According to media reports, the Russian government has prepared amendments to the Criminal Code introducing liability for DDoS attacks: the maximum penalty may include a fine of up to 2 million rubles or up to eight years in prison.
As Kommersant reports, the criminalization of DDoS attacks is part of the second package of measures to combat cybercrime, which was developed by the Ministry of Digital Development together with market participants and affects about ten federal laws. The new package includes several dozen new measures, as well as additions to the Criminal, Criminal Procedure and Administrative Codes. As a representative of the office of Deputy Prime Minister Dmitry Grigorenko previously noted, the document is currently undergoing interdepartmental approval and may be changed taking into account proposals from departments and the industry. One of the proposals would add Article 272.2 "Malicious impact on an information system, information and telecommunications network, computer information or telecommunications network" to the Criminal Code. It should determine the punishment for DDoS attacks.
The maximum penalty under the article is a fine of up to 2 million rubles, imprisonment for up to eight years, and a ban on holding certain positions for up to three years. However, the draft contains an exception for individuals who attacked resources “access to which is prohibited or restricted by law.” They are not held liable for such actions.
The document defines a punishable act as “targeted impact” on information systems that “involves blocking or destroying computer information, causing significant damage or entailing other serious consequences.”
Lawyers and information security specialists told Kommersant that the definition of “targeted impact” is an important clarification in the draft.
"We need to define exactly what constitutes an attack. Any user can unintentionally create a load - it's a question of intent and technology," comments Yaroslav Šicle, head of IT dispute resolution practice at the law firm Rustam Kurmaev & Partners.
For law enforcement, it is important to identify objective signs of a violation (use of botnets, abnormal requests, repeated actions from one IP address, etc.), clearly define the concept of intent (coordination of actions, use of special software, participation in cybercriminal groups) and establish a damage threshold (duration of failure, economic losses, consequences for critical systems), ADVOLAW Managing Partner Anton Pulyaev explained to the publication.
“Without this, there is a risk that random or bona fide actions will be classified as a crime,” the lawyer added.
In a conversation with journalists, Deputy Director of the NTI Central Committee Timofey Voronin noted that a sharp increase in the number of orders on marketplaces and online stores can also be confused with a DDoS attack, and the possible consequences of such a rush are similar to the consequences of an attack.