Article 274 of the Criminal Code of the Russian Federation.
1. Violation of the rules for operating means of storing, processing or transmitting protected computer information or information and telecommunication networks and terminal equipment, as well as of the rules for access to information and telecommunication networks, resulting in the destruction, blocking, modification or copying of computer information and causing major damage, is punishable by a fine of up to five hundred thousand rubles or in the amount of the wages or other income of the convicted person for a period of up to eighteen months, or by correctional labor for a term of six months to one year, or by restriction of freedom for a term of up to two years, or by forced labor for a term of up to two years, or by imprisonment for the same term.
2. The act provided for in the first part of this article, if it entailed grave consequences or created the threat of their occurrence, is punishable by forced labor for up to five years or imprisonment for the same term.
Commentary to Art. 274 of the Criminal Code
1. The objective side is characterized by an act in the form of action or inaction, consisting of a violation of the rules for the operation of means of storing, processing or transmitting protected computer information or information and telecommunication networks and terminal equipment, or the rules of access to information and telecommunication networks. These rules are mandatory technical rules developed by equipment manufacturers, software developers, equipment maintenance services, and authorized government agencies.
2. The elements of the crime are material: two consequences are presumed, occurring one after another and causally related. The first is described in the law as the destruction, blocking, modification or copying of computer information (see the commentary to Article 272 of the Criminal Code), which in turn causes the second consequence, major damage (note 2 to Article 272 of the Criminal Code).
3. The subjective side can be characterized by both intentional and careless forms of guilt.
4. Special subject of the crime: a person obliged to comply with the relevant rules.
5. The grave consequences in Part 2 are similar in content to the corresponding feature in Part 3 of Art. 273 CC.
Art. 274.1 of the Criminal Code of the Russian Federation provides for criminal liability for unlawful influence on the CII of the Russian Federation, including through the creation, distribution or use of computer programs. There is as yet no statistically significant judicial practice on the application of Art. 274.1 of the Criminal Code of the Russian Federation; below is a brief overview of several court cases.
Author: Alexey Podmarev , Association of Heads of Information Security Services (ARSIB), Committee on Security of Critical Information Infrastructure
Petropavlovsk-Kamchatsky
The first case (No. 1345/2019) in which a charge under this article appeared was considered in Petropavlovsk-Kamchatsky on May 31, 2019. The affected CII objects were two Roskomnadzor websites; special software that performs load testing of Internet resources was used to unlawfully influence them. The court characterized this functionality itself as “deliberately intended for unlawful influence on the critical information infrastructure of the Russian Federation, including blocking information contained in it.” As a result, access to the sites was impaired for a total of approximately 25 minutes. The defendant showed active repentance and was released from criminal liability entirely.
Volgograd
A little later, the same Part 1 of Art. 274.1 of the Criminal Code of the Russian Federation appeared in case No. 1-337/2019 of August 16, 2019 in Volgograd. The details of the criminal case are not known, but it was dismissed at the first hearing: the defendant received a court fine, agreed to full compensation for the damage, and was released from criminal liability.
Vladivostok
The next two cases were considered in September of the same year, 2019, in Vladivostok. Both concern protected computer information held by CII subjects.
In case No. 1-376/2019, it was established that property damage had been caused to a defense enterprise, a CII subject. A group of three people, using specialized software, penetrated the company's computers via RDP, encrypted the data on the hard drives and demanded a ransom which, judging by the ruble amount, corresponded to one bitcoin. The court took into account the confession and voluntary compensation for the damage and, under the special procedure, sentenced each of the defendants to two years' suspended imprisonment.
In case No. 1-368/2019 of September 25, 2019, a violation of operating rules was identified and charges were brought under Part 4 of Art. 274.1 of the Criminal Code of the Russian Federation (use of official position) against an employee of a CII subject. On the day of her dismissal, an employee of the sales department of a telecommunications company copied subscribers' personal data from the automated system and e-mailed it to a friend. The defendant admitted guilt, the trial took place under the special procedure, and a sentence of three years' suspended imprisonment was imposed.
It should be noted that the operating rules referred to in these cases mean not only the internal regulations of the organization that owns the information system, but also rules defining the procedure for working with computers: regulations, state standards, instructions, technical descriptions, orders, etc., established by equipment manufacturers, software developers, and competent government agencies. The opinion that only the CII subject (the owner of the information system) can establish the rules for operating a CII object is erroneous.

FSTEC Order No. 239 requires the CII subject to conduct vulnerability analysis on a periodic basis and to manage updates. When (and if) a successful attack on a CII object causes significant harm, failure to comply with these requirements will be classified as a criminal offense for which the CII subject is responsible. The concept of “significant harm” is evaluative. This ambiguity, combined with a long statute of limitations, may make the article a convenient instrument of pressure for investigators.

