In the wake of the attack, local cybersecurity experts are unanimous that Ukraine remains vulnerable to future cyberattacks. They see the root of Ukraine’s vulnerability in its ineffective cybersecurity structure, the country’s insufficient cooperation with the private sector, and the lack of direct accountability for unaddressed security flaws.
During the online campaign #FRD (F*ck Responsible Disclosure) of 2018-2020, a group of cybersecurity experts of the Ukrainian Cyber Alliance (UCA) published around 120 reports on critical vulnerabilities in the cyber defense of Ukrainian government agencies.
However, the state bodies were not pleased. Their reactions ranged from denying the existence of the vulnerabilities and downplaying their seriousness to threatening the whistleblowers with the police. The campaign ended when law enforcers raided the homes of UCA members and confiscated all of their computer equipment. In turn, the Alliance publicly announced that it was ceasing cooperation with any state bodies. Criminal proceedings against the experts remain underway to this day.
This case highlighted not only Ukraine’s multiple cybersecurity issues but also the officials’ unwillingness to discover and fix security flaws. In effect, not much seems to have changed since then, as the 14 January attack has shown.
Back in 2021, the National Security and Defense Council of Ukraine (NSDC) adopted the updated Cybersecurity Strategy of Ukraine for 2021-2025, containing much-needed guidelines for improving the situation at the state level.
However, less than two weeks before the 14 January attack, the Foreign Policy Portal (FPP), an online platform that unites several Ukrainian foreign policy think-tanks, criticized the Strategy for lacking any plan for its practical implementation:
“Despite the declaration of really important tasks, the Strategy doesn’t in any way outline ways or methods of achieving the claimed goals, which turns them into slogans, not supported by a vision of practical implementation,” reads the document prepared by cyber expert Kostiantyn Korsun.
Ukraine’s (un)readiness for cyberattacks
Local experts are generally pessimistic about the current state of cybersecurity at the government level in Ukraine, acknowledging some strategic improvements but pointing to major underlying structural issues.
Commenting on Ukraine’s readiness for future cyberattacks, Kostiantyn Korsun told Euromaidan Press that it isn’t ready at all.
“Since the beginning of the active phase of the Russian-Ukrainian cyberwar in 2014-2018, almost nothing has changed for the better. The national cybersecurity system exists exclusively on paper and in the bravura reports of officials (i.e. in ostentatious assurances, – Ed.). Interactions or at least mutual understanding between the state, the private sector, and the communities were never established. Even attempts towards this weren’t made, only empty declarations of ‘public-private partnership’,” said Mr. Korsun.
Another cybersecurity expert, Kir Vaznitcky, Senior Consultant at the aerospace company Armorum Solutions, said in his comment to Euromaidan Press that the 14 January attack on Ukrainian government websites clearly showed what private-sector experts have been saying all along, namely that government resources are nowhere near secure.
“The attack wasn’t that subtle or too complicated: it used well-known techniques and tactics, well-known vulnerabilities. It wasn’t lightning-fast, and the hackers remained unnoticed in the compromised systems for several weeks. They were downloading data and furthering the attack, and no one noticed, let alone thwarted it. So what kind of readiness can we talk about?” Mr. Vaznitcky said.
Asked what Ukraine’s shortcomings in the field of cybersecurity are, Kostiantyn Korsun replied,
According to Kir Vaznitcky, the main flaw in the government’s cybersecurity sector is the state’s lack of interest in security,
“The private sector gets protected as they have something to lose. As for the state resources, why do something (hire specialists, seek advice, conduct security tests, train staff) if there is no responsibility for inaction?”
Data protection
The Ukrainian officials denied any personal data leaks during the cyberattack of 14 January. However, new databases with possibly valid data put up for sale on underground marketplaces shortly after the hack suggest that the intrusion may not have been as harmless as the authorities claim.
“All the experts I spoke to are convinced that the data are not necessarily from the Diia (e-governance online portal giving centralized access to over 50 governmental services, – Ed.), but they are up-to-date and relevant, dating to about the time of fall-winter 2021,” cyber expert Andrii Baranovych of UCA told Tyzhden, commenting on the available data samples from the databases being sold on the black market.
The Ministry of Digital Transformation, which is behind the Diia service, called the data leak “a fake” because Diia stores no information itself and only displays data from state registries, according to the ministry’s chief, Mykhailo Fedorov.
In the same interview with Tyzhden, another UCA member, Artem Karpinskyi, outlined the general scope of the issue:
“The problem is that we’ve been told for two and a half years that we’ve spent a lot of money on cyber security and engaged the world’s best experts. Separately, they mentioned that Diia didn’t store data, and that all our registries are securely protected. Therefore, such events were to be expected,” he said.
