New edition of Art. 274 of the Criminal Code of the Russian Federation
1. Violation of the rules for operating means of storing, processing or transmitting protected computer information or information and telecommunication networks and terminal equipment, as well as rules of access to information and telecommunication networks, resulting in the destruction, blocking, modification or copying of computer information, causing major damage -
shall be punishable by a fine in the amount of up to five hundred thousand rubles, or in the amount of the wages or other income of the convicted person for a period of up to eighteen months, or by correctional labor for a term of six months to one year, or by restriction of liberty for a term of up to two years, or by forced labor for a term of up to two years, or imprisonment for the same term.
2. The act provided for in the first part of this article, if it entailed grave consequences or created a threat of their occurrence, -
shall be punishable by forced labor for a term of up to five years or imprisonment for the same term.
Article 274 of the Criminal Code of the Russian Federation
This standard establishes liability for entities that violate the procedure for operating means for processing, storing, redirecting protected computer data, information and communication networks, terminal equipment, the procedure for accessing them, resulting in blocking, destruction, modification, copying of information and causing significant damage. For these acts the perpetrator is charged with:
- Fine up to 500 thousand rubles or in the amount of his income for 1.5 years.
- Correctional work lasting 6 months to 1 year.
- Restriction of freedom.
- Forced labor.
- Imprisonment.
The duration of the last three punishments is 2 years. If the above acts resulted in serious consequences or created the danger of their occurrence, the perpetrator is sentenced to forced labor for a period of up to 5 years or to imprisonment for a similar period.
Additional information:
- Part I (2 - 5 years): Part 1 of Art. 274.1 of the Criminal Code, impact on the critical information infrastructure of the Russian Federation
- Part II (2 - 6 years): Part 2 of Art. 274.1 of the Criminal Code, access to information in the information infrastructure of the Russian Federation
- Part III (up to 6 years): Part 3 of Art. 274.1 of the Criminal Code, violation of the rules for operating information infrastructure
- Part IV (3 - 8 years): Part 4 of Art. 274.1 of the Criminal Code, by a group of persons by prior conspiracy
- Part V (5 - 10 years): Part 5 of Art. 274.1 of the Criminal Code, leading to grave consequences
- Plenum of the Supreme Court: paragraph 20 of Plenum No. 48, use of malware in fraud
Article 274.1 of the Criminal Code. Unlawful influence on the critical information infrastructure of the Russian Federation
1) Creation, distribution and (or) use of computer programs or other computer information knowingly intended to unlawfully influence the critical information infrastructure of the Russian Federation, including:
- for destruction,
- blocking,
- modification,
- copying the information contained therein,
- or neutralization of means of protecting said information,
punishable:
1 | forced labor + with restriction of freedom up to 2 years (or without) | up to 5 years |
2 | imprisonment + with a fine of 500,000 - 1,000,000 | 2 - 5 years |
2) Illegal access to protected computer information contained in the critical information infrastructure of the Russian Federation, including using computer programs or other computer information that is obviously intended to unlawfully influence the critical information infrastructure of the Russian Federation, or other malicious computer programs, if it caused harm to the critical information infrastructure of the Russian Federation,
punishable:
1 | forced labor + with a fine of 500,000 - 1,000,000 (or without) | up to 5 years |
2 | imprisonment + with a fine of 500,000 - 1,000,000 | 2 - 6 years |
3) Violation of the rules for operating means of storing, processing or transmitting protected computer information contained in the critical information infrastructure of the Russian Federation, or information systems, information and telecommunication networks, automated control systems, telecommunication networks related to the critical information infrastructure of the Russian Federation, or rules of access to the specified information, information systems, information and telecommunication networks, automated control systems, telecommunication networks, if it resulted in damage to the critical information infrastructure of the Russian Federation,
punishable:
1 | forced labor + with deprivation of rights for up to 3 years (or without) | up to 5 years |
2 | imprisonment + with deprivation of rights for up to 3 years (or without) | up to 6 years |
4) Acts provided for in Part 1, part 2, part 3 of this article, committed:
- by a group of persons by prior conspiracy,
- or an organized group,
- or by a person using his official position,
are punished:
imprisonment + with deprivation of rights for up to 3 years (or without) | 3 - 8 years |
Additional information: Methodological recommendations of the Prosecutor General's Office (Guidelines): what is meant by official position
5) Acts provided for in Part 1, part 2, part 3, part 4 of this article, if they entailed grave consequences,
are punished:
imprisonment + with deprivation of rights for up to 5 years (or without) | 5 – 10 years |
Article 274 of the Criminal Code of the Russian Federation: comments
The key object of encroachment is social relations related to ensuring the safety of using PCs and computer networks (systems). Accordingly, the subject of the crime is equipment used for storing, transmitting, and processing computer information. The composition of the act has a material structure. When assessing an act, the criteria established by Articles 272 and 274 of the Criminal Code of the Russian Federation are used. The first norm, in particular, defines the consequences of destruction, blocking, and modification of information.
