Regulators are people too!
With this thesis I will begin a note in which I share my impressions of the regulators' participation in PHDays. As you may have noticed, I have almost stopped writing about regulation, but this post will be something of an exception, because if regulation appears in it, it is rather as related information and in the context of effective cybersecurity, to which the 12th PHDays was dedicated. It should be noted right away that representatives of the regulators are, of course, all different, but they too, it seems to me, are bored of constantly talking about the regulations they are asked about whenever they are invited to various events. If you do not put restrictions on them, they are excellent interlocutors who know how to joke, express their opinion, make predictions, etc. This could be seen with one's own eyes in both the open and closed parts of PHDays, where representatives of the Ministry of Digital Development, FSTEC, the FSB, the Ministry of Energy, the State Duma, etc. spoke. But back to the note. I would not like to retell in detail, with quotes and direct speech, everything the regulators said – you can do that yourself by watching the three videos that I will post in this note.
I will start, no, not with the plenary session, but with the Power Engineer's Day, which was closed to a wide audience, took place the day before the official opening of PHDays, and at which, among other things, representatives of the NCCCI shared two interesting facts:
- The FSB believes there is a need to establish information security requirements for information security companies – manufacturers of security tools and providers of information security services. This was said two days before the website of InfoTeCS, a licensee of the FSB and FSTEC, was hacked and data of that site's users leaked. 2.5 weeks before that, hackers broke into another FSB and FSTEC licensee, BI.ZONE (there is not a word about this on the company's website, unlike its Telegram channel and many third-party sites, for example here or here). And these are far from the only cases of domestic information security companies being hacked in recent months – there are already at least seven of them, which raises the question of how well the information security players themselves are protected. Therefore it is quite natural that they will be subject to the very requirements they themselves are trying to implement with their customers.
- The FSB, represented by the NCCCI, provides (and is ready to provide) security assessment services to organizations, primarily CII subjects, as well as other organizations that fall under the regulator's oversight. This was unexpected – the FSB appeared as an information security service provider.
Also on the Power Engineer's Day, Elena Borisovna Torbenko spoke about the practice of inspecting CII subjects and explained the latest amendments to the Government Decree on the categorization of CII objects. But I cannot retell the almost hour-long speech and the Q&A session.
The plenary discussion was simply fervent – the jokes of Maksut Shadayev (deputy minister of digital development) and Vitaly Lyutikov (deputy director of FSTEC) can be taken apart into quotes. There were no new facts, but I liked the discussion itself. Except that the Minister of Digital Development said that the idea with the deputy head of the organization in Decree No. 250 turned out to be unsuccessful – instead of raising the topic of information security to the level of the first person, it gets stuck with his deputy, who is often appointed to this position on a residual basis, does not understand a damn thing about information security, and therefore does not want to demonstrate his incompetence to the general. But if you want to know what the heads of the two regulators think about the future of information security in the country, whether the situation will get worse or better, whether we are losing the special operation in cyberspace or not, then watch the video; you will not regret it.
The sofa talk with Alexey Volkov, VK's vice president for information security, also turned out well 🙂
At the session “Threats 2030. What can become unacceptable?”, the Deputy Director of FSTEC (again Vitaly Sergeevich Lyutikov) and the Deputy Minister of Digital Development (Alexander Mikhailovich Shoitov), together with other participants, tried to look into our near future and talk about quantum computing, drones, Web3 decentralization, crypto-anarchists, cryptocurrencies, artificial intelligence, the balkanization of the Internet, the lack of domestic microelectronics, and other threats that may become relevant on a horizon of 5-7 years. No forecasts were made, but the discussion makes it clear what the regulators have already thought about and what is still outside their focus.
