We deal with Russian cryptographic regulations ... using the example of the arrest of a drug lord

  • Tutorial

Mexican drug lord Joaquin Guzman Loera (El Chapo)

Not so long ago, an article flashed in the media that the Mexican drug lord El Chapo was arrested due to the fact that his IT officer sent crypto keys to the FBI, and they, in turn, were able to decrypt and listen to him telephone conversations.

Let’s fantasize and imagine that the drug lord, the IT-person and everything, everything, everyone would live in Russia ...

Presented? And now we will analyze what laws and how the use of cryptographic protection would be regulated in this phantasmagoric case.

About the story and the main characters in more detail



© shot from the movie “Gangs of New York”

Drug lord El Chapo hired 21-year-old Colombian IT specialist Christian Rodriguez to create an encrypted mobile communication system for him through which he could communicate with accomplices without fear of wiretapping special services.

Rodriguez created a similar system and, judging by the description , it was a VoIP telephony with traffic encryption. Clients of the system were installed on bandits' mobile phones, after which “it was enough to dial 3 additional digits” to talk without fear of wiretapping.

After the introduction of the system, Rodriguez accompanied her, and also was engaged in other IT projects (for example, organized wiretapping of his wife El Chapo), obeying the will of the drug lord.

After some time, Rodriguez was recruited by the FBI and that ... according to SecurityLab.ru, it leaked the encryption keys ... or according to the New York Times "it installed recording equipment on the encrypted network that sent to the FBI at midnight copies of all El Chapo's negotiations."

In a nutshell, that's all. Now let's move on to the analysis of laws.

Licensing



© screenshot from the game “Heroes of Might and Magic”

Our story begins with El Chapo hiring Rodriguez to develop a secure communications system.

In terms of paragraphs. 1 p. 1 Article 12 of the Federal Law dated 04.05.2011 N 99-ФЗ "On licensing of certain types of activities" Rodriguez, in order to implement the contract with El Chapo, must have a license "for cryptography".

If Rodriguez does not have such a license, and he got involved in the work, then for this, in accordance with Art. 13.13 Administrative Code threatens administrative, and in accordance with Article. 171 of the Criminal Code of the Russian Federation criminal liability.

The cryptography license is correctly called -a license for the development, production, distribution of encryption (cryptographic) means, information systems and telecommunication systems protected using encryption (cryptographic) means, performance of work, provision of services in the field of information encryption, maintenance of encryption (cryptographic) means, information systems and telecommunication systems protected using encryption (cryptographic) means (unless technical observance tinning of encryption (cryptographic) means, information systems and telecommunication systems protected using encryption (cryptographic) means is carried out to ensure the own needs of a legal entity or individual entrepreneur). Further, for simplicity, we will use the wrong, but more understandable and short name - the license for cryptography.

In accordance with Decree of the Government of the Russian Federation dated November 21, 2011 N 957 “On the Organization of Licensing of Certain Types of Activities”, the FSB of Russia is engaged in the issuance of licenses “for cryptography”.

The procedure for obtaining a license and licensing requirements for Rodriguez are described inDecree of the Government of the Russian Federation of 04.16.2012 N 313 (as amended on 05/18/2017) “On approval of the Regulation on licensing the activities for the development, production, distribution of encryption (cryptographic) means, information systems and telecommunication systems protected using encryption (cryptographic) means , the performance of work, the provision of services in the field of information encryption, the maintenance of encryption (cryptographic) means, information systems and telecommunication systems protected using by means of encryption (cryptographic) means (unless the maintenance of encryption (cryptographic) means, information systems and telecommunication systems protected using encryption (cryptographic) means,.

At the same time, it’s not enough for Rodriguez to “just get” a license, it should list the relevant permitted activities, the full list of which is given in the Appendix to Decree of the Government of the Russian Federation of 04.16.2012 No. 313 . Depending on the composition of the permitted activities, Rodriguez will face various licensing requirements, ranging from qualifications for education to access to state secrets.