Owners of information infrastructure objects, realizing that they must independently determine whether they are CII subjects, prefer to declare that they are not, or try to transfer the operation of existing information resources to another legal entity. The operator to whom the information resource has been transferred may not be subject to the provisions of 187-FZ and may not know what processes the infrastructure supports. Whether the correct category of significance was assigned, or no categorization was carried out at all, makes no difference to criminal liability: Art. 274.1 of the Criminal Code of the Russian Federation applies even to owners of systems who have not carried out categorization and do not consider themselves CII subjects.
Criminal Code of the Russian Federation Article 274.1. Unlawful influence on the critical information infrastructure of the Russian Federation
- Creation, distribution and (or) use of computer programs or other computer information knowingly intended for unlawful influence on the critical information infrastructure of the Russian Federation, including destruction, blocking, modification or copying of information contained in it, or neutralization of means of protecting said information, is punishable by forced labor for a term of up to five years with or without restriction of freedom for a term of up to two years, or by imprisonment for a term of two to five years with a fine of five hundred thousand to one million rubles or in the amount of the wages or other income of the convicted person for a period of one to three years.
- Unlawful access to protected computer information contained in the critical information infrastructure of the Russian Federation, including by using computer programs or other computer information deliberately intended for unlawful influence on the critical information infrastructure of the Russian Federation, or other malicious computer programs, if it caused harm to the critical information infrastructure of the Russian Federation, is punishable by forced labor for a term of up to five years with a fine of five hundred thousand to one million rubles or in the amount of the wages or other income of the convicted person for a period of one to three years and with or without restriction of freedom for a term of up to two years, or by imprisonment for a term of two to six years with a fine of five hundred thousand to one million rubles or in the amount of the wages or other income of the convicted person for a period of one to three years.
- Violation of the rules for operating means of storing, processing or transmitting protected computer information contained in the critical information infrastructure of the Russian Federation, or information systems, information and telecommunication networks, automated control systems, telecommunication networks related to the critical information infrastructure of the Russian Federation, or rules of access to the specified information, information systems, information and telecommunication networks, automated control systems, telecommunication networks, if it entailed causing damage to the critical information infrastructure of the Russian Federation - is punishable by forced labor for up to five years with deprivation of the right to hold certain positions or engage in certain activities for up to three years or without it, or imprisonment for a term of up to six years with deprivation of the right to hold certain positions or engage in certain activities for a term of up to three years or without it.
- Acts provided for in part one, two or three of this article, committed by a group of persons by prior conspiracy or by an organized group, or by a person using their official position, are punishable by imprisonment for a term of three to eight years with or without deprivation of the right to hold certain positions or engage in certain activities for a term of up to three years.
- Acts provided for in parts one, two, three or four of this article, if they entail grave consequences, are punishable by imprisonment for a term of five to ten years with or without deprivation of the right to hold certain positions or engage in certain activities for a term of up to five years.
Second commentary to Art. 274 of the Criminal Code of the Russian Federation
1. Since the disposition of the article is blanket, when qualifying the act it is necessary to refer to the relevant paragraphs of various rules, which may be contained in by-laws, e.g. Decree of the Government of the Russian Federation of September 10, 2007 No. 575 “On approval of the Rules for the provision of telematic communication services”; in departmental acts, e.g. the methodological document “Information protection measures in state information systems” (approved by FSTEC of Russia on February 11, 2014) and Order of the FSB of the Russian Federation No. 416 / FSTEC of the Russian Federation No. 489 of August 31, 2010 “On approval of the Requirements for the protection of information contained in public information systems”; and in local acts ensuring information security at specific enterprises and organizations, for example the “Information Security Policy of Gazprombank (Open Joint Stock Company)”.
2. The objective side is expressed in actions or inactions that violate the rules of operation of the specified facilities, networks and terminal equipment or the rules of access to information and telecommunication networks, and the consequences in the form of major damage from the destruction, blocking or copying of computer information caused by violation of the relevant rules.
3. The crime is completed with the onset of consequences in the form of destruction, blocking or copying of computer information (consequences of the first order), which causes large property damage (over 1 million rubles), i.e. second order consequences.
4. The subjective side can be expressed in both intentional and careless forms of guilt.
5. The subject of the crime is a special one: a person who is obligated to comply with the rules of operation of the specified facilities, networks and terminal equipment or the rules of access to information and telecommunication networks.
6. The qualifying feature is the infliction of grave consequences or the creation of a threat of their infliction (see commentary to Part 4 of Article 272 of the Criminal Code).
