Let us know what type of content you'd like to see more of. Fill out our three question survey.
Cybersecurity Lessons from Ukraine
Aug 1, 2019
Read this blog in Ukrainian.
When you walk into a room full of government officials, civil society organizations, and private companies discussing cybersecurity, you expect to hear disagreement. The exact opposite happened during the recent DAI-SocialBoost Cybersecurity Roundtable and Workshop in Kyiv, Ukraine.
The event started with a panel discussion with representatives from a myriad of government institutions working to address Ukraine’s cybersecurity challenges. Representatives came from the Ministry of Energy, the Pension Fund of Ukraine, State Service of Special Communications and Information Protection of Ukraine, the Presidential Administration, Ministry of Infrastructure, and National Information Systems. Joining them were representatives from the company Information Systems Security Partners (ISSP) and the law firm Sayenko Kharenko.
The panelists focused primarily on the general state of cybersecurity in Ukraine and the challenges cybersecurity poses to critical infrastructure sectors.
Panelists discuss cybersecurity issues. Photo: SocialBoost.
Protecting critical infrastructure from cyberattacks is a major focus in Ukraine and around the world. But what is critical infrastructure? According to the U.K. Government, it is the “facilities, systems, sites, information, people, networks, and processes necessary for a country to function and upon which daily life depends.” These include sectors such as:
- Emergency services
- Energy
- Government
- Health
- Finance
- Food
- Transportation
- Water
Running, maintaining, and staffing each of these sectors are people, who are at the heart of efforts to improve cybersecurity. Both the government officials and private sector representatives agreed that the best way to strengthen Ukraine’s cyber resilience is to upgrade the population’s digital skills. By making more people aware of cyber threats and teaching them how to mitigate these threats, the hope is that fewer successful cyberattacks will take place.
Teaching Cyber Hygiene
Following the panel, we led a “cyber hygiene” workshop for civil servants and entrepreneurs to bridge the human capital gap identified by the panelists earlier in the day.
We started with the basics—teaching practices that most people already know, but rarely employ. One example of good cyber hygiene is the use of strong passwords and changing them often. Passwords are foundational to accessing nearly all digital tools and services. They also serve as one of the weakest points in a network.
A workshop participant thinks through which download buttons are fake and which are real. Photo: SocialBoost.
Though widely known, it was no surprise that few people or companies employ good password management. The workshop participants were no different. They all had personal experience with their data getting stolen or misused, even though they know password management is essential to protecting information. Of the participants who did employ good password management, it was only because they were required to by an employer.
In addition to the importance of passwords, we also addressed other important cyber hygiene skills. For instance, the pros and cons of using virtual private networks (VPN), how to identify fake download buttons, and which considerations to take into account when designing a data collection tool. In Ukraine, understanding the pros and cons of VPNs is particularly important. Following former President Proshenko’s decision to ban the country’s most popular email service and social media networks, as part of sanctioning Russia for its annexation of Crimea, many Ukrainians started using VPNs to visit these Russian-owned sites. What many overlooked though was who owned these VPNs, meaning that they didn’t know who might be collecting or monitoring their data.
Key Takeaways and Opportunities
Throughout all the activities and discussions two things became clear:
-
People are the backbone of a country. If they are not empowered or offered the right resources to learn and employ cyber best practices, Ukraine’s cyber resilience will be limited.
-
Strengthening people’s skills is only half of the equation. To change behavior, cyber hygiene processes need to be integrated into the day-to-day habits of people’s lives. In a professional setting, this will require support from the highest levels.
Workshop participants receive certificates of completion. Photo: SocialBoost.
As demonstrated by the panelists and the workshop participants, there is an appetite for change—the kind of change that empowers the Ukrainian people to employ cyber best practices to protect their personal data, but also critical government systems. The challenge, for Ukraine, will be allocating the right resources and coordinating with the right partners to move this agenda forward. Keeping a keen eye on how the cyber landscape evolves will also be important and ensure that as foundational cyber hygiene skills are strengthened, new skills are also being acquired to consistently keep the ecosystem more secure. As one of the panelists surmised, accepting that “cybersecurity is a process, not a product,” is the first step in the right direction.