Types of requirements
Rules for the operation of equipment, for violation of which Article 274 of the Criminal Code of the Russian Federation formulates punishment, may contain instructions of a technical nature or provisions regulating work with various system products. The first, for example, includes requirements for humidity, voltage, electromagnetic field, and so on. The second are provisions on the sequence of issuing commands/performing operations, prohibiting the implementation of certain procedures, monitoring the compatibility of different software products, mandatory performance of certain actions upon the occurrence of specific circumstances, etc. In addition, the rules may contain a description of organizational activities. For example, these could be operations to back up information or requirements to use an uninterruptible power supply. The requirements for compliance with these provisions depend on the specifics of the operation of a particular enterprise.
Nuances
The crime, the punishment for which is established by Article 274 of the Criminal Code of the Russian Federation, is considered completed at the moment of modification, blocking, or destruction of computer data in such quantities that their absence causes significant harm to the user or owner of the data. Materiality in this case acts as an evaluative concept. The amount of harm caused by a crime in violation of the rules for operating equipment will be determined based on the totality of all data available to the court. In part two, Article 274 of the Criminal Code of the Russian Federation provides for punishments for acts that have caused grave consequences. Their list is not disclosed in the law. However, in practice, the provisions on consequences established in Article 273 are applied.
What to expect from judicial practice under Article 274.1 of the Criminal Code of the Russian Federation
Predicting judicial practice is a thankless task, but sometimes it is possible with a high degree of confidence in the result. The CII subject is primarily interested in who and in what case can be held accountable under Parts 3-5 of Article 274.1 of the Criminal Code of the Russian Federation (“Unlawful influence on the critical information infrastructure of the Russian Federation”). For a crime to occur under these elements, two factors are required: damage must be caused to the CII and the cause of this harm must be the culprit’s failure to comply with the rules for operating “means of storing, processing or transmitting protected computer information contained in the CII”. CII is defined in Federal Law-187 as a set of critical information infrastructure objects and telecommunication networks used to organize the interaction of such objects. Accordingly, causing harm to any CII object will cause harm to the CII as a whole.
The subject area under consideration can be characterized as follows:
- There are objects at which incidents can lead to resonant consequences (people may die, production may stop, environmental consequences may occur, etc.)
- There are rules for the operation of these facilities; someone can violate these rules intentionally or out of ignorance, and this violation can cause such an incident. However, it is not clear what rules are being discussed in the article.
- Only a very specific person can become the culprit of the violation - the investigation must establish and prove that the inaction of this person or certain actions of this person became the cause of the incident and the harm caused by it. Accordingly, it is unclear who could be considered such a culprit in the event of a real incident.
There is no statistically significant judicial practice on the application of this article, and none is expected in the near future. But there is Article 274 of the Criminal Code of the Russian Federation (“Violation of the rules for operating means of storing, processing or transmitting computer information and information and telecommunication networks”), which at first glance is completely similar and on which there is judicial practice. Here is what is said about it in the methodological recommendations of the Prosecutor General's Office of the Russian Federation:
- “The subject of this crime is the means of storing, processing or transmitting protected computer information, information and telecommunication networks and terminal equipment.”
Everything is clear here: for a crime to occur, the harm must be caused by an impact on the technical component of the object.
- “This norm is blanket and refers to specific instructions and rules establishing the procedure for working with means of storing, processing or transmitting protected computer information, information and telecommunication networks and terminal equipment in a department or organization.”
