FAPSI and ENSURING REGIONAL INFORMATION SECURITY.
FAPSI and ENSURING REGIONAL INFORMATION SECURITY
The widespread use and relative cheapness of computing equipment and information on methods of obtaining information have led to the fact that the threat to confidential information from individual criminals and organized criminal groups can now be compared with the threat of information constituting a state secret from foreign technical intelligence services.
The rapid development and implementation of information technologies have an increasing impact on all aspects of the life of the state and society. The social, political, economic and military spheres are directly dependent on the operation of computing and information networks, communication systems, control and intelligence, which form the technical basis of the information space of Russia.
At the same time, as this base develops, the vulnerability of the information space also increases. The main reason for this is the widespread use of computer technology with software for processing information, which makes it relatively easy to modify, copy and destroy the information being processed, as well as the ease of access to modern open information and telecommunication systems.
In this regard, the number of crimes related to the use of computer technology has been growing recently throughout the world, and in particular in Russia. Thus, according to the Ministry of Internal Affairs of the Russian Federation, if in 1997 309 such crimes were committed, then in 1998 — over 500.
The information space of Russia includes federal and regional components. Moreover, these components are closely interconnected and are often built using similar technical means. It follows from this that the task of ensuring the information security of these components can be effectively solved within the framework of a single state policy at both the federal and regional levels. The most important component of this policy, in our opinion, should be the widespread use of cryptographic methods.
It is a generally recognized fact that the use of cryptographic methods and means of information protection at the current level of development of cryptography and electronic technologies has already become economically more preferable compared to other technical and organizational measures of protection. In a number of cases, the use of cryptographic methods is the only possible way to protect promising information and telecommunication technologies.
In accordance with the current legislation, the protection of information using cryptographic methods is within the competence of FAPSI, and we are making constant efforts in this direction. Currently, the Federal Agency and FAPSI licensees have created a range of cryptographic information protection tools that allow for the protection of many modern technologies for processing information constituting a state secret. Their implementation, primarily at enterprises working for the defense industry, allows for solving problems related to this aspect of regional information security. For this purpose, reliable cryptographic information protection tools have been created that operate in speed ranges from tens of bits to tens and hundreds of megabits per second and provide the ability to protect information processed under various operating systems and transmitted via all kinds of communication channels in accordance with various protocols.
At the same time, the problem of protecting information constituting a state secret, although important, is only one of the problems of ensuring information security of regions. Another important aspect of information security of regions is the protection of confidential information.
The widespread use of modern information technologies for processing confidential information creates a serious source of threats to regional information security. Thus, information from law enforcement agencies and financial structures is of great interest to criminal communities, the press may try to read the electronic correspondence of a famous person, a company may intercept the mail of competitors, etc. All this poses an urgent problem of cryptographic protection of technologies used to process confidential information.
A specific feature here is that in many cases it is impossible to ensure the implementation of strict security and organizational measures. At the same time, the widespread use and relative cheapness of computing equipment and information on methods of obtaining information, in particular on methods of decryption, have led to the fact that the threat to confidential information from individual intruders and organized criminal groups can now be compared with the threat of information constituting a state secret from foreign technical intelligence services.
In this regard, the task of protecting confidential information is no less important than protecting information constituting a state secret, and requires high qualifications and considerable experience. Unfortunately, this is often underestimated, which leads to unnecessary expenses and sometimes to tragic consequences. Thus, the widely advertised cryptographic protection tool «Cobra» is decrypted by FAPSI specialists within 20 minutes on a Pentium-class personal computer, which anyone can buy at any store selling electronic computing equipment. Last year, during an inspection of the office of one of the governors by FAPSI employees, a device purchased on the open market was found, which was supposedly intended to protect information, but in fact carried information out of the office for several hundred meters. Many such examples could be given. Unfortunately, a box with a weak encryption program looks the same as a box with a strong one. Two e-mail encryptors can have the same user interface, but one provides security, and the use of the other leads to information leakage. Moreover, the use of cryptographic protection tools with one software and hardware information processing tool reliably protects this information, and with another leads to its leakage. An experienced cryptographer will be able to determine the difference between these systems, but an ordinary user will never. What to do in this situation? Usually, we trust the protection of our security and peace of mind to government agencies, especially where we lack the knowledge for an independent assessment, for example, in aviation, medicine, pharmacology. The same is true for cryptography. That is why licensing of information security companies by FAPSI and certification of developed products have been introduced. To date, FAPSI has licensed 153 organizations, including 86 regional organizations, which have been granted the right to develop, produce and operate cryptographic protection tools.
These organizations, together with FAPSI, have launched work to protect confidential information in regional divisions of a number of government agencies. A secure mail system is being deployed to protect the exchange of confidential information between the central office of the Ministry of Taxes and Duties and all regions of Russia. Work is in the final stage on the first stage of creating a territorially distributed system that unites the automated systems of the central and territorial departments of the federal treasury bodies of the Ministry of Finance. Work is underway to create secure information systems: ISINPOL for the Federal Tax Police Service and «Zanaves» for the Ministry of Internal Affairs of Russia. A number of similar projects are planned as part of the 2nd stage of creating the Special Purpose Information and Telecommunications System of Russia (ITKS). This includes ensuring the information security of regional information systems and integrating them into the ITKS based on the use of standard solutions and certified security tools developed by FAPSI.
In order to implement a unified scientific and technical policy in the field of building an ITCS, including the development of standard unified solutions to ensure information security in it, an express version of the system project of the new edition of the ITCS Program has been sent to almost all regions of the country. The system project and, accordingly, the new edition of the ITCS Program are supposed to reflect and take into account the comments and suggestions of the regions, and in particular, those related to ensuring the information security of regional information and telecommunications structures, taking into account their interaction with interregional and central systems and centers for various purposes.
One of the important aspects of ensuring the organization of information interaction between regions at all levels (intraregional, interregional, communication between regions and the center, etc.) is the problem of connecting to the Internet in the so-called information-secure version. For this purpose, work is underway to create the Russian segment of the Internet — RSNET.
By now, a pilot area of the RSNET network has been created and is functioning, consisting of a central node, two interregional nodes in St. Petersburg and Nizhny Novgorod, and three regional nodes in Moscow, Krasnodar, and Kirov.
Thus, a telecommunications basis for building the RSNET network has been created. In total, within the framework of creating the Russian segment of the RSNET Internet network, it is planned to create a Central node, two interregional nodes, and 40 regional access nodes.
In accordance with the approved Concept for the creation of the RSNET network, it is also planned to carry out appropriate work to ensure information security in it based on the introduction of promising domestically developed means of protection, primarily firewalls.
Another aspect of information security in the regions is to ensure protection of electronic documents from counterfeiting. If an intruder makes changes to the software of payment systems that allow even small amounts to be transferred to his account from each transaction, it is possible to steal large amounts of money.
Such cases are well known in world practice. They have appeared in our country as well. Thus, in 1995, a case of a system programmer introducing a software bug that allowed illegal operations was discovered in the Main Directorate of the Bank of Russia for the Tula Region. With the help of this bug, money was transferred to a commercial bank for cashing. In general, according to the Ministry of Internal Affairs, in 1998, 73 cases of fraud using computer technology were discovered in the Russian credit and financial system; 50 criminal cases were closed and transferred to court, 96 people were brought to justice. The amount of damage caused by the criminals amounted to 34.3 billion rubles.
FAPSI has developed and successfully implemented an electronic digital signature and a number of other cryptographic protection tools that allow avoiding possible forgery of electronic documents and thereby protecting banks from financial losses. And where information security issues and the recommendations of the Federal Agency are taken seriously, reliable protection of electronic transactions is ensured. This is the case, for example, in the Central Bank of Russia, which works closely with FAPSI and pursues a consistent policy of introducing information protection tools certified by the Agency into regional payment systems. Unfortunately, there are many opposite examples, when financial institutions focus on imported or uncertified domestic information protection technologies, which results in serious financial losses.
Let me give you one example. The use of foreign-made smart cards equipped with uncertified information security tools in the Zolotaya Korona payment system deployed in the Siberian region allowed the attacker to identify weaknesses in the algorithmic protection mechanisms, develop an attack scenario taking into account the real characteristics of the system's ATMs and payment terminals, make duplicates of real plastic cards, and successfully carry out an information attack, causing significant financial damage to the payment system.
This would not have happened if the payment system had used a smart card developed by FAPSI jointly with a number of Russian organizations and enterprises with an operating system and security core based on domestic cryptographic algorithms.
An important aspect of regional information security is the ability of regional authorities to obtain reliable information on the actual volumes of product sales (in particular, sales of alcoholic beverages) to ensure control over tax revenues. In our opinion, the means of such control developed by FAPSI as part of the conversion will help to a large extent solve this important regional problem. We are talking about a cash register machine with cryptographically protected fiscal memory and a cryptographically protected system for monitoring the production and sale of alcoholic beverages. These developments are practically ready for widespread implementation. Thus, the cash register machine has been included in the state register of cash register machines, and the aforementioned system for monitoring alcoholic beverages has been deployed in the Leningrad and Chita regions, the Republic of Karelia, and the Taimyr and Khanty-Mansi Autonomous Okrugs. Now it is up to the initiative of the relevant services in other regions.
Thus, FAPSI has technological and intellectual resources that can help solve a number of problems of ensuring regional information security. To do this, it is necessary to ensure close interaction between the Federal Agency and the regional leadership. This problem can be solved by regional departments and Government Communications Centers of FAPSI, which are available in all regions and currently solve a large range of issues on ensuring the functioning of government communications, the functioning and development of regional information and analytical centers and legal informatization centers. These same departments are already currently solving a number of problems related to ensuring information security in the regions. However, this area of their activity, taking into account the needs of the regions, currently needs to be expanded.
We hope that strengthening the interaction between the regional leadership and FAPSI will soon lead to strengthening the real information security of the regions of Russia.