nature and methods of influence // Journal of Russian Law. 2002. No. 1 // http://www.center-bereg.ru/o5845.html (date of access: 05/01/2015)

Federal reference book “National Security of Russia”. T.1. M.: Center for Strategic Partnership, 2014. 566 p.

Sherstyuk V.P. The threat to international information security in the context of the formation of a global information society and areas of cooperation // Law and Security. 2010. No. 4 (37). http://dpr.ru/pravo/pravo_33_8.htm (access date: 05/01/2015)

The Development of Legislation in the Field of Information Security: Trends and Key Issues

Tat’ana A. Polyakova

Professor, Moscow State University of Justice, Head, Information Law Center, Institute of State and Law, Doctor of Legal sciences, Merited Lawyer of the Russian Federation. Address: 69 Novocheremushkinskaya Str., Moscow, 117418, Russian Federation.

Elena V. Akulova

Postgraduate student, Department of Information Law, Informatics and Mathematics, All-Russia State University of Justice. Address: 2/1 Azovskaya Str., Moscow, 117638, Russian Federation.

The subject matter of this article is the process of forming a legal system of international information security and information security within the framework of RF legislation. The relevance of this topic is due to the fast development of the global information space and of information systems in all spheres of society, as well as the challenging political situation in the world, which contributes to the emergence of challenges and threats to information security. The steady increase in such threats creates the need to build an effective system of international information security and to improve national legislation in this field. In this context, the authors examine the trends in the development of legislation and public policy in the field of information security, and identify the most topical problems and issues of scientific research. The purpose of this research is shaping the system of international information security and modernization of Russian law in the field of information security, and making up a number of provisions to facilitate the implementation of public policy of the Russian Federation in the field of information security. The methodological basis comprises scientific methods of knowledge, including deductive, comparative legal and formal-legal techniques and methods of system analysis. One of the main conclusions of the paper is the need to expand the legal framework of international cooperation, to develop common rules and standards in the field of information, and to create a single approach among the participants of interstate formations in the field of legal regulation: harmonization and unification of the legislation of the members of union states, and integration into RF legislation of the recommendations set out in international instruments.

Keywords: national security, information space, information society, information technology, international information security, critical information infrastructure, state policy of the Russian Federation, personal data, cloud technologies


Citation: Polyakova T.A., Akulova E.V. (2015) The Development of Legislation in the Field of Information Security: Trends and Key Issues. Pravo. Zhurnal Vysshey shkoly ekonomiki, no 3, pp. 4-17 (in Russian)


Legal problems of ensuring information security

The problem of ensuring information security is one of the most acute today not only in our country, but also in developed countries of the world. Experience in operating information systems and resources in various spheres of life shows that there are various and very real threats of information loss, leading to material and other damage. At the same time, it is almost impossible to ensure 100% security of information.

Interest in information security problems is determined by the increasing role of information in various spheres of society (for example, economic, political spheres).

The problem of ensuring information security is one of the pressing problems facing the world community. Significant events in the field of ensuring information security and combating computer crimes were the International Conferences of representatives of government and commercial structures of the G8 countries on security and trust in cyberspace, which took place in 2000 in Paris and Berlin. These conferences addressed the following important issues: protecting electronic commerce, critical infrastructure and increasing trust in cyberspace through threat assessment and crime prevention; improving the ability to detect and identify criminals using information technology; improving partnerships between government agencies, the private sector, and users to ensure security and trust in cyberspace; as well as the signing by the heads of the G8 on July 22, 2000 of the Okinawa Charter for the Global Information Society, in which the leading countries once again emphasized the importance of taking all necessary measures aimed at creating a safe and crime-free global cyberspace. The need to find effective political solutions to such pressing problems as, for example, unauthorized access and computer viruses was noted.

According to this document, information and communication technology is one of the most influential and powerful forces that define the contours of the 21st century. Its revolutionary influence concerns everyday life, education, work, as well as the ways in which government and civil society interact. As an accelerator of economic growth, this technology has great potential for various social transformations.

In this regard, in some European countries the concept of “information security” has been legislated. Thus, in the legislation of the Russian Federation there is a specific definition of this concept, namely: “the information security of the Russian Federation is understood as the state of protection of its national interests in the information sphere, determined by the totality of balanced interests of the individual, society and the state.”

At the legislative level of Ukraine, the concept of “information security” does not exist.

So what is “information security”? Let us consider the content of the concept of “security” as such.

Throughout the history of world civilization, security has been one of the most important goals and an integral component of the activities of people, social groups, societies, states and the world community. Concern for safety is inherent in every particle of the social structure of society, from a specific individual to an extremely broad association of people.

The term “safety” means the absence of danger, safety, reliability, or a situation in which there is no danger to anyone or anything. Safety issues are also considered at the legislative level, namely: the Laws of Ukraine “On High-Danger Objects”, “On the Use of Nuclear Energy and Radiation Safety”, “On Road Traffic”, “On Fire Safety”.

So, we can conclude that security is a state of protection of the vital interests of the individual, society and state from internal and external threats.

Information is the main object of the information society and its role today is very great. The term “information” comes from the Latin word “informatio”, which means explanation, message. Information consists of messages. A message is a form of presenting information.

According to Article 1 of the Law of Ukraine “On Information”, information should be understood as documented or publicly disclosed information about events or phenomena that occur in society, the state or the natural environment.

An important feature of information is the possibility of its almost unlimited replication, distribution and transformation of the forms of its recording.

