Actual problems of legal provision of information security of the Russian Federation

Veprentseva Tatiana Alekseevna PhD in History Associate Professor, Department of Organization of Law Enforcement and Human Rights Activities, Tula Institute (branch) VGUYU (RPA of the Ministry of Justice of Russia) 300026, Russia, 71 oblast', g. Tula, ul. Pr-T lenina, 104 vt180678@yandex.ru

Today, in our country and in the world as a whole, there is a rapid strengthening of the role of information in public relations. Information and communication technologies are actively developing, the formation of the information society continues, the virtual space is expanding, which, in turn, is being introduced into various spheres of life. On this basis, various risks and threats to the security of the individual, society and the state are increasing. All this determines the relevance of considering the most important problems of legal provision of information security in the Russian Federation, to which this study is devoted.

The article analyzes legal norms, scientific doctrines reflecting a wide range of issues of legal provision of information security, as a result of which conclusions are formulated about the prospects for solving existing problems of legal provision of information security in our country in modern conditions. Methodological tools, at the same time, are a set of general scientific and special legal methods of cognition: formal-logical, comparative-legal, prognostic.

To date, researchers have accumulated significant experience in typifying the problems of legal provision of information security. V. N. Lopatin, who in 1989-1990 headed the working group responsible for information security issues as part of the Commission on Improving the National Security System, proposed the following classification of information protection objects: 1) protection of information and rights to it (including the right to access information, the right to secrecy, intellectual property rights); 2) protection of a person and society from the effects of "harmful" information; 3) protection of information systems and rights to them (including the rights and interests of the state to preserve a single information space in the country) ^{[1, p.15]}.

The developers of the Concept of the Information Code of the Russian Federation in 2014, speaking about the legal provision of information security in the Russian Federation, identified a wide range of problems in this area: legal problems of ensuring information security of society, the state, the person; cybersecurity issues; identification problems in the information sphere (primarily in the Internet environment), etc. ^{[2, Chapter 7]}.

Taking into account classical approaches to typification of problems of legal provision of information security, within the framework of this study we will define the following blocks of problems in this area in the modern period:

1. Issues of protection of information in the sphere of interests of the individual, society and the state (including cybercrime, use of personal data, development of the digital economy and the electronic state).

2. Issues of internationalization of Internet governance (balanced and effective combination of national and international governance components).

3. Problems of systematization of legislation in the information sphere, including in the field of information security (first of all, to eliminate existing contradictions and gaps in legislation in this area).

The first block of problems is the most voluminous and is regulated by a wide range of regulatory legal acts. The Federal Law "On Security" dated December 28, 2010 No. 390-FZ ^[3] enshrines the principles of ensuring the security of the individual, society, and the state, while, among others, it names information security measures, which together with other measures constitute a state policy in the field of security.

State regulation of relations in the field of information protection is carried out by establishing requirements for information protection, as well as liability for violation of the legislation of the Russian Federation on information, information technologies and information protection.

The basis of Russian legislation on information is the Federal Law "On Information, Information Technologies and Information Protection" dated 27.07.2006 No. 149-FZ ^[4]. According to Article 16 of the Law, information protection is a whole set of measures that are designed to protect information from various illegal actions, including illegal access, destruction, modification, blocking, copying, provision, distribution. Taking into account the need to respect the confidentiality of restricted access information, the Law establishes the implementation of the right to access information.

Another important document, including in the field of information protection, is the "National Security Strategy of the Russian Federation", approved by Decree of the President of the Russian Federation dated 31.12.2015 N 683 ^[5]. The Strategy calls information security one of the first in a number of different types of national security (after state and public), thereby emphasizing its importance.

The National Security Strategy of the Russian Federation describes a whole range of threats to the security of individuals, society and the state in the information sphere. The Strategy calls the main threats to state and public security activities related to the use of information and communication technologies for the dissemination and propaganda of the ideology of fascism, extremism, terrorism and separatism, damage to civil peace, political and social stability in society.

As for personal security in the information sphere, the Strategy focuses on ensuring the availability of information, including through the use of information and communication technologies, and the development of information infrastructure.

The "Information Security Doctrine of the Russian Federation", approved by the Decree of the President of the Russian Federation dated 05.12.2016 No. 646 ^[6] defines strategic goals and main directions of ensuring information security. The adoption of the Doctrine was a very important and timely step. It identifies current problems, including the need for systematic counteraction to the destructive activities of foreign elements in the field of information security of the individual, society and the state.

