Three cards up the sleeve:

What cy­berthreats Ukraine is likely to face in 2019 elec­tions, and what it is do­ing to pre­vent them

The Ukrainian Week - - CONTENTS - Yuriy La­payev

Po­ten­tial cy­ber threats in 2019 elec­tions and ef­forts to counter them

Rus­sia’s likely in­ter­fer­ence in elec­tions in Ukraine can de­velop in three vec­tors. One is the tra­di­tional tech­nol­ogy with hand­outs and bribes for vot­ers, carousel vot­ing and other ways to af­fect the re­sults. They are not purely Rus­sian meth­ods. All elec­tions in Ukraine have shown plenty of do­mes­tic ex­perts in this il­le­gal cause. The sorry state of Ukraine’s econ­omy pushes peo­ple to ac­cept this ma­nip­u­la­tion in pur­suit of ex­tra in­come.

The sec­ond vec­tor in­cludes at­tempts to in­flu­ence peo­ple through in­for­ma­tion. It is nor­mal to look for can­di­dates’ skele­tons in the closet in ev­ery elec­tion. There is hardly a vote with­out scan­dals and sen­sa­tional rev­e­la­tions any­where in the world. How­ever, the lat­est cam­paign in the U.S. showed how im­por­tant it is to dif­fer­en­ti­ate be­tween hunts for com­pro­mis­ing in­for­ma­tion and de­ter­mined in­ter­fer­ence to dam­age one po­lit­i­cal force or can­di­date and ben­e­fit an­other. The chan­nels for this com­mu­ni­ca­tion are se­lected based on the fea­tures of the tar­get groups: for some, a free news­pa­per dis­trib­uted at a metro sta­tion is enough; oth­ers pre­fer Face­book posts, while some have to be bom­barded with end­less po­lit­i­cal talk shows on TV. In­for­ma­tion varies, too, from sim­ple slo­gans “for all things good and against all things bad” or cheap ma­nip­u­la­tions com­par­ing life in the past to that in the present, to more ex­quis­ite ones with hand-picked ex­perts that look like they pro­vide ob­jec­tive and un­bi­ased statis­tics, which then proves to have lit­tle in com­mon with re­li­able sources or re­al­ity.

Ar­ti­fi­cial ide­o­log­i­cal po­lar­iza­tion into home­boys and strangers is an­other pop­u­lar ap­proach. It is used by every­one, from pop­ulists to more rea­son­able politi­cians. It al­ways leads to a sim­i­lar re­sult: de­liv­ered through the right chan­nels and in the right words, this in­for­ma­tion helps change the vot­ers’ pref­er­ences – some­times to a com­plete op­po­site. Ma­nip­u­la­tors will es­pe­cially fo­cus on those Ukraini­ans that have not yet made their choice (see p. 18). This is eas­ier than try­ing to per­suade peo­ple with a shaped mind­set. The au­thor­i­ties will do lit­tle to stop such ac­tiv­i­ties on the part of mass me­dia. Pre­vi­ous moves against covertly pro-Krem­lin me­dia have sparked out­rage and ac­cu­sa­tions of at­tacks on the free­dom of speech. If ap­plied in the run-up to elec­tions, this will be in­ter­preted as the use of ad­min­is­tra­tive lever­age.

It will be equally dif­fi­cult to re­strict dis­in­for­ma­tion on so­cial me­dia, even if some have an­nounced cam­paigns to counter fake news and bot ac­counts. In­sta­gram and Face­book are mo­men­tar­ily re­mov­ing videos show­ing Rus­sian oli­garchs en­ter­tain them­selves, yet they are in no rush to close nu­mer­ous sep­a­ratist com­mu­ni­ties.

The third likely card will be cy­ber in­flu­ence. This is a fairly af­ford­able tool as one at­tack can cost up to sev­eral thou­sand dol­lars, yet it takes ex­pe­ri­enced ex­perts to carry out. Still, this will be a pop­u­lar tool as proven by hacker in­ter­fer­ence with the 2014 pres­i­den­tial elec­tion in Ukraine. That in­ci­dent pushed in­for­ma­tion se­cu­rity spe­cial­ists to dis­con­nect Cen­tral Elec­toral Com­mis­sion servers from the in­ter­net af­ter some Rus­sian TV chan­nels had used the fake im­age of the Right Sec­tor’s Dmytro Yarosh that ap­peared on CEC com­put­ers to talk of his vic­tory in the elec­tion. The skills of Rus­sian cy­ber crim­i­nals were not the only el­e­ment of that at­tack. One of the planned stages in spread­ing the mal­ware to af­fect CEC com­put­ers was the in­volve­ment of a CEC em­ployee who had to copy the virus and insert it into the sys­tem through a mem­ory card.


