Nataliya Tkachuk is the secretary of the NCCC, the head of the information security service of the NSDC Apparatus of Ukraine.
Cybersecurity is rapidly developing in the world and is one of the most dynamic directions in the national security system. In Ukraine, we have a double dynamic , in that russia’s aggression against Ukraine revealed our hidden advantages and significant alliances. What are the foundations of Ukraine’s cyber security and what does it mean for our country in the future?
The first draft of the Cyber Security Strategy of Ukraine appeared in 2012 and was presented to our international partners at the NATO forum. But then there was no understanding from the state leadership that cyber security was something important and that it is a full-fledged independent component of national security. Unfortunately, this attitude in the state continued until the beginning of the war in 2014. War is a disaster, a serious evil, but there is a maxim: “What doesn’t kill us makes us stronger.” And the war made us stronger in terms of cyber security, the state leadership at the political level began to understand the importance of this area.
The first cyber attacks on the critical infrastructure of Ukraine took place together with the seizure of Crimea. The “Black Energy” virus attacked the energy facilities of Ukraine, in parallel with the military offensive in the east of our country. This is how the first full-fledged cyber war in the world unfolded before our eyes.
In 2016, the first Cyber Security Strategy of Ukraine was adopted, which laid down the model and the very essence of the national cyber security system. Crucially, the strategy defined the roles and the first outlines of the areas of responsibility between the main players and identified that we have six key players responsible for cyber security. In fact, this strategy initiated the creation of the National Coordination Center for Cyber Security at the National Security and Defence Council. The strategy distinguished the concepts of “cyber security”, “cyber protection” and “cyber defense”.
For our international partners, this terminological series is not very clear, because they define all three words as “cyber security”. In Ukraine, different bodies have different competencies: the Ministry of Defense and the General Staff of the Armed Forces are responsible for cyber defense. The State Service of Special Communications is responsible for the formation of policy requirements in the field of cyber protection. While cyber security is a particular condition that provides for the protection of the vital interests of a person and the state when using cyberspace. It is a broader concept that includes cyber intelligence, cyber defense, cyber security, and counterintelligence protection of state interests in the field of cyber security, and countermeasures cybercrime, that is, the functions of all the main subjects of its provision.
Then the Cyber Security Situation Center of the Security Service of Ukraine was created, the capacities of CERT-UA began to be developed, and the capabilities of the National Bank of Ukraine, which is a separate independent entity of the National Cyber Security System, were developed. With the support of the “Ukraine-NATO” trust fund and Yesiv Partners, they began to conduct cyber security training for specialists of state bodies, found funding to gradually purchase modern equipment and software, and began to build cooperation with the private sector. And today, when there is a full-scale war, Ukraine has proven that we have the highest level of cooperation and close interaction in public-private partnerships in the field of cyber security in terms of content, not form.
Our international partners highly appreciate the cyber capabilities of the Ukrainian cyber community. They noted how Ukraine was able to give a worthy rebuff to the aggressor in cyberspace and now we are teaching them and sharing our experience.
So, we have laid a serious foundation for the development of cyber security for the future and are advancing the creation of a new vision.
So, the first cyber security strategy in 2016 defined the circle of key players and their areas of responsibility. In 2017, the law on the basic principles of cyber security was adopted, and in 2021 there was the second strategy. What is the key difference between the strategy adopted in 2016 and 2021? How do you assess the leap between the conceptual levels of the two strategies and the implementation of solutions in practice?
The first strategy was fundamental. However, the process of planning and implementation of tasks was not efficient enough. Not all state bodies were included in the process and there was no funding for the implementation of tasks. When we began to study this problem more deeply, we saw that there should be a cycle of strategic planning.
We currently have about ten national security strategies, but most of them are disconnected from reality. Strategic level goals should be set within the framework of long-term strategic planning: cyber security strategy, information security strategy, economic security strategy and others. Each state body must understand the plans for the implementation of the strategies, and form the budget request that it submits. But our state bodies, which must implement the strategies, do not connect this with their budget planning, requests, and annual plans. Therefore, in the second strategy, we tried to change the structure so that the cyber sphere would become an example of correct strategic planning at the state level. For example, to ask for help from international partners now, the state body must know what resources it needs, for what purpose and what outcomes are expected.
Today, our country and the whole world are experiencing tectonic shifts, where what is needed is not progress, but a qualitative leap. What can it (this leap) consist of when building a 3.0 vision and strategy? What should Ukraine do?
We will analyze the problematic issues of implementing the 2021 Strategy. Strategy 2.0 has more than 90 practical tasks. There are specific threats and problematic factors. International partners, analysts and the private sector, experts and scientists were involved in the development of the strategy. In general, as a document, strategy 2.0 was considered a fairly good level. But the question is not only in the writing of the strategy but also in the qualitative understanding of the contextof the strategy. For a high-quality leap, we need leadership maturity and the ability to act in a fast-moving context, not the formal execution of tasks. And this requires a completely different type of thinking.
What is the role of the National Cyber Security Coordination Center? In what do you see the purpose and what can be improved in relations with the external and internal environment?