What to expect from judicial practice under Article 274.1 of the Criminal Code of the Russian Federation
Predicting judicial practice is a thankless task, but sometimes it is possible with a high degree of confidence in the result. The CII subject is primarily interested in who, and in what case, can be held accountable under Parts 3-5 of Article 274.1 of the Criminal Code of the Russian Federation (“Unlawful influence on the critical information infrastructure of the Russian Federation”). For a crime to exist under these elements, two factors are required: harm must be caused to the CII, and the cause of this harm must be the culprit's failure to comply with the rules for operating “means of storing, processing or transmitting protected computer information contained in the CII”. CII is defined in Federal Law No. 187-FZ as the set of critical information infrastructure objects and the telecommunication networks used to organize the interaction of such objects. Accordingly, causing harm to any CII object causes harm to the CII as a whole.
The subject area under consideration can be characterized as follows:
- There are objects, incidents with which can lead to resonant consequences (people may die, production may stop, environmental consequences may occur, etc.)
- There are rules for the operation of these facilities; someone can violate these rules intentionally or out of ignorance, and this violation can cause such an incident. However, it is not clear what rules are being discussed in the article.
- Only a very specific person can become the culprit of the violation - the investigation must establish and prove that the inaction of this person or certain actions of this person became the cause of the incident and the harm caused by it. Accordingly, it is unclear who could be considered such a culprit in the event of a real incident.
There is no statistically significant judicial practice on the application of this article and is not expected in the near future. But there is Article 274 of the Criminal Code of the Russian Federation (“Violation of the rules for operating means of storing, processing or transmitting computer information and information and telecommunication networks”), which at first glance is completely similar and on which there is judicial practice. Here is what is said about it in the methodological recommendations of the Prosecutor General's Office of the Russian Federation:
- “The subject of this crime is the means of storing, processing or transmitting protected computer information, information and telecommunication networks and terminal equipment.”
Everything is clear here: for a crime to exist, the harm must be caused by an impact on the technical component of the object.
- “This norm is blanket and refers to specific instructions and rules establishing the procedure for working with means of storing, processing or transmitting protected computer information, information and telecommunication networks and terminal equipment in a department or organization.”
That is, there are no abstract rules known to everyone by default; only the requirements of specific documents can be violated.
- “These rules must be set by the authorized person.”
Here, too, it is clear: no one is obliged to carry out the instructions of a person who has not been given such powers by anyone. Only requirements established by an authorized person are taken into account.
- “A causal connection must be established between the fact of the violation and the significant harm that has occurred, and it must also be proven that the consequences that have occurred are the result of a violation of the operating rules... The rules referred to in Art. 274 of the Criminal Code of the Russian Federation should be aimed only at ensuring information security.”
Obviously.
- “Rules of access and operation related to information processing are contained in various regulations, instructions, charters, orders, GOSTs, project documentation for the corresponding automated information system, contracts, agreements and other official documents.”
That is, a violation of operating rules means a violation of any mandatory requirement whatsoever, regardless of which documents and regulations contain it.
I want to especially note the last point: I often hear the opinion that operating rules refer only to the internal regulations of the organization that owns the information system; that is, only the owner of the information system can establish rules for its operation. This does not correspond to the position of the Prosecutor General's Office cited above, which explicitly names state standards as one of the sources of operating rules, and they are in no way internal regulations of an organization. This error in interpretation is due to two factors.
The first: when retelling someone else's opinion, people tend to omit or distort what they consider insignificant details. Thus, in textbooks the concept of “rules of operation” is retold in simpler language and, for example, is presented to students of the University of the Prosecutor's Office of the Russian Federation as follows:
These rules must be established by an authorized person and adopted in the proper manner, for example, approved by a written order, with which the performers must be familiarized with signature. In addition, operating rules can not only be established by an authorized person, but also determined by technical descriptions and instructions transmitted by the employer to the employee, as well as by the user from the manufacturer when purchasing the corresponding device or software, or by the rules of access to information and telecommunication networks in certain cases.
As we can see, the meaning of the explanations of the Prosecutor General’s Office is preserved here, but GOSTs and other official documents have disappeared from the examples, only internal regulatory documents remain, which the user or employee is familiar with. It is not surprising that in the future graduates do not turn to primary sources, but retell the material they have learned once.
The second factor is the negligible number of cases in which Article 274 of the Criminal Code of the Russian Federation has been applied: according to the Judicial Department at the Supreme Court of the Russian Federation, in 2017-2018 all courts of the Russian Federation issued 2 (in words: “two”) sentences under it, and in both cases this article was supplementary to the main offense. According to other sources (thanks to Valery Komarov), in 2010-2017 law enforcement agencies opened only 21 criminal cases with the act qualified under this article. Therefore, when talking about judicial practice regarding violations of operating rules, we are dealing with a statistically insignificant sample, consisting mainly of crimes against commercial companies initiated at the request of their owners. To qualify the act, it was enough that the internal rules of the victims had been violated.
