
Russia, hotbed of cybercrime, says nyet to ethical hacking bill – Source: go.theregister.com


Source: go.theregister.com – Author: Connor Jones

Russia, home to some of the world’s most lucrative and damaging cybercrime operations, has rejected a bill to legalize ethical hacking.

The State Duma, the lower house of Russia’s general assembly, blocked the bill’s passage into law on various grounds, including concerns over how state secrets held on government and critical infrastructure systems could be made less secure as a result.

Politicians said that if vulnerabilities were found in software made by companies headquartered in hostile countries, those security holes would invariably have to be shared with them, which in turn could lead to hostile nations abusing those weak spots for strategic gain.

Other objections focused on how the bill failed to comprehensively explain the ways in which existing laws would have to be adjusted to allow provisions for ethical or “white-hat” hacking/cybersecurity research.

Discussions around making legal provisions for services such as penetration testing and bug bounties were originally introduced by Russia’s Ministry of Digital Development in 2022, with a first draft of the bill introduced in 2023.

According to Russian media outlet RBC, one of the politicians pushing for these changes, Anton Nemkin, plans to resubmit an amended draft to allay concerns.

Experts said that it is still possible for established cybersecurity companies in Russia to carry out vulnerability research, although opportunities for individuals are much less abundant.

Individuals carrying out legitimate cybersecurity research are often treated as malicious, regardless of their intentions. Since there is no legal provision for ethical hacking, researchers can be prosecuted under the Russian Criminal Code, which outlaws unauthorized access to computer systems.

Dmitry Kuramin, senior penetration tester at Jet Infosystems, told RBC that established companies have the resources available to correctly interpret software license agreements, and probe them accordingly.

For individual bug bounty hunters or hobbyist researchers, the current legal restrictions in Russia mean that good-faith work can be punished, chiefly under copyright law, which could result in a hefty fine.

In Russia, vulnerability research is typically carried out by cybersecurity companies in collaboration with customers – who sign NDAs – and the Federal Service for Technical and Export Control (FSTEC).

These customers are usually Russian software vendors, meaning any vulnerabilities found would be unlikely to leak to hostile governments, even if an NDA was not there to prevent such a thing.

An additional measure taken to control the flow of vulnerability information is that researchers have to report them exclusively to FSTEC, which then disseminates the details via its Data Bank of Information Security Threats.

Conversely, Russian cybersecurity companies are heavily limited in their ability to probe software made by foreign vendors due to the widespread sanctions placed on the country following its invasion of Ukraine.

Shortly after the invasion began, many Western vendors pulled out of Russia, making their products unavailable and refusing to do business with anyone or any company in the country.

Many others that did not voluntarily withdraw from the country were forced to due to economic sanctions.

Even if Russian researchers were able to acquire a copy of US-made software, for example, the broad reach of the Computer Fraud and Abuse Act and wide sanctions slapped on Russia mean they could face criminal and financial penalties for conducting good-faith work. ®

Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/07/10/russia_ethical_hacking_bill/
