The National Cyber Security Index (‘NCSI’) 2020 placed Ukraine in 25th place among 160 countries worldwide. The key problems identified in Ukraine are weak protection of digital services and the absence of cyber crisis management[1]. The State Service of Special Communication and Information Protection in Ukraine (‘SSSCIP’) reported in 2020 that the previous year had seen the active launch of cybersecurity reform. One of the key goals for 2021 is the introduction of protection for critical infrastructure (‘CI’) and critical information infrastructure (‘CII’) through new standards and best practices, auditing their level of protection, continuous monitoring of cybersecurity through a sensor infrastructure, and 24/7 response to cyber incidents[2]. Ario Dehghani and Yuliia Brusko, from Sayenko Kharenko, provide a brief overview of recent legislative updates in the CI and CII areas, as well as of upcoming changes expected in 2021.
Despite its rather high ranking in the NCSI, the National Security and Defence Council of Ukraine (‘NSDC’) reported that, as of August 2020, there had been approximately 1 million cyberthreats, including network attacks, network scan attempts, web attack attempts, phishing, distributed denial-of-service (‘DDoS’) attacks, and malware distribution.
General regulation of CI objects and CII facilities
In October 2020, the Ukrainian Government (‘the Government’) adopted two key resolutions regulating CI objects[3] and CII facilities[4]. In order for an object to be classified as a CI object, it is assessed according to a methodology that summarises the following characteristics of the object:
The Government categorised CI objects into four criticality levels:
CI objects of all four levels are included in sectoral lists administered by the state authorities responsible for a particular sector (industry). Based on the sectoral lists, information about CI objects of criticality levels I and II is consolidated in the national list. Sectoral state authorities submit information about CI objects of criticality levels I and II once every two years, or more frequently if such information is amended. Neither the national nor the regional lists are publicly available, in the interests of national security.

Similar to the procedure established for CI objects, CII facilities are to be included in national and sectoral lists. Sectoral lists are maintained by the state authorities responsible for a particular sector. The national list is maintained by the SSSCIP and includes information only about CII facilities at CI objects of criticality levels I and II. Access to both the national and the sectoral lists is restricted. Information from the national list is thereafter included in the respective state register, access to which is also restricted and may be granted to external users only under conditions specified by law. Information infrastructure facilities are categorised as CII facilities if they fulfil all of the criteria below:
Operators of CI objects must keep information about their CII facilities up to date and submit amendments, where necessary, to the responsible state authorities.
Extended list of CI sectors
The vague description of CI sectors set out in Law of Ukraine No. 2163-VIII of 5 October 2017 on the Main Principles of Maintaining Cybersecurity (‘the Cybersecurity Law’) was clarified in the Government resolution of October 2020[5]. Each sector that may potentially contain CI objects is divided into subsectors. The resolution also designates the state authorities responsible for each subsector. The identified CI sectors and subsectors correspond to the CI sectors identified in the Proposal for a Directive of the European Parliament and of the Council on the resilience of critical entities (‘the Critical Infrastructure Act’). To a certain extent, the Ukrainian list of CI sectors is even wider than the one proposed in the EU.
Cyber incident response system
In December 2020, the Government, by resolution, established the procedure for the functioning of systems for detecting vulnerabilities and responding to cyber incidents and cyberattacks[6]. It is mainly aimed at establishing a system for responding to cyber incidents at state-owned CI objects. However, private companies operating objects subject to cybersecurity requirements may voluntarily apply to the SCC to be included in that system and to install active sensors (see below). The system consists of the following four elements, which ensure a timely response to cyberthreats and incidents:
Review of status of CII facilities
In November 2020, the Government adopted a procedure for reviewing the status of CII facilities[7]. The review is performed by an intergovernmental commission (‘the Commission’) under the general management of the SSSCIP. As a result of the review, the Commission prepares recommendations on improvements to the national cybersecurity system, taking into account actual and potential threats in cyberspace and the financial capabilities of the state. The results of the review are communicated to the state authorities responsible for the particular sectors in which the CII facilities are operated, as well as to the NSDC.
Banking system
In November 2020, the National Bank of Ukraine (‘NBU’) adopted a resolution[8] identifying the CII facilities in the banking system:
Banks have discretionary power to include other facilities in their CII facilities list, of which the NBU must be informed. The list is subject to annual review. Banks that are identified as CI objects have their CII facilities registered in the national register.
Expected developments in 2021
Cybersecurity strategy
In 2021, the NSDC approved the draft Cybersecurity Strategy for 2021-2025[9] (‘the Strategy’). The key role in ensuring implementation of the Strategy and interaction between the different stakeholders will be given to the National Cybersecurity Coordination Center. The key goals set out in the Strategy for the coming years are announced to be:
Among the strategic goals, the NSDC indicated covert checks of the readiness of CI objects, creating technological capabilities for automatic real-time detection of cyberattacks, the introduction of an audit system for CI objects, certification of products used for the cybersecurity of CII facilities, and regular assessment of the level of protection of CII facilities, etc. The Strategy must thereafter be adopted by the Ukrainian Parliament (‘the Parliament’).
Draft laws on CI objects
In 2020, it was announced that the law on CI objects was to be adopted by the end of 2020. However, this did not happen. Currently, two draft laws on CI objects have been submitted to the Parliament for consideration. The key issues raised in the draft laws cover the following areas:
Given that the cybersecurity of CII facilities is one of the main elements of the Strategy and of state security and defence as a whole, it is expected that this area will continue to develop rather rapidly. This is also the view of Ukraine's international partners, in particular the U.S., which provided Ukraine with $38 million in funding for the development of an effective cybersecurity system.