New Regulations for Hosting Providers: Cooperation with FSB and SORM Implementation
The Russian Ministry of Digital Development (MinTsifry) continues to implement the provisions of Federal Law No. 406-FZ, which introduces strict regulations for hosting providers. Previously, there was a draft government decree on the rules for forming and maintaining a registry of hosting providers. Now, four new documents from the ministry have been highlighted.
Requirements for Computing Power and SORM Installation
The first document is a draft order from the Ministry of Digital Development titled “On Approving the Requirements for Computing Power Used by Hosting Providers for Activities Conducted by Authorized State Agencies Responsible for Operational-Investigative Activities or Ensuring the Security of the Russian Federation.”
According to the explanatory note, starting December 1, 2023, hosting providers are required to:
- Ensure the implementation of requirements set by the federal executive authority in the field of communications, in coordination with authorized state agencies responsible for operational-investigative activities or national security, regarding the computing power used by hosting providers for activities mandated by federal law.
- Take measures to prevent the disclosure of organizational and tactical methods used during these activities.
The “OrderKom” channel explains that this refers to the installation of the System of Technical Means for Ensuring the Functions of Operational-Investigative Activities (SORM). Previously, only telecom operators were required to install SORM, but now this obligation extends to hosting providers as well.
The document’s authors state, “Implementing these measures will help authorized state agencies conduct activities necessary to fulfill their assigned tasks.”
Interaction Rules with the FSB
The second document is a draft government decree titled “On Approving the Rules for Interaction Between Hosting Providers and Authorized State Agencies Responsible for Operational-Investigative Activities or Ensuring the Security of the Russian Federation.” According to “OrderKom,” this specifically concerns cooperation with the FSB.
Also starting December 1, 2023, hosting providers must “ensure the implementation of requirements for information protection when providing computing power for hosting information in information systems that are permanently connected to the Internet, as established by the federal executive authority in the field of communications in coordination with the federal executive authority responsible for security.”
The explanatory note to the first document states, “Implementing these measures will help protect the hosting provider’s information and infrastructure from hacks and leaks, as well as prevent cyberattacks using the hosting provider’s infrastructure.”
This cooperation will be carried out using the hosting provider’s technical resources, which must enable the required actions during operational-investigative activities in the provider’s information systems.
The explanatory note also clarifies that, with the approval of the authorized FSB division, hosting providers may use technical resources belonging to another hosting provider, a technological network owner with an autonomous system number, or an information dissemination organizer.
As part of this cooperation, hosting providers must:
- Store information about their users for three years.
- Store information about interactions between their users and other Internet users for one year after the activity ends.
- Provide this information to authorized agencies using technical means.
This means the “Yarovaya Law” requirements now also apply to hosting providers.
One of the rules states that technical resources used for cooperation with authorized agencies must not be located outside the territory of the Russian Federation.
Technical Measures Against Threats and Cyberattacks
The third document concerns the operation of technical means to counter threats (TSPU), which hosting providers are now required to connect. Most providers already have such equipment.
Additionally, hosting providers will participate in drills to ensure the stable, secure, and integrated functioning of the Internet and public communication networks within Russia.
They will also be connected to the State System for Detecting, Preventing, and Eliminating the Consequences of Computer Attacks (GosSOPKA), which is controlled by the FSB. Under the fourth document, companies must provide GosSOPKA with the IP addresses of dangerous websites within four hours of a request.
Hosting providers will also be required to block, within 12 hours, any websites that GosSOPKA deems involved in cyberattacks, such as DDoS attacks.
Public Discussion Deadlines
- The public discussion period for the first document ends on October 4, 2023.
- The public discussion period for the second document also ends on October 4.
- The third document’s public discussion ends on September 28, 2023.
- The fourth document’s discussion also ends on October 4.
If you have any suggestions or comments, you can leave them on the respective document pages.