Ukraine’s Finally Got a Cybersecurity Strategy. But Is It Enough?

Ukraine has been battling for its independence not only in the fields of the Donbas, but also in cyberspace. Government networks have been subject to continuous cyber espionage, while other cyberattacks have disrupted a presidential election, blocked access to news media, and engaged in hacktivism and propaganda distribution. Although these attacks initially did not seem like a full-fledged cyber war, Ukraine suffered the first ever successful cyberattack on a power grid in December 2015. Experts warned other strategic sites could also be infected with sophisticated malware called BlackEnergy. These cyberattacks on the nation’s critical infrastructure, attributed to Russia, have been a wake-up call for the government to introduce its first cybersecurity strategy.

On March 15, President Petro Poroshenko approved the strategy to respond to politically-motivated cyberattacks, address cyber crime, correct network vulnerabilities, and recognize Russia’s direct or proxy involvement.

The strategy’s objective is to “create conditions for the safe operation of cyberspace for the benefit of [everyone].” Its goals are to develop cybersecurity policy, become compatible with international standards, strengthen cyber defense and response, assign the National Security and Defense Council to oversee coordination of various cyber activities among government agencies, deepen international cooperation, and raise public awareness about cybersecurity, among other activities.

Overall, the strategy is a positive move, although some aspects remain opaque. Cyber crime expert Glib Pakharenko sees the strategy as more of a conceptualization of the country’s direction, rather than a plan with concrete projects and budgeting. Alexiy Yankovskiy, CEO of Kyiv ISACA, says that the strategy needs revision and adoption of a decentralized cybersecurity regulation model in the private sector.

Like other countries, Ukraine faces significant hurdles to achieving cybersecurity: a shortage of highly-qualified IT experts, strained public-private relations, and legal challenges.

Ukraine has 80,000-100,000 IT specialists capable of repelling cyberattacks, but attracting and retaining them in the public sector is a challenge. Another 10,000 IT students graduate annually, but they lack real-world experience. The strategy does not address how the government will hire enough cybersecurity experts by offering a salary of 7,000 hryvnas or less per month (roughly $3,000 annually). Even patriots cannot afford to work for such a low wage.

One patriot, though, does stand out. Over the past two years, Eugene Dokukin has created the Cyber Forces of Ukraine and fought separatists online by freezing their bank accounts, blocking their propaganda websites, and detecting their GPS coordinates. Perhaps as a tribute to Dokukin, the strategy envisions that the government will attract volunteers. In order to shore up Ukraine’s cyber defenses during war, Ukraine will either need to attract more aid like NATO-Ukraine Cyber Defense Trust Fund or ask its IT specialists to work for low salaries for a short period of time.

The strategy also seeks to improve relations between the public and private sectors. Until recently, the government did not perceive the private sector as an equal partner in cyber defense. This has been changing with the formation of the Computer Emergency Response Team CERT-UA (the government cyber response center) and the recent creation of CyS-CERT (the private sector cyber response center), but red tape still impedes the full potential of this cooperation.

Inadequate cybersecurity legislation is another big challenge. Two important bills on cybersecurity and cyber crime have stalled in the Verkhovna Rada for almost a year. The IT community has opposed the bills because they are incomplete and extend the powers of the State Service of Special Communication and Information Protection to regulate critical infrastructure and the Internet. The concern is that this would encourage more corruption and violate freedom of speech. The December cyberattacks are pushing legislators to rework the bills. Meanwhile, the delays in passing the legislation make the job of law enforcement in cyberspace harder. Although Ukraine created its cyber police to fight cyber crime, bringing cyber criminals to justice remains difficult due to the poor definition of cyber threats.

While the strategy focuses on cyber defense, it does call for the creation of an offensive cyber command unit. Volodymyr Horbulin, head of Ukraine’s National Institute for Strategic Studies, urged Ukraine to develop its own cyber offensive capabilities to show the adversary that it can deliver a serious asymmetric response. While developing offensive cyber capabilities requires significant investment and preparation, Ukraine is in a reactive posture.

Complete cybersecurity cannot be achieved—it’s a continuous process. It takes strategy, means, technology, organization, and people. The government should optimize resources (especially human capital) and attract foreign investment, while addressing institutional and legal gaps in its national approach to cybersecurity to reduce its vulnerability. Until then, Ukraine remains vulnerable.

Vera Zimmerman is an independent researcher. She holds an MA in Political Science from George Mason University.

Image: Passengers get registered at Kyiv's main airport, Boryspil, in Ukraine, January 18, 2016. Ukrainian authorities will review the defences of government computer systems, including at airports and railway stations, after a cyber attack on Kyiv's main airport was launched from a server in Russia, officials told Reuters. REUTERS/Valentyn Ogirenko