Hacking with penetration: the State Duma intends to regulate the activities of "white hackers"
In Russia, the activities of "white hackers" are to be regulated by law. Deputies and senators plan to submit a package of relevant bills to the State Duma. The measures, according to the parliamentarians, will increase trust between cybersecurity experts and owners of information resources, as well as strengthen Russia's digital sovereignty. Whether it is worth relying on "white hackers" when searching for vulnerabilities is discussed in this Izvestia article.
According to the letter of the law
A package of bills aimed at legislative regulation of the activities of "white hackers" will be submitted to the State Duma. This was stated by Anton Nemkin, a member of the State Duma Committee on Information Policy, Information Technologies and Communications.
"A new comprehensive package of bills is being prepared for submission to the State Duma aimed at regulating the activities of specialists in identifying vulnerabilities in information systems," he said, adding that these amendments were prepared with the active participation of the expert community.
The proposed measures, according to the parliamentarian, are designed to create legal conditions for the development of ethical hacking. They will also increase trust between cybersecurity experts and owners of information resources and strengthen Russia's digital sovereignty.
To achieve these goals, the authors of the initiatives have developed three documents. All of them, if successfully reviewed and adopted, can enter into force on March 1, 2026.
Nemkin noted that the first draft law amends the Civil Code of the Russian Federation. It grants users the right to study and test computer programs and databases for vulnerabilities without the consent of the copyright holder. However, this will be allowed only on the condition that the analysis is carried out in order to improve security and that the information obtained is not distributed.
"This step removes the risk of criminal or civil prosecution of specialists acting in good faith and in the interests of cybersecurity," the deputy explained.
The second bill, in turn, amends the provisions of the federal law "On Information, Information Technologies and Information Protection." It establishes the procedure for carrying out measures to identify vulnerabilities, including the rules for involving performers, requirements for testing platforms, the procedure for transmitting information received and interaction with authorized bodies. All this, according to Nemkin, creates a legal framework for safe interaction between resource owners and researchers.
The third draft law amends the Criminal Code and the Code of Criminal Procedure of the Russian Federation. It concerns liability for the unlawful transfer of information about vulnerabilities obtained during testing. This, according to the authors of the initiative, will protect critical infrastructure and prevent abuse. The transfer of data that could be used for cyber attacks will be punishable, up to and including imprisonment.
All this, according to Nemkin, will make it possible to create a systematic legal mechanism that involves responsible search for vulnerabilities and protection of public and private systems from unfair actions.
"It is important to legalize the work of 'white hackers', create conditions for cooperation between researchers and businesses and at the same time ensure the security of critical data. This is a necessary step towards the formation of a mature cybersecurity ecosystem in our country," the parliamentarian concluded.
By the way, the Ministry of Finance is also in dialogue with the industry and colleagues on the draft laws being developed. The ministry's press service told Izvestia about this.
— The Ministry also considers it appropriate to define requirements, rules and boundaries for specialists who search for vulnerabilities at the level of industry legislation. Such rules will make it clear that the specialist is a so-called white hacker," the Ministry of Digital Affairs explained.
The planned legislative changes, according to the ministry, will make it possible to legalize the work of such specialists, which eliminates possible negative actions in carrying out their activities, subject to compliance with the rules and boundaries.
The Ministry of Finance admits that the provisions of the documents may still be changed, taking into account the discussion of proposals from the industry and interested departments.
Whitewashing of activities
Digital technologies are developing rapidly, and the more complex a digital product is, the more lines of code and data it consists of, points out Dmitry Ovchinnikov, information security architect and vCISO at UserGate. Even though software is tested at every stage of its creation, there is a possibility that it will contain a vulnerability, he does not rule out.
— Bug hunting specialists and "white hackers" can find vulnerabilities in the software code that would never be discovered with the help of testing software or by the developers themselves. Hackers know how to find and exploit vulnerabilities; this is their specialty and what they do to make money. Therefore, their contribution to improving security is significant," the Izvestia source believes.
Real-world security assessment audits play a major role in improving overall cyber resilience, he clarifies.
— Search for vulnerabilities, incorrect configurations, vulnerable protocols — all this can be performed by "white hackers" to increase the security of objects. Even using proven software and OS, configuration errors can be made that can lead to a cyber incident," the expert points out.
Figuratively speaking, the work of "white hackers" is similar to fishing: they launch an automated search and see what gets caught, explains Konstantin Ilyinykh, head of the system administration department at the IT company Simpl Group.
