Ukraine Cybersecurity Posture and Known Vulnerabilities Russia Could Exploit

Written by Bradley Fowler, MA, MS, MPP, MMIS

Vulnerabilities in the computer information systems of Ukraine’s public and private sectors face potential exploitation. The culprit allegedly seeking to exploit those systems is Russia. Intelligence collected by journalists investigating Ukraine’s computer information systems and their known vulnerabilities raises increased concern about national security. Ms. Natalia Spînu authored the Ukraine Cybersecurity Governance Assessment in 2020, sharing details about the weaknesses in the Ukrainian public sector’s cybersecurity posture. This research therefore shares details compiled from that assessment, publicly shared in 2020, and assesses threats facing Ukraine’s cybersecurity infrastructure that should be mitigated to safeguard the country from public embarrassment and possible economic instability.

The Ukraine Cybersecurity Governance Assessment published in 2020 shared details that many cybersecurity experts may question. First, Ms. Spînu explains that threats to Ukraine’s cybersecurity, according to the National Cybersecurity Strategy, are determined by factors that include: “dissimilarity of national electronic communications infrastructure, the development and protection level to modern requirements as well as insufficient degree of protection of critical infrastructure, public electronic information resources and information. Additionally, unsystematic cyber protection measures of critical infrastructure are ignored and ineffective activities of the security and defence sector of Ukraine in combating cyber-threats of military, criminal, terrorist and other natures, and inadequate level of coordination, corporation and information exchange among the cybersecurity entities” (Spînu, 2020, p. 4). Ms. Spînu also shares three categories by which Ukraine attempts to classify cybersecurity threats: threats to Ukraine’s cyber resilience, cyber-crimes aimed at private sector entities, and threats targeting cyber defence by terrorists, organizations, or hackers.

In addition, Ms. Spînu conveys that Ukraine needs proper regulatory governance for public-private sector partnership and communication on critical infrastructure protection, and desperately requires a legal framework setting out mutual obligations for the public-private exchange of information about critical infrastructure protection. Ms. Spînu explains that there is a lack of cyber crisis management, as well as of cyber crisis management planning. She believes Ukraine’s government needs to establish a comprehensive crisis plan that focuses on large-scale cyber incidents. Her recommendation is that Ukraine’s government enact legislation that will deploy effective measures to address these concerns. Furthermore, Ms. Spînu explains that to improve weakened military capability to thwart cyberattacks, Ukraine needs to focus more on improving the skills and good practices “in the service of national strategy threats and needs” (Spînu, 2020, p. 5). Unfortunately, Ms. Spînu confesses that Ukraine severely lacks efficient educational and research institutions that specialize in cybersecurity, and admits that these are not issues Ukraine alone faces; other nation states face them too (Spînu, 2020).

Then, Ms. Spînu points out that the main authorities managing Ukraine’s cybersecurity defence strategies include the Ministry of Defence, State Service of Special Communications and Information Protection, Security Service, National Police, National Bank, intelligence agencies, and the government within the State Centre of Cyber Defence. Next, Ms. Spînu expresses that Ukraine lacks a nationwide strategic approach that encompasses management, protection, and security of the whole cybersecurity infrastructure system (Spînu, 2020). She points out that Ukraine does not have a mitigation strategy that deters potential crises that can impact Ukraine’s cybersecurity infrastructure.

Last, Ms. Spînu shares concerns Ukraine has regarding its critical cybersecurity infrastructure, including increased development, enactment, and management of the legal framework governing that infrastructure. Most importantly, she explains that “as for the spectrum of ‘Critical Infrastructure’ threats existing in Ukraine, their nature is shaped by the security environment currently faced by the country. Hostilities as part of the Anti-Terrorist Operation in the Donbas Region, featuring high level of wear of capital assets and serious problems with environmental and anthropogenic safety, rapidly increases the level of threat of accidents at high hazard assets such as coal mines, power sector facilities, chemical factories and steelworks, as well as in the utility networks - whether as the result of incidental damage, loss of process control, or as a consequence of terrorist acts of sabotage” (Spînu, 2020, p. 10).

What Ms. Spînu neglected to comprehend when she authored the Ukraine Cybersecurity Governance Assessment in 2020 was that she exposed the weaknesses Ukraine faced at that time in its cybersecurity posture. She also failed to prevent Ukraine from being a target of cyberattacks against both public and private entities, because she exposed Ukraine’s vulnerabilities and its lack of the education and skills needed to effectively safeguard the country from victimization by external attack forces. Sadly, when cybersecurity infrastructure and policy are developed in the many countries that lack a qualified, educated workforce to manage and govern software, hardware, computer devices, networks, information systems, cloud environments, geospatial, robotics, artificial intelligence, and Internet of Things, those countries make their known information system vulnerabilities a target of exploitation by skillful and knowledgeable subject matter experts, who operate either in alignment with government support or independently. Either way, sharing sensitive details about known system vulnerabilities carries potential risk.

Thus, it is recommended that Ukraine utilize its partnership with NATO to increase its cybersecurity resilience and deterrence methodologies and to increase knowledge sharing between the public and private sectors. Building stronger global alliances is crucial to managing an effective cybersecurity infrastructure and recruiting quality cybersecurity practitioners. Otherwise, Ukraine and other countries alike will continue to be targeted by subject matter experts who exploit weak information systems. So, while Russia may be the culprit that is allegedly responsible for cyber-attacks deployed towards Ukraine, Ukraine may very well be victimized by anyone, located anywhere in the world, who knows its information system vulnerabilities.

Reference

Spînu, N. (2020). Ukraine Cybersecurity Governance Assessment. Retrieved from: https://www.dcaf.ch/sites/default/files/publications/documents/UkraineCybersecurityGovernanceAssessment.pdf