=Paper= {{Paper |id=Vol-2866/ceur_276_283_pleskach |storemode=property |title=Cyber Security and Cyber Protection: the Current State of Public Administration in Ukraine |pdfUrl=https://ceur-ws.org/Vol-2866/ceur_276_283_pleskach.pdf |volume=Vol-2866 |authors=Andrii Semenchenko,Valentyna Pleskach,Oleh Zaiarnyi,Mariia Pleskach |dblpUrl=https://dblp.org/rec/conf/ukrprog/SemenchenkoPZP20 }} ==Cyber Security and Cyber Protection: the Current State of Public Administration in Ukraine== https://ceur-ws.org/Vol-2866/ceur_276_283_pleskach.pdf
CYBER SECURITY AND CYBER PROTECTION: THE CURRENT STATE OF PUBLIC
ADMINISTRATION IN UKRAINE

Andrii Semenchenko (a) [0000-0001-6482-3872], Valentyna Pleskach (b) [0000-0002-4700-6704], Oleh Zaiarnyi (b) [0000-0003-4549-7201],
Mariia Pleskach (b) [0000-0003-3296-5475]
(a) National Academy of Public Administration under the President of Ukraine, Kyiv, Ukraine
(b) Taras Shevchenko National University of Kyiv, 03680, Kyiv-187, Akademician Glushkov Avenue, 4d.




           Abstract: The study analyzes the organizational and legal mechanisms of state management of cybersecurity in
           Ukraine. It defines the essence of cybersecurity and its place in the strategic planning and management of the
           security and defence sector, and assesses particular aspects of cyber security in Ukraine. The article identifies and
           addresses gaps in the conduct of cyber security reviews regarding the defence sector, the national counter-terrorism
           system, cyber protection of critical information infrastructure, etc. Such reviews should include assessment of the
           state of cybersecurity, norms that regulate cyber-attacks, cyber espionage and cyberterrorism, threats to the national
           security of Ukraine in cyberspace, and the advancement of the national cyber security system through the supply of
           new specialized technologies and resources and the upgrading of existing technology and equipment stemming from a
           rethinking of the national cybersecurity strategy. Legal regulations and organizational approaches to the technical
           protection of the national critical infrastructure are a specific aspect of the research. The authors analyze in detail
           the organizational, legal and information bases for implementing state and governmental instruments for detecting
           and counteracting risks of encroachment on established regimes of public information, and describe the necessary
           regulatory requirements for technical protection of critical infrastructure objects in the context of ensuring the
           national cyber security of the state. Considerable attention is paid to the specifics of applying such public
           administration tools in the sphere of cybersecurity as national standards of technical protection of information,
           audit of cybersecurity objects, monitoring of national critical infrastructure objects, etc. It is proposed to
           subordinate the State Service for Special Communications and Information Protection of Ukraine to the Ministry of
           Digital Transformation of Ukraine. In addition, the article contains recommendations for improving the system for
           ensuring cyber security in Ukraine. In particular, it gives proposals for eliminating existing conflicts and gaps in
           the main legal acts regulating the sphere of national, information and cyber security of Ukraine through the
           harmonization of Ukrainian legislation with international legal acts in this area.
           Keywords: information sovereignty of the state, cybersecurity, cyber protection, critical infrastructure facilities,
           cybersecurity system, cybersecurity strategy, cybersecurity actors.


           Abstract (Ukrainian version): The study analyzes the organizational and legal mechanisms of state management of
           the cyber security and cyber protection of Ukraine, defines its essence and its place in the system of strategic
           planning and management of the security and defence sector, and assesses aspects of ensuring cyber security in
           Ukraine. In particular, the authors identify gaps in the procedure for conducting reviews in the field of cyber
           security (in particular the defence review, the review of the national system for combating terrorism, the review of
           the state of cyber protection of critical information infrastructure, etc.), which should contain an assessment of the
           state of cyber defence, the fight against cyber espionage and cyberterrorism, threats to the national security of
           Ukraine in cyberspace, and the provision of capabilities of the main actors of the national cybersecurity system
           through the supply of new and modernization of existing samples of special equipment. A separate aspect of the
           subject of this article is the legal and organizational features of the technical protection of critical
           infrastructure objects. The authors analyze in detail the organizational, legal and informational foundations for
           implementing state-authority instruments for detecting and countering risks of encroachment on the established
           regimes of public information, and describe the necessary regulatory requirements for the technical protection of
           critical infrastructure objects in the context of ensuring the national cyber security of the state. Considerable
           attention is paid to the specifics of applying such public administration tools in the field of cybersecurity as
           national standards of technical protection of information, audit of cyber protection objects, monitoring of national
           critical infrastructure objects, etc. It is proposed, taking into account organizational changes in the field of
           cybersecurity, to subordinate the State Service for Special Communications and Information Protection of Ukraine to
           the Ministry of Digital Transformation of Ukraine. In addition, the article contains recommendations for improving
           the system for ensuring cyber security in Ukraine; in particular, it gives proposals for eliminating existing
           conflicts and gaps in the main legal acts regulating the sphere of national, information and cyber security of
           Ukraine, including through the harmonization of Ukrainian legislation with international legal acts in this area.
           Keywords: information sovereignty of the state, cybersecurity, cyber protection, critical infrastructure objects,
           system for ensuring cyber security, cybersecurity strategy, cybersecurity actors.



