The Verkhovna Rada of Ukraine is considering a draft Law of Ukraine on Amendments to Certain Laws of Ukraine regarding urgent measures to strengthen the capabilities for cyber protection of state information resources and critical information infrastructure facilities (No. 8087).
On January 12, 2023, it was accepted as a basis.
The bill provides for amendments to a number of laws of Ukraine, in particular in terms of expanding the powers of the State Service for Special Communications and Information Protection of Ukraine (hereinafter referred to as the State Service for Special Communications), the functioning of the national system for the exchange of information on cybersecurity incidents and cyber attacks, and the implementation of state control over the state of technical protection of information and cyber protection.
In the spring, the deputy head of this department for digital development, digital transformations and digitalization, Viktor Zhora, in an interview with Interfax-Ukraine insisted that the innovation allows “to implement and form requirements for critical information infrastructure objects, to audit the security of these objects, to receive confirmation as to how the requirements have been implemented.”
Zhora complained that managers often ignore the order of the State Service for Special Communications and do not inform the service about incidents or even hide them. The bill introduces the position of an officer (head) for cyber defense at facilities and organizations. The State Special Communications Service will cooperate with him.
This bill was written on the basis of the decisions approved at the meeting of the National Security and Defense Council after the attack on January 14, 2022. However, not everyone in Ukraine is satisfied with the norms that will regulate cyberspace, and some complain about a return to the draconian laws of “January 16”.
The State Special Communications Service is given unprecedented access to the information systems of companies and organizations. In fact, this removes the restriction of access to servers, equipment and information, creates an opportunity for corruption and concentrates all powers in the State Special Communications Service.
Among the departments that pointed out to legislators the need to finalize the bill are the NAPC and the Ministry of Defense.
NAPC claims
The chairman of the National Agency for the Prevention of Corruption, Alexander Novikov, who signed the examination of draft law No. 8087, notes that it contains corruption factors and requires significant improvement.
In particular, the conclusion of the NAPC refers to the following corruption factors:
- expansion of discretionary powers of the State Service for Special Communications and Information Protection (hereinafter – SSII) in the exercise of state control in the areas of technical protection of information and cyber protection;
- establishing a non-transparent way of authorization, granting permission for testing and access to information, electronic communication and information and communication systems, critical information infrastructure to participants in state control in the fields of technical information security and cyber defense;
- unjustified delegation of powers to the SSII to establish functions, powers, general requirements for cyber defense units and their employees, general requirements for cyber defense officers, as well as responsible persons performing the tasks and functions of a cyber defense officer.
The NAPC separately dwelled, for example, on the fact that Art. 26 of the draft law does not define the method of granting permission for testing and access to information, electronic communication and information and communication systems, critical information infrastructure, as well as the method of their authorization by the chairman or deputy chairman of the SSII.
In addition, it is not clear which persons, other than employees of the main subjects of ensuring cybersecurity in Ukraine, are authorized to directly carry out special events.
The applied wording “employees of the main subjects of the national cybersecurity system of Ukraine” is not clear, because such representatives can be both officials of the subjects of the national cybersecurity system of Ukraine and any persons whom the subject of the national cybersecurity system of Ukraine delegated to participate in the control event, the conclusion of the NAPC says.
Among the recommendations of the NAPC: to determine the method of authorization, granting permission for testing and access to information, electronic communication and information and communication systems, critical information infrastructure to employees of the main subjects of ensuring cybersecurity in Ukraine.
Ministry of Defense remarks
In April 2023, Vitaliy Deinega, Deputy Minister of Defense of Ukraine for Digital Development, Digital Transformation and Digitization, sent a letter to the leadership of the Council and the relevant security committee with comments from the Ministry of Defense.
They concern both individual provisions and the whole approach laid down in the draft law.
Deinega’s letter states that the draft law introduces the institution of an industry authorized body for authorization, but such a body will not have any authority to establish the procedure for conducting authorization and its features, and in fact will only implement such a procedure.
In fact, the authorized body for authorization will depend on the provisions of the regulatory acts of the State Service for Special Communications.