Kir Vaznitcky commented to Euromaidan Press that state institutions often take a rather formal approach to personal data protection, citing obsolete security standards as an example.
“Regulatory documents require obtaining a certificate of KSZI (Integrated Information Security System, – Ed.) for government systems that store and process the personal data of citizens. And these certificates are actually received because they give responsible officials the opportunity to claim to have done everything possible. But this outdated certificate has nothing to do with modern methods. I don’t know of any system that this certificate would have helped,” Mr. Vaznitcky said.
“It’s like a sign on the door about the person responsible for the fire safety – this hasn’t helped anyone prevent a fire,” he adds.
The policies of major actors and their approach to reported issues may also contribute to Ukraine’s overall weak cyber defenses:
“Additionally, we can mention the Ministry of Digital Transformation. They realize that their systems, with Diia being the best-known, have underlying vulnerabilities at the level of architectural design. Therefore, they deliberately manipulate the conditions of their Bug Bounty by excluding the possibility of demonstrating vulnerabilities. That is why they behave so aggressively when specialists point out the critical shortcomings and incompetence of their employees,” Mr. Vaznitcky says.
Back in May 2021, criticizing the current Ukrainian leadership’s approach to e-governance, Kostiantyn Korsun said that, unlike Western countries, which follow the principle “security first, convenience next,” Ukraine implements e-services the opposite way, which can be described as “convenience first, then security or whatever it turns out.”
Now, Kir Vaznitcky says,
How to prevent new cyberattacks in the future
Under the Ukrainian law “On Basic Principles of Cyber Security of Ukraine” of 2017 and the Cybersecurity Strategy of 2021, the major national cybersecurity actors are the State Service for Special Communications and Information Protection of Ukraine (Derzhspetszvyazok), law enforcement, intelligence and defense agencies, and the National Bank. The President coordinates cybersecurity activities via the NSDC, while the NSDC’s National Cybersecurity Coordination Center (NCCC) oversees the actors in the security and defense sector.
“All nine major actors in national cybersecurity are state executive bodies, most of which are law enforcement agencies. The private sector, the cyber community, and research institutions are in no way included in this system and don’t have the opportunity to contribute to cybersecurity,” the Foreign Policy Portal says.
Moreover, each of these agencies implements cybersecurity measures only within its own sector of responsibility, while the NCCC has no direct power or regulatory leverage over the key actors in the national cybersecurity system, according to the FPP.
Euromaidan Press contacted the Cyberpolice, asking whether Ukraine is ready for new cyberattacks. In their reply, the Communications Department of the Cyberpolice listed the major cybersecurity actors and their main functions and assured:
“All cybersecurity actors of Ukraine, in accordance with their tasks, on a regular basis take measures to increase cyber resilience, working out in practical classes possible mechanisms of attacks, as well as improving tools to deter them.”
The biggest problem, according to Andrii Baranovych’s column on Tyzhden, is the nature of the post-Soviet system of government, in which a bureaucrat’s main goal is to “create a personal feud and protect it from competitors” to ensure their safe stay in office by “smearing” the responsibility over as many people as possible.
For example, in regard to the recent cyberattack, each of the many state agencies and the contractor involved in developing, maintaining, and protecting the affected sites can easily report on their allegedly sufficient work, so that in the end no one is to blame for the breach not being prevented.
“No money or expert would be helpful here, as long as there is a system in which no one is responsible for anything... We now have an overly extensive and overly complex bureaucratic system that needs to be dismantled,” Baranovych said, according to Tyzhden.
In his comment to Euromaidan Press, Kir Vaznitcky stresses that Ukraine’s strategic cybersecurity decisions can’t change anything in the immediate future:
“I can’t say that nothing is going on in the field of cybersecurity at all. Various doctrines get adopted, general provisions get enshrined in legislation. But if all these actions are to bear fruit, it won’t be in the near future. We talk so much about critical infrastructure, pass a law on its protection. But no one has been able to compile a list of critical infrastructure facilities. And these facilities must be subject to special regulations,” he said.
Additionally, Mr. Vaznitcky stressed that state agencies should not only commission the development of web resources but also purchase support plans for them, with responsibility clearly defined:
“If a government entity doesn’t have the money to keep the relevant specialists on its staff, it announces a tender to purchase such services. This is what works. But if these agreements don’t provide for mandatory support with the prescribed responsibility, it will end up the same way as in Kitsoft’s case,” he says.
The Kyiv-based company Kitsoft mentioned above was the private contractor that developed most of the websites affected by the 14 January cyberattack. Derzhspetszvyazok suspected a so-called supply chain attack, meaning that the attackers first compromised Kitsoft’s infrastructure, which then enabled the subsequent attack on the websites the company had developed.