— In practice, independent "white hackers" take a pool of IP addresses and automatically scan them for vulnerabilities. If they find something, they try to hack it and see whether they get access," he notes.
Today, researchers act either on behalf of companies within the framework of contracts for the provision of security audit services, or as individuals in bug bounty programs (programs in which companies pay independent researchers to find vulnerabilities in their software or systems and report them), Ovchinnikov recalls.
Today, "white hackers" work in two formats — as full-time employees of companies and as external contractors, confirms Oleg Zhigalov, technical director of R7. And their key task is to conduct controlled testing of security systems according to a pre-agreed plan and a clear contract.
"Therefore, this approach is already moving their activities out of the gray zone and creating a legal framework, including protecting the specialists themselves from violating the law," the expert explains.
The same bug bounty programs have a clear description of the scope and a transparent remuneration procedure in the form of an official "white" payment, Ovchinnikov adds.
Any action outside this framework, even harmless hacking for research purposes without the permission of the resource owner, is a departure from the legal framework and falls under criminal and administrative liability for unlawful acts, he warns.
Konstantin Ilyinykh is convinced that the possibility of receiving punishment for hacking the system is the main fear of "white hackers".
— Where is the very edge of the offense? Did he hack the system? Yes, I hacked it. Did he steal something? No, I didn't steal anything. Where should a white hacker highlight the problems in this organization so that it is safe and not criminalized? — the specialist asks.
With all responsibility
It is worth noting that the activities of "white hackers" have gone from being merely an important component of cybersecurity to an absolutely necessary one, says Ivan Ryabov, a pentest expert and a leading engineer at Gazinformservice. Many of the information security solutions that exist today cannot guarantee complete security.
— The work of "white hackers" allows companies not only to maintain a high level of security, but also to maintain the trust of customers, preventing financial losses, — emphasizes the interlocutor of Izvestia.
The importance of the work of "white hackers" lies in the fact that the more people check the systems, the more vulnerabilities will be identified and closed, Konstantin Ilyinykh believes.
— They allow you to find vulnerabilities in unexpected places and thereby enhance overall security. In order for this process to be ethical and regulated, we need a set of rules, something like a professional code," the expert believes.
This code should define who can scan the infrastructure and how, how to document the findings and where to safely report them, so that this does not result in criminal consequences for the researcher, the specialist lists.
It is also possible to create a special authorized body that would check vulnerability reports and confirm that the problem was identified in good faith, Ilyinykh suggests. Formal procedures for hiring and accrediting hackers are also important, he says.
For the activities of "white hackers", it is extremely important to understand the boundaries of the target within which vulnerabilities may be searched for, Dmitry Ovchinnikov notes.
"These boundaries should be clearly delineated in the bug bounty program or the security audit agreement," he said.
Oleg Zhigalov sees three provisions as the most important in the legislative regulation of the activities of "white hackers" — a clear distinction between permitted and prohibited actions, the mandatory receipt of the official consent of the owner of the IT product for its verification and the creation of a clear procedure for actions when critical vulnerabilities are detected.
At the same time, it is necessary to maintain legal certainty for all participants in the process, Ryabov points out. A vulnerability disclosure process is required to protect the researcher from legal liability while complying with established rules.
Betting on reputation
There are also risks when working with "white hackers," Oleg Zhigalov points out. The key one is the potential impact of hackers on business workflows. But it is offset by the introduction of strict regulations on the work of researchers, the expert is convinced.
A striking example of the risks when working with "white hackers" are bug bounty programs, Ivan Ryabov points out.
— To reduce potential threats when providing external researchers with access to their systems, most companies do not start with public programs, but with closed ones. At this stage, only top "white hackers" with an already good reputation on the platform and in the community are invited to test," he notes.
Konstantin Ilyinykh is sure that another risk when working with hackers is human motivation.
— It is important to understand whether he came to help or to collect information and then use it for selfish purposes. You can't rely entirely on NDAs and formal signed undertakings; you need time testing, access control, and a gradual build-up of trust," explains Izvestia's interlocutor.
Information leakage or misinformation, such as database substitution, can be a serious threat, the expert adds.
— Therefore, when hiring "white hackers", careful personnel support, reputation verification and careful management of access privileges are important, — sums up Ilyinykh.
Translated by the Yandex Translate service