Information security in the national security system
National security includes the security of the state, society, and the individual. In the digital age, information security plays a key role in the national security system, because the safety of data and the ability of the authorities and society to communicate and coordinate depend on it.
National security system
There is a theory that one of the reasons for the destruction of the Roman Empire was the interrupted supply of papyrus from Egypt. It became difficult to transmit reports, and the speed of communication between Rome and the provinces, and between headquarters and legions, decreased. This shows the importance of communications for the existence of the state, and hence the role of information security in the national security system.
The national security system (NSS) is understood as a set of bodies, forces and means. It is multi-level and involves the interaction of government agencies, public institutions, business and citizens in order to preserve the country's sovereignty, prevent encroachments on its interests, and preserve national wealth. The system is implemented within the country, in interaction between regions and within the framework of international relations, assuming simultaneous and equal protection of the interests of the state, society and the individual.
Information security plays one of the leading roles in the system. In Russia, fundamental documents are being adopted in the most important spheres of the country's life support. Along with the Food Security Doctrine, the Information Security Doctrine has been developed and is in force, and it has become the cornerstone in the development of a modern system of protection against digital threats. It defined the information sphere in which the forms of security being implemented should be applied. The information sphere is understood as a set of information, information infrastructure objects, communication and Internet networks, technologies, participants in digital relations, and government agencies and other organizations working in the field of technology development and data protection. In addition, this area includes the system for regulating the relationships between its subjects.
Information security doctrine
The second edition of the Doctrine was adopted in 2016; before that, an earlier document of 2000 was in force. It was developed by the Security Council of the Russian Federation and became the theoretical and conceptual basis for the creation of regulations and the implementation of projects aimed at protecting Russia's interests from cyber attacks and other digital threats.
The threats are directly named in the document:
- the growth of the scientific and technical potential of a number of states striving to consolidate their priority in the international arena and using information resources for this. Methods used are direct digital invasion of life support infrastructure and the use of scientific and technical intelligence resources;
- strengthening the information and psychological impact on the population, the use of information technology to change the mentality and behavior of citizens;
- the use of digital attack technologies and hacker potential by extremist and terrorist groups, national and international;
- an increase in the scale of cyberattacks on infrastructure facilities, the financial sector, business and citizens;
- an insufficient level of development of the country's own scientific and human potential.
Recording these threats led to the implementation of projects on a national scale designed to minimize the risks arising in the field of information security as an integral part of national security.
State activities in the field of information security
Protecting state sovereignty in the digital world requires significant efforts. The role of the state in strengthening information security in the national security system is expressed in the following areas:
- normative legal regulation at the legislative and subordinate levels;
- implementation of national projects;
- regulation at the executive level;
- organization of interaction between the state and society.
While regulation and interaction are systemic and continuous in nature, national projects are aimed at breakthrough solutions to the most significant problems.
The national project "Digital Economy", implemented by the Ministry of Digital Development, Communications and Mass Media of the Russian Federation, provides for the implementation of several subprograms:
- Public administration.
Their implementation is designed for the period until 2024. Within the framework of the Information Security subproject, it is planned to solve key tasks designed to ensure the sustainable development of the national information infrastructure, personnel training and technology development, increase the export potential of the industry, and guarantee full protection of the interests of the state and society.
For the period of the program's implementation, the plan is to:
- provide support to 100 export-oriented companies, which should ensure a stable presence of national information technologies in the international arena;
- route at least 90% of network traffic within the territory of Russia (the concept of a sovereign Runet);
- ensure that at least 97% of the population use information security tools;
- reduce the share of foreign software purchased or leased by state organizations to 10% of the total purchase price.
Within the framework of the subproject, the provision of subsidies to a number of contractors began in the fall of 2019. It is planned to spend 167 billion rubles on its implementation until 2024.
Among the numerical indicators expected to be achieved by 2024 are the following:
- to reduce the average downtime of GIS (state information systems) as a result of information attacks from 65 hours at the end of 2018 to 1 hour in 2024, which should play a key role in the field of information protection;
- to increase the percentage of the population using domestic information protection tools from 86% to 97%;
- to increase the number of specialists trained in the field of information security from 7 to 24 thousand;
- to reduce the share of foreign software in the total price of software purchases by government agencies and companies from 50% to 10%.