With this in mind, Rodriguez was engaged not only in the development of the system, but also in its implementation and maintenance, then offhand in his license should include the following activities (numbering in accordance with Decree of the Government of the Russian Federation of 16.04.2012 No. 313):
3. Development of secure telecommunication systems using encryption (cryptographic) means.
4. Development of tools for the production of key documents.
5. Modernization of encryption (cryptographic) means.
6. Modernization of key documents production tools.
7. Production (replication) of encryption (cryptographic) means.
9. Production of telecommunication systems protected using encryption (cryptographic) means.
10. Production of key documents production tools.
12. Installation, installation (installation), adjustment of encryption (cryptographic) means, with the exception of encryption (cryptographic) means of protecting fiscal data, developed for use as part of cash registers certified by the Federal Security Service of the Russian Federation.
14. Installation, installation (installation), adjustment of telecommunication systems protected using encryption (cryptographic) means.
15. Installation, installation (installation), adjustment of the means of manufacturing key documents.
16. Repair of encryption (cryptographic) means.
18. Repair, maintenance of secure telecommunication systems using encryption (cryptographic) means.
19. Repair, maintenance of the means of manufacturing key documents.
20. Work on the maintenance of encryption (cryptographic) facilities provided for by the technical and operational documentation for these facilities (unless the indicated operations are carried out to ensure the personal needs of a legal entity or individual entrepreneur).
21. Transfer of encryption (cryptographic) means, with the exception of encryption (cryptographic) means of protecting fiscal data, developed for use as part of cash registers certified by the Federal Security Service of the Russian Federation.
23. Transmission of telecommunication systems protected using encryption (cryptographic) means.
24. Transfer of means for the production of key documents.
Immediately, we note that the use of encryption for their own purposes is not licensed in Russia and, accordingly, no El Chapo license for cryptography is required.

Further, we assume that Rodriguez has a “cryptography” license with related activities.

Development and production



© Internet pictures

In accordance with the licensing requirements, namely paragraphs. b Clause 6 of Decree of the Government of the Russian Federation of 16.04.2012 N 313 Rodriguez is obliged in his work to be guided by the relevant regulatory and methodological documents issued by the FSB of Russia, the main among which is the Order of the FSB of the Russian Federation of 09.02.2005 N 66 (as amended of 12.04.2010) On approval of the “Regulation on the development, production, sale and operation of encryption (cryptographic) means of information protection (Regulation PKZ-2005)” (Registered in the Ministry of Justice of the Russian Federation 03.03.2005 N 6382) " (hereinafter PKZ-2005).

In accordance with this document the process of creating a secure mobile system communication consists of the following steps:

  1. Development.
  2. Production.
  3. Spread. Despite the fact that Rodriguez did custom-made / custom development, the process of its transfer to the customer is treated as distribution.

All these stages imply close cooperation with the FSB of Russia and the coordination of technical tasks and documentation for the system being produced.

Operation of a secure mobile communications system



© Internet pictures

We assume that the operation of a secure mobile communication system is El Chapo's area of ​​responsibility. Rodriguez is involved in this only as those. support.

From the description of the history of El Chapo, we remember that the system was created to protect against wiretapping by law enforcement agencies. This basis is weakly correlated with the current legislation, therefore, we assume that the purpose of the system is: “information protection for personal and family needs”. With this purpose of operation, El Chapo has no restrictions, and he can do whatever he wants and how he wants with the system.

For our article, this is too simple and not interesting.

Based on the investigation, it was established that in a telephone conversation El Chapo gave commands to bribe and bribe officials and most likely called their names, surnames and other personal information, that is, personal data (hereinafter - PD).

Let’s imagine that El Chapo, having read Federal Law of July 27, 2006 N 152-ФЗ “On Personal Data” , understood that he is a personal data operator and that he actually uses personal data not for personal needs, but for entrepreneurial activity, and that required by law to protect them.

