Nadiya Kostyuk is a doctoral candidate in Political Science and Public Policy at the University of Michigan. you can follow her @NadiyaKostyuk.
“When NATO encounters various cyber [organizations] in Ukraine, they only observe how these [organizations] fight against each other and blame each other for failures. This is how a Ukrainian expert was described to me in 2015 his government’s inability to coordinate among itself and with other private sectors to improve the country’s cybersecurity. It was a recurring theme that year when I conducted interviews around the country.
Last month I returned to Ukraine and heard the same thing again. Why has this problem persisted, despite a dramatic change in the country’s cyber threat landscape over the past three years? The country suffered two power cuts in 2015 and 2016 and was plagued by NotPetya ransomware attack Last year. If these important incidents cannot motivate state agencies to work together, what can?
In 2015, the Ukrainian government was just beginning to develop a common cybersecurity lexicon. The main priority for Kiev was to repel a Russian invasion in the east, not to protect the country from online threats. Intergovernmental cooperation was not considered important. For example, the government has applied a traditional external-internal divide to cybersecurity issues – the Home Office, which focuses on tackling cybercrime within the country, did not feel the need to work with the Security Service of Ukraine (SBU) whose priorities are external to it.
The past three years have seen two significant changes on Ukraine’s cyber capability front. First, the state has strengthened its IT apparatus by adding new responsibilities to existing organizations and creating new cybersecurity units. For example, the Minister of Defense became responsible for “Repel military attacks in cyberspace” and developed a new cyber unit with the help of NATO. Even the central bank has become an important player in the cybersecurity landscape, responsible for “establish[ing] cyber protection requirements for critical information infrastructures in banking. Second, Kiev changed its perception of cybersecurity issues and began to approach them in a multidisciplinary way. For example, the work of the SBU began to bridge the blurred gap between external and internal and now works with the national police. to fight cybercrime, in addition to its traditional role of counterintelligence.
However, these changes are not necessarily correlated with improved state efficiency. Konstiantyn Korsun, director of Berezha security, told me that the state of Ukrainian interagency cooperation looks like a Ukrainian fable from 1814 in which three heroes are unable to move a loaded cart because each is pulling it in different directions. Likewise, in Ukraine, each cybersecurity agency “tries to grab whatever it can and pull it in its own direction”, and, therefore, using the words of the fable, “their trades fail and trouble is the only fruit of their labor.”
Instead, Korsun recommends having an agency responsible for coordinating cybersecurity efforts across the country. This agency should carve out the lion’s share of public cybersecurity funds, which it can distribute to relevant agencies as needed, and should be responsible for the successes and failures of the entire state cybersecurity system.
Such an agency actually exists in Ukraine. In 2016, the country set up its National Cyber ââSecurity Center (CCN) within the National Security and Defense Council. The multi-agency representation of the center – the Chief of the General Staff of the Armed Forces, the head of the SBU, the Minister of the Interior and the head of the Defense Intelligence Directorate sit on its board of directors – seemed to be the first step to success. But it is difficult to assess the centre’s progress so far due to the lack of publicly available information on its progress, as the NCC primarily deals with national security issues. Charged with a plethora of responsibilities, including assessing the country’s cybersecurity, identifying and detecting threats and developing policies, the NCC is seen as the entity that “diligently assigns[s] responsibilities to others â(ârazvodiashchiyâ) According to Victor Zhora who runs a Ukrainian cybersecurity company, but not as the main anchor point for all cybersecurity efforts in the country.
Secrecy aside, will the NCC, in fact, be able to effectively juggle the different and sometimes competing priorities of various agencies? Will he be able to stop bureaucratic struggles over budgets, get rid of redundant efforts, and take full responsibility for the country’s cybersecurity failures and successes?
These important questions are not unique to Ukraine, as more and more countries are building their cybersecurity devices. Countries are in the process of identifying the best approaches to regulate digital security. This is accomplished by learning from their own mistakes or those of their peers. At this time, it’s unclear whether the NCC can make the state’s cybersecurity efforts more effective and efficient, but time will tell. Zhora sees the NCC playing a symbolic role until the state better educates parliamentarians on cybersecurity, as only they can implement the cybersecurity laws and regulations the country desperately needs. Until then, the NCC will remain a razvodiashchiy agency, not Ukraine’s cybersecurity anchor.