Getting the Deal Through: Cybersecurity 2019. Ukraine
The main statutes and regulations that promote cybersecurity are as follows:
- the Law on the Main Principles of Maintaining Cybersecurity of Ukraine (the Cybersecurity Law);
- the Law on Protection of Information in Information and Telecommunication Systems;
- Budapest Convention on Cybercrime;
- Decree of the Cabinet Ministers of Ukraine on Approval of the Concept of Establishment of a State System for Critical Infrastructure Protection;
- Resolution of the Ukrainian National Security and Defence Council on the National Security Strategy of Ukraine, approved by Presidential Decree (the National Security Strategy); and
- Resolution of the Ukrainian National Security and Defence Council on the Cybersecurity Strategy of Ukraine, approved by Presidential Decree.
The Cybersecurity Law establishes the regulatory framework for a number of measures in the cybersecurity domain. It lays down the main directions of state policy in the area as well as the roles of the major responsible stakeholders. The Cybersecurity Law introduces the concepts of critical infrastructure (CI) and critical information infrastructure, mandating stringent security requirements for organisations running the CI. Overall, the Law is a high-level set of rules that defines the competence of the governmental authorities and delegates to them the right to regulate many other issues in the cybersecurity domain.
The National Security Strategy is a document that states the priorities of the national security policy. Its main goal is to create conditions necessary to ensure safe cyberspace and its use in the interests of individuals, society and government. This effectively paved the way for passing the dedicated law that comprehensively addresses a broad range of issues in the cybersecurity area: the Cybersecurity Law.
At the end of 2017, the government approved the Concept of Establishment of a State System for Critical Infrastructure Protection in Ukraine. The Concept identifies the main directions, mechanisms and timetables for implementation of legal measures aimed at protecting critical infrastructure.
A draft law ‘On critical infrastructure and its protection’ has been developed. Its goal is to increase the critical infrastructure protection capability and to help reduce vulnerabilities concerning critical infrastructures.
The Cybersecurity Law envisages stringent rules for CI. This is a new concept that is defined rather broadly and may potentially catch any company that is essential for the maintenance of vital civil services and whose disruption or destruction would have a significant impact on national security. In particular, the Cybersecurity Law names the following industries: chemicals, energy, utilities, transport, information technologies, electronic communications, banking and finance, healthcare, food production and agriculture.
Most of these sectors have no specific cybersecurity regulations at the moment, and these should be developed by the government. The banking sector remains the furthest ahead in promoting cybersecurity.
The Cybersecurity Law designates the National Bank of Ukraine (NBU) as one of the entities responsible for providing cybersecurity, authorised to develop and implement preventive, organisational, educational and other measures in cybersecurity and cyber defence.
The NBU adopted Decree on Approval of the Measures to Ensure Information Security in the Banking System of Ukraine (Decree No. 95). Decree No. 95 for the first time provides for mandatory regulation by the NBU of information security and cyber defence issues in Ukraine’s banking system. It also provides for the appointment of a chief information security officer in banks with the authority to take relevant managerial decisions, and defines the principles of information security management based on the new national standards of Ukraine on information security and the principles of information security and cyber defence.
For the first time, the NBU intends to resolve the issue of ensuring the proper level of cyber defence and information security in the area of money transfers.
At the end of September 2018, the NBU proposed a draft of the Decree on Approval of the Regulations on Cybersecurity and Information Security in Payment Systems and Settlement Systems for public discussion.
Specifically, the draft Decree stipulates:
- requirements in regard to building information and cybersecurity systems;
- procedures for detecting cyber attacks; and
- requirements in regard to organisational and technical measures to ensure protection of information and cybersecurity by the respective market players, etc.
Yes. Decree No. 95 defines the principles of information security management based on the new (effective from 1 January 2017) national standards of Ukraine on information security (ISO 27001:2015 and ISO 27002:2015), and the principles of information security and cyber defence, which commonly apply in international practice. Some of the other standards include ISO/IEC 27000:2015 and ISO/IEC TR 13335:2003.
The Cybersecurity Law still envisages some basic steps that companies subject to the CI rules will have to take. These include:
- ensuring the cyber defence of communication and technological systems;
- protection of technological information;
- undergoing independent cybersecurity audits; and
- instant reporting of cyber incidents to the Computer Emergency Response Team of Ukraine (CERT-UA).
Under the law, the owners and CEOs of legal entities are responsible for ensuring compliance with the above-mentioned requirements, and failure to comply may trigger criminal liability under article 363 of the Criminal Code for violation of rules on electronic communications and protection of information.
The draft law on critical infrastructure and its protection introduces a new concept, the ‘operator of critical infrastructure’, covering the entities (both public and private) and individuals that own or otherwise legitimately hold critical infrastructure objects and are responsible for the day-to-day operation of such objects. It also defines the assignments, rights, obligations and responsibilities of operators of critical infrastructure.
Some specific obligations for operators of critical infrastructure in the banking sector are set out in Decree of the NBU No. 95.
The Cybersecurity Law gives the following definitions:
- ‘cybersecurity’ as the ‘protection of the vital interests of man and citizen, society and the state in cyberspace, which ensures the sustainable development of the information society and digital communication environment, timely detection, prevention and neutralisation of real and potential threats to the national security of Ukraine in cyberspace’; and
- ‘cybercrime’ as a ‘socially dangerous offence in cyberspace and/or its use, criminal liability for which is provided for by the law of Ukraine and/or recognised as a crime by international treaties of Ukraine’.
Under the Law on Personal Data Protection, data controllers, data processors and third parties are required to protect personal data from accidental loss or destruction, as well as from unlawful processing, including unlawful destruction of or access to personal data. However, neither the said law nor the Model Order for Personal Data Protection provides further details or requirements on any specific technical measures.
According to the Law on Telecommunications, the operators and providers of telecommunication services must adopt the technical and organisational measures required to ensure the secrecy of communications, the protection of telecommunication networks and telecommunication facilities, and limited access to the information transmitted by these networks.
Under the Law on Protection of Information in Information and Telecommunication Systems, the owner of a system is responsible for ensuring the protection of information in the system. State information resources and classified information must be processed in an integrated, protected and verified system certified by the competent state agency.
The technical measures to ensure information security in the banking system of Ukraine are described in more detail in Decree No. 95. These measures include, among others:
- use of an authorisation system (ie, including password restrictions and best practices for password selection and regular update);
- protection of electronic means and data against unlawful data processing operations, unauthorised access and malware;
- network security, encompassing the overall structure and network access control;
- security protection of servers;
- security protection of applications;
- data security and backup;
- establishment and maintenance of a security management system and related procedures and policies;
- establishment and maintenance of security management positions, clearly defining the responsibilities of each, as well as verification of the identity and professional qualifications of all personnel;
- regular employee training to enhance security awareness; and
- compliance with the established requirements concerning purchase of the relevant IT products and services.
Yes. In general, cyberthreats to intellectual property are addressed by the provisions of Law No. 3792-XII of 23 December 1993 on Copyright and Neighbouring Rights, which regulate and provide for several means for protecting intellectual property both in the online and offline environment. For example, key provisions of the Law punish:
- copyright piracy (publication, reproduction and distribution of counterfeit copies of works on the internet);
- falsification, unauthorised modification or removal of information, including in electronic form, regarding digital rights management;
- illicit use of trademarks, either of a digital or a material nature;
- plagiarism (completely or partly publishing someone’s work under the name of a person who is not the author of the work) either of a digital or a material nature;
- card sharing, namely provision in any manner of access to a broadcasting programme, the access to which is restricted by copyright or related rights holder by virtue of technical protection means (eg, subscription card or code), by circumvention of such technical protection and making the programme accessible. Moreover, the Law provides for sanctions against intellectual property infringement in general and more specific provisions on anti-piracy, which often also extend to cyberthreat prevention; and
- any acts aimed at intentional circumvention of technical protection means for the protection of copyright and related rights, including production, distribution, import with the purpose of distribution and exploitation of means for such circumvention.
Finally, Law No. 3792-XII of 23 December 1993 on Copyright and Neighbouring Rights provides for sanctions against intellectual property infringement in general; there are no specific provisions, for example, on anti-piracy or for infringements of a digital nature.
In addition to the above, the Law introduced legal tools aimed at preventing cyberthreats to intellectual property by means of notice and takedown procedures and other judicial and non-judicial remedies. Further, the Law provides for a non-judicial procedure for terminating infringements of copyright or related rights committed using the internet.
Yes, the Cybersecurity Law specifically addresses cyberthreats and other cybersecurity issues with regard to critical infrastructures.
Yes. The right to privacy (secrecy) of correspondence (including letters, telegrams, telephone conversations, wire messages or other types of communications) is a personal right guaranteed by the Ukrainian Constitution and implemented through various other acts, including the Law on Telecommunications.
Breach of privacy of correspondence may only be allowed by a court to prevent a crime or within a criminal proceeding, and only if the information needed cannot be obtained otherwise. In all other instances, the breach of privacy of correspondence may be regarded as a criminal offence (ie, the breach of privacy of letters, telephone conversations, telegraph or other correspondence transmitted via communication means or computer), which attracts fines, correctional labour or imprisonment.
Moreover, in relation to the broader scope of communications (ie, not only those covered by privacy of correspondence) the Law on Telecommunications expressly provides that interception of information from telecommunication networks is prohibited, unless otherwise provided by law. Such interception, as well as collection of information from electronic informational systems, is a criminal investigatory activity that interferes with private communications and may only be taken by law enforcement bodies if authorised by court.
Telecommunication operators and services providers must take technical and organisational measures for the protection of telecommunication networks and means, classified information regarding arrangement of such networks and the data transmitted. Further, they must ensure security of information regarding consumers.
Further, telecommunication operators may, at their own cost: install on their networks the equipment required for the competent authorities to conduct criminal investigations; ensure that this equipment functions properly and remains duly protected from unauthorised access; and facilitate conduct of the investigations and prevention of disclosure of relevant organisational approaches.
The Law on Personal Data Protection provides that the processing of confidential personal data without proper consent is prohibited, except when provided for statutorily, and only in the interests of national security, economic welfare and human rights.
Ukraine ratified the Budapest Convention in 2006. This was followed by the adoption of the law that added additional articles in the section dedicated to ‘Crimes in the Area of the Use of Electronic-Computational Machines (Computers), Systems, Computer Networks and Telecommunication Networks’ into the Criminal Code.
In particular, the principal criminalised cyberactivities relevant to organisations include:
- unsanctioned interference in the operation of computers and networks (article 361 of the Criminal Code);
- creation for the purpose of use, dissemination and distribution of harmful software or hardware, as well as their dissemination and distribution (article 361(1) of the Criminal Code);
- unauthorised dissemination and distribution of information with restricted access, which is stored in the electronic computing machines (computers), automated systems, computer networks or information-carrying medium (article 361(2) of the Criminal Code);
- unauthorised alteration, erasure or blocking of information, which is processed in the electronic computing machines (computers), automated systems, computer networks or stored on the information-carrying medium, if it led to a leak, committed by a person entitled to access to such information (Part 1, article 362 of the Criminal Code);
- unauthorised interception or copying of information, which is processed in the electronic computing machines (computers), automated systems, computer networks or stored on the information-carrying medium, if it led to a leak, committed by a person entitled to access to such information (Part 2, article 362 of the Criminal Code);
- violation of operation of electronic computing machines (computers), automated systems, computer networks or telecommunications networks and the order or rules on protection of information that is processed there, if it caused significant damage, committed by a person entitled to access to such information (article 363 of the Criminal Code); and
- impeding the work of electronic computing machines (computers), automated systems, computer networks or telecommunication networks by mass distribution of electronic messages (article 363(1) of the Criminal Code).
Importantly, article 363(1) does not criminalise DDoS attacks; rather, the ‘mass distribution’ refers to sending messages to a multitude of non-specific recipients. Thus, this crime usually refers to spam with a malware component. In turn, DDoS attacks are criminalised under article 361 of the Criminal Code, which is confirmed by the recent practice.
In particular, by the decision of a district court in Kharkiv, No. 640/953/17 of 21 March 2017, a group of persons were found guilty of the online sale of software designed to carry out DDoS attacks (article 361(1) of the Criminal Code). In this respect, to demonstrate the operability of the said software, the perpetrators completed several DDoS attacks (article 361 of the Criminal Code).
Interestingly, the same article 361 of the Criminal Code was also used as a preliminary qualification for the Petya malware infection. Namely, according to a statement from the head of department of the cyber police, 597 criminal proceedings had been initiated by 5 July 2017 under article 361.
There were a couple of other recent cases where articles 361 and 361(1) were applied. In particular, on 3 November 2017, a district court in Kiev found that the conduct of hackers who stole US$1 million from Credit Dnipro Bank fell under the definition of the said offences. Additionally, by the decision of a court in Chernihiv of 28 July 2014, a person was found guilty of creating harmful software for its further use and sale.
The draft Law on Amendments to Certain Laws of Ukraine Regarding Processing of Information in Systems Using the Technology of Cloud Computing was prepared for a second reading in the Ukrainian parliament back in November 2016, but has not been passed yet.
The Law of Ukraine on Protection of Information in Telecommunication Systems lays down the legal framework for data protection in information and telecommunication systems. Specifically, owners of such systems are charged with ensuring protection of information. The procedure and requirements of data protection, as well as its processing, are to be set forth in an agreement between the owner of the system and the owner of information. In addition, the procedure for access to the information, the list of users and their rights should be determined by the information owner. Most probably, the cloud service providers operating data centres or other automated equipment physically located in Ukraine will qualify as owners of information systems, subject to the said statutory requirements.
Responsibility for ensuring information security in a system rests with the owner of the system. The owner of a system in which state secrets or information with limited access are processed must create an information protection service or appoint a qualified responsible person.
Foreign organisations doing business in Ukraine are subject to the same cybersecurity obligations and responsibilities as domestic entities.
The National Police of Ukraine, the Security Service of Ukraine and CERT-UA may provide recommendations addressing cybersecurity protections, take actions to prevent, detect and eliminate the effects of cyber incidents, and organise and conduct practical workshops on cyber defence.
Nowadays, those who are interested in cybersecurity can find publicly accessible news about new malware, phishing, denial of service attacks, etc, on the official websites of the Cyberpolice of Ukraine (a department within the National Police) and CERT-UA. Moreover, it is possible to find the relevant recommendations addressing the cyberthreats identified by these authorities.
In February 2018, the CERT of the Security Service of Ukraine was established; however, it has not launched any public resources or issued guidelines or recommendations as to protection from cyberthreats.
There are no effective government mechanisms that can incentivise organisations to improve their cybersecurity. Exchanging incident information alone is not enough to create interest in improving cybersecurity. Motivating the private sector to participate should be a priority.
The main standards include:
- ISO 27001:2015 (available at: http://document.ua/informaciini-tehnologiyi_-metodi-zahistu_-sistemi-upravlinnj-nor29396.html);
- ISO 27002:2015 (available at: http://online.budstandart.com/ua/catalog/doc-page.html?id_doc=66911);
- ISO/IEC 27000:2015;
- ISO/IEC TR 13335:2003 (available at: https://dnaop.com/html/41033/doc-%D0%94%D0%A1%D0%A2%D0%A3_ISO/); and
- ISO/IEC 27032:2012 (available at: www.klubok.net/article2617.html).
No official guidelines on how to respond to breaches are available yet. However, the widely accepted recommended best practices include:
- immediate reporting to cyber police and CERT-UA;
- alerting employees and customers;
- PR support; and
- engagement of competent technical experts for adequate cyber response and audit.
There are some international platforms such as VirusTotal that are popular in Ukraine. Information and cybersecurity forums are also used to share information about cyberthreats. In addition, the Cybersecurity Law mentions the sharing of information between public and private sectors about cyberthreats, cyberattacks and cyber-incidents as one form of public-private cooperation.
So far, the development (predominantly a translation of widely accepted international standards into Russian and Ukrainian) of the standards has generally been a private initiative. With the adoption of the Cybersecurity Law, the role of the state in this area should increase.
For example, the Cybersecurity Law envisages that the CI objects will have to undergo cybersecurity audits. Requirements and procedure for such audits will be set in the relevant regulations of the Cabinet of Ministers. In turn, such regulations should be based on international standards, including those of the European Union and NATO, developed with the mandatory involvement of representatives of the main stakeholders of the national cybersecurity system, scientific institutions, independent auditors, experts in the field of cybersecurity and NGOs.
Yes, insurance for cybersecurity breaches is available in Ukraine but this is not common. Apparently, comparatively high cyber risks that are currently inherent in Ukraine do not make the market particularly attractive for many international insurance companies, and hence the penetration of this service is somewhat limited.
The main authorities that ensure cybersecurity in Ukraine include the Ministry of Defence of Ukraine, the State Service of Special Communications and Information Protection of Ukraine, the Security Service of Ukraine, the National Police of Ukraine, the NBU and the intelligence agencies. In particular:
- the Security Service of Ukraine is responsible for fighting cyberterrorism, cyberespionage and countering cybercrimes that pose a direct threat to vital interests of Ukraine;
- the National Security and Defence Council is responsible for the coordination and control of the defence-sector actors responsible for cybersecurity in Ukraine;
- the State Service for Special Communications and Information Security is responsible for development and implementation of the government policy to protect the government information resources and critical information infrastructure;
- the Ministry of Defence and General Staff of the Armed Forces of Ukraine is responsible for preparation of the state to respond to military aggression in cyberspace;
- the National Police of Ukraine is responsible for countering cybercrimes;
- the Intelligence Agencies of Ukraine are responsible for operations to address the threats to national security in the cyberspace; and
- the NBU determines the procedure, requirements and measures for ensuring cybersecurity in the banking system of Ukraine and for entities transferring funds.
Under the Cybersecurity Law, the mandate of the State Service for Special Communications and Information Security (SSSCIS) is most relevant to compliance-monitoring activities. For this purpose, the SSSCIS has an extensive set of powers, including the right to request information and documents, and carry out interviews and dawn raids. Yet, it remains to be seen how the SSSCIS will apply these powers in practice in the private context. So far, it has maintained a focused approach in its work, dealing mostly with special communications’ technical matters (eg, establishment of secure communication lines with foreign top officials, provision of mobile service for state and governmental authorities, cryptographic information protection), rather than with the broader spectrum of threats and concerns that characterise the protection of the private sector in cyberspace.
As far as the investigation of cyber incidents is concerned, this is a key function of law enforcement bodies, including the Security Service of Ukraine and the National Police of Ukraine (the cyber police department). To that end, they have various rights to carry out investigative activities, including to request court orders to subpoena the production of documents and testimony of witnesses, carry out searches and seizures, use technology-assisted physical surveillance and non-consensual electronic surveillance, record communications, etc.
The first problem is a functional parallelism of various organisations and bodies leading to major overlaps in their activities. For example, the State Security Service of Ukraine and the Ministry of Internal Affairs have nearly identical responsibilities for forensics related to the investigation of cybercrimes, and no criteria could be ascertained with regard to the allocation of work and tasks between these two institutions. Therefore, there is a high potential for jurisdictional conflicts, a factor that is prone to reducing the effectiveness of this particular area of cybersecurity safeguards. The Cybersecurity Law seems to add some clarity here, expressly assigning responsibility for cyber incidents carried out against CI to Ukraine’s Security Service. However, it remains unclear whether this distinction will be appropriately reflected in other relevant laws and regulations.
This lack of clear separation between the criminal justice measures and the national security measures creates another problem of limited public trust and lack of cooperation between criminal justice authorities and private sector entities, which are often reluctant to cooperate with the law enforcement bodies. Moreover, law enforcement powers, such as those addressed in the Budapest Convention on Cybercrime, are not clearly defined in the Ukrainian Criminal Procedure Law, and this adversely affects law enforcement service provider cooperation, confidentiality rights and sometimes the rule of law. Thus, public-private cooperation in cybercrime and electronic evidence has been hampered by, among other reasons, the absence of a coherent legal framework for exercising procedural powers available under the Budapest Convention on Cybercrime, as well as a divergent practice of application of already available investigative powers.
Finally, another problem is the under-financing of the relevant public institutions, which leads to a reduced attractiveness of these workplaces owing to low salaries; only a limited number of highly skilled cybersecurity and cyber defence professionals are employed in public sector institutions.
See question 4.
See question 4.
There are no specific rules for parties seeking private redress for unauthorised cyberactivity or failure to adequately protect systems and data. Private redress can be brought under existing civil, commercial and administrative laws.
Policies and procedures should include an information security risk assessment policy, segregation of IT roles, segregation of test and production environments, separation of project networks, change management, malicious code protection, patch management, an acceptable use policy, a mobile device usage policy, etc.
There are no specific requirements of Ukrainian law that effectively require organisations to keep records of cyberthreats or attacks. However, an obligation to retain certain records may apply, for example, to telecommunications operators; such data retention obligation is imposed by article 39 of the Law on Telecommunications. However, many commentators argue that this provision is vague, does not contain definitive requirements and safeguards and, as a result, is applied arbitrarily.
Detailed rules are yet to be developed.
Under the Cybersecurity Law, the reporting shall be made instantly, but the exact timeline for this has yet to be set by secondary legislation.
Detailed reporting obligations are yet to be developed.
We anticipate that the regulatory framework for cybersecurity will change in 2019. These expectations are based on the fact that the new Cybersecurity Law is a framework piece of legislation that needs to be backed by many implementing and secondary rules.
In connection with this, as a party to the Budapest Convention, Ukraine is working towards the Convention’s full implementation; a draft law defining the important terminology and clarifying the responsibilities of the service providers according to the Convention has been prepared and is currently being discussed by the stakeholders.