Introduction
         One of the preconditions for the successful formulation and implementation of state cybersecurity policy is
systematic and effective political, organizational and legal, information and analytical, technical, and scientific and
methodological support. Monitoring, analysis and assessment of this support and of the prospects for its development at
the national level are carried out primarily in a series of interrelated reviews of Ukraine's security and defence
sector. According to Article 27 of the Law of Ukraine "On national security of Ukraine", these include a comprehensive
review of the security and defence sector and reviews of its separate components: the state of defence, public safety
and security, the defence industry, the intelligence agencies of Ukraine, national counter-terrorism, and the cyber
protection of state information resources and critical information infrastructure.

Copyright © 2020 for this paper by its authors. Use permitted under Creative
Commons License Attribution 4.0 International (CC BY 4.0).
           Based on the results of such reviews, conceptual, strategic, planning and program documents for the
development of the security and defense sector, starting from the general National Security Strategy of Ukraine and its
individual components, including the Cyber Security Strategy of Ukraine and the National Intelligence Program on the
basis of medium and short-term planning are formed in a sequence determined by the legislation.
           The legislation defines a number of factors that initiate long-term strategic documents. Thus, according to
Article 26 of the Law of Ukraine "On national security of Ukraine", the National Security Strategy of Ukraine shall be
developed on behalf of the President of Ukraine within six months after his assumption of office, and other strategic
planning documents in the areas of national security and defence shall be formed on its basis, in particular the
strategies for the development of human capital, military security, public safety and security, development of the
defence industry, economic, environmental and informational security and cybersecurity, as well as the national
intelligence program, the foreign security strategy, and the state security, counterintelligence and counter-terrorism
strategy.
           Another reason for initiating the development of a system of interrelated strategic documents may be a sharp
change in the situation and conditions in which the security and defence sector functions, one which was not foreseen at
the stage of its formation and which cannot be compensated for by adjustments to those documents. This was the case, for
example, in 2015 and 2016, when the new National Security Strategy of Ukraine, Military Doctrine of Ukraine, Doctrine of
Information Security of Ukraine and Cyber Security Strategy were adopted [1,2].
        Therefore, the urgency of the problem is predetermined by the imperfection of the existing theoretical and
methodological apparatus of mechanisms of state management of cyber security of citizens, society and the state, in
particular, in the organization and conduct of reviews in this area, the requirements of the legislation, inconsistency of
requirements regarding the state of cybersecurity and the level of its provision.
Literature review
           The issues of cybersecurity and cyberdefence of a person, society and state have been considered in different
contexts by recognised international and Ukrainian scholars starting from K. Alexander who researches the integration
of private and public sector communication systems to create the advanced level of intelligence sharing and protect
society from cyberthreats worldwide [3]; J. Liepman who explores the elements of national foreign policy of a state on
the example of the USA, and also highlights global and regional problems, long-term political issues, organizational,
financial and diplomatic challenges to national security [4]; Bruce Schneier who researches information and cyber
security [5]; R. Aldrich, whose findings have been used to develop models of cyber security management and strategic
management system [6-8]; M. Schmitt, who specializes in international law regarding cyberspace [9].
           Ukrainian scholars have also contributed to the research. In particular, V. Buriachok researches the influence
of cyber security on the state of economic development of leading countries worldwide including Ukraine [10]; Р.
Grischuk analyzes the technologies of cyberattack detection [11]; A. Dovgan considers information security as a
guarantor of the security of national information resources [12]; D. Myalkovskiy studies legislative and regulatory
issues in the field of cryptographic information protection [13]; T. Stanislavsky highlights the state and the ways of
future development of the state administration system regarding the implementation of the cyber security strategy of
Ukraine [14].
           However, notwithstanding the work of the researchers mentioned above, there are not enough systematic
studies covering the issues of the state of cybersecurity and cyber defense in Ukraine now.
        The lack of systematic research on the issues of reviewing the state of cyber security and cyber defence in
Ukraine has triggered the relevance of this study.
        The aim of the article is to define the essence, place of organizational and legal mechanisms of state cyber
security and cyber defence management in the strategic planning and security and defence sector management, analyze
their status, interaction among organizational and legal mechanisms, justification of development and improvement
priority directions.
Review and analysis of cyber security and cyber defence state
           A general assessment of the state of cyber security in Ukraine is given in the Cyber Security Strategy of
Ukraine. That state is characterized by an increase in the number and capacity of cyber attacks motivated by the
interests of some states, groups and individuals, and by the spread of illegal collection, storage, use and destruction
of personal data, illegal financial transactions, cybertheft and fraud on the Internet.
Cybercrime is becoming transnational and can cause significant damage to the interests of individuals, society and the
state.
The level of cybersecurity and cyber protection in Ukraine is affected by a number of major negative factors, such as:
 - the state of info-communications infrastructure, the level of its development and security do not meet the challenges
and threats of the modern cyberspace;
- insufficient level of protection of critical infrastructure, state electronic information resources and imperfection of
organizational and legal mechanisms of state management of cyber security and cyber protection make them vulnerable
to cyber attacks;
- discrepancies between the national cybersecurity framework on measures of cyber protection of critical infrastructure;
- insufficient development of organizational and technical infrastructure to ensure cyber security and cyberprotection of
critical infrastructure and state electronic information resources;
- insufficient effectiveness of Ukrainian security and defence sector in countering cyberthreats of military, criminal,
terrorist and other nature;
- insufficient coordination, interaction and information exchange within cybersecurity framework;

