Russian Law Enforcement Opposes Legalization of White Hat Hackers

The Ministry of Internal Affairs (MVD), the Investigative Committee (SK), and the Prosecutor General’s Office have come out against proposed amendments to the Russian Criminal Code that would legalize the creation and use of malicious software by white hat hackers at the request of clients. This initiative was discussed in the State Duma at the end of November 2023, according to RBC.

Background of the Initiative

The public discussion about legalizing white hat hackers began in the summer of last year. At that time, the Ministry of Digital Development started exploring the possibility of introducing the concept of bug bounty (reward-based vulnerability searching) into the legal framework.

Sources revealed the current version of the proposed amendments. The changes would affect the law “On Information, Information Technologies and Information Protection,” as well as the Civil and Criminal Codes. The legislative adjustments propose to:

  • Allow white hat hackers to create and use malicious software at the request of a client;
  • Permit white hat hackers to study and test software to identify and fix vulnerabilities;
  • Require white hat hackers to report discovered vulnerabilities to the software’s copyright holder;
  • Enable information owners and system operators to hire external specialists to identify vulnerabilities;
  • Give the government the authority to set requirements for vulnerability identification, which are currently determined by the client.

Law Enforcement’s Position

Alexey Alborov, head of the information security department at the Prosecutor General’s Office, stated during the Duma meeting that criminal law is applied only when a software developer intentionally creates and uses software for unauthorized access and for causing harm. In cases where the work is done on commission, there is no harm, no violation of legally protected social relations, and no infringement of the copyright holder’s rights, Alborov added.

Konstantin Komardy, head of the cybercrime and high-tech crime investigation department at the Investigative Committee, noted that although it is technically possible to prosecute someone for testing another’s information system for vulnerabilities, in practice, this does not happen. He added that if a programmer is contracted or requested by the system owner to test their system, their actions are legal and do not constitute a crime. A crime requires intentional actions aimed at causing negative consequences, he emphasized.

The Investigative Committee concluded that amendments to the Criminal Code are unnecessary, a position supported by the Ministry of Internal Affairs.

Concerns and Industry Opinions

Meeting participants pointed out that if the amendments are adopted, malicious hackers could present documents showing a contract for system testing to prove their innocence, making prosecution difficult.

Vladimir Bengin, Director of Product Development at Solar Security, noted that over 50% of Russian ethical hackers avoid legal work due to fear of criminal liability. “If the amendments are adopted and white hat hackers see this provision in the Criminal Code, it will change the situation,” Bengin said.

Anton Nemkin, one of the amendment’s authors and a State Duma deputy, said that a working group including representatives from the Ministry of Digital Development, FSB, MVD, and FSTEC continues to discuss the proposal. He hopes the bill can be finalized within a year. Nemkin believes that to mitigate risks, white hat hackers should be required to register before testing, declare their intentions, and provide their IP address.