The third and final day of RIGF 2021 opened with the session "Attributing cyberattacks on the internet. Myths busting." The moderator, Alexei Lukatsky from Cisco, delivered opening remarks pointing out the special relevance of this topic today due to a rapid growth in the number of accusations of cyberattacks against various countries. The speaker suggested considering whether unequivocal identification of cybercriminals is possible on the internet at all, what approaches are used in attributing cyberattacks, and what difficulties law enforcement agencies encounter with interstate exchanges during the investigation of cybercrimes.
Alexander Kalinin (Group-IB) cited some examples of attribution of attacks by large hacker groups. He spoke about the company's experience in investigating cyber incidents and emphasized that while each of the attribution elements taken separately – signature, hosting and registrar, graph analysis or additional indicators – might mean nothing, all taken together, they can actually lead to attributing a cybercrime.
Sergei Golovanov from Kaspersky Lab agreed with his colleague. He shared examples of recent incidents and added that attributing an attack is critical to further prosecution of the perpetrators and trial. “Attribution is everyone’s responsibility, including witnesses, specialists and experts. Experts can express their opinions, but experts working with material evidence cannot afford any guesswork – they have to use a clear methodology, and the examination process must be reproducible,” he said. Attribution requires clear evidence, verified by experts, and not the personal opinion of an individual. Furthermore, before calling someone a criminal, the case must be brought to court.
Liis Vihul (Cyber Law International, Estonia) spoke about the approaches to attributing cyberattacks in international law and the difficulties encountered in the investigation of cross-border crimes. She noted that, to be able to claim that some action took place in a country’s cyberspace, evidence needed to be presented – not only technical information but also other things such as reports from various organizations, research etc. Only then can the evidence base be considered complete.
Igor Zalevsky (Rostelecom-Solar) spoke about how cybercriminals are identified in reality at the request of a specific company. He noted that most customers want to protect themselves from further attacks, while finding the perpetrator who was behind the crime seems less important to them, especially considering that the cost of investigation can be much higher than their losses from the attack.
Summing up the discussion, the experts noted that there are no technical difficulties in investigating cross-border crimes today, but so far there is no single international judicial body able to handle international cybercrime.
The next session, "User agreements with internet platforms: Way to protect Russian Internet users’ rights and the state’s interests," focused on overcoming the inequality in legal status between the internet platform and the user that all user agreements come with.
According to moderator Anna Dupan (Higher School of Economics), despite the differences in the phrasing of the user agreements, almost all of them contain a clause stating that the platform has the right to block any user’s account or to censor or delete their content without any reason. At the same time, the platform is not liable to the user for any harm caused as a result of such action. More than that, to be able to use the platform, users are required to submit their personal data – in fact, the platform gets unlimited access to their data, and not only to data it actually needs to fulfill the user agreement.
Many Russian users have encountered blocking on YouTube due to incorrect markup of their video content, said Karen Kazaryan from RAEC. The platform has shown no interest in getting to the root of the problem.
Anna Starkova (Rossiya Segodnya) also cited examples of injustice and blockages that RIA Novosti faces as a media outlet using Western websites, and called for the protection of the rights of Russian users and companies. “First of all, we need to build communication with Western social media through their representative offices in our country. Russian internet companies could also help defend the rights of the Russian media and information sovereignty, but to be able to do so, they would have to create platforms that would be superior to their Western counterparts. And we actually have enough potential for that, and it is the only way we can avoid the blocking of individual users and media outlets alike,” she said.
Dmitry Magonya (ART DE LEX) noted that internet platforms now have a lot of power over users. “It is imperative for state authorities to regulate the internet platforms. This is happening all over the world. States must find ways to protect the interests of the population in their interaction with tech giants,” the speaker said.
Roman Krupenin, representative of Yandex, Russia’s largest internet platform, said platforms today are struggling with sometimes conflicting requirements that cannot be met. Many modern services could not work without user data, and personalization is primarily needed for the convenience of the user. “In any case, when working out requirements for platforms, the authorities would need to use the most balanced and differentiated approach,” he concluded.
According to Elena Zayeva (FAS Russia), the accumulated data can strengthen companies’ bargaining power and increase competition in the market. “If platforms manage people’s personal data in such a way that users understand and exercise their right to switch platforms, then platforms won’t overstate their requirements. But for users to know how to use their rights, these rights must be explained to them first,” she said.
Yury Kontemirov (Roskomnadzor) also highlighted personal data security, adding that the user should be able to decide whether they agree to the conditions or whether to refuse certain services or conditions the website offers.
“We are working to foster a culture of online conduct. Consumers need to understand which resources can be trusted with their personal data, which resources do not carry risks of violation of their rights or leakage of personal data. A person should be able to use the criteria that are proposed as part of various awareness-raising activities aimed at fostering this culture to figure out who can be trusted in the internet landscape,” he said.
Summing up the discussion, Anna Dupan from Higher School of Economics noted that the platforms need to be given the opportunity to set the rules of the game themselves, and communicate them to their users. They need to explain to people how exactly their data is used. A dialogue between the platform and the user moderated by the state would help avoid serious problems. There would be no need to deal with emerging problems by blocking users or slowing traffic – they would be addressed by means of dialogue.