I.e., there are no abstract rules known to everyone by default - only the requirements of specific documents can be violated.
- “These rules must be set by the authorized person.”
Here, too, it is clear: no one is obliged to carry out the instructions of a person who has not been given such powers by anyone. Only requirements established by an authorized person are taken into account.
- “A causal connection must be established between the fact of the violation and the significant harm that has occurred, and it must also be proven that the consequences that have occurred are the result of a violation of the operating rules... The rules referred to in Art. 274 of the Criminal Code of the Russian Federation should be aimed only at ensuring information security.”
Obviously.
- “Rules of access and operation related to information processing are contained in various regulations, instructions, charters, orders, GOSTs, project documentation for the corresponding automated information system, contracts, agreements and other official documents.”
I.e., a violation of operating rules is considered to be a violation of any mandatory requirements in general, no matter what documents and regulations they are contained in.
I want to especially note the last point: I often hear the opinion that operating rules refer only to internal regulations of the organization that owns the information system - they say, only the owner of the information system can establish rules for its operation. This does not correspond to the position of the Prosecutor General’s Office cited above, which clearly names state standards as one of the sources of operating rules - they are in no way internal regulations of the organization. This error in interpretation is due to two factors.
When retelling someone else's opinion, people tend to omit or distort what they consider to be insignificant details. Thus, in textbooks the concept of “rules of operation” is retold in simpler language and, for example, to students of the University of the Prosecutor’s Office of the Russian Federation it is presented as follows:
These rules must be established by an authorized person and adopted in the proper manner, for example, approved by a written order, with which the performers must be familiarized with signature. In addition, operating rules can not only be established by an authorized person, but also determined by technical descriptions and instructions transmitted by the employer to the employee, as well as by the user from the manufacturer when purchasing the corresponding device or software, or by the rules of access to information and telecommunication networks in certain cases.
As we can see, the meaning of the explanations of the Prosecutor General’s Office is preserved here, but GOSTs and other official documents have disappeared from the examples, only internal regulatory documents remain, which the user or employee is familiar with. It is not surprising that in the future graduates do not turn to primary sources, but retell the material they have learned once.
The second factor is the negligible number of cases of application of Article 274 of the Criminal Code of the Russian Federation: according to the Judicial Department under the Supreme Court of the Russian Federation, in 2017-2018, all courts of the Russian Federation issued 2 (in words “Two”) sentences, and in both cases this article was additional to the main act. According to other sources (thanks to Valery Komarov), in 2010-2017, law enforcement agencies opened only 21 criminal cases with the qualification of the act under this article. Therefore, when talking about judicial practice regarding violations of operating rules, we are dealing with a statistically insignificant sample, which mainly included crimes against commercial companies initiated at the request of their owners. To qualify the act, it was enough that the internal rules of the victims were violated.
In CII, in relation to significant objects, we have a fundamentally different situation: there are a number of legal norms that define the responsibilities of the CII subject during the operation of a significant CII object - see, for example, section 13 of FSTEC Order No. 239. The question arises: what will happen if the cause of a high-profile incident at a significant CII facility is ignoring the regulator’s requirements?
Judicial practice under Article 274 of the Criminal Code of the Russian Federation does not help us here, but there is another subject area that has exactly the same characteristics - fire safety:
- There are objects where fires can lead to resonant consequences (people may die, production may stop, environmental consequences may occur, etc.)
- There are fire safety rules for these facilities; someone can violate these rules intentionally or unknowingly, and this violation can cause such an incident. At the same time, it is just as unclear what rules are being discussed in the article.
- Only a very specific person can become the culprit of the violation - the investigation must establish and prove that the inaction of this person or certain actions of this person became the cause of the incident and the harm caused by it. Accordingly, it is unclear who could be considered such a culprit in the event of a real incident.
In the review of judicial practice, we see that the Plenum of the Supreme Court of the Russian Federation interprets the concept of “fire safety rules” in the same way as the Prosecutor General’s Office interprets the concept of “operation rules”:
As you know, the disposition of this article is blanket. The legislator does not disclose the concept of “fire safety rules” in it and refers us to the norms of special legislation. At the same time, in the Federal Law “On Fire Safety” one of the types of regulatory documents in this area is called “fire safety rules”. At the same time, this Federal Law classifies as regulatory documents on fire safety standards, norms, instructions and other documents, the violation of which upon the occurrence of those specified in the disposition of Art. 219 of the Criminal Code of the Russian Federation entails criminal liability.