Ac­cord­ing to Va­len­tyn Petrov, Head of the In­for­ma­tion Se­cu­rity De­part­ment at the Na­tional Se­cu­rity and De­fense Coun­cil, says that tech­ni­cal pro­tec­tion of in­for­ma­tion, in­clud­ing cy­ber pro­tec­tion, is the re­spon­si­bil­ity of the owner. In the case of Ukraine’s elec­tion, the owner is the Head of the Cen­tral Elec­toral Com­mis­sion. There­fore, CEC Head is in charge of the Elec­tions Uni­fied In­for­ma­tion & An­a­lyt­i­cal Sys­tem, its el­e­ments and chan­nels of com­mu­ni­ca­tion. “This is an ax­iom. The law states so, and the owner is al­ways re­spon­si­ble for at­tacks on any ob­jects of crit­i­cal in­fra­struc­ture,” he notes.

Poor pro­tec­tion leads to penal­ties un­der Art. 363 of the Crim­i­nal Code. This pro­vi­sion lists penal­ties for vi­o­la­tions in the use of com­put­ers, net­works or sys­tems. A hacker at­tack thus puts re­spon­si­bil­ity on two par­ties – the hack­ers in­volved and the head of the or­ga­ni­za­tion or in­sti­tu­tion who failed to set up proper pro­tec­tion of his or her in­for­ma­tion re­sources.

De­spite a num­ber of pow­er­ful cy­ber­at­tacks with se­ri­ous con­se­quences that have taken place in Ukraine, there have been no re­ports on penal­ties for the lead­ers of these in­sti­tu­tions who failed to keep up with the stan­dards of pro­tec­tion. The norms and stan­dards are de­vel­oped by the Spe­cial Com­mu­ni­ca­tion and In­for­ma­tion Ser­vice (SCIS). It is also in charge of in­spect­ing


the com­pli­ance with these stan­dards at var­i­ous in­sti­tu­tions.

Ac­cord­ing to Petrov, the re­sults of the vot­ing will be pro­tected by other se­cu­rity en­ti­ties apart from CEC and SCIS. Past prac­tices have proven the ef­fi­ciency of set­ting up work­ing groups with tech­ni­cal ex­perts from CEC, SCIS, Se­cu­rity Bureau of Ukraine and Na­tional Po­lice. This mech­a­nism has been tested in pre­vi­ous elec­tions, and Ukraine has man­aged to hold two elec­tions even in the dif­fi­cult cir­cum­stances as the war un­folded.

Also, Petrov be­lieves that hack­ers would not be able to ac­tu­ally af­fect the re­sults of the vot­ing if their at­tack on CEC suc­ceeded. In Ukraine, all votes are counted by hand, on pa­per bal­lots and pro­to­cols, while elec­tronic sys­tems largely serve for in­for­ma­tive and con­sult­ing pur­poses. The win­ner would thus be de­ter­mined even if the CEC were to shut down or show dis­torted re­sults.

Its se­cu­rity is fur­ther re­in­forced by the fact that most of CEC’s in­for­ma­tion re­sources, in­clud­ing the Elec­tions or Pres­i­den­tial Elec­tions sys­tems, are in a sus­pended mode and launched a few weeks be­fore the vot­ing be­gins. As they go into op­er­a­tion, a com­plex of in­for­ma­tion pro­tec­tion is cre­ated and train­ings are con­ducted to model po­ten­tial threats. This takes place at cen­tral units and dis­trict elec­tion com­mis­sions. The time­frame of se­cu­rity in­spec­tion nor­mally matches the of­fi­cial start and end of the elec­tion process.

The State Reg­is­ter of Vot­ers can be an­other tar­get of the cy­ber crim­i­nals. Un­like most of CEC’s re­sources, it op­er­ates on a per­ma­nent ba­sis. It con­tains iden­ti­fi­ca­tion data on the vot­ers, their per­sonal data with places and terms of the vot­ing, and ser­vice data. Who­ever has ac­cess to this re­source can hy­po­thet­i­cally af­fect the vot­ing at sep­a­rate ter­ri­to­rial units. This will hardly af­fect the elec­tions over­all. But this type of ac­tiv­ity has at least one dan­ger­ous el­e­ment – in­ter­fer­ence with this re­source can un­der­mine the ac­cu­racy of the elec­tions. There­fore, they can be rec­og­nized il­le­git­i­mate.

