Ukraine’s gearing up to protect its cyberspace

At the end of September 2017, a joint meeting in the framework of the United States-Ukraine Bilateral Cyber Dialogue took place in Kyiv, Ukraine. During that meeting, the US Ambassador to Ukraine, Ms. Marie Yovanovitch, informed that Washington would provide more than $5 million in order to strengthen Ukraine’s ability to “prevent, mitigate, and respond to cyberattacks”.

This comes in handy, especially taking into account that Ukraine has been suffering from massive cyber attacks after the annexation of Crimea by the Russian Federation of 2014 followed by support of the armed groups and military intervention in East Ukraine. The most recent significant attack took place on June 27, 2017, affecting the government institutions, the Boryspil International Airport, the state power distributor as well as banks, including the National Bank of Ukraine.

Since the Independence in 1991, the Ukrainian Government has been drastically decreasing national defense capabilities. The non-alined policy mixed with the weak economy motivated the Government to cut the defense expenditures. This resulted in a drastic decrease in personnel and by 2013 the Armed Forces of Ukraine consisted of 184000 where only 139000 were servicemen.

During the Yanukovych Presidency the key defense posts were given to the people close to Russia, for instance, Minister of Defence Dmytro Salamatin, a Russian citizen before 2005. Neadless to say it didn’t participate in boosting Ukraine’s defense capabilities, on the contrary, it deteriorated the state of the army even more. According to some estimations, just before the Russian aggression in Ukraine, Kyiv could field between 6,000 and 10,000 ready-to-fight troops while.

The war forced the Ukrainian Government to introduce significant adjustments and to start carrying out reforms. The funding for the defense sector has risen to roughly 5% of the GDP, what allowed the increase of the Armed Force’s personnel to 250,000 in 2015.

Speaking of cybersecurity, until 2016 Ukraine had no cyber strategy at all. Certainly, some aspects of the cyber domain were mentioned in the National Security Strategy and the Military Doctrine, but no document purely related to the cyber security issues existed in Ukraine.

Evolution of Ukraine’s strategic documents

Ukraine started to draft its first defensive strategic documents in 1993, two years after the Independence from the Soviet Union. The first such document was the Military Doctrine, where Ukraine proclaimed its adherence to the non-proliferation process and the will to get rid of its 3rd world’s largest nuclear arsenal. Back in that period nobody spoke of a cyber threat and, therefore, Ukraine’s Military Doctrine had no mention of it at all. The only reference was to the “information space” and it was about creating a single information space for the whole Armed Forces on the territory of Ukraine.
Later on, Ukraine started to mention the cyber security issues in the Doctrines and, in 2006, even created the State Service of Special Communications and Information Protection of Ukraine.

Under Yushchenko’s Administration, Ukraine’s 2007 first National Security Strategy mentioned the development of national standards and technical reglaments for the use of IT technologies that should go in line with the European standards and ratified Cybersecurity Convention of 2001.

But only under Poroshenko’s Administration, Ukraine started to include cyber issues into the fundamental documents. The National Security Strategy of 2015 was a first solid document to include the issues of cyber and information security as well as abandoning Ukraine’s non-aligned status, after it was introduced in the previous redaction under President Yanukovych in 2012.

The Strategy defines “vulnerability of the critical infrastructure objects, public information assets to cyber-attacks” as a cyberthreat. The Strategy also defines the directions of reforms for the Security Service of Ukraine and among them we can find the protection of the state against “terrorism, economic, information and cyber threats”. It is worth noting that the development of the cyber intelligence capabilities is also foreseen in the framework of the Ukrainian intelligence bodies.

In addition, this document has also set up a number of goals in order to achieve a better cyber security for the country, such as: “setting up a system of cyber security, development of CERT network; ensuring protection of critical infrastructure, state information resources from cyber-attacks, renouncing use of software, especially antimalware produced in Russia; setting up a system of cyber defence personnel training for Ukraine’s security and defence sector;”.

The 2015 National Security Strategy laid the ground for the development of cyber security documents and two following years were extremely rich regarding the development of such kind of documents. The Cybersecurity Strategy of Ukraine was adopted in 2016 after the massive cyberattack on the Ukrainian power grid provoking extensive blackouts, and Information Security Doctrine, that has been adopted on February 25, 2017.