In CII, in relation to significant objects, we have a fundamentally different situation: there are a number of legal norms that define the responsibilities of the CII subject during the operation of a significant CII object - see, for example, section 13 of FSTEC Order No. 239. The question arises: what will happen if the cause of a high-profile incident at a significant CII facility is ignoring the regulator’s requirements?
Judicial practice under Article 274 of the Criminal Code of the Russian Federation does not help us here, but there is another subject area that has exactly the same characteristics - fire safety:
- There are objects where fires can lead to resonant consequences (people may die, production may stop, environmental consequences may occur, etc.)
- There are fire safety rules for these facilities; someone can violate these rules intentionally or unknowingly, and this violation can cause such an incident. At the same time, it is just as unclear what rules the relevant article (Art. 219 of the Criminal Code of the Russian Federation) is talking about.
- Only a very specific person can become the culprit of the violation - the investigation must establish and prove that the inaction of this person or certain actions of this person became the cause of the incident and the harm caused by it. Accordingly, it is unclear who could be considered such a culprit in the event of a real incident.
In the review of judicial practice, we see that the Plenum of the Supreme Court of the Russian Federation interprets the concept of “fire safety rules” in the same way as the Prosecutor General's Office interprets the concept of “operating rules”:
As is known, the disposition of this article is blanket. The legislator does not disclose the concept of “fire safety rules” in it and refers us to the norms of special legislation. At the same time, the Federal Law “On Fire Safety” names “fire safety rules” as one of the types of regulatory documents in this area. That Federal Law also classifies standards, norms, instructions and other documents as regulatory documents on fire safety, the violation of which, upon the occurrence of the consequences specified in the disposition of Art. 219 of the Criminal Code of the Russian Federation, entails criminal liability.
As we can see, in both subject areas, by “rules” the judicial system of the Russian Federation understands the totality of all norms establishing the responsibilities of a subject in a given subject area, regardless of which document specifically establishes these responsibilities. This means that we should expect that when applying Article 274.1 of the Criminal Code of the Russian Federation, the judicial system will also include the regulatory requirements of the FSB and FSTEC, which define the responsibilities of the CII subject during the operation of the CII facility, as operating rules.
Simply put, if clauses 13.2 and 13.3 of FSTEC Order No. 239 require the CII subject to periodically analyze vulnerabilities and to manage updates, then failure to comply with these requirements, in the event of a successful ransomware attack on the CII object, will become an independent criminal offense for which the CII subject is responsible. And here an interesting question arises: who exactly will bear this responsibility?
And here again judicial practice in fire safety cases comes to the rescue. Here is one typical example. An organization rented a landing stage and set up a dormitory on it. A person responsible for fire safety was appointed, but in fact the fire safety requirements were not met, or not met in full (the verdict lists only the violations). There was a fire and a person died. The court's verdict states:
- Despite the fact that a person responsible for fire safety had been appointed by order of the director, it was the director who “did not ensure that the responsible employees were trained in the fire-technical minimum in terms of knowledge of the requirements of regulatory legal acts regulating fire safety, in terms of the fire regime, as well as techniques and actions in the event of fire in the organization, allowing them to develop practical skills in preventing fire, saving lives, health and property in case of fire, did not test employees' knowledge of fire safety requirements.”
- It was the director who “failed to ensure that fire safety signs were in good working order, including those indicating evacuation routes and emergency exits, as a result of which the evacuation lighting did not turn on automatically when the power supply to the working lighting was cut off.”
- It was the director's fault that “the landing stage superstructure building, being a public facility, was not equipped with an automatic fire alarm system with smoke detectors installed in the premises,” etc.
The court ruled that all the violations listed in the verdict were committed by the director, consciously, for the sake of economy, with an understanding of the possible consequences. The director was found guilty, and the fact that he got off with a suspended sentence, which was removed from him due to the amnesty, is a completely different story.
This practice is quite applicable to significant CII objects. If an attack on a CII object leads to resonant consequences, someone will have to answer for it. Following the logic that guided the court in the verdict discussed above, personnel responsible for ensuring security, whether fire safety or information security, are responsible only for the performance of those duties that are clearly established for them by external or internal regulations. If the head of the organization did not appoint those responsible, did not define their duties, or did not give them the means to fulfill these duties (did not organize training, did not allocate a budget, etc.), then he himself bears responsibility for the consequences.
This is not the only such sentence; it was simply the first one that appeared in the search results. There is no guarantee that investigators and courts will always adhere to this logic. But this example shows that in cases involving loss of life or other equally resonant consequences, the head of the organization often answers for the consequences jointly with the responsible employees, and in some cases alone.