Not provided for in Criminal Code: Russia proposes to criminalise DDoS attacks
But there are several “buts”
The Ministry of Justice has proposed to criminalise DDoS attacks. As experts told Realnoe Vremya, at present, the Criminal Code of the Russian Federation does not provide for liability for such attacks — there are only indirect articles. The criminalisation of such actions would be an important step in improving legislation amid rapidly developing technologies. However, it is crucial to protect the innocent from false suspicion, since DDoS attacks are anonymous and identifying their real source is extremely difficult. More on the significance and pitfalls of the Russian Ministry of Justice’s initiative — in Realnoe Vremya’s report.
Criminalisation of DDoS attacks
The Russian Ministry of Justice has proposed expanding criminal liability for DDoS attacks. This was announced by the deputy head of the ministry Vadim Fedorov at the XIII St. Petersburg International Legal Forum.
He also touched upon the issue of the spread of cashless payments, which allows fraudsters to instantly transfer funds between different individuals’ accounts and withdraw stolen money. At the same time, the mechanisms currently available to law enforcement agencies are not designed to counter such threats.
“In this regard, it is planned to introduce a new enforcement measure — the restoration of monetary operations. It envisages the suspension of debit transactions on accounts for 10 days if they are used in criminal activity,” said the deputy head of the ministry.
According to Fedorov, this will make it possible to prevent fraudsters from withdrawing stolen funds.
Liability for DDoS attacks not provided for in the Criminal Code of Russia
As Maria Troshikhina, the managing partner at Pravo Prosto, told Realnoe Vremya, at present, the Russian Criminal Code includes several articles concerning encroachments on the stability of information infrastructure. However, they do not specifically address DDoS attacks:
“They do not cover the elements of a DDoS attack — unlawful interference with information infrastructure for the purpose of obtaining another’s property or committing other actions that cause harm to an individual or organisation under the threat of prolonged disruption of their information systems, destruction, or unlawful access to and/or dissemination of information.”
Troshikhina noted that at present, there are several separate articles that are applied when considering cases of cyberattacks:
- For extortion (Art. 163): “However, it does not provide for threats involving the deliberate suspension of access to another’s equipment or infrastructure”;
- For unlawful access to information (Art. 272): “However, DDoS attacks do not always involve access to information, but rather restrict third-party access to information”;
- For the use of malicious computer software (Art. 273): “However, the use of such software in the commission of a DDoS attack must be proven”;
- For unlawful interference with Russia’s critical information infrastructure (Art. 274.1): “This provision is the closest in nature to the act of committing a DDoS attack, but as of today it may only be applied to critical information infrastructure (CII) objects.”
“Thus, liability for committing a DDoS attack is not provided for in the Criminal Code of the Russian Federation. It seems necessary to criminalise the full range of actions by offenders in carrying out DDoS attacks,” the lawyer concluded.
“The main challenge with DDoS attacks is their anonymity”
DDoS attacks are one of the most popular tools used by cybercriminals, Alexander Simonenko, the executive director of the cybersecurity company Xilant and AppSec evangelist, told Realnoe Vremya.
“DDoS attacks are capable of causing serious damage, up to disrupting the operation of critical infrastructure. For example, if a successful attack targets power units supplying hospitals and maternity wards, it poses a risk to human lives,” he said, citing an example.
At the same time, cyberattacks are more often used as a tool for extortion or sabotage, the expert believes. They can lead to financial losses:
“Criminal liability is a clear signal to society and potential offenders that such actions are unacceptable, as well as an additional tool for law enforcement. Furthermore, the presence of a specialised article will allow for precise qualification of crimes and the delivery of fairer court decisions.”
At the same time, Simonenko stressed the need to clearly define the law to prevent any network activity from being labelled as a DDoS attack.
“Introducing criminal liability is a step in the right direction, but it must be accompanied by comprehensive changes: the development of technical means for detecting attacks, improving the qualifications of specialists, and international cooperation. Without these components, the risk of remaining at the level of a ‘paper fight’ is very high. It is also important to devise a mechanism for proving guilt so that the real organisers of attacks do not go unpunished, and the innocent are not harmed by false accusations. The main challenge with DDoS attacks is their anonymity and distributed nature,” Simonenko said confidently.
