State system for ensuring information security
In the harsh environment of growing cyber threats, business is interested in cooperation with the state apparatus, and this desire is mutual. A state system for ensuring information security is understood as a set of bodies, plans, programs, methods and techniques based on high-level strategic documentation and accompanying laws, aimed at preserving the country's sovereignty and public interests, and protecting them from the growing level of cyber threats. Protection against them becomes the main link in the general model of national security, ensuring the quality of communication, data safety, protection of industrial and energy assets management systems and the safety of scientific research, protection of their results.
The basis for creating and improving the system was the Doctrine of Information Security - a document developed by the Security Council of the Russian Federation and containing a strategic vision of the situation in the field of the country's sovereignty, the main types of threats and the direction of movement in order not only to protect against their growing level, but also to anticipate future risks by developing key industries economy.
The doctrine names as the main risks:
- the work of foreign intelligence services aimed at undermining the country's sovereignty, at penetrating the systems of protecting state secrets;
- aggressive psychological impact on citizens, aimed at creating panic and demoralization;
- cyber terrorism and hacker attacks;
- the country's lag behind foreign competitors in the field of software development, while the level of government support for developers is decreasing;
- lag, slow development of scientific potential in the field of information technology;
- low level of qualification of human resources in the field of IT, a limited number of training.
On the basis of the Doctrine, normative acts are adopted, intended for a practical purpose, designed to implement its provisions. One of the fundamental laws in this area has become the law on CII facilities - industrial and energy assets, an accident at which could cause damage to the population. It is devoted to the principles of protection of control systems and IP of healthcare facilities, science, transport, nuclear industry, energy, housing and communal services, network infrastructure.
Also, among the main regulatory acts containing norms related to IP security, it is necessary to name:
- Federal Law "On Security". It examines the status of the Security Council, defines the policy framework for ensuring the protection of the country's interests in general and in the data protection sector in particular;
- the law "On state secrets";
- the law "On information";
- Federal Law “On participation in international information exchange”. The regulation of relations between states at the level of normative acts adopted by international organizations has become one of the goals declared in the Doctrine. The steps to solve this problem are formulated in the plan of practical actions created for the implementation of the national project "Digital Economy".
Interestingly, the Doctrine does not speak about the state information protection system. This term first appeared in the Regulation on the protection of state secrets in the Russian Federation from foreign technical intelligence services and its leakage through technical channels, approved by the Russian government back in 1993. The regulation is dedicated to protection against knowledge-intensive methods of data theft and considers the system of organizing events in the field of managerial, scientific and industrial activities designed to minimize the risk of information leakage.
The document names actions such as:
- classification of weapons and military equipment, organizations and objects according to the degree of importance of information protection in the military, financial, industrial, political, scientific and technical spheres;
- ensuring the security of information in the preparation and implementation of international treaties and interstate agreements;
- introduction of restrictions of any level in the order of using technical means;
- creation and use of automated control systems protected from external penetration;
- development and implementation of technical solutions and data protection elements in the creation and operation of weapons and military equipment, design, construction and operation of significant facilities;
- development of software and technical means of data protection, their certification. Revealing undeclared opportunities, protectionism in relation to national software.
The regulatory framework is being improved along with the refinement of the practice of its application. government agencies change the regulation of certain areas in the field of telecommunications and data protection every year. Recently, it was supplemented by the law on the sovereign Runet, which is dedicated to the protection of information flows at the country's borders and the creation of autonomous national zones of control over Internet communication channels.
Implementation of the system at the departmental level
The President of the Russian Federation, who implements the tasks of the Doctrine and is responsible for the creation and operation of the state security model, relies in his work on federal bodies and regional governments.
Together they must achieve the following goals:
- formation and implementation of a unified technical policy, organization and coordination of work on the protection of information in the military, economic, scientific and technical and other spheres;
- creating conditions for the development of domestic software that can compete with foreign counterparts;
- minimizing the risk of obtaining information with the help of technical means by foreign technical intelligence services and other specialized units of other states;
- development, adoption and improvement of regulations governing relations in the field of information protection, public and private databases, including in the field of international law;
- creation and maintenance of structures responsible for information protection, creation of hardware and software designed to implement IS requirements, and control over the effectiveness of their application;
- control of the state of information protection in government bodies, in the banking sector, at critical infrastructure facilities;
- analysis of the state of the state management system, identification of key problems in the field of information security and communication channels;
- normative, methodological and informational support of information protection works.