- competence inconsistency among those subjected to cyber-security provision in performing certain functions and tasks
of the state regarding the direction of state policy;
- lack of universal requirements to technical tasks for creation or modernization of public registers, information and
telecommunication systems and databases;
- lack of special measures of administrative and criminal termination of illegal behaviour of citizens and legal entities,
containing signs of cybersecurity threats in the Ukrainian legislation.
          The above-mentioned negative factors are not specific to the Ukrainian cyber security sphere alone; they are
quite widespread and to some extent inherent in other countries, but the mechanisms of their neutralization, as a rule,
differ and depend on the peculiarities of each country's development. Thus, for example, in case of illegal distribution
of information in China and countries of the Middle East, the provider is responsible for all the actions of users, while
in the EU countries the provider, under the European Directive on e-commerce, is exempt from liability if it meets
certain conditions of the contract. According to the legislation of other countries, for example the USA, the provider
is not responsible for the actions of users at all [15].
          Among these negative factors, the imperfection of organizational and legal mechanisms of state management
of cyber security and cyber defence is especially hazardous; in particular, their incompleteness, declarative,
contradictory, blurred, fragmented, uncoordinated character and inconsistency among them.
          According to the decision of the National Security and Defence Council of Ukraine approved by the Decree of
the President of Ukraine "On organization of planning in the security and defence sector of Ukraine" of May 16, 2019
№ 225 [16], a number of reviews are to be conducted, in particular, of defence sector, taking into account the national
system of combating terrorism, the state of cyber-protection of critical information infrastructure, state information
resources and information, the protection of which is required by the law.
These reviews may be conducted either as part of a comprehensive monitoring of the security and defence sector or its
separate divisions. Most reviews have already been conducted.
          In 2019, the decisions of the Government (Resolution of the Cabinet of Ministers of Ukraine "On approval of
the procedure for review of public security and protection by the Ministry of Internal Affairs" of May 22, 2019 № 07,
"On approval of the procedure for review of the defence industry" of May 22, 2019 № 490 and "On approval of the
procedure for the defence review by the Ministry of Defence" of October 31, 2018 № 941 as amended by Resolution of
the Cabinet of Ministers of Ukraine № 911 of November 6, 2019) and the President of Ukraine (Presidential decrees
"On the order of review of intelligence agencies of Ukraine" of August 9, 2019 № 589/2019 and "On the order of
review of the national system of combating terrorism" of July 9, 2019 № 506/2019) have developed and approved
unified procedures and criteria for the above reviews, by which the state of readiness of the security and defence sector
in the respective spheres has been assessed. However, regarding the examination of state information resources cyber
defence and critical information infrastructure, the relevant orders have never been approved by the Government, and
the review of the sector has not been carried out.
          The results of these reviews have laid the basis for the formation of a set of interrelated long-term documents
defined by the Law of Ukraine "On the national security of Ukraine", in particular, the new National Security Strategy
of Ukraine and the new Military Security Strategy of Ukraine, the Strategy of Public Security and Civil Protection of
Ukraine, the Strategy of Development of Defence Industry of Ukraine, the Strategy of Cyber Security of Ukraine that
are the basis for targeted state programs and other medium-term and short-term planning documents on the national
security and defense.
          Therefore, in order to strengthen the legal, organizational and methodical support of the review of cyber
defence of state information resources and critical information infrastructure, it is necessary that the procedure for
its implementation be developed and approved by the Cabinet of Ministers of Ukraine, taking into account international
and national experience, such as the defence review of the Ministry of Defence, and that a number of by-laws be
developed and adopted, as follows:
- Recommendations on planning a review of the state of cyber defence of state information resources and critical
information infrastructure based on its capabilities.
- The procedure of conducting reviews by law enforcement agencies of the activity of public registers, databases
managers and administrators as well as information and telecommunication systems to detect and prevent threats to
cyber security of the state, society, individual citizens and legal entities.
- Procedure for organization and implementation of public-private partnership projects in the sphere of ensuring
cybernetic security of the State, territorial communities and international governmental organizations whose official
representative offices are located on the territory of Ukraine [17].
- Procedure for ensuring cyber security of state and municipal resources that are placed or managed via cloud
computing technologies.
- Action plan for the review of the cyberdefence of State information resources and critical information infrastructure,
detailing and specifying tasks and measures, quantitative and qualitative indicators, performers and expected results of
the review of the cyberdefence of State information resources and critical information infrastructure.
This is analogous to what has been successfully implemented in the Slovak Republic and Great Britain [18].
          Practical implementation of the mentioned proposals directly reflects the tasks of the state activity on
enhancing the technical protection of information in public registers and information and telecommunication systems,
coordination of data structures, stored or processed, as well as modernization of IT-architecture of corresponding
objects in order to ensure their interoperability, technical neutrality and protection against external threats. Positive

