Actual Problems of Administrative Responsibility in the Field of Information Security

Duben' Andrei Kirillovich Scientific Associate, Institute of State and Law of the Russian Academy of Sciences; Assistant, Department of Civil and Administrative Proceedings, Russian State University of Justice 119019, Russia, Moscow region, Moscow, Znamenka str., 10 k.duben@mail.ru Other publications by this author

Information security as a sub-branch of information law in modern conditions is becoming increasingly important. Issues of legal responsibility in the field of information security are particularly relevant both theoretically and practically.

Information, having become one of the most important economic and political resources, expands the range of ways for its positive and socially useful use for educational, social, economic and cultural purposes, however, at the same time opens up a wide range of opportunities for its use as a weapon that destroys the stability of public relations and affects the quality of human life.

The issues of ensuring the information security of the country are increasingly relevant in the national security system of Russia, the domestic legislator promptly responds to the challenges and threats arising in this area. To date, a direction has been formed in the state in which danger and threat in the information space occupy leading positions. Thus, in the context of the development of the information society, the transformation and digitalization of law, the emergence of new challenges, threats and risks, the issues of legal responsibility in the field of information security are of particular importance for Russian legislation.

It is important to note that the Russian doctrine failed to bring to a common denominator the general concept of legal responsibility, there are different positions on what should be understood by the term "legal responsibility".

According to S.S. Alekseev, the concept under study has been transformed taking into account external and internal conditions, meanwhile responsibility is state coercion expressed in legal norms and acts as an external influence on the behavior of subjects of law ^[1]. I.S. Samoshchenko, on the contrary, notes that legal responsibility is expressed in state coercion of certain adverse actions on the part of individuals and legal entities ^[2]. Complementing this definition, Vitruk N.V. believed that legal responsibility is carried out in strict accordance with the law, i.e. it is one of the forms of state coercion ^[3]. Summarizing the theoretical positions of scientists, it is worth noting that legal responsibility in the field of information security is, to a certain extent, the reaction of the state to the commission of illegal socially dangerous actions, which has a mandatory and compulsory nature.

At the same time, legal responsibility acts as an effective way to implement the regulatory and protective function of the state in order to prevent illegal actions, as well as to protect and restore violated rights. It is worth agreeing with the position of the luminary of information law I.L. Bachilo, who noted that the institute of responsibility in information and legal relations acts as a general institution, but in information law this institute has special methods and means of legal regulation ^[4]. Thus, the institution of legal responsibility in the field of information security has an intersectoral nature associated with the norms of administrative law.

Today, information technologies and information infrastructure facilities have acquired a cross-border and comprehensive character and have become an integral part of all spheres of human activity, society and the state.

Taking into account the above features, it should be recognized that the regulation of Internet relations through various legislative measures, including the norms of administrative law, is not always possible, which is primarily due to the lack of a definition of "legal responsibility for offenses in the field of information security". Based on theoretical provisions, we believe that legal liability for offenses in the field of information security is a measure of state coercion based on legal and public condemnation of the offender's behavior and the application of appropriate measures of legal responsibility to the guilty person for the committed act infringing on information security.

Considering the current Information Security Doctrine of the Russian Federation, it is worth noting that the institute of legal responsibility in the field of information security has a certain procedure for preventing the commission of offenses that infringe on information, informatization objects, information systems, websites and other objects in the Internet information and telecommunications network, communication networks, etc. ^[5].

In turn, information security is expressed in the public interest, in this regard, the main role of the legal mechanism for the protection of legal norms is played by the provisions of administrative and tort legislation. Consequently, the risks of the digital environment, information threats are the driver of modernization of the provisions of the Code of Administrative Offences of the Russian Federation (hereinafter – the Administrative Code of the Russian Federation).

Administrative offenses in the field of information security are characterized by the following signs:

- socially dangerous and illegal act;

- violation of the rights and freedoms of citizens;

- use of information and communication technologies;

- encroachment on public relations regulating the procedure for ensuring information security.

The main administrative offenses in the field of information security are provided for by Chapter 13 of the Administrative Code of the Russian Federation "Administrative offenses in the field of communications and information". At the same time, the subject composition includes: telecom operators (Articles 13.2.1, 13.30, 13.34), organizers of the dissemination of information on the Internet information and telecommunications network (Article 13.31), owners of the news aggregator (Article 13.32), owners of the audiovisual service (Articles 13.35, 13.36, 13.37), organizers of the instant messaging service (Article 13.39), search engine operators (Article 13.40), hosting providers (Article 13.41), owners of websites or other information resource on the Internet information and telecommunications network (Article 13.41).

The analysis of administrative and legal norms showed that the offenses provided for by Chapter 13 of the Administrative Code of the Russian Federation, depending on the area of influence of the subject, can be divided into three groups:

- in the field of communication;

- in the field of mass media;

- in the field of the procedure for collecting, storing, using, distributing and protecting information.

It should be emphasized that offenses in the field of information security, as a rule, are committed on the Internet information and telecommunications network. On this information platform, no special efforts and costs are required, it is enough for offenders to have information, software and computer tools with access to the Internet information and telecommunications network. At the same time, according to data analysis, the subjects of this type of administrative offenses do not have a professional technical education. It has been revealed that there are special forums, groups and chats on information platforms that provide access to malicious and viral computer programs that provide the ability to steal customer bank card numbers, disclose personal and identification data of users, commit electronic theft and carry out attacks on computer systems of information objects.

