Cyber security/cyber defence Ukraine – Structural changes ahead

November 29, 2017

It is no secret that Ukraine, over the past 5 years in particular, has become something of a petri dish for the testing and/or implementation of cyber incidents by hostile actors.

That is not to say every such cyber incident is the direct or indirect action of the same particular hostile actor.  While many can and will be attributed privately to direct or indirect Kremlin attacks via both evidence and intelligence (and evidence and intelligence are not the same thing at all), it is not the case that Ukraine suffers only from malevolent Kremlin or Kremlin supported cyber incidents.

Indeed this entry is not concerned with attribution, but rather the broad brushstrokes of resilience.  It will be deliberately superficial for reasons that will become apparent at some point during 2018 (if publisher’s deadlines and other whims be met.  If they be so met, dear readers, please buy the book).

Naturally with The Kremlin waging war upon Ukraine across all possible fronts, cyber security is one such front.  It is thus a front that requires a structured response from government with regard to protecting vital infrastructure.  Fortunately for the Ukrainian government, Ukraine is home to a very high number of (Apple and Microsoft among others) certificated programmers.  Per capita, Ukraine would sit in the top 5 nations in the world for such people.

The caveat to “fortunately” for the Ukrainian State is that “fortune” very much depends upon whether these people are wearing their “white hat” or “black hat” on any particular day.  That notwithstanding any specialisms they may have such as penetration, exfiltration, analysis etc. – to be competent at one does not make somebody competent at all.  There are limits to what a “patriotic hacker” can do alone – regardless of toward whom they are patriotic.

Ukraine has created the Cyberpolice, and CERT UA, among other specific public, public-private, and rather more cloaked entities over recent years.

In October 2017, President Poroshenko signed into law, “About the basic principles of providing cyber security of Ukraine”.  It is worth reading for it clearly identifies not only definitions, but what is, and just as importantly what is not covered by the law.  It is framework legislation from which clearly numerous other statutory acts will have to be born and subordinate to.

It also identifies institutional responsibilities – CERT UA, the State Service for Special Communications and Information Protection of Ukraine, the State Center for Cyber Defense, the National Police, the “agencies” (SBU, and FISU), the MoD and the NBU – all of whom are currently represented at the National Security and Defence Council (NSDC).  Indeed the framework law linked above was developed in compliance with the decision of the National Security and Defense Council of Ukraine dated January 27, 2016, “On the Strategy of Cybersecurity of Ukraine.”

There is clearly a potential horizontal overlap (which is better than matters falling through the gaps) and no overarching institutional command and control until reaching the NSDC itself, where all have their seats at the table.

The Ministry of Infrastructure is not directly represented upon the NSDC.  The Prime Minister, representing the Cabinet of Ministers would be the conduit through which this ministry would impart its thoughts relevant to national security and defence.

It is however, the Ministry of Infrastructure that is creating a “General Secretariat for Digital Infrastructure and a state-owned enterprise that will deal with cybersecurity.”

The name of this newly created State Owned Enterprise (SOE) is unknown at the time of writing – but it exists.  So too has a director been appointed (albeit your author recalls no candidate competition to lead this SOE).  The identity of the director (it is a he) is also unknown at the time of writing, however said director is currently assembling a management team.

Naturally, a specially created SOE within the purview of the Ministry of Infrastructure, or its latest bureaucratic “General Secretariat for Digital Infrastructure” department, should be all about structure and process rather than an individual director or chairman’s personality – but Ukraine is still sadly severely hampered by the “cult of personality” and individual empire, to the extreme detriment of structure and process.

The creation of this cyber-SOE is being, at least in part, financed by the EU to the tune of UAH 60 million.

(Further it is rumoured that the leadership of this new SOE has already been poking around at Odessa Port with a view to mirroring the systems in place there and then attacking/cyber war-gaming those copied systems. The results would be interesting.)

This is clearly an area upon which to keep a watchful eye – not only for the usual abuses of budget, but for a raft of legislation required to fill in the detail of the framework law.  There are questions of how to “encourage” the “too big to fails” and State institutions alike to become wholehearted partners in what can only become a truly effective cybersecurity/defence policy – a genuine public-private partnership.