It is worth noting, that traditionally the Russian Federation uses the term “information security” instead of “cybersecurity”. For instance, in 2016 Russia updated its Information Security Doctrine. However, taking into account the interconnectivity of cyber and information spaces, we may argue that Information Security is a wider field, therefore Russia, and other countries using this term, intend to cover broader issues than simple cybersecurity.

Cybersecurity Strategy and Information Security Doctrine as a first step to improve Ukraine’s cyberdefense capabilities

The Cybersecurity Strategy of Ukraine clearly indicates the threats that the Ukrainian state is facing and even names a country threatening Ukraine. We can read in the Strategy that its main task is “the creation of conditions in order to ensure a safe functioning of the cyberspace, its usage in the interest of person, society and a state”.

At the same time, the Strategy names Russia as a country that threatens Ukraine and her cyberspace. We can read under the General Provisions of the Strategy the following: “The ongoing Russian Federation’s aggression and other significant changes in internal and external security environments of Ukraine demand an immediate creation of a national cybersecurity system as a component of a system [responsible for] national security of Ukraine”.

The Strategy also goes in line with the NATO Warsaw Summit decision of 2016 regarding the inclusion of the cyberspace into the “domain of operations” together with the more traditional domains such as “Land”, “Air”, “Sea” and “Space”.

This Documents serves as a base and outlines the directions of the further development of Ukraine’s cyber defense capabilities. For instance, we can read that one of the priorities is the adaptation of the state policy regarding the cyber defense in order to meet the EU and NATO standards. This reflects the decision of Ukraine to move towards the integration into NATO and the EU.

Recently, Ukraine banned the Russian social networks and accounting software in the framework of the sanctions, however, this disposition has also been foreseen by the Strategy, in particular it mentions the possibility to ban certain providers under the decision of the court.

Regarding the Information Security Doctrine, it seems it is a more substantial document than the Cybersecurity Strategy. It outlines concrete steps in order to improve Ukraine’s cybersecurity capabilities. However, its adoption has also risen some fear among the civil society. This Doctrine aims to clarify the basis of the information policy of the Ukrainian state, especially given the “destructive informational influence of the Russian Federation in the conditions of the hybrid war waged by her”.

The Doctrine guarantees to the public the free circulation of the information, but outlines the possibility to introduce some lawful restrictions. The current threats to the national interests of Ukraine in the information sphere, among others, are: “the implementation of special information operations aimed at undermining the defense capabilities, demoralization of the personnel of the Armed Forces of Ukraine and other military formations, provoking extremist manifestation, feeding the panic mood, exacerbating and destabilizing the socio-political and socio-economic situation, stirring up interethnic and interconfessional conflicts in Ukraine.” The implementation of the Russian special information operations with the aim to create a negative image of Ukraine in the world in other countries is noted as a threat as well.

The Doctrine separates the responsibilities of the Ukrainian governmental bodies such as the National Security and Defense Council, the Cabinet of Ministry and the Ministry of Information Policy, created in December 2014.

‘More security versus less liberties’ dilemma

The recent “Petya” cyberattack against Ukraine, blocking numerous banks and ATM’s, firms and even governmental bodies is a clear evidence of the cyber vulnerabilities that exist. This Doctrine may help the Ukrainian authorities to better address such cyberattacks and to mitigate the risks, however, it will be difficult to achieve without restricting some liberties, as it was seen as a case with the banning of Russian social networks.

Russia wages a hybrid war against Ukraine and its military machine has much more human and technical capabilities than the Ukrainian army. Taking into account that Ukraine is not a part of any military alliance, nor has she a reliable powerful state to guarantee the territorial integrity, it seems that the Ukrainian society will have to pay some price.

This was also argued by Sergey Sukhankin in his article “Ukraine’s Information Security Doctrine: A Breakthrough or the Veneer of Change?” where he comes to the conclusion, that at least for the near term Ukraine will have to “navigate some difficult trade-offs regarding security versus civil rights”.

At the same time, even though Ukraine may receive a backlash and drop down on the international ‘freedom rankings’, the survival of the state seems more important. Two decades ago, after a 9/11, the United Stated had also to make a choice, and the ‘Patriot Act’ spurred a negative reaction from the civil society, but it seems it helped Washington to drastically limit the terrorist threat on the American soil. It is quite sure, Ukraine will make the same choice.