U.S. officials recently warned about pro-Russian hackers targeting poorly secured water systems around the country. While the U.S. was issuing this notice, the Russian government was advancing its own cyber measure: a final-stage bill to legalize white hat hacking.
White hat hacking, sometimes described as ethical hacking, generally refers to security researchers and cybersecurity firms going into company and government networks to probe for vulnerabilities. It’s a widespread practice in the U.S. and elsewhere, aimed ultimately at better protecting targets.
Alongside water system attacks, the Russian war on Ukraine and sanctions on Russia’s technology sector, a white hat hacking law may seem pointless or even an item that should be at the bottom of Moscow’s to-do list. But the Kremlin’s nearly finalized white hat hacker rules expose the profound challenges facing Russia’s tech sphere — and Moscow’s path to cement its future cyber power.
Prior to February 2022, when the Russian government launched its full-scale invasion of Ukraine, there was great entanglement between technology firms in Russia and the West. Despite U.S. government restrictions on the use of Kaspersky, the Russian antivirus software, Russian businesses had access to many technology and cybersecurity services from abroad — and vice versa.
That has changed dramatically since the war. Russia is greatly struggling with import substitution for Western software (like Microsoft Windows) and hardware (like semiconductors and smartphones) and in keeping its cyber talent in-country amid a persistent brain drain. Foreign companies continue to suspend or terminate tech services in Russia of their own volition.
The impacts of tech isolation, brain drain and sanctions have hit Russia’s cybersecurity sector, too, across everything from talent to hardware procurement. Companies providing defensive services to the private sector as well as offensive and defensive services to the state are feeling the impacts.
Moscow’s new white hat hacking law is an attempt to help reverse the tide. At Russia’s largest hacking conference last year, the minister of digital development, communications and mass media spoke at length about the importance of businesses investing in cybersecurity and of the state cultivating Russia’s cyber talent base.
“I don’t sleep peacefully” when thinking about Russian cybersecurity, he said.
In the year since, Russian tech firms like VK and cybersecurity giants like Positive Technologies have built out bug bounty programs for ethical hackers to report security flaws for payment. The nearly finalized bill seeks to legalize such activities against Russian companies.
Giving the green light for white hat hacking will enable the build-out of these bug bounty programs and efforts to bolster companies’ cyber defenses against foreign actors (including foreign governments). Such a law is one way the Russian government shapes the cyber ecosystem.
In certain areas and on certain issues, such as hacking Russians or targeting foreign governments without permission, the state sets relatively bright lines of acceptable and unacceptable behavior. Hackers know, often without it being said explicitly, that some activities are off limits. Legalizing white hat hacking does the opposite: It makes explicitly clear, in an environment riddled with uncertainty, that the government wants Russian hackers to find and plug holes in Russian networks.
After a formal review of parliament’s bill, the Russian government has recommended that it clearly include the legality of testing government networks (not currently in scope). It also recommended the bill constrain how much Russian white hat hackers could help organizations in countries committing “unfriendly” actions against Russia — in other words, don’t help Western companies.
With the state’s blessing and recommended changes, the bill has a clear and nearly certain path forward to passage.
On the strategic level, there are two sides to Russia’s so-called ethical hacking effort. It does not come from a position of strength; brain drain, Western sanctions, the inability to replace Western chips with domestic-made ones and other developments since February 2022 have hampered the Russian cybersecurity sector. Authorities modified remote work rules to let Russians support their old companies from abroad. At the same time, state entities cracked down on remote work. The creation of a white hat hacker law is, in some ways, a reflection of the Kremlin’s desperate attempt to boost the cybersecurity of Russian systems amid hacks from Ukraine and others, huge losses of talent and technology, and a need to get a wider swathe of Russians involved in cyber defense.
Simultaneously, Russia is looking to its traditional cyber power base: companies, universities, developers, cybercriminals, so-called patriotic hackers, intelligence contractors and more. Lots of countries have white hat hacking laws, and Russia’s measure is not some inherently nefarious security services plot. But the Russian state does pressure private sector developers to build hacking tools. And it pays cybercriminals to support intelligence operations while encouraging hackers to target foreign countries (among others) when it needs additional support, plausible deniability or even specific capabilities. It is a distributed, entrepreneurial and ingrained way of leveraging a wide spectrum of cyber talent to support the Kremlin.
On top of paying off cybercriminals or firing up patriotic hackers, the proposed law will encourage more citizens, independent developers, academics and even possibly criminals to get involved in bug bounty programs and in testing Russian public and private sector networks.
The takeaway for the U.S. national security community is clear: Russian cyber power isn’t just military troops and intelligence operatives; it’s about the entire base of companies, criminals and white hat hackers, too.
Justin Sherman is a nonresident fellow at the Cyber Statecraft Initiative, a program with the Atlantic Council think tank. He is also the founder and CEO of the research and advisory firm Global Cyber Strategies, as well as an adjunct professor at Duke University.