Then any can­di­date or po­lit­i­cal party can claim that they have lost elec­tions be­cause of cy­ber­at­tacks, not poor pub­lic sup­port. This is a con­ve­nient ex­cuse as av­er­age vot­ers will hardly have tools to check how ac­cu­rate such claims are. News un­der such head­lines can ruin trust in any of the po­ten­tial win­ners.

The Law on the State Reg­is­ter of Vot­ers de­fines the reg­is­ter man­ager as the one re­spon­si­ble for pro­tect­ing it – the in­tegrity and ac­cu­racy of its data­bases, as well as cor­rect op­er­a­tion of equip­ment and soft­ware – along­side SCIS. They are re­spon­si­ble for pre­vent­ing at­tempts of il­le­gal in­tru­sion, copy­ing or elim­i­na­tion of in­for­ma­tion. Also, the law es­tab­lishes le­gal re­spon­si­bil­ity for vi­o­la­tions of the reg­is­ter pro­tec­tion procedure through unau­tho­rized ac­cess, vi­o­la­tion of in­tegrity, copy­ing and dele­tion. Ac­cord­ing to An­driy Ma­hera, CEC Deputy Head, CEC is now man­ag­ing the State Reg­is­ter of Vot­ers, as pre­scribed by law. There­fore, it is qual­i­fied CEC de­part­ments that pro­vide the pro­tec­tion of the reg­is­ter’s in­for­ma­tion re­sources in co­op­er­a­tion with the SBU and SCIS. When it comes to po­ten­tial threats, Ma­hera says that no sys­tem in the world is 100% hacker-proof. Still, he be­lieves that in­ter­fer­ence with CEC sys­tems un­likely.

It is widely dis­trib­uted and op­er­ates across the ter­ri­tory of Ukraine. It is im­pos­si­ble to hide at one pro­tected premises. So ev­ery sec­tion of it is in­di­vid­u­ally vul­ner­a­ble to ex­ter­nal in­tru­sions. How­ever, in­ter­fer­ence with lower sec­tions pro­vides very lim­ited ac­cess to the main servers. This makes these at­tacks less sig­nif­i­cant.

As a re­sult, hack­ers are most likely to fo­cus on the CEC’s cen­tral servers based in Kyiv. “We are much bet­ter pre­pared for such sit­u­a­tions,” Petrov notes. He be­lieves that Ukraine’s au­thor­i­ties re­al­ize how se­ri­ous the threats are and pre­pare to counter them.

Sean Townsend, spokesman for the Ukrainian Cy­ber Al­liance, an ac­tivist cy­ber-se­cu­rity group, agrees. He says that state en­ti­ties should be bet­ter pre­pared for the elec­tions af­ter the 2014 at­tacks, so CEC servers will not be as vul­ner­a­ble as other gov­ern­ment re­sources. He says that

there are cur­rently no vis­i­ble vul­ner­a­bil­i­ties or hacks in the CEC’s in­for­ma­tion re­sources that could be ex­am­ined by ac­tivists with­out vi­o­lat­ing the law. Still, he be­lieves that other gov­ern­ment en­ti­ties in­volved in the elec­tion process can end up be­ing at­tacked by the crim­i­nals. So can the me­dia for the pur­pose of spread­ing mis­lead­ing in­for­ma­tion. “We have to pre­pare for in­for­ma­tion and com­bined at­tacks in ad­vance,” Townsend com­ments. In his view, cy­ber se­cu­rity of gov­ern­ment re­sources – CEC sys­tems in­cluded – can be im­proved through per­sonal re­spon­si­bil­ity of em­ploy­ees for the data and sys­tems they are in charge of. Equally im­por­tant is ex­change of in­for­ma­tion be­tween ex­perts in gov­ern­ment and the pri­vate sec­tor. “This should not work as in­struc­tions given from above or as state­ments from press ser­vices, but as ini­tia­tives on the lower lev­els,” Townsend says. Gov­ern­ment en­ti­ties need to have sys­tem op­er­a­tors in­ter­ested in pre­serv­ing data, while cy­ber se­cu­rity en­ti­ties should help them and make their work eas­ier rather than threaten them with pun­ish­ment and con­trol.

Petrov claims that there are some is­sues with the leg­isla­tive base ham­per­ing co­op­er­a­tion be­tween gov­ern­ment and pri­vate en­ti­ties. Most laws have been drafted for the pub­lic sec­tor. The Law on the Foun­da­tions of Cy­ber Se­cu­rity was the only break­through, but it has not yet come into ef­fect. It out­lines the obli­ga­tions of the own­ers of crit­i­cal in­fra­struc­ture ob­jects, pub­lic or pri­vate, for in­for­ma­tion pro­tec­tion.