It follows that information security is a state of protection of the individual, society and the state in the information sphere from internal threats (whose sources are: an unfavorable crime situation, accompanied by trends in the merging of government and criminal structures; criminal structures gaining access to confidential information; the increasing influence of organized crime on the life of society; a reduced degree of protection of the legitimate interests of citizens, society and the state; insufficient funding for measures to ensure information security; insufficient economic power of the state; the critical state of domestic industries) and external threats (activities of foreign intelligence and information structures directed against the interests of the state; worsening international competition for the possession of information technologies and resources). Note that the information sphere is a field of activity that is associated with the creation, distribution, processing and consumption of information.

Sources of information hazards are divided into natural (of natural origin) and artificial (created by man in the process of his life).

The most obvious sources of information hazards are:
1) lack of a unified state policy in the field of information security;
2) imperfection of the regulatory legal framework regulating relations in the field of information security, as well as insufficient law enforcement practice;
3) insufficient control over the development of the information market by government agencies and society;
4) low level of informatization of government and commercial structures;
5) low level of protection of the interests of individuals and legal entities in the information sphere;
6) merging of state and commercial structures in the credit and financial sphere with criminal structures;
7) obtaining access by criminal structures to confidential information;
8) increasing the influence of organized crime on the life of society;
9) smuggling and illegal sale of computer equipment and radio communications, obtaining uncontrolled profits.

The objects to be protected from information threats and dangers include the consciousness, psyche of an individual, social communities (team, social groups, nations, nationalities, civil society, state); information technology systems for various purposes and information flows that connect all elements into a single social or technical system.

Threats to the security of information tools and systems may include:
- illegal collection and use of information;
- development and distribution of programs that disrupt the normal functioning of information systems, including information security systems;
- information leakage through technical channels (visual-optical, acoustic, electrical, radio engineering, material);
- introduction of electronic devices for intercepting information into technical means of processing, storing and transmitting information via communication channels, as well as in the office premises of government bodies, enterprises, institutions and organizations, regardless of the form of ownership;
- destruction, damage or theft of computer and other storage media;
- interception of information in data networks and communication lines;
- unauthorized access to information located in data banks and databases (can be targeted or accidental);
- violation of legal restrictions on the dissemination of information.

Central to the use of information and computer technologies in Ukraine is the presence of adequate information legislation. Information legislation should be understood as a set of laws and regulations that govern legal relations in the field of collecting, processing, storing and using information. However, the current laws of Ukraine (for example, the laws of Ukraine “On Information”, “On State Secrets”, “On Information Agencies”, “On the State Register of Individuals Paying Taxes and Other Obligatory Payments”) and other regulations that directly or indirectly relate to these issues do not cover the entire range of problems and do not form an integral system. Therefore, the implementation of effective measures of legal support for information security is vital for the development of Ukraine, because an information society can only be created in a rule-of-law state.

One of the components of information security is the protection of information in computer systems and networks. At the legislative level in Ukraine, the protection of information in computer systems and networks had not been considered. Only with the adoption of the new Criminal Code of Ukraine in 2001 was computer security placed under the protection of criminal law (Section XVI of the Criminal Code “Crimes in the field of use of electronic computers (computers), systems and computer networks”). However, the legislative consolidation of these issues in itself does not contribute to their suppression. As A.A. Matveeva noted on this point: “Criminal legal norms are only a legislative framework, a necessary (in a rule-of-law state), but not the only condition. The main importance is their correct and timely application. As the main principle of criminal liability, one must recognize its inevitability. At the same time, before considering organizational and technical difficulties, one should first of all evaluate how perfect (and, therefore, effective) the existing criminal legislation is.

As a result, it seems necessary to further improve the legal framework, in which criminal law occupies a special place, and the practice of its application. Here it is necessary, first of all, to achieve unity among the norms of the various branches of law and to minimize their imbalance.

Ensuring information security is not limited to the adoption of legal measures, but includes a wide range of measures of an organizational, technical and other nature (creation and improvement of an information security system; development, use and improvement of information security tools and of methods for monitoring the effectiveness of these tools; development of secure telecommunications systems; increasing the reliability of special software; certification of information security tools; licensing of activities in the field of protecting state secrets; standardization of methods and means of protection). Therefore, the implementation of the entire range of measures is possible only if there is a developed legislative framework and their financing is provided.

Literature:

1. Doctrine of information security of the Russian Federation // Andreev B.V., Pak P.N., Horst V.P. Investigation of crimes in the field of computer information. – M: Publishing House “Yurlitinform”, 2001. – P.89.
2. Dal V. Explanatory dictionary of the living Great Russian language. Vol. 1. – M., 1978. – P.67.
3. Ozhegov S.I. Dictionary of the Russian language. – M., 1986. – P.38.
4. Law of Ukraine “On Information” dated 10/02/1992 // Vidomosti Verkhovnoi Rady. – 1992. – No. 48. – Art. 650.
5. Civil law. Textbook. Ed. Sergeeva A.P., Tolstoy Yu.K. – M.: Prospekt, 1997. – P.214-215.
6. Orlov P.I. Information and informatization: Regulatory and legal security: Scientific and practical handbook. – Kharkiv: Publishing House of the University of Internal Affairs, 2000. – P.9.
7. Russian criminological encyclopedia. Under the general editorship of A.I. Dolgova. – M.: Publishing house NORMA (Publishing group NORMA – INFRA-M), 2000. – P.67.
8. Methods and means of information security: Guidelines. – K: KMUGA, 1997. – P.17.
9. Kiselov M. About the unified information system of the justice authorities of Ukraine // Law of Ukraine. – 1997. – No. 3. – P.53.
10. Matveeva A.A. Information security and problems of improving criminal legislation // Criminal law in the 21st century: Materials of the International scientific conference at the Faculty of Law of M.V. Lomonosov Moscow State University, May 31 – June 1, 2001. – M.: “LexEst”, 2002. – P.181-186.