In addition to the indicators to be achieved, specific actions have been identified that have already been carried out or must be implemented within the framework of the national project:
1. It is assumed that the security of the information space and the Internet is not sufficiently regulated at the level of international law, and that there are no documents that would eliminate the preponderance of forces in favor of individual states. As part of solving this problem, draft agreements and conventions were submitted to international organizations (UN), aimed at implementing the principle of parity in the field of information technologies and the equal participation of states in Internet governance. Thus, in 1998 Russia initiated the first resolution of the UN General Assembly on "Achievements in the field of information and telecommunications in the context of international security" and intends to continue moving in this direction.
2. Attacks by foreign hackers on the country's electricity supply network are recognized as one of the main threats to national and economic security. Threats were analyzed, a threat model was drawn up, and proposals were made to change industry standards and regulations in order to create a single stable system for protecting electrical system objects. These objects belong to different owners, which complicates the task of creating a single regulatory space for the system of protection against network attacks.
3. Ensuring information security requires preferential routing of traffic within the borders of the Russian Federation. A concept and basic regulations were developed in the direction of creating a sovereign Runet, and their implementation began. The legal status of the Russian segment of the Internet is enshrined in law.
4. The quality of management and interaction of state bodies depends on the stability of communication networks. Requirements for the stability and security of communication networks and equipment both for GIS and for companies of various organizational and legal forms were legislatively enshrined.
5. Public networks can become targets of targeted attacks. A system for monitoring the state of public networks has been developed and is being implemented. Requirements for the design of public communication networks have been changed taking into account the current threat model. New public and private networks can only be created if they meet the developed parameters.
6. Information security is designed to solve the problem of ensuring law and order. A set of solutions has been developed and is being implemented for the introduction of domestic information technologies in the implementation of the Smart City program.
Among the projects already implemented that ensure the protection of the interests of the state and society, GosSOPKA, the state center for the detection and prevention of computer attacks, is of particular importance. It is supported by the FSB of the Russian Federation; the department is responsible for the key tasks of ensuring national security in the information sphere.
The state system for detecting, preventing and eliminating the consequences of computer attacks on information resources, created by decree of the President of the Russian Federation No. 620, is designed to solve four main tasks in the field of information security as part of national security:
- forecasting the risks of attacks in the information space;
- interaction of companies that own significant information resources, especially those serving critical infrastructure facilities, with each other and with the state, in order to identify, prevent and eliminate the consequences of digital attacks;
- control and monitoring of the level of infrastructure security against digital attacks;
- investigation of information security incidents.
The FSB of the Russian Federation is responsible for the general operating state of the system. All organizations of any form of ownership that have critical information infrastructure (CII) at their disposal are obliged to create GosSOPKA centers and equip them in accordance with the requirements of the FSB and FSTEC RF. In view of the importance of these requirements for the life support of the country and for creating the necessary level of information security in the national security system, refusal to fulfill them entails liability up to and including criminal liability.
From the point of view of information architecture, GosSOPKA is a single but geographically distributed complex of control and monitoring centers that exchange information about cyber attacks among themselves. The task of the system is to unite critical infrastructure into a single network in order to exchange information about cyber attacks. If one of the objects is attacked, it passes the parameters of the attack to the others, and they have the opportunity to prepare for it. The joint warning system has already proven its effectiveness.
The system consists of centers of three levels - federal, regional and local, which are divided into territorial, departmental and corporate centers. To combat computer attacks, all of them must have the following software and hardware:
- detection. These tools detect not incidents but significant information security events; most often they are implemented according to the SIEM model;
- warning. The mechanism of warning, inventory and monitoring is implemented by software of the Vulnerability Scanner class, or security scanners. In most companies with CII, such tools have already been implemented according to the recommendations of the FSTEC RF;
- liquidation of consequences. Here the system participants work jointly to eliminate the consequences of computer attacks; this is implemented in the form of an Incident Response Platform;
- exchange of information;
- cryptographic protection of communication channels. In this case, no additional development of encryption tools specifically for GosSOPKA was required.
The development of software tools for their implementation in the centers of GosSOPKA is carried out by the largest software companies in the country, which is one of the manifestations of interaction between the state and society in the field of information security as part of national security.
Joint regulation zone
The state is authorized to adopt regulations and recommendations in the field of computer security, but they directly affect society and business, forcing adjustments to plans and budgets. The modern concept of interaction between the government and society in the field of information security suggests that practically all regulations that significantly affect public interests must go through the stage of preliminary public discussion.