Yet, the cul­ture of em­ploy­ees and their per­cep­tion of threats, es­pe­cially in gov­ern­ment en­ti­ties, re­main the key el­e­ment of cy­ber se­cu­rity. Petrov men­tions a re­cent cam­paign by Ukrainian Cy­ber Al­liance where the ac­tivists looked for crit­i­cal vul­ner­a­bil­i­ties in in­for­ma­tion sys­tems at pub­lic en­ti­ties and cru­cial na­tional en­ter­prises, and re­ported on them. “We can draft any law and build any sys­tem of pro­tec­tion, open cen­ters and set up pro­tected net­works. But none of this will work if the hu­man fac­tor re­mains weak,” he com­ments.


As to tech­ni­cal de­tails, Petrov talks about a na­tional telecom­mu­ni­ca­tions net­work that has been cre­ated in Ukraine and is be­ing de­vel­oped now to de­liver se­cure con­nec­tion and trans­fer of data for pub­lic en­ti­ties. This net­work pro­vides suf­fi­cient pro­tec­tion of in­for­ma­tion, in­clud­ing cryp­tog­ra­phy. Ukraine is one of the few coun­tries that have a full cy­cle of cryp­tog­ra­phy pro­duc­tion of their own. Over the time left un­til the elec­tions, it has to con­struct the sys­tem of pro­tec­tion. The Na­tional Cy­ber Se­cu­rity Co­or­di­na­tion Cen­ter is work­ing to that end un­der the Na­tional Se­cu­rity and De­fense Coun­cil. As this ar­ti­cle was go­ing to press, the up­com­ing meet­ing of the Cen­ter planned to dis­cuss the pro­tec­tion of CEC in­for­ma­tion re­sources.

“We know our weak spots. We have iden­ti­fied those who will build the sys­tem, the in­fra­struc­ture they will use and the soft­ware so­lu­tions they will ap­ply. We are work­ing in ad­vance to avoid any rush,” Petrov com­ments on the prepa­ra­tions. Ac­cord­ing to the SBU, its rep­re­sen­ta­tives have im­ple­mented a new model to counter the threats to seam­less work of CEC re­sources in co­op­er­a­tion with SCIS and CEC, and with sup­port of some top IT com­pa­nies in Ukraine. One of the el­e­ments is a ten­fold backup of com­mu­ni­ca­tion chan­nels for CEC sys­tems. SBU rep­re­sen­ta­tives have noted that all au­to­mated e-sys­tems of the CEC op­er­ate with a com­pre­hen­sive in­for­ma­tion pro­tec­tion sys­tem au­tho­rized by the SCIS.

To speed up in­for­ma­tion ex­change on cy­ber at­tacks, a na­tional com­puter emer­gency re­sponse team (CERT) is be­ing built. In­ter­na­tional prac­tices show that some spe­cific sys­tems ben­e­fit from own cen­ters. Ukraine al­ready has a CERT-UA head­quar­ters. Spe­cial­ized teams have been cre­ated at the SBU, the Na­tional Bank and the Min­istry of En­ergy. A sep­a­rate cen­ter is un­der­way for the Gen­eral Staff of the Armed Forces. A num­ber of ini­tia­tives are de­vel­op­ing in the pri­vate sec­tor. “If we have 1015 cen­ters op­er­at­ing and ex­chang­ing data in real time, it will make our cy­ber se­cu­rity sys­tem far more re­silient,” Petrov claims. Ac­cord­ing to Townsend, cy­ber cen­ters are a nec­es­sary el­e­ment of the na­tional se­cu­rity sys­tem. Still, the prob­lem he sees is in a lack of proper com­mu­ni­ca­tion among them and in­suf­fi­cient un­der­stand­ing of the chal­lenges in this sec­tor. He be­lieves that pub­lic en­ti­ties and en­ter­prises must learn to in­ter­act be­tween them­selves, with so­ci­ety and cy­ber cen­ters.

The lat­est elec­tion trends in the world prove that pol­i­tics and the IT tools in­volved in it grow more so­phis­ti­cated and dam­ag­ing. Ukraine is likely to face an en­tire range of new tools used to lead pro-Krem­lin po­lit­i­cal forces to power or to de­crease the share of pro-Euro­pean ones in power. Agents of in­flu­ence, kompromat and fake in­for­ma­tion, as well as DDoS at­tacks against CEC make an ad­di­tional front in the hy­brid war against Ukraine. 2019 will show how re­silient it is.


Newspapers in English

Newspapers from Ukraine

© PressReader. All rights reserved.