As D.A. Savenkova rightly notes in her dissertation research, open access to the information and telecommunications network of the Internet allows you to easily commit administrative offenses using the global network. Since it is quite difficult to identify the person who committed the offense on the network. The anonymity of the Internet information and telecommunications network, free and wireless access, and the use of proxy servers make it impossible to identify the offender, because modern attackers use the so-called "chain of servers" ^[6].

The main problem of bringing to administrative responsibility for offenses in the information sphere is related to the problem of low efficiency of investigation of the category of offenses under consideration and judicial proceedings. Certain problems in the fight against administrative offenses in the information sphere are associated with a high level of latency of this group of offenses and the definition of the offense event itself, including the place and time of its commission. At the same time, the judicial authorities, when making a decision, examine and evaluate the submitted materials in totality and interrelation, guided by the provisions of the Administrative Code of the Russian Federation and Federal Law No. 149-FZ "On Information, Information Technologies and Information Protection" ^[7]. From the analysis of judicial practice, it should be noted that cases of administrative offenses in the information sphere are mainly initiated either on the basis of information received during the implementation of administrative measures, or on the fact of an already committed offense ^[8].

Consequently, the investigation of administrative offenses committed on the Internet information and telecommunications network requires prompt analysis and preservation of electronic data, which by their nature are vulnerable and are quickly destroyed by offenders. These characteristic features apply to all cyber-violations, since it takes a short period of time to commit these illegal actions. In addition, the offender can use various places where he will use his technical devices when committing illegal actions, this factor is a feature inherent in computer crime that has a cross-border character ^[9].

It follows from the above that today, the issue of territorial jurisdiction in the case of administrative offenses in the field of information security on the territory of another state is relevant. In our opinion, it is necessary to develop certain means to bring to administrative responsibility for the illegal actions of a computer attacker both from the State on whose territory he used technical devices, and from the state to which the damage was caused.

In turn, the domestic legislator responds in a timely manner to new challenges and threats in the information sphere, in particular, by Federal Law No. 62-FZ of March 25, 2022 "On Amendments to Articles 8.32 and 20.3.3 of the Code of Administrative Offences of the Russian Federation" ^[10]. These changes were made in order to solve the problems of distinguishing criminally punishable acts from administrative offenses in a variety of criminal law offences by fixing the criteria for criminalizing acts that are inherently related to the amount of harm caused. In this regard, in our opinion, the legislator needs to abandon the use of evaluation categories, which, in turn, can have a positive impact on overcoming difficulties in their qualification. In this regard, it is necessary to adopt an appropriate explanation of the Plenum of the Supreme Court of the Russian Federation on information offenses, the provisions of which could contribute to the uniform application of the norms of administrative legislation ^[11].

Thus, at present, the problems of qualification of administrative offenses are caused by the lack of a clear definition of the amount of damage caused in the information environment, in this regard, the issue of determining the damage caused as a result of committed offenses using information methods and means is particularly acute. The adoption of a number of new regulatory legal acts regulating responsibility in the field of information security of the Russian Federation contributes to the prevention and suppression of offenses in the information sphere ^[12].

Despite the allocation of administrative offenses in the information sphere to an independent chapter 13 of the Administrative Code of the Russian Federation, most of the norms are concentrated in other chapters of the Administrative Code of the Russian Federation. For example, responsibility for violating the rules of information protection (Article 13.12 of the Administrative Code of the Russian Federation); for illegal activities in the field of information protection (Article 13.13 of the Administrative Code of the Russian Federation); for violating the established procedure for collecting, storing, protecting and processing information constituting a credit history (Article 14.30 of the Administrative Code of the Russian Federation); for using official information in the securities market securities (Article 15.21 of the Administrative Code of the Russian Federation); for disclosure of information about security measures (Article 17.13 of the Administrative Code of the Russian Federation); for concealment or distortion of environmental information (Article 8.5 of the Administrative Code of the Russian Federation), etc.

It is worth noting that the size of administrative fines imposed for the commission of the above administrative offenses, in general, do not correspond to the achievement of the goals of administrative punishment, the legal consequences in the information sphere are several times higher than the real damage ^[13]. We believe that in order to solve this problem, the domestic legislator needs to review the procedure and sequence of administrative punishment using the expertise and assessment of authorized persons in the field of information security.

Thus, from the comparative legal analysis of the normative legal acts of the Russian Federation, it follows that state coercion in the form of legal liability for an offense in the field of information security is carried out through measures provided for by information legislation ^[14].

In turn, the current administrative and legal measure is more effective and effective in the field of information security in the Russian Federation. It is worth agreeing with the position of E.V. Klimovich, who noted "...a special role in ensuring the implementation and preservation of law and order in the information sphere is assigned to the institute of administrative responsibility. On the one hand, this institution has the properties of economy and speed of applying various measures of administrative responsibility to the offender, and, on the other hand, it contains such administrative and legal norms that protect certain categories of confidential information that do not fall under the protection of other norms of Russian legislation" ^[15]. Thus, the norms of administrative legislation establishing legal responsibility in the field of information security are of great social importance, since information as a source of certain information affects the rights, freedoms and interests of an individual subject of law.

Summing up, it should be noted that over the last period of time, a number of changes have been made to the administrative legislation in terms of legal regulation of information security. These changes indicate that in the Russian Federation, state control is being strengthened to prevent information threats and risks, while the legislator responds in a timely manner to changes in society in the conditions of digitalization of law and geopolitical instability in the world. Today, measures of administrative responsibility for offenses in the field of information security are constantly being developed and improved. With the advent of new information technologies, means of communication and objects of critical information infrastructure in the Russian Federation, it is necessary on an ongoing basis to conduct scientific research on issues of legal liability for unlawful influence on such information objects with the active participation of public authorities in order to introduce scientific and technical developments into practical activities.