As we can see, in both subject areas, by “rules” the judicial system of the Russian Federation understands the totality of all norms establishing the responsibilities of a subject in a given subject area, regardless of which document specifically establishes these responsibilities. This means that we should expect that when applying Article 274.1 of the Criminal Code of the Russian Federation, the judicial system will also include the regulatory requirements of the FSB and FSTEC, which define the responsibilities of the CII subject during the operation of the CII facility, as operating rules.
Simply put, if clauses 13.2 and 13.3 of FSTEC Order No. 239 require the CII subject to periodically analyze vulnerabilities and perform update management, then failure to comply with these requirements in the event of a successful ransomware attack on the CII object will become an independent criminal offense, the responsibility for which lies with the CII subject. And here an interesting question arises: who exactly will bear this responsibility?
And here again judicial practice in fire safety cases comes to the rescue. Here is one typical example. The organization rented a landing stage and equipped a dormitory on it. A person responsible for fire safety was appointed, but in fact, fire safety requirements were not met or were not met in full (the verdict lists only violations). There was a fire and a person died. The court found:
- Despite the fact that by order of the director, a person responsible for fire safety was appointed, it was the director who “did not ensure that the responsible employees were trained in the fire-technical minimum in terms of knowledge of the requirements of regulatory legal acts regulating fire safety, in terms of the fire regime, as well as techniques and actions in the event of fire in the organization, allowing them to develop practical skills in preventing fire, saving lives, health and property in case of fire, did not test employees’ knowledge of fire safety requirements.”
- It was the director who “failed to ensure that fire safety signs were in good working order, including those indicating evacuation routes and emergency exits, as a result of which the evacuation lighting did not turn on automatically when the power supply to the working lighting was cut off.”
- It was the director’s fault that “the landing stage superstructure building, being a public facility, was not equipped with an automatic fire alarm system with smoke detectors installed in the premises,” etc.
The court ruled that all the violations listed in the verdict were committed by the director, consciously, for the sake of economy, with an understanding of the possible consequences. The director was found guilty, and the fact that he got off with a suspended sentence, which was removed from him due to the amnesty, is a completely different story.
This practice is quite applicable to significant CII objects. If an attack on a CII facility leads to resonant consequences, someone has to bear responsibility. Following the logic that guided the court when rendering the sentence discussed above, personnel responsible for ensuring security, whether it is fire or information security, are responsible only for the performance of those duties that are clearly established for them by external or internal regulations. If the head of the organization did not appoint those responsible, did not define their responsibilities, or did not provide the opportunity for them to fulfill these responsibilities (did not organize training, did not allocate a budget, etc.), then he himself bears responsibility for the consequences.
This is not the only such sentence, it was just the first one that appeared in the search results. It is not a fact that the investigation and the courts will always adhere to this logic. But this example shows that in cases where the loss of life or other equally resonant consequences are involved, the head of the organization is often responsible for the consequences jointly with the responsible employees, and in some cases, individually.
Subjective part
Any sane citizen of 16 years of age can be held accountable for the crime in question. At the same time, he must have access to a PC, computer system (network). In the last two cases, the subject of the crime is special, endowed with appropriate official powers. Bringing a person to justice is carried out not only on the basis of the very fact that he has access to a PC, networks or computer system. Of no small importance during qualification is their familiarization with the rules or instruction in the operation of equipment. This fact must be documented. There must be a connection between the consequences and the actions of the subject. Acts for which responsibility is fixed in Part 1 of Art. 274, are classified as minor, and in part two – moderate.
Commentary on Article 274 of the Criminal Code of the Russian Federation
1. The main object of a criminal attack is social relations that ensure the safety of the operation of computers, computer systems or their networks.
2. The subject of the attack is a computer, a computer system or their network.
3. The objective side of the crime is a violation of the rules for operating a computer, a computer system or their network, resulting in the destruction, blocking or modification of computer information protected by law, if this act caused significant harm (Part 1) or grave consequences (Part 2).
