FSB Set to Parry Cyber Attacks on Russian Critical Infrastructure

By Khatuna Mshvidobadze

Copyright © 2012 Potomac Institute for Policy Studies

As Americans debate how to protect critical infrastructure from cyber attacks, Russia has—on paper at least—moved to protect its strategic assets.  The Security Council of the Russian Federation has released a document aimed at creating a unified government system to detect, warn against and prevent cyber attacks.  Unlike America, in Russia there is little debate about who will be in charge—the FSB, of course.

The Security Council document takes a step toward implementation of the National Security Strategy of Russia until 2020, which calls for IT infrastructure improvements.  In particular, the document calls for protection of the industrial control systems of strategically important facilities—roughly what we would call critical infrastructure.  These are defined as assets whose malfunction could negatively affect a region’s or the country’s economy.  Interestingly, there is no public mention of national security or loss of life in this definition.

The plan is to be implemented in three phases: 2012 to 2013, 2014 to 2016 and 2017 to 2020. The first phase involves development of an action plan.  During the second phase, the Russian state should develop legal regulations, specific organizational responsibilities and the means to “liquidate” cyber incidents.  (To “liquidate”—a commonly used word in Russian—could involve just about any kind of cyber measures.)  The plan for the second phase also calls for establishment of a unified government situation center for detection and prevention of cyber attacks on critical information infrastructure. This center sounds like some kind of national CERT. The third phase, among other things, involves integration of security systems at the strategically important facilities.

Many Russian experts are skeptical.  Consultant Mikhail Emelyannikov, for example, told Russian IT Review, “It is unclear how technological independence from other countries in terms of automated control system security will be maintained when most of them are produced abroad.”

It is almost certainly not a coincidence that, a few days after the Security Council document was released, Kaspersky Lab posted job vacancies for personnel with SCADA experience.  The posting says that Kaspersky Lab is developing a new secure operating system.  “The vacancies,” writes Russian IT Review, “are perhaps the first testimony to the Lab’s intentions to enter the industrial IT system market.”  By the way, Russian President Vladimir Putin has been expressing security concerns over foreign-produced hardware and software since he took office in 2000 and the matter is addressed in the 2000 Information Security Doctrine.

Emelyannikov also wonders why the Security Council document makes no mention of the Russian Federal Service for Technical and Export Control (FSTEC).  “All the features of the program are assigned to the FSB…Meanwhile, the implementation of the policy guidelines requires a large number of regulations, some of which, in accordance with the current documents, are in the competency of the Federal Technical Committee.”

Apparently, just two months into his third term as Russia’s president, Putin is acting on matters that have concerned him for over a decade.  The Security Council has identified cyber attacks against critical infrastructure as a national security threat—and the FSB is Russia’s security service.