The Doctrine notes a whole range of information threats to the Russian Federation, including: increasing the information impact on the population of Russia for destructive purposes; strengthening by a number of foreign countries the possibilities of information and technical impact on the information infrastructure for military purposes; increasing the scale of computer crime; insufficient level of development of competitive information technologies and their use, etc. ^{[6, Sec. III]}.

As the tasks of state bodies within the framework of activities for the development and improvement of the information security system, the Doctrine calls increasing the effectiveness of interaction between state bodies, local self-government bodies, organizations and citizens in solving tasks to ensure information security ^{[6, section III]}.Indeed, the process of electronic interaction of federal executive authorities, which is carried out in a variety of areas, has recently intensified. Moreover, in the context of the development of the information society, electronic interaction is the main type of communication of subjects of information exchange in various areas of public life. ^{[7, p.11]}.

The protection of the sovereignty of the Russian Federation in the information space remains one of the most important national interests in the information sphere. According to S. M. Boyko, it is a systematic approach to the implementation of this national interest that allows us to successfully solve the tasks of the state national policy in the field of information security ^[8]. Defending its right to a sovereign information space, the Russian Federation takes a balanced and only correct position that can increase the chances of achieving the objectives of state policy in the field of information security.

One of the main threats to information security today is cybercrime, the scale of which is increasing, primarily in the credit and financial sphere, as well as in the field of human and civil rights and freedoms, personal data protection ^{[9, p.243]}. The number of crimes committed in cyberspace is growing in proportion to the number of users of computer networks. The development of technologies and the blurring of the lines between personal and work devices, most likely, in the future will lead to the fact that the access of intruders to personal data, to corporate confidential and secret information, will be significantly facilitated ^{[10, p.15]}.

The legislative regulation of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation was provided by the Federal Law "On the Security of the Critical Information Infrastructure of the Russian Federation" No. 187-FZ, adopted on July 26, 2017 ^[11].

According to Article 5 of the Law, the critical information infrastructure is a single complex of forces and means for detecting, preventing and eliminating the consequences of computer attacks and responding to computer incidents.

According to the Order of the FSB of Russia dated 24.07.2018 No. 366 "On the National Coordination Center for Computer Incidents", an integral part of the forces designed to detect, prevent and eliminate the consequences of computer attacks and respond to computer incidents is the National Coordination Center for Computer Incidents (NCCC), endowed with a wide range of powers to prevent and eliminate the consequences of computer attacks and responding to computer incidents ^[12].

We agree with the opinion of researchers A. K. Kozyreva and D. A. Tarasov, who argue that countering cybercrime is possible only with the active participation of the state in regulating the process of information security in various spheres, as well as raising awareness of citizens in matters of personal information security ^{[9, p.247]}.

Following a meeting of the Presidium of the Presidential Council for Strategic Development and National Projects on December 24, 2018, the passport of the national program "Digital Economy of the Russian Federation" was approved ^[13]. The passport was developed by the Ministry of Digital Development, Communications and Mass Communications of the Russian Federation pursuant to Presidential Decree No. 204 dated May 7, 2018 "On National Goals and Strategic Objectives of the Development of the Russian Federation for the period up to 2024" and includes six federal projects: "Regulatory regulation of the digital environment", "Information Infrastructure", "Personnel for the Digital Economy", "Information Security", "Digital Technologies" and "Digital Public Administration".

The implementation period of the national program: from October 2018 to 2024 (inclusive). The key objectives of the national project are the creation of a stable and secure information and telecommunications infrastructure for high-speed transmission, processing and storage of large amounts of data, accessible to all organizations and households, the use of mainly domestic software by state bodies, local governments and organizations.

In pursuance of the Federal Project "Regulatory Regulation of the Digital Environment", it is planned to adopt 18 federal laws by the end of 2024 that will regulate the use of digital technologies in various fields.

As a result of the implementation of the Information Security project, national cybersecurity standards will be created, the work of national and regional centers for responding to computer incidents will be ensured, a unified management and monitoring system for the Russian segment of the Internet will be created, a system of measures to support Russian manufacturers of products and services in the field of information security has been developed.

According to the Federal Information Infrastructure Project, it is planned to create a global competitive infrastructure for data transmission, processing and storage, mainly based on domestic developments. For example, by December 31, 2021, it is planned to connect state and local government bodies to the Internet, and by December 31, 2024 - police precinct stations, territorial bodies of the National Guard, and units of the National Guard troops; fire posts and fire stations in small settlements.