Cryptographic protection of personal data



© Internet pictures

Since during telephone calls PDs are transmitted in the clear via the public communications network, El Chapo thought and decided that there was a high risk of PD being intercepted by intruders, and therefore the information needed to be encrypted.

For cryptographic protection of personal data, in accordance with

El Chapo must build a model of the intruder, on the basis of which to determine the required class of cryptographic protection. Since El Chapo is afraid of special services, he needs a means of protection of the maximum class - KA .

El Chapo opened the list of cryptocurrencies certified by the FSB of Russia and, not finding anything suitable, turned to Rodriguez. Here our story, like many projects in information security, makes a loop, and we again return to the development stage. Without going into details, we assume that Rodriguez made and certified in the FSB for the corresponding class in the FSB.

Since El Chapo protects personal data, the requirements of PKZ-2005 are mandatory for him.for execution. There is nothing supernatural in these requirements, and in fact they only force El Chapo to comply with the requirements of the technical documentation for the system, which Rodriguez prepared and agreed with the FSB of Russia.

In addition to the above documents, El Chapo is obliged to be guided by the “Instructions on the organization and security of storage, processing and transmission through communication channels using cryptographic protection means of information with limited access that does not contain information constituting a state secret”, approved by order of the FAPSI of June 13, 2001 years N 152 (in common people - FAPSI 152).

According to this document, El Chapo will need to build internal processes related to the operation of cryptocurrencies, among which are:
  • the organization of training and admission of bandits to use the equipment of secure mobile communications (in science - the admission of users to independent use of cryptocurrencies);
  • per-instance accounting of system software clients and crypto keys;
  • the organization of security facilities in which telephone maintenance will be carried out and the formation of crypto keys;
  • and etc.

Export of secure mobile phones abroad



© Internet Pictures

Since El Chapo conducted “international business”, protecting communications while communicating with foreign “partners” would be no less relevant for him than protecting negotiations within the country. To do this, whatever one may say, he would need to transfer to foreigners either software for his mobile communication system, or a phone with already installed and configured software clients.

Both of them, according to Russian law, are interpreted as the export of encryption (cryptographic) funds abroad and, in accordance with the Regulation on the import into the customs territory of the Eurasian Economic Union and the export of encryption (cryptographic) means from the customs territory of the Eurasian Economic Union (Appendix N 9 to Decision of the Board of the Eurasian Economic Commission of April 21, 2015 N 30), limited (except for personal use, but this is not our case).

Before going through customs, El Chapo would have to get an export permit, which are of two types:
  1. Notification
  2. Licensing

Notification - a simplified form of import / export permits - is used for “weakened” or “everyday” cryptography. The list of funds subject to notification is defined in Appendix No. 4 to the Regulation on the Import into the Customs Territory of the Eurasian Economic Union and the Export from the Customs Territory of the Eurasian Economic Union of Encryption (Cryptographic) Means (Appendix No. 9 to the Decision of the Board of the Eurasian Economic Commission of April 21, 2015 . N 30)

Since El Chapo’s secure mobile communication system has a spacecraft cryptographic protection class , it will not cost notification, and he will have to obtain a license for export. To do this, he will have to go through the quest, the task for which is described inDecision of the Board of the Eurasian Economic Commission dated 06.11.2014 N 199 (as amended on 04/19/2016) “On the Instructions on the application for issuing an export license and (or) import of certain types of goods and on the issuance of such a license and the Instructions on issuing an export permit and (or) import of certain types of goods ” , and it’s far from the fact that he can do it ...

Conclusion


I hope that with this phantasmagoric example, you could get general ideas about the main directions of cryptography regulation in the Russian Federation. For further development, I recommend that you familiarize yourself with the list of basic legislative and regulatory acts governing information security in Russia.

Disclimer . The author, like all progressive humanity, strongly condemns the illegal drug trade and other criminal activities. The sun, air and water are our best friends.

Also popular now: