New Cybersecurity Strategy: How Will Ukraine Defend Itself in Cyberspace?

On 1 February, President of Ukraine Volodymyr Zelensky signed a decree to enact the decision of the National Security and Defence Council on the “Action Plan of the Cybersecurity Strategy of Ukraine,” endorsed in August 2021. This is the second document of its kind, and its importance in times of impending Russian aggression can hardly be overestimated. This article explains how the new strategy differs from the previous one, what its goals are, and how it relates to the EU’s digital decade strategy.

Having learned the lesson

Ukraine’s first Cybersecurity Strategy was endorsed in 2016. The document contained several gaps that affected the efficient implementation of goals, the progress of which was only 40%. First, it did not sufficiently outline public policy priorities in the cybersector. Second, the focus was on the activities of security and defence bodies, not offering models of public-private cooperation and covering the issues of involvement of academia and the public in the least. Third, no system of strategy performance indicators was developed to assess the state of cybersecurity.

However, it should be noted that a number of positive changes in the development of Ukraine’s cybersecurity system happened over that period:

1. In 2017, the Law of Ukraine “On Basic Principles of Cybersecurity of Ukraine” was adopted which, among other things, defined the powers of government agencies, enterprises, and individuals in the sector
2. In 2020, the Resolution of the Cabinet of Ministers of Ukraine No. 943 approved the procedure for compiling a list of critical information infrastructure facilities, but the relevant list was never formed
3. Specialised units were set up in a number of structures, including the National Bank, the Ministry of Infrastructure, the State Service of Special Communications and Information Protection of Ukraine, and the Security Service of Ukraine, as well as the working body of the National Security and Defence Council – the National Coordination Center for Cybersecurity – aiming to coordinate the activities of various actors in the public cybersector
4. Branch-wise partnership at the international level was established, including a cyberdialogue with the United States.

The 2021 strategy identifies three priorities: safe cyberspace, protection of citizens’ rights in the digital space, and European and Euro-Atlantic integration, and sets out important goals, such as:

1. Creating efficient cyberdefence. To this end, a cyber army is planned to be created within the Ministry of Defence in the first half of 2023.
2. Countering intelligence and subversive activities and cyberterrorism
3. Combating cybercrime by completing the implementation of the provisions of the Convention on Cybercrime into Ukrainian legislation and involving relevant U.S. practices
4. Developing asymmetric containment tools
5. Ensuring national cyberpreparedness and reliable cyberdefence (the document pledges to create a national incident management system)
6. Ensuring professional improvement, cyberliterate society, and scientific and technical support for cybersecurity
7. Providing safe digital services
8. Strengthening the coordination system
9. Forming a new model of relations in the area of cybersecurity, where the state will act as a partner
10. Ensuring pragmatic international cooperation

The correction of mistakes of the previous document is evidenced by the Strategy’s Action Plan, which clearly defines the deadlines and institutions responsible for achieving each of the goals. For example, the development of a system of cybersecurity indicators is scheduled for the second half of 2022. And the involvement of academia in the development of safe and promising cyberspace is evidenced, for example, by authorising the National Institute for Strategic Studies to conduct annual sociological research on cyberthreats to the population.

Cybersecurity Strategy of Ukraine and Cybersecurity Strategy of Georgia‘s Ministry of Defence: the same path to a common goal?

Russia’s hybrid war against Ukraine, which since 2014 has been actively accompanied by cyberattacks on government websites and even on critical infrastructure facilities (attacks on Prykarpattyaoblenergo, electricity provider in western Ukraine), is not the first test of the Kremlin’s method of hybrid aggression. In August 2008, ahead of the hot phase of the Kremlin’s war against Georgia, Russian hackers targeted government websites and the media, denying service, and later carrying out DoS attacks on private entities.

Another similarity is that Georgia, like Ukraine, is part of the Associated Trio, which is also focused on bringing domestic legislation in line with the European Union norms. Therefore, it is interesting to compare the strategic cybersecurity documents of both countries.

The Cybersecurity Strategy of the Ministry of Defence of Georgia is designed for 2021-2024 (Ukraine’s Strategy – for 2021-2025) and stipulates only three goals:

1. Developing human capital. The Ministry of Defence’s analysis of cyberincidents identified the human factor as one of the most vulnerable elements in the country’s cybersecurity. That is, the first goal is focused on the improvement of skills of cyberspecialists through participation in relevant educational projects.
2. Institutionalising processes and increasing management efficiency. Optimisation of the administration through a risk-based planning approach is envisaged as the Defence Ministry specialists defined the fragmentation of planning as a reason for the low efficiency of the goal implementation.
3. Ensuring technological resilience by stepping up cybercapabilities through a high level of technical support

Three levels of cooperation were identified as means of achieving strategic goals, which, in particular, will contribute to “approaching Western standards.” They are: interagency, national, and international. Regarding national cooperation, the document describes the need for cooperation between specialised government agencies, such as the National Security Council, the Cybersecurity Bureau at the Ministry of Defence, the Cybercrime Department of the Ministry of Internal Affairs, etc. The involvement of business, academia, and the public is outlined in just one sentence. The international level of cooperation envisages a partnership with NATO and the EU to involve cyberspecialists in programs, workshops, and training sessions to help bring the ministry’s guidelines in line with Western standards. It is noteworthy that the Georgian strategy does not identify sources of threats, unlike the Ukrainian case, in which the Russian Federation is recognised as such.

However, both strategies call for bringing domestic cyberpolicies in line with EU standards. Ukraine’s Strategy stipulates that “the provisions of the EU’s Cybersecurity Strategy for the Digital Decade, cybersecurity strategies of individual EU member states and NATO member states are taken into account.” However, the document does not contain a list or a separate annex of provisions that will be taken into account, except for one of the items of the Implementation Plan that provides for the implementation of the Directive of the European Parliament and Directive of the Council of EU 2016/1148 of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union as an element of Ukraine’s European integration. At the same time, the Georgian version does not have a clear definition of standards in focus.

Conclusion

Given the number of gaps in the 2016 Cybersecurity Strategy and only 40% of the goals achieved, the 2021 strategy sought to address all the shortcomings of the previous one. For example, the Strategy’s Implementation Plan defines the deadlines, as well as the institutions responsible for achieving each of the goals. Ukrainian and European relevant documents identify three priority areas of work. For Ukraine, these are safe cyberspace, protection of citizens’ rights in cyberspace, and European and Euro-Atlantic integration. Both Kyiv and Tbilisi have experienced Russian hybrid aggression. The new Cybersecurity Strategy of Ukraine took into account this factor, so the document is more detailed and broader than the Cybersecurity Strategy of the Ministry of Defence of Georgia. Ukraine’s Cybersecurity also resonates with the EU’s Cybersecurity Strategy for the Digital Decade. We have a common goal, namely to ensure safe global and open cyberspace. However, despite all the positives, as well as seemingly attempts to take into account all previous mistakes, it is worth remembering that even a good strategy is not the key to success without proper implementation.

Anastasiia Hatsenko and Bohdana Sadomska, Information and Cybersecurity Experts at ADASTRA think tank