 Rostelecom, the largest Russian provider of digital services and services, among others, also took part in the implementation of the national program "Digital Economy of the Russian Federation". At the meeting of the Prime Minister of the Russian Federation D. A. Medvedev with the President of Rostelecom PJSC M. E. Oseevsky on July 26, 2019, Mikhail Eduardovich spoke about the work to expand the infrastructure of access to the Internet for citizens and institutions. According to him, in 2018 Rostelecom completed the connection of medical institutions to the Internet, in 2019 a lot of work was launched to connect schools, paramedic and obstetric centers, local authorities. The plans for the next three years are quite large: to connect more than 100 thousand such objects to the global network ^[14]. 

 Taking into account the expansion of the widespread use of information and communication technologies by an increasing number of citizens, institutions, organizations, authorities and local self-government, the issue of the need to strengthen measures to protect this process is of particular relevance.

 According to M. V. Bundin, "the development of the digital economy and the electronic state... it will largely depend on what the legal regime of personal data and its main parameters will be" ^[15]. And here it is important to find the necessary balance of requirements to ensure their confidentiality in order to avoid negative consequences for the economy and the state.

 The state program of the Russian Federation "Information Society (2011-2020)" continues its operation (approved Decree of the Government of the Russian Federation No. 313 of 15.05.2014), consisting of four subprograms, the third of which is the subprogram "Security in the Information Society". The program is aimed at achieving very high results. They should directly affect the quality and diversity of communication services and information technology products, increase consumer access to the use of the Internet information and telecommunications network resources, etc. ^[16]. A number of these indicators have already been achieved, but there is still a lot of work to be done in this direction in 2020 and to create optimal conditions for achieving new higher indicators during the implementation of subsequent programs.

The Ministry of Digital Development, Communications and Mass Communications of the Russian Federation, formed by Presidential Decree No. 215 of 15.05.2018 on the basis of the Ministry of Communications and Mass Communications of the Russian Federation, is responsible for the implementation of the Program. The updated name of the Ministry indicates the changed goals and objectives of its activities: along with the activities carried out earlier, the Ministry is engaged in the development and implementation of state policy and regulatory regulation in the field of information technology (including the use of information technology in the formation of state information resources and ensuring access to them). The Ministry develops such areas of activity as: information state, electronic government, digital economy of the Russian Federation, etc. The activities of the Ministry today directly meet the needs of the time and the tasks of state policy in the field of information security. 

Judging by the results of the State Program of the Russian Federation "Information Society for 2011-2020" expected by the end of 2020, the state creates all conditions for the growth of informatization of society. However, as a result of increased informatization, the threat to the information security of the individual, society and the state inevitably increases. The transnational nature of threats leads to an aggravation of the problem of ensuring information security, which, in turn, acquires a transnational character and requires joint efforts on the part of the world community. 

 Thus, the current legislation in the field of information security is directly focused on the protection of information that is in the sphere of interests of the individual, society and the state as a whole; aspects of combating cybercrime, illegal use of personal data, effective development of the digital economy and the electronic state have found their consolidation in it.

The second set of problems is related to the peculiarities and complexities of Internet governance at the present stage and in the near future.

The Information Security Doctrine of the Russian Federation identifies difficulties that hinder the formation of an international information security system aimed at achieving strategic stability and equitable strategic partnership. Among them is the absence of international legal norms regulating interstate relations in the information space, as well as mechanisms and procedures for their application, taking into account the specifics of information technologies ^{[6, Sec. V]}.

In view of the rapid development of the Internet in recent years, and, consequently, the increasing threats to the information security of states and the impossibility of confronting them within the framework of national legislation, proposals are being made to internationalize Internet governance based on the combined efforts of the state, business and society. Since 2006, the possibility of creating an Internet governance body at the UN or transferring Internet governance to the International Telecommunication Union (ITU) has been discussed.

According to E. V. Talapina, the main obstacle to national legal regulation is the cross-border nature of the Internet. There are obvious difficulties in the distribution of national and international aspects of Internet regulation. A certain bias towards the national component may increase the risks of fragmentation of the Internet within national borders, which, in turn, will indicate a conflict with the cross-border nature of the functioning of the Internet and, undoubtedly, will negatively affect its integrity and universality ^{[17, p.73]}.