The Ministry of Defense also noted that the legislator has established requirements for suppliers of goods, works, services that ensure the functioning of information and communication systems, as well as the procedure for determining the risk level by customers and operators of critical infrastructure and information security measures corresponding to the risk level.
These norms cause significant risks, since they may entail interference in the economic activities of suppliers of goods and works, the letter of the Deputy Minister of Defense says.
Another risk is related to the combination of standardization and control functions in one body. This directly contradicts one of the EU directives and international experience, which suggest the distribution of such functions.
In total, the letter of the Ministry of Defense contains several dozen norms and requirements of the bill, which, according to the department, need to be modified or taken into account.
Complex attack on the media?
Total state control over the media in Ukraine is not a horror movie of the distant future.
We are talking about greater or lesser control over information that can be obtained on the Internet, exercised by blocking “objectionable” resources by decision of officials whose names are unknown to anyone and who are accountable only to the vertical of power.
At the end of January 2023, the National Center for Operational and Technical Network Management (NCOTUM) under the State Service for Special Communications and Information Protection issued Decree No. 67/850 “On the Implementation of a Phishing Domain Filtering System”. According to this document, until March 2, 2023, Ukrainian Internet providers had to install a system for blocking access to web resources, which would automatically upload a list of sites for automatic blocking to the provider’s server every 15 minutes.
It was assumed that this list would be posted on a separate resource administered by CSIRT-NBU (read: which adds the sites that should be blocked), a special structure of the National Bank at the NBU Cyber Defense Center. And the National Security and Defense Council will be the owner of the entire system of blocking unwanted resources. It should be recalled that the publicly declared goal of creating this system was precisely to counteract phishing. But why such a distribution of powers is needed, and what relation the National Security and Defense Council has to the banking system, the Order did not explain.
The document also lacks algorithms for appealing against a decision to refuse to exclude a site from the list for blocking – this entirely depends on the opinion of the CSIRT-NBU, in fact, a group of people blocking access to an Internet resource at their own discretion.
Experts also note the collection of user data. In a comment to Bukvam, InAU Executive Director Vladimir Kukovsky said that after registering an operator in the filtration system, it will automatically receive information about the user who tried to go to a resource blocked by the system. This data may include, in particular, the IP address and data about the client device: browser used, operating system, etc. The list is not exhaustive, and the content of the Regulations that regulate the operation of the system allows the collection of other information, as well as its transfer to other state bodies.
Due to the resistance of some market participants and specialized organizations in March, the launch of such a system was postponed indefinitely, and at the time of publication of the news, Letters did not receive a response to a request about the status of implementation of new products.
The cyber community has prepared proposals that will avoid security risks, user data collection and illegal blocking of resources that are not phishing. But Vladimir Kukovsky assumes that the filtration system has already partially started working, since some operators have voluntarily registered as its participants. The National Security and Defense Council is in no hurry to communicate with the market and relevant organizations.
Another danger lies in bill No. 9250. It actually legalizes the already created and partially launched filtering system.
The Law “On Amendments to the Law of Ukraine ‘On Electronic Communications’ (to combat phishing)” introduces a legislative definition of the concept of “phishing”. We are talking about “illegal actions on the Internet, the consequence of which is or may be the extortion of personal data and other data of subscribers, including details of payment cards and passwords, identification numbers, bank account numbers, etc.”
That is, a new type of misconduct is introduced. At the same time, the draft law does not provide for supplementing the legislation regulating civil relations, the Code of Ukraine on Administrative Offenses (or the introduction of administrative liability by the law itself, the CUAO allows this) or the Criminal Code of Ukraine with norms that determine the scope of responsibility for this type of misconduct.
“Letters” also writes that bill No. 9250 proposes to fight theft by confiscating stolen property for state revenue, rather than punishing thieves. To continue this analogy, it allows any property to be confiscated from you today, because theoretically criminals can steal it from you tomorrow.
Source: Racurs

I am David Wyatt, a professional writer and journalist for Buna Times. I specialize in the world section of news coverage, where I bring to light stories and issues that affect us globally. As a graduate of Journalism, I have always had the passion to spread knowledge through writing.