Ukraine joins an increasing number of nations in adopting a national cybersecurity law following increasing threats of cyber-attacks, according to legal specialists. Enacted on Oct. 5 by the Parliament of Ukraine, the law is called the “Law On the Basic Principles of Cybersecurity of Ukraine.” It will impact critical infrastructure, and is expected to become effective in April 2018. The concept "is defined rather broadly and may potentially apply to any company providing services in chemicals, energy, utilities, transport, information technologies, electronic communications, banking and finance, healthcare, food production and agriculture,” according to a statement from Ukrainian law firm Asters. As far as its similarities or differences with cyber laws of other nations, Gordon Hylton, a law professor at the University of Virginia, told Legaltech News, “I believe most countries are moving in the same direction as Ukraine.” “The Ukrainian statute may reflect a more explicit recognition of state-sponsored cyber terrorism, but that clearly stems from its ongoing conflict with Russia,” he added. “Especially since 2015, Ukraine has regularly blamed Russia for the wave of cyber-attacks that it has experienced.” And when it comes to former Soviet Union countries, he speculated that Ukraine’s experience “experience has, or will soon, cause most nations formerly under the control or influence of the Soviet Union before 1998 to take similar steps.” Attorney Igor Svechkar of Asters explained that the approaches these countries are making have been different and depend on the challenges that they face. Some countries, he said, introduce significant cybersecurity laws, while others prefer the soft route with actions such as non-binding guidelines. “It may be indicative of a trend—given that cyber threats have become a reality for many Eastern European countries. Speaking about the whole of Europe it is perhaps only Germany that has [a] more stringent cyber security regime than Ukraine now,” he added. Asters in a statement explained that companies subject to the critical infrastructure rules will need to:
- Ensure cyber defense of communication and technological systems;
- Protect technological information;
- Undertake independent cybersecurity audits; and
- Instantly report cyber incidents to the government.
In addition, Svechkar explained that under the new law, a business running critical infrastructure will be subject to tough cybersecurity rules. “They will have to implement certain measures, including appropriate organizational and technical safeguards, independent cybersecurity audits, instant reporting of incidents to CERT-UA [Computer Emergency Response Team of Ukraine],“ he said. The new law does not formulate how exactly these requirements shall be implemented. This is left for secondary legislation to be developed in 2018.” He explained that the new law is “a game changer” for Ukraine defense and its cyber resilience. “So far, Ukraine has not had any similar rules to those introduced in the new law,” he explained. Moreover, Hylton said the Ukrainian statute “focuses primarily on the ability of the Ukrainian state to resist cyber-attacks, especially those covertly launched or supported by other governments—especially that of Russia.” He noted in the cyber act there are provisions expanding the ability of law-enforcement agencies to issue mandatory orders to electronic data owners, requiring them to record and store for up to three years electronic data that will facilitate the investigation of future cyber-attacks. There are also requirements that, when requested, telecom operators and providers, provide law enforcement with information necessary to identify service providers and data routes; provisions empowering Ukrainian courts to block websites and other informational resources that can be shown to be involved in improper cyber activity; and provisions expanding the admissibility of a wide variety electronic evidence in criminal proceedings. “This is a complex law with a number of provisions and goals,” said Richard Warner, a law professor at the Chicago-Kent College of Law. “But one noteworthy aspect is the emphasis on data collection. Adequate cybersecurity requires adequate information about the likelihood of cyberattacks and the costs associated with successful attacks. Figuring that out requires information about past attacks and current defenses. He also noted that “the data collection and information sharing requirements of cybersecurity statutes can conflict with privacy requirements in other statutes. The Ukraine law conflicts with its bank privacy requirements, for example. Companies need to be aware of this conflict and get expert advice about how to address it.” Moreover, company managers and owners need to ensure compliance with the new law’s requirements, and if they do not, they may face criminal liability for violation of rules on electronic communications and protection of information, according to the Asters firm. “For some time, Ukraine has been aware of its vulnerability to cyber-attack,” Hylton said. “It may well be [that] the high level of political instability in post-Orange Revolution Ukraine has contributed to its being a frequent target of hackers.” He explained that the “final straw” were the cyber-attacks on June 27, 2017. “Although a wide variety of western countries were the victims of this attack, it appears that the so-called Petya virus was first manifested in an attack on state-owned agencies and institutions in Ukraine,” Hylton said. “The harmful consequences of this attack were also greater in Ukraine than in almost any other country,” he added. “Government owned banks, energy firms, transportation systems, including the Kyiv (Kiev) Metro and Boryspil Airport, television stations, the national postal systems, and various government ministries were all hit by ransomware during this attack. The Swiss government's Reporting and Analysis Centre has concluded that the Petya virus, which caused similar injuries in Ukraine and elsewhere in 2016, was the culprit,” he said. In response, President Petro Porochenko requested the Rada adopt a beefed-up cybersecurity act on March 16, 2016, but it appears to have taken the June 2017 incident to get the Ukrainian legislature to enact the new statute, in Hylton’s view. It is also noteworthy that U.S.-based companies running critical infrastructure in Ukraine will be subject to the requirements, “and these are the owners and managers of companies who are responsible for ensuring compliance…. Though, it is unclear for now what particular U.S.-based companies—or their local subsidiaries—will appear on the list of those running critical infrastructure,” Svechkar said. Meanwhile, the U.S. companies active in the related Ukrainian sectors should re-examine their cybersecurity measures and ensure that they comply with the rules and can withstand possible scrutiny by the Ukrainian authorities, he said. “Because of the technical nature and complexity of the area, it makes sense to commence this re-examination in advance to identify potential gaps in the policies, procedures and security architecture and be able to adapt them accordingly at an early stage.”