The implementation of the main provisions of the state strategy at the federal, regional, sectoral and subject levels is carried out by the FSTEC of the Russian Federation, which is endowed with the powers of a regulator and organizer of system elements. The civil service ensures the functioning of three elements of the system:
- licensing the activities of software development companies and manufacturers of technical means in the field of information security;
- certification of information security means and certification of objects of informatization;
- certification of premises in accordance with data protection requirements.
The doctrine sets the development of competitive national software as one of the main goals in the field of protecting information sovereignty, and the Digital Economy project assumes the creation of several development companies, industry leaders domestically and internationally. FSTEC activities in the field of licensing and certification are designed to help solve this problem.
Other federal structures are also responsible for the functioning of the system. Thus, the FSTEC board includes representatives of key government departments in order to coordinate jointly implemented programs and projects. Bodies and working groups for the protection of information are created at the federal level and in regional subdivisions of state structures.
In cooperation with the FSTEC of the Russian Federation, in the organization of the state information protection system, economic entities are actively involved in building their own systems for protecting the objects of key information infrastructure. The key role is played by companies that develop software and offer information security services for enterprises.
The main provisions of the strategy were implemented through the adoption and implementation of the national project "Digital Economy". Now it is being revised with the aim of transferring the main activity from the private to the public sphere, but the main tasks remain unchanged. It provides for the solution of the following tasks set by the Doctrine:
- overcoming the country's lag in terms of the human resources of information security specialists;
- creation of high-quality Russian software in various areas of its application - from ensuring the inviolability of databases of government agencies to neural networks and artificial intelligence;
- increasing the level of information security of state information systems.
The most important step towards strengthening the level of the country's information sovereignty was the adoption of the law on the sovereign Runet and the gradual implementation of its provisions.
The doctrine and the information security system based on it set as their goal, among other things, the protection of the interests and rights of citizens, the inviolability of property and business.
The most important tasks in this area of public administration are:
- protection of citizens from negative information impact used to undermine traditional values;
- protection of personal data of citizens, prohibition of their storage on foreign servers, establishment of general rules for protecting personal data from theft and other forms of encroachment;
- protection of citizens' property from assassination attempts using information technology and social engineering;
- protection of citizens from the consequences of incidents that occurred at transport and industrial facilities and associated with the rejection of a high level of vigilance and risk control;
- protecting businesses from cybercrimes and unfair competition from foreign companies relying on data from technical intelligence and other services to solve political problems.
Ensuring the protection of the banking sector, personal personal data stored there, information about accounts, deposits, bank cards is becoming one of the most important tasks of state bodies and international organizations. The importance of international cooperation in this area is evidenced, for example, by the fact that recently Russian and German police officers, operating under the auspices of the European Union, jointly uncovered a multinational hacker group that stole the data of tens of thousands of people from Russian and European banks.
Increasingly, international hacker groups attack industrial enterprise management systems (ICS). More than half of Russian ICS have already been tested for strength, withstanding or failing to cope with hacker attacks or viruses that exploit gaps in operating systems. It is quite difficult for one enterprise to monitor all new types of threats and to promptly resist them; a system of industry cooperation is needed. In this regard, the most important task of business in terms of protecting the population from the consequences of cyber incidents at industrial enterprises was to connect to the capabilities of the GosSOPKA program.
It is implemented at the levels of regions and within industries and is intended for:
- coordination of activities of owners of CII in the field of risk protection;
- implementation of common risk management standards;
- creation of a mechanism for the exchange of information between system participants;
- informing participants about how to counter threats;
- analyzing the consequences of incidents and making recommendations for improving the response;
Active involvement of enterprises in the work of the state information security system helps to prevent cyber incidents, reduce the risk of damage to business and ensure the safety of citizens. Business also participates in the international agenda on the joint fight against cyber risks, actively interacting with colleagues from other countries in the development of ethical measures designed to reduce the use of modern advances in science and technology for the purpose of unfair competition.