At the next session, without questions agreed in advance, in open-microphone mode, the regulators, represented by the Ministry of Digital Development (Vladimir Bengin, Director of the Cybersecurity Department) and FSTEC (again Vitaly Sergeevich Lyutikov), as well as the State Duma, represented by Andrey Svintsov (Deputy Head of the IT Committee), answered questions from the audience and some of my comments on them. Key highlights of the session:
- No one plans to postpone the deadlines for import substitution under Decrees No. 166 and No. 250, or the requirements for trusted hardware and software systems (PAKs). Yes, separate and justified decisions are possible, yes, they may be accommodated, but this will not be a mass story. 2025/26 is just around the corner!
- The use of foreign security tools that are no longer actively supported will not be punished – FSTEC has even introduced amendments to its regulatory legal acts (now passing through the Ministry of Justice) that allow the use of such tools, provided compensatory measures are in place to neutralize the exploitation of vulnerabilities (the video says what these measures may be) that exist in the security tools but cannot be eliminated because the foreign vendors left Russia.
If a security tool without technical support does not have its vulnerabilities fixed and compensatory measures are not applied, then appropriate administrative measures will be taken against such organizations!
- If in tenders and competitions you see a disproportionately high price for products from the domestic register compared with functionally similar products from outside the register, then you need to write to the FAS or to the State Duma, to a specific deputy who will be able to raise this issue through their channels for specific cases.
- FSTEC's requirements for NGFW have already been developed and sent to the Ministry of Justice, but comments were received and are now being addressed.
The only thing I did not have time to clarify is whether the NGFW requirements will partially duplicate the firewall (ME) requirements (replacing them) or supplement them.
- None of the security tools from friendly countries (first of all, it seems to me, we are talking about China) has passed FSTEC's inspections for trust requirements.
- FSTEC will not introduce a bug bounty procedure into the certification procedure for security tools.
But if vendors do this themselves, it will be a demonstration of their maturity and confidence in their secure development process.
- Bug bounty is also not planned to be introduced into other forms of conformity assessment on a mandatory basis, since immature companies would simply keep paying out rewards to bug hunters. It is better to first build or improve information security processes, and only then require them to be tested with bug bounties.
- Law enforcement agencies, according to the State Duma representative, are against the legalization (“whitewashing”) of bug bounty, believing that programmers will start deliberately slacking off and writing clumsy code so that they can later be rewarded for discovering vulnerabilities in it.
- FSTEC believes there is no need to change anything in the criminal law to “whitewash” bug bounty, since this can already be done now, and the experience of the Ministry of Digital Development and the public services portal proves that it is possible.
- The Ministry of Digital Development (Mintsifry) does not plan to cancel FAPSI Instruction No. 152 (why this question arose – watch the video).
- The issue of abolishing per-item accounting of CIPF (cryptographic information protection facilities) in certain scenarios is being worked out; but the task is not easy.
- The state plans to move the right to form industry lists of CII objects from the level of a Government Decree to the level of Federal Law 187-FZ.
- The idea of banning remote work from abroad in sensitive areas continues to hover in the State Duma, and sooner or later it will be adopted in the form of a bill.
There were two more sessions in which only Vladimir Bengin (Mintsifry) participated. The first was devoted to the readiness of information security companies and CISOs to take responsibility for the result of what they implement for their customers or in their own organizations. The Ministry of Digital Development voiced an interesting experience – writing penalties into contracts with information security service providers for downtime resulting from an incident. And these are not some ridiculous figures, but tens of percent of the contract amount. True, in this case the contract amount can be increased, and this is justified and understandable to management. But in itself, the idea of paying for results is disciplining.
And at the session about bug bounty, Vladimir Bengin spoke about the Ministry of Digital Development's experience of placing the State Services portal on bug bounty platforms: lessons learned, results, development plans, etc.
In general, I liked the way the regulators participated in PHDays this year. Clear, to the point, good speeches “without a piece of paper”, answers to questions that no one required to be agreed in advance, without references to any paragraphs of orders, a focus on results, stories about their own experience, etc. Well done 🙂
The note Regulatory track at PHDays: news and insights was first published on Business without danger.