These problems are designed to solve the "Fundamentals of the state policy of the Russian Federation in the field of international information security for the period up to 2020", approved by the President on July 24, 2013, No. Pr-1753 ^[18]. Due to the growing threat of the use of information and communication technologies for military and political purposes, one of the directions of state policy in the field of information security is the interaction of the Russian Federation with foreign states through the conclusion of international agreements on cooperation in the field of international information security ^{[18, paragraphs 8, 11]}.

The document notes the need to promote Russian initiatives in the international arena in the field of forming an international information security system to counter threats to strategic stability and promote equal strategic partnership in the global information space.

To promote and implement its initiatives in the field of information security, the Russian Federation participates in various international conferences. However, it is not always possible to find understanding and consensus with foreign partners. Thus, on April 23-24, 2014, an international NETmundial conference dedicated to the development of Internet governance principles was held in Sao Paulo. The Russian delegation headed by the Minister of Communications and Mass Media N. A. Nikiforov took part in the global conference on Internet infrastructure management NETmundial-2014 and proposed the creation (definition) within the UN of a separate international structure designed to promote the implementation of international legal norms in the field of Internet governance into national legislation, as well as to ensure interaction relevant international structures, institutions and organizations. Or ITU as a specialized international organization can be endowed with such functions. However, this position has not yet found proper support at the international level.

Nevertheless, the current state policy of the Russian Federation in the field of international information security makes it possible to realize national interests in the information sphere in the international arena. At the same time, Russia is increasingly striving to contribute to the formation of an international information security system capable of effectively countering threats to strategic stability in the global information space.

In response to certain actions of foreign states (first of all, the desire to minimize Russia's participation in solving urgent problems of international information security) Russia is forced to take steps to create a "spare" Internet, to promote its own initiatives to demonopolize Internet governance.

Thus, in order to counter threats to the information security of the Russian Federation when using the Internet information and telecommunications network on the territory of the Russian Federation, by Decree of the President of the Russian Federation dated 22.05.2015 N 260 "On some issues of information security of the Russian Federation", it was decided: to transform the segment of the international computer network "Internet" for federal public authorities and public authorities of the subjects of the Russian Federation, under the jurisdiction of the Federal Security Service of the Russian Federation, in the Russian state segment of the information and telecommunications network "Internet", which is an element of the Russian part of the Internet network ^[19].

According to the "Foreign Policy Concept of the Russian Federation" approved by Presidential Decree No. 640 of November 30, 2016, Russia is taking serious measures to ensure national and international information security, as well as measures to combat terrorism and other criminal threats using information and communication technologies.  Our country defends in the international arena the need to develop universal rules of responsible behavior of states in the field of international information security under the auspices of the UN. Internationalization of the management of the Internet information and telecommunication network on a fair basis is intended to play a significant role in this ^{[20, p.28]}. As already noted, the Russian Federation takes a rather active position designed to accelerate this process.

Another important document in the field of information security is the "Strategy for the Development of the Information Society in the Russian Federation for 2017-2030" (approved by Decree of the President of the Russian Federation No. 203 of 09.05.2017). The Strategy pays special attention to the development of the Internet and information infrastructure to ensure the functioning of social, economic and management systems ^{[21, p.33-34]}. That is, the Strategy developed ideas about the need for a balanced combination of national and international components in Internet governance issues and laid guidelines for the adoption of subsequent regulatory legal acts on information security issues.

On November 1, 2019, the Federal Law "On Amendments to the Federal Law "On Communications" and the Federal Law "On Information, Information Technologies and Information Protection" dated 01.05.2019 No. 90-FZ entered into force ^[22]. The law has normatively strengthened the protection of the national information security system, assigning Roskomnadzor the authority to ensure that a minimum of Russian traffic goes through foreign networks, and in critical situations a specialized center will take over their management.

Thus, the Russian Federation is clearly aware of the need to form an effective system of international information security and is taking various initiatives for this. At the same time, taking into account the need to achieve an equal strategic partnership in the global information space, the Russian Federation is strengthening the national component of Internet governance. The objective need of the time is to demonstrate the interest of all leading countries in resolving the problems of Internet governance and creating a balanced and effectively functioning system of international information security. 

