Biometrics was covered by a secret state – Mail News

The Central Bank told the FSB that it was impossible to fully comply with the requirements of the service for the protection of citizens' biometric personal data collected by banks. We are talking about cryptographic protection at the level of the state secret, and there is no Russian equipment necessary for this. Bankers confirm the existence of problems, but the CSF does not plan to relax the requirements. However, market players do not threaten the sanctions of security officials. The regulatory body will have to coordinate all issues with the FSB, otherwise the data collection will simply stop.

On the past November 27-28 SOC Forum Artem Sychev, first deputy head of the Central Bank's information security department, pointed out that there is currently no national cryptographic equipment needed by the market to protect the biometric data collected from the central bank. citizens of the KV clbad. This type of protection – at the level of state secrecy – is determined by the order of the FSB No. 378. At the same time, Igor Kachalin, deputy head of the eighth FSB center in Russia, expressed the same. hope that the Central Bank "would be harsh" by all means of protection implemented when it used the biometric data of citizens.

But the bankers confirm that they can not meet the requirements of the CSF. "In order to encrypt the collected images sent to a single biometric system, you have to integrate special equipment (HSM module) into the systems and then obtain the keys of the KV clbad electronic signature certificate," the source told Kommersant in a statement. big bank.

The KV clbad keys are only published by the FSUE Voskhod Scientific Research Institute, and the key issuing procedure was only approved in mid-October. As "Kommersant" says in "Rostelecom", "Voskhod" has the necessary number of keys. "However, there is no way to properly integrate HSM After the integration of the module, you must seek the advice of the CSF," said the source in Kommersant another major bank. But it is unrealistic to get the conclusion of the CSF. According to Rostelecom, the implementation of HSM is carried out in 26 banks, but it is not completed anywhere.

The Central Bank is ready to offer banks several solutions for information security when collecting biometric data. As explained "Kommersant" Artem Sychev, there is now a standardized solution that meets the information security requirements for connection to EBS. "Some credit institutions have already implemented it and others are in the works," he said. "The Bank of Russia, together with the FSB, has also developed a cloud solution and a standard solution for connecting banks to the EBL with all the necessary requirements." According to him, the option of a cloud and a standard solution for connecting banks to the EBU is additional and is under development to reduce bank costs. Banks must meet the requirements for information security by the end of 2019, said Sychev.

However, with the solutions proposed by the central bank, it is not easy, experts say. According to the "Kommersant" interlocutors in the banks already operating in accordance with the standard solution, there is no encryption in the HF clbad – the biometry is sent on an encrypted channel, but without additional encryption at the HF level. The typical Rostelecom solution, according to which the commercial offer was sent to the banks a few days ago, has not yet been certified. In "Rostelecom", "Kommersant" indicated that its standard solution was compliant with the FSB and provided for the availability of KV clbad encryption. Solution Cloud and is in the development stage. "There will be several providers of cloud computing solutions, they say to Rostelecom." We have already coordinated with the Central Bank and the FSB the architecture of the cloud solution and the roadmap for its implementation. "

The banks are ready to meet the requirements of the CSF, when there will be at least one complete solution. In Tinkoff Bank note that they are actively engaged in the integration of HSM into the process of collection and transmission of biometric data of customers in the EBU. By 2020, the bank needs to set up processes for collecting and transmitting biometrics from a representative at the central office through channels using GOST cryptography. According to a council member Postal bank Svetoslav Emelyanov, now sent to the EBS database and thus seriously protected. "But we are ready to introduce additional mechanisms and to acquire the necessary equipment after receiving the requirements and clarifications from the competent authorities," he said. "It is now important to have a unified integration solution that correctly integrates the HSM into the bank's infrastructure.

However, banks should not fear the sanctions of the FSB. "The FSB is not a regulator for credit institutions, its employees can not go to the bank with a check," notes the internet security Cisco Alexey Lukatsky. The position of the Central Bank, which promises not to apply measures to credit organizations, is important here. "The banks must work and hope that the Central Bank with the CSF will solve the problem of protecting the information of biometric data transmitted, otherwise the collection of biometric data will simply have to be stopped, experts conclude.

Veronika Goryacheva