This is especially true of significant bills. Thus, the draft law on a sovereign Runet went through a lengthy public discussion until the main comments were taken into account. The same applies to a number of recommendations of the FSTEC of the Russian Federation related to software certification: the department listens to business arguments and makes adjustments to its projects. It is impossible to resolve issues of such a level as restricting Internet use without taking into account the interests of the individual; therefore, not only Rostelecom and Kaspersky Lab but also the public took part in the discussion of the concept of digital security. The draft law was published on the Internet for open discussion, which made it possible to adjust a number of directions of state policy, since the state of information security of a citizen also presupposes his awareness of those actions of the state that may affect his behavior.
International legal interaction between the state and society
The state cannot act alone. It needs stable interaction with civil society institutions and business, which allows it to achieve synergy in creating information security in the national security system of the Russian Federation. The largest manufacturers of computer technology understand that in the modern world the state's power tools are often at the service of large corporations, and that the cyber weapons of foreign states will largely be used against Russian business. Thus, at the beginning of 2019, France adopted a new cybersecurity doctrine that permits “preventive cyber attacks”, thereby recognizing the fact that cyber weapons are being developed. France was not the first; China had previously recognized the fact of such developments.
Based on the passport of the Information Security project presented by the Ministry of Telecom and Mass Communications, the critical infrastructure is not yet ready to purposefully repel a massive attack on life support systems, the power grid, and the largest industrial enterprises. Business is fully ready to cooperate with the state, seeing the common danger. The most significant problem is the possibility of external penetration into industrial control systems (ICS). Evgeny Kaspersky claims that in 2018 such attempts were carried out against 48% of ICS systems. This prompts the development of new protective solutions, since an accident on an oil pipeline can completely paralyze a region. It also encourages businesses to engage more actively in national work in the field of information security in order to protect their interests.
Today, public-private interaction in the field of cybersecurity is developing in various directions. Despite the sanctions regime, there is active communication between scientists and entrepreneurs of Russia and European countries. Society is rapidly implementing the model of "network diplomacy", in which Russian and foreign businessmen are actively negotiating the creation of a code of ethics, under which information attacks on economic infrastructure would be an unacceptable method of competition that is not recognized by the world's economic community.
The risk of cyber incidents, inspired by international terrorist groups and dangerous to society and business, has led to the emergence of Computer Emergency Response Teams and Computer Security Incident Response Teams (CERTs / CSIRTs). The Global Forum on Internet Governance in 2017 showed that corporate CERTs from various countries are actively cooperating with each other, building their own cross-border interaction system and assisting states in the fight against global computer threats. In Russia, RU-CERT, the Russian center for responding to computer incidents, has become a participant in the global trend.
Business puts forward the idea of creating a kind of common cybersecurity environment, in which the intertwined interests of the state and society would be realized. Thus, in October 2019, a meeting of the Information Security in Industry Club was held, which was attended by Russian business leaders: Norilsk Nickel, Severstal, Lukoil, Unipro, Gazprom Neft, Phosagro, and NLMK. An example of such interaction was the consideration at the international level, by the OSCE and the Barents Euro-Arctic Council, of the Charter on Information Security of Critical Industrial Facilities developed by the Norilsk Nickel company.
As recognized by potential participants in the Charter, information security in the national security system acts as a guarantee that not only businesses but also states will refrain from conflicts involving the use of cyber weapons, the consequences of which may be critical. The Norilsk Nickel Charter condemns the use of information technology for the purpose of unfair competition and damage to industrial facilities and “welcomes the efforts of the international community to give the backbone information and communication infrastructures, which form the basis of the global network, the status of a demilitarized zone, free from forceful confrontation of political actors”.
This document is not the only one. For several years, business has been taking initiatives to strengthen joint regulation of the fight against cyber weapons:
- Microsoft proposed the Digital Geneva Convention in 2014, which includes six core principles of international cybersecurity applicable in peacetime. The company demanded that states limit the cyber arms race;
- the Cybersecurity Agreement (proposed by the Cybersecurity Tech Accord in 2018);
- the Siemens Charter of Trust, also 2018. The company has formulated the basic principles for organizing a joint cybersecurity policy;
- two documents proposed in the same year by the Global Commission on Cyber Stability (GCCS). They relate to the protection of the "public core" of the Internet and the security of infrastructure used for elections and referendums.
So far, none of the named documents has left the stage of discussion. This also applies to similar documents in the field of international law proposed by other international actors.
The issues of information security of the Russian Federation can be resolved only in close interaction of the state, business and society, where large corporations and software developers become interested participants in the dialogue. The digital era creates new challenges, in which the state retains the role of organizer and regulator, and business becomes a co-executor of tasks.