Let's consider the third set of problems related to the need to systematize legislation in the field of information. The intensification of lawmaking in the information sphere in the last few years inevitably leads to an increase in the number of legal acts, which often contain conflicting norms of law. Many researchers who note various aspects of the imperfection of information legislation are convinced of the expediency of its systematization in order to eliminate these contradictions by codifying legislation in this area, which should go in parallel with the process of rulemaking. Thus, T. A. Polyakova rightly argues that the codification of legislation in the information sphere should be carried out in order to streamline legal norms, eliminate existing "gaps", eliminate contradictions, and transform normative material. At the same time, an important place in the new codified act should be given to information security, which has already become a sub-branch of information law ^{[23, pp.41-42]}.

Indeed, understanding all the difficulties of codifying information legislation (for example, the fact that the legal norms regulating information legal relations are scattered across various normative legal acts in the field of constitutional, civil, administrative law, etc.), it should be recognized that this is the best option for systematization and radical revision of current legislation - through the preparation and adoption of a new codified act.

The imperfection of legislation in the field of information is predetermined by a number of reasons: the incompleteness of the process of formation of the information society in our country, the relative youth of the branch of information law itself and its continuing dynamic development, some lag of legislative actions from the needs of the time.

We can give some examples of such legislative "imperfections" directly in the field of information security. For example, there is a serious gap in the legislative regulation of the issue of personal information security, given that the development of the global information society generates problems of legal regulation of information security in this area ^{[24, p.11, 42]}.

Also, the need to develop and apply new regulatory legal acts is due to the existing specific problems of legal support for the functioning of the global information society. At the same time, for example, the criminal use of the Internet is complicated by "insufficient study of the legal specifics of the relations arising in connection with its functioning" ^{[25, p. 42]}. 

The question of the need to improve and modernize the regulatory legal framework also arises when it comes to territorial jurisdiction in the case of an offense committed on the territory of another state, since it is necessary to bring the attacker to justice both from the State on whose territory he used technical devices when committing illegal actions, and from the State to which, or whose citizens have been harmed ^{[26, p. 91]}.

It should also be noted that the lack of legislative consolidation of the official secrecy regime, despite numerous references to the prohibition of its disclosure in various federal laws, negatively affects the state of legal protection of the interests of the individual, society and the state in the information sphere ^{[27, p.8]}. Undoubtedly, the legislator will have to do serious work in the future to create a legal basis for the effective regulation of this information regime.

For a long time, there has been a discussion in scientific circles about the need to adopt the Information Code of the Russian Federation, which could synthesize and systematize the current legislation in the field of information security. However, recently the intensity of the discussion around this problem has somewhat weakened due to the fact that many researchers do not see the possibility of creating such a code in the near future, at least, for example, due to the complexity of information law, complicating any codification ^{[28, p. 44]}. 

Taking into account all the existing difficulties of creating the Information Code of the Russian Federation, we note that in our opinion, this is the most optimal way to resolve numerous problems and contradictions in information legislation and work on its creation must certainly continue and systematically lead to the desired result - the creation of a new codified act in the field of information, an important place in which will take various aspects of information security.

Thus, the analysis of the current legislation in the field of information security has shown that in regulatory legal acts the greatest emphasis is placed on creating legal conditions for ensuring state and public information security. At the same time, personal information security issues still require serious legislative revision.

The legislator's enormous efforts have recently been directed at combating cybercrime. At the same time, there is an active participation of the state in regulating this aspect of information security, which, in our opinion, is an absolutely correct and justified position. 

A huge layer of problems in the field of legal provision of information security is planned to be resolved during the implementation of the national program "Digital Economy of the Russian Federation", the state program "Information Society for 2011-2020". However, this will become possible only as a result of strengthening protection measures when using information and communication technologies in the context of the ongoing informatization of modern society.

To date, the Russian Federation continues to pursue a policy in the field of information security, which defends the sovereign information space, and also initiates the activity of the world community aimed at creating effective mechanisms for ensuring international information security through the activities of international organizations and expanding the coverage of international law. 

Considering that the main obstacle to the national legal regulation of the Internet is its cross-border nature, the Russian Federation is trying to cope with this through new documents adopted for the purpose of cooperation with foreign states to create an effective system of international information security and optimize Internet governance.  At the same time, our country demonstrates a balanced position of increasing the share of independence in Internet governance issues while maintaining a proper balance between national and international components.

The existing gaps and contradictions in the current Russian legislation in the field of information security, the state is trying to solve by improving it, strengthening the interaction of state authorities, local governments and citizens. At the same time, it is necessary not to abandon the idea of systematization of information legislation through its codification. This process must be combined with active law-making in the field of information security in order to bring it in line with the needs of the time.