4. According to the legislative structure, the corpus delicti is material.
5. For destruction, blocking and modification of computer information, see paragraphs 5.5 - 5.7 of the commentary to Art. 272.
6. Violation of operating rules can be expressed in non-compliance, improper compliance or direct violation of the rules ensuring the safety of information and the integrity (operability) of computer equipment. Violation of the rules can be committed either by action or by inaction (failure by the offender to comply with the requirements enshrined in the rules).
7. The commented article does not contain specific technical requirements for the operation of computers and refers to instructions and rules defining the procedure for working on computers. The rules must be established by a specially authorized person or body and communicated to users, to whom liability under Art. 274 applies for violation of or non-compliance with these rules.
7.1. The network refers only to the internal network of a department or organization, which may be subject to the requirements of rules and regulations. The commented article applies only to crimes committed on local networks. It is not used in global networks such as the Internet.
7.2. We can distinguish two types of computer operating rules that should guide the activities of persons working with a computer, a computer system or their network. The first type of rules are instructions for working with computers and computer storage media, developed by the manufacturer of the computer and peripheral technical devices that are supplied with the computer. These rules are required for compliance by the computer user under the threat, as a rule, of loss of rights to warranty repairs and maintenance. The second type of rules are rules established by the owner or legal user of information resources, information systems, technologies and means of supporting them. They determine the procedure for using a computer, a computer system and a computer network, as well as other computer media <1>.
<1> See: Krylov V. Forensic problems of assessing crimes in the field of computer information // Criminal law. 1998. N 3. P. 88.
7.3. Rules can be established both by competent authorities and by computer manufacturers or software developers, as well as by the owner or legal user of a computer, computer system or their network.
7.4. Responsibility for violation of the rules can only arise if these rules were adopted properly (developed by specialists and signed by the head of the institution, department, etc.), fixed (usually on paper) and communicated to the user (usually against signature).
7.5. The rules may be contained in: regulations; departmental regulations; rules established in specific organizations; technical descriptions and operating instructions; instructions for using computer programs (the corresponding instructions can be attached both on paper and on computer media), etc.
7.6. The rules for operating a computer can establish both technical requirements (voltage, humidity, mechanical and chemical effects, device compatibility, electromagnetic field, etc.) and provisions governing work with software products (sequence of issuing commands or performing procedures, a ban on performing any operations with software, monitoring the compatibility of various software products, mandatory performance of certain procedures upon the occurrence of certain circumstances, etc.). And such activities as backing up information and using an uninterruptible power supply should be classified as organizational requirements for the security of computer information, since the requirements to comply with these rules depend on the characteristics of the activities of a particular organization.
8. The crime (Part 1) is completed (by elements) at the moment of destruction, blocking or modification of such a quantity of information or such information, the absence of which caused significant harm to the legitimate user or owner of the information.
8.1. The significance of the harm is an assessment category, and the determination of the amount of harm caused as a result of violation of the rules of operation of a computer, computer system or their network will be carried out by the court, taking into account the totality of available data.
9. The subjective side of the crime is expressed in the form of intent or negligence. In a qualified composition, two forms of guilt are possible.
10. Part 2 of the commented article establishes liability for violation of the rules of operation of a computer, computer system or their network, causing grave consequences through negligence.
10.1. The list of grave consequences, as well as significant harm, is not disclosed in the law. However, these should include the consequences indicated in the commentary to Art. 273.
11. There must be a cause-and-effect relationship between a violation of the rules of operation of a computer, a computer system or their network and the consequences specified in the disposition: the destruction, blocking or modification of computer information must be a consequence of a violation of the rules of operation of a computer, and they, in turn, must be the cause of the occurrence of significant harm or serious consequences.
12. The subject of a criminal offense is a sane individual who has reached the age of 16 and has access to a computer, a computer system or their network (special subject).
13. In order to hold a person criminally liable, it is necessary to establish not only the fact that the perpetrator has access to a computer, computer system or their network, but also the fact (documented) that this person has undergone instruction or familiarization with the rules of operation of the computer, computer system or their network.
14. The acts described in part 1 belong to the category of crimes of minor gravity, in part 2 - of medium gravity.