Coordination is the backbone of any national cyber security system. These are legislation, organizational and technical capabilities, human resources, and interaction with international partners and the private sector. If there is no coordination, it leads to duplication of functions, inefficient cooperation and the exacerbation of unhealthy competition.
So coordination is needed to see the big picture. First, we can direct everyone together to solve a specific problem and minimize the use of resources. Secondly, the role of the NCCC: is coordination and control. This is a platform where you can solve any problematic issues. For example, the NCCC recently approved the procedure for a joint response to cyber attacks. This document has had a positive impact on the incident response at the national level.
The NCCC is a working body of the NSDC. We participate in the preparation of all decisions of the National Security and Defence Council on cyber security issues. As an example, a draft decision on the creation of cyber troops was developed on our platform.
The world is interconnected. Cyberspace has national characteristics, but there are no borders. In what areas is there potential for interaction with the external and internal environment that has not yet been realized ?
My personal opinion is that we have a problem in the international law that governs cyber attacks. There is international humanitarian law, the law of war, which defines what constitutes a war crime. We know that according to this right, weapons cannot be used against civilian objects during a war. If you do that, it’s a war crime. But, for example, when Ukrainians are asked “Are you attacking the russian federation, or are you conducting cyberattacks?”, we understand that, according to the interpretations of international law, we are being asked whether Ukraine is conducting cyberattacks on civilian objects. After all, this can be interpreted as a war crime.
But what is the difference between kinetic weapons and cyber weapons? What are kinetic weapons aimed at? They destroy physical objects and harm life forces, they are aimed at killing and destruction. From the point of view of international law, it is unacceptable to direct rockets at a power plant, radio broadcasting masts, shops , and internet providers, because these are civilian objects and there are civilians present . Although the russian federation does not interfere …
As for cyber weapons, they do not destroy physical infrastructure and do not kill people. Consider the example of an attack on a media company that broadcasts fake russian content. As a result of this attack, the page will be defaced so that russians can see the truth about what is happening in Ukraine. According to the modern interpretation of international humanitarian law, this can be considered as a war crime, because it is an attack on a civilian object. But I do not agree with this, because we cannot compare the consequences of kinetic weapons and cyber weapons.
The first world cyber war, which is currently taking place in Ukraine, must be analyzed so that we can correctly interpret international law. Therefore, we will send a representative of Ukraine to the United Center of Advanced Technologies for Cyber Defense in NATO. So that a Ukrainian can participate in shaping the interpretation of international law.
The time has come to open a debate in the international arena regarding the correct application of international law to cyber warfare. And Ukraine should become a leader of opinions.
We have internal interaction with critical infrastructure objects – for example, critical infrastructure of the private sector and the field of energy. In particular, one of the decisions of the NCCC envisages the construction of a cyber security situational center specifically in the field of energy. This includes representatives of the private sector.
The second direction is education. The NCCC organizes training programs on cyber security as a component of national security. We also involve the private sector as a cooperation partner to achieve a more mature level of national security.
Is it possible to learn cyber attack techniques while working with cyber security tools? What is the present state of learning and is there potential for development?
Ukraine should develop not only its kinetic weapons but also develop cyber weapons. This is software that allows you to take active actions in cyberspace. At the same time, we remember the relevant legal framework. Therefore, in August of last year, we raised the issue of creating cyber troops. And it is not just adding a line to the law “On the Armed Forces of Ukraine” that creates a separate type of military. This is about providing appropriate powers: creating cyber weapons, conducting a cyber offensive in the interests of defense, involving private sector specialists, etc.
What set of strategic decisions does Ukraine need to make today in cyberspace to win the war?
It is necessary to start with human capital, the political awareness of managers, their responsibilities , legislative frameworks, technical solutions, development of own capabilities and public-private partnerships. But I know from my own experience that the key issue is personnel. This problem exists not only for our country but also for the whole world.
We have to find a solution, how to interest professionals in working in the public sector. We tried to implement this idea by creating a cyber reserve. So that all young men and women can go to school if they wish. They become reservists but work in the private sector. And if necessary, the state can mobilize them, and not only in the interests of the Armed Forces but in the interests of all subjects of the security and defense system of our state. Such an idea could solve the issue of “personnel starvation” in the national cyber security system of our country.
And how can it be done?
The decision must be made by the Ministry of Defense of Ukraine because the creation of legal norms depends on them.
You mentioned that managers in the public sector are changing, and people are coming in with different visions, experiences and attitudes to the future of the country. What opportunities does this open up for a cybersecurity system?
The nation’s cybersecurity system now has many young, change-seeking leaders who are educated, smart, and proactive. They are not afraid of new approaches, not afraid to make mistakes, and not afraid to take responsibility. The worst thing for a manager is the fear of doing something differently, in a new way, because of the fear of making a mistake, but if you are afraid of not taking responsibility when you make management decisions, then you have chosen the wrong path.
Senator business center, 32/2, Dukes of Ostrozhsky, Kyiv+38 (050) 428 44 68 (Ukraine), +1 (786) 755 8398 (USA)
© 2023 GLOBAL CYBER COOPERATIVE CENTER (GC3). All rights reserved