This article is more than 1 year old
Moscow says writing infrastructure attack code is a thought crime
Bill suggests sending malware authors to the gulag archipelago
Malware writers whose wares are used by separate attackers to pop Russian national infrastructure could end up fined and in jail, if a new Russian bill become law.
The bill (Number 47571-7, Russian) reported by local media threatens those involved in the manufacture of malware subsequently used in damaging attacks against telecommunications, transport, or energy with up to a decade in jail, forced work for the state, or up to a million rubles (US$15,765, £12,526, A$21,145) fine.
Authors would not need to be directly responsible for attacks: merely having written "deliberately nefarious" tools required to pull off the hacks would be enough for a conviction.
Attacks are considered in scope of the bill if they involve blocking or modificating critical infrastructure data, copying it, or disabling relevant security controls.
It is unknown how such laws could impact authors of legitimate hacking tools, although the bill states wares must be deliberately built for offensive hacking.
Russia's large and vibrant information security community, like others around the world, develops tools for crucial offensive penetration testing that are equally useful to black hat criminals wanting to break into infrastructure.
It's harder to find legitimate uses for tools such as remote access trojans and booter or denial of service network stressing services, yet all are technically dual-use.
The Register has sought comment from Russian white hats hackers on how the draft bill may impact their practices.
The draft bill comes days after Russian President Vladimir Putin signed the nation's new information security doctrine [PDF] (Russian) that lists foreign spies, terrorists, and criminals as the chief threats to Moscow and the main beneficaries of technolgy vulnerabilities and weaknesses.
Russia has recently ramped up its efforts to have government agencies adopt local tech. The resulting recommended vendor list has proved permeable, but has also emboldened local vendors and cloud operators. ®