Legal aspects of information security.


The tasks of building a civil society in Russia as an information society, and the increasing role of information, information resources and technologies in the development of citizens, society and the state in the 21st century, bring information security issues to the forefront in the national security system. This article is devoted to this problem.

Correlating the definition of information security given in the Federal Law “On Participation in International Information Exchange” (Article 2) with the concept of “security” given in the Law of the Russian Federation “On Security” (Article 1), it is proposed to understand information security as “the state of protection of the vital interests of the individual, society and the state in the information sphere from internal and external threats.”

Based on the analysis of the Action Program for 1996-2000, the annual Messages of the President to the Federal Assembly of the Russian Federation (1994-1998) and the Concept of National Security of the Russian Federation, approved by Decree of the President of the Russian Federation No. 1300 dated 17.12.97, the main tasks and principles of state policy on ensuring information security have been defined.

Tasks of Ensuring Information Protection

The main tasks in the area of ensuring information security, determined by the state, include the following:

• formation and implementation of a unified state policy to ensure the protection of national interests from threats in the information sphere;

• improving the legislation of the Russian Federation in the field of information security;

• coordinating the activities of government bodies to ensure security in the information environment;

• establishing the necessary balance between the need for free exchange of information and acceptable restrictions on its dissemination;

• improvement of the information structure, acceleration of the development of new information technologies and their widespread dissemination, unification of means of searching, collecting, storing, processing and analyzing information, taking into account Russia's entry into the global information infrastructure;

• development of the domestic industry of telecommunications and information tools, their priority distribution in comparison with foreign analogues on the domestic market;

• protection of state information resources and, above all, in federal government bodies, at defense industry enterprises;

• spiritual revival of Russia;

• ensuring the preservation and protection of cultural and historical heritage (including museum, archival, library collections, and major historical and cultural sites);

• preserving traditional spiritual values with the assistance of the Russian Orthodox Church and churches of other faiths;

• promoting through the media the national cultures of the peoples of Russia, spiritual, moral, historical traditions, and norms of public life, and best practices in this area;

• enhancing the role of the Russian language as a state and interstate means of communication between the peoples of Russia and the CIS member states;

• creating optimal economic conditions for the implementation of the most important types of creative activity.

State policy for the implementation of the stated objectives is based on the following principles:

• legality (compliance with international law, the Constitution and legislation of the Russian Federation when implementing activities to ensure information security);

• balance (maintaining a balance of interests of the subjects of legal relations, their mutual responsibility);

• reality of the tasks put forward (taking into account the available resources, forces and means);

• a combination of centralized management of forces and means of ensuring security with the transfer, in accordance with the federal structure of Russia, of part of the powers in this area to the state authorities of the constituent entities of the Russian Federation and local government bodies;

• integration with international information security systems.

The structure and development paths of legislation

Based on the proposed understanding of information security, state policy in the Russian Federation to ensure it is implemented through lawmaking, law enforcement and state participation in the development of legal awareness and legal culture of citizens. At the same time, at the present stage, lawmaking is decisive — the development of legislation.

Today, we must acknowledge the absence of a unified legal field, when the priority of the interests of the individual declared in the Constitution of the Russian Federation is replaced in laws by the priority of the interests of departments, the norms of federal laws contradict the Constitution, the legislation of the subjects of the Federation does not correspond to the federal one, and by-laws continue to be the basis for the arbitrariness of officials.

In accordance with the Constitution of the Russian Federation (clause «i» of Article 71), information and communications are within the jurisdiction of the Russian Federation, which means that responsibility for rule-making and its results in legislation and law enforcement practice on these issues lies primarily with federal government bodies.

It is obvious that the continuation of the previous practice of law-making without a unified concept of legislation in the information sphere, including in the area of implementing the constitutional rights of citizens, makes the task of building a legal state and information society in Russia difficult to accomplish.

Legislation in the information sphere includes: legislation on intellectual property, legislation on the media, legislation on communications and telecommunications, legislation in the field of ensuring information security.

Legislation in the field of ensuring information security is a set of legal norms regulating public relations to protect the vital interests of the individual, society and the state from threats in the information sphere.

These legal norms appear both in special regulatory legal acts on issues of ensuring information security and as parts of other regulatory acts. They are contained in federal legislation and may also be contained in the legislation of the subjects of the Russian Federation (in terms of implementing federal legislation in accordance with the powers transferred from federal government bodies). They are formalized both by federal constitutional and federal laws (primarily in terms of establishing prohibitions and restrictions on the implementation of fundamental rights and freedoms in the information sphere) and by by-laws.

Once legislation in the information sphere takes shape as an independent branch of Russian law, information law, the emerging legislation in the field of ensuring information security will be a sub-branch of information law, and when it is codified, in the event of the adoption of the Information Code of the Russian Federation, it will become an integral part of that code.

Currently, the subcommittee on information security of the State Duma of the Russian Federation is completing work on the concept of developing legislation in the field of ensuring information security. The author's main proposals on this issue were approved earlier at a meeting of the Interdepartmental Commission of the Security Council of the Russian Federation on information protection.

Objects of protection

In order to more clearly define the subject area of legislation and build a holistic system in the field of information security, it is proposed to designate three main objects of protection:

1) protection of individual rights and interests of society in the information sphere;

2) protection of information;

3) protection of information systems.

In the first case, four main elements should be highlighted: creating conditions for citizens to exercise their right to access information; protecting citizens' rights to privacy (the freedom of some is determined by the degree of freedom of others); protecting human health, the human psyche and society from harmful information, including that distributed via computer networks or using computer technologies (an example of this is the recent incident in Japan, when 700 people were hospitalized with symptoms of epilepsy after watching a computer animation); and, finally, protecting rights to the results of intellectual activity, primarily in the interests of the state. Our legislation should be built with a focus on achieving and maintaining a balance of the rights and interests of citizens, society and the state. Hence the bills in the work plan: «On the Right to Information» (adopted by the State Duma in the first reading); «On Personal Data»; «On Information-Psychological Security»; «On the Implementation of State Rights to Intellectual Property Objects»; «On Amendments and Supplements to the Codes of the Russian Federation».

In the second case, we should be talking about protecting information with limited access.

In his Address to the Federal Assembly on February 16, 1998, the President of Russia listed the reduction of departmental secrets as the main task of the authorities. The state needs to establish prohibitions by law and determine the extent of its participation in protecting this information with limited access. Apparently, there should be 100% participation in the area of protecting state and official secrets, and partial participation in ensuring the protection of other confidential information (commercial, banking, professional, in compliance with the guarantee of the inviolability of personal data). The degree of participation is determined by the laws adopted, legal prohibitions, and established standards of liability for violating these prohibitions. Everything that is not prohibited by law must be permitted.

Now the situation is as follows: the state says — protect your own information, but ask the state for permission each time.

In such a suspended state, no self-respecting owner will dare to make serious investments in developing means of protecting his confidential information, for which he and only he is responsible, because, firstly, in the absence of legislative restrictions, an official can change the rules at any time, and secondly, in the case of encryption, the state, having a duplicate key in the person of the same official, can see what is happening with the owner of the information and use it without the owner's knowledge. This situation forces users of protection tools to protest as much as they can, in the hope that the authorities will hear their arguments.

Currently, there are more than 30 types of secrets. Their concepts are often not defined, the relationships between them are not defined either, and responsibility for violating the regime of one or another type of secret is not always present in the Criminal Code or the Code of Administrative Offenses. Nevertheless, the state requires their observance. Therefore, we propose to reduce 32 types of secrets to five main ones, to adopt a law for each of them, and to establish prohibitions and the degree of state participation in the protection of information with limited access.

Hence the package of laws: «On State Secrets» (currently in effect as of 1997), «On Commercial Secrets» (adopted in the first reading), «On Banking Secrecy» (draft), «On Professional Secrets» (plan), «On Official Secrets» (plan). Along with this, it is proposed to exclude a special chapter from the current Federal Law «On Information, Informatization and Protection of Information» with the simultaneous adoption of a special law «On the Protection of Confidential Information» and a law «On Counteracting Foreign Technical Intelligence».

Finally, in the third case, it is necessary to determine which information systems need to be protected and how best to do this with the participation of the state, where necessary.

Let me give you an example. There is an article in the Constitution of the Russian Federation (clause 2, article 23) that the state guarantees every citizen of Russia the secrecy of telephone conversations, postal, telegraphic and other communications. The question arises: who in the person of the state guarantees the secrecy of telephone conversations? From conversations with the management of the State Communications Committee of Russia, it turns out that this structure is not responsible for this, because the telephone network is an open system. But this department does not supervise closed systems either, since FAPSI is responsible for government communications. In turn, FAPSI is not responsible for open systems. Then who in the state guarantees a citizen the right to the secrecy of telephone conversations? It turns out that no one!

Does this mean that all telephone networks need to be encrypted? Of course not. We need to look for other ways and means of protecting this information.

Of course, the state should take on the protection of the information systems of the highest authorities, public administration, combat weapons control systems, systems that ensure banking and financial stability. But it should also bear full responsibility for this.

Problems of information protection in open systems

In the area of open systems, including the Internet, the state must also define its role in protecting them. The highest bodies of state power have tried several times to define their attitude to open systems, including the Internet. At the end of 1996, parliamentary hearings were held under the title «Russia and the Internet: Choosing the Future.» Of course, we said «yes» to the Internet in Russia, but at the same time we listed the problems that cannot be ignored. Recently, there was a meeting of a group in the Government of the Russian Federation, where the draft resolution «On state regulation of the Internet in Russia» was discussed. To the credit of the group members, they abandoned the original version of the title, choosing another one — «On the role of the state in the development of the Internet in Russia.» There are similar decisions or their projects in other government structures. Today, the state's attitude to the Internet is generally positive.

Abroad, it is widely practiced to post laws and bills on the Internet. In Italy, even court decisions have begun to be published via the Internet. In the USA, in Florida, voting in the elections in the fall of 1998 is to take place via the Internet. In Japan, electronic trade and electronic exchanges are actively developing. In the State Duma of the Russian Federation, following other government bodies, a publicly accessible server has been opened in this network. Saying «no» to the new opportunities that computer networks open up for us means saying «No» to the 21st century, since the next century is the century of information technology.

At the same time, we should not close our eyes to the problems that this century brings with it. Today, the United States, being the birthplace of the Internet, has realized the degree of danger that the development of computer networks, along with progress, brings to the country, primarily from hackers, both private individuals and «state».

We must understand today that no one allocates colossal amounts of money for planning information wars and for developing information weapons without a reason (in some countries these amounts exceed the budgets for developing missile and nuclear technologies and space programs). Does this mean that we should stop further development of open systems? Of course not. But the state must take measures to minimize the consequences of such dangers.

The Internet as a means of spreading information weapons

Many crimes committed using the Internet are very similar to ordinary ones, such as dissemination of confidential information without the consent of its owner, slander, hacking computer networks, theft of information, piracy, fraud, etc. At the same time, the Internet also gives rise to some specific problems that do not exist in other computer networks operating on the territory of one state.

The first problem is that cyberspace does not recognize national laws and state borders. Laws in force in one state regarding computer crimes are quite difficult to implement in another country if its legislation does not have similar norms. Unification of legislation is needed. That is why the CIS has a concept for the development of national legislation through model laws.

The second problem: international information exchange networks, including the Internet, dramatically expand the possibilities of using information weapons, which in their effectiveness are comparable to weapons of mass destruction. The range of action of such weapons can extend from harming people's mental health to introducing viruses into computer networks and destroying information. Today, the directives of the US Department of Defense detail the procedure for preparing for such information wars; units of cyber warriors have been graduating for the third year already. This is no longer science fiction, but the reality of our days. What can be done in this area? It is unlikely that it will be possible to achieve a complete ban on information weapons. But it is possible and necessary to introduce restrictions on the production and circulation of these weapons, an international ban on waging information wars.

In 1997, the author put forward an initiative that was supported by the parliamentary committees of the State Duma of the Russian Federation, and in December 1997 it turned into a political initiative of the parliaments of the CIS states. The leaders of the parliaments of our countries adopted an appeal to the UN with a proposal to include in the agenda of the General Assembly the issue of preparing and concluding an international convention «On the prevention of information wars and limiting the circulation of information weapons.» On March 30, 1998, at a meeting with UN Secretary General Kofi Annan in the Russian parliament, the author asked him to use his personal authority to ensure that this issue was included in the agenda of the UN General Assembly. This convention must be prepared and adopted so that we do not spend the funds necessary for the development of our telecommunications and information systems first on developing information weapons, then on protecting against them, and then on destroying them, as was previously the case with nuclear, chemical and bacteriological weapons in the 20th century. The law «On International Information Exchange» also requires changes in this part.

Finally, it is necessary to establish rules and norms for the relationship between the state and the information institutions of civil society. But for this, this information society must organize itself, structure itself, develop its own code of honor (like the Hippocratic oath for doctors or journalistic ethics) and mechanisms for ensuring it, and offer the state some rules without waiting for the government to develop its own. Among them should be mandatory broad public participation in the preparation and discussion of bills so that state rule-making becomes truly safe for society and citizens, and power is limited by law as much as possible. Only in the case of successful development of the non-state component can we count on a successful solution to all problems in the field of ensuring information security.