experience of dealing with such issues was analyzed and evaluated by M. Grebenyuk [19].
           To meet these objectives the President of Ukraine issued Decree 558/2019 of July 29, 2019 "On some
measures to improve access of individuals and legal entities in electronic services" with the main purpose to strengthen
national electronic resources and systems security and ensure the provision of electronic administrative services or
processing of personal data of Ukrainian citizens and persons who have residency in our state [20].
           Cybersecurity issues are in almost all spheres of national security and defence as defined in Article 17 of the
Constitution of Ukraine and the Law of Ukraine "On national security of Ukraine". Therefore, the most important
aspect is the inclusion of the assessments of the state tasks implementation by the main subjects of the national system
of cybersecurity within their competence into the reports on the results of the comprehensive review of the security and
defence sector and its separate reviews, in accordance with Article 8 of the Act on basic principles of cybersecurity and
the provision of such information to the State Service for Special Communications and Information Protection of
Ukraine, as "a State body responsible for formulating and implementing State policy for the protection in cyberspace of
State information resources and information, the protection of which is required by law, and the cyber defence of
critical information infrastructure objects".
           Thus, under Article 27, Paragraphs 1 and 3 to 5, of the National Security Act and Article 8 of the Basic
Principles of Cyber Security of Ukraine Act, individual reviews must include assessments of the status, including the
following [21]:
- cyber defence - in the defence review;
- combating cybercrime - in the review of public security and protection;
- combating cyber espionage and cyberterrorism - in the review of the national system of countering terrorism;
- threats to Ukraine's national security in cyberspace - in an intelligence review;
- providing capabilities of the main subjects of the national system of cyber security through the supply of new and
modernization of existing samples of special equipment - in the review of the defence industry of Ukraine, etc.
           Some procedures for certain reviews (defence review by the Ministry of Defence of Ukraine, taking into
account the defence-industrial complex of the Ministry of Economic Development, Trade and Agriculture of Ukraine,
taking into account the national system for combating terrorism) provide for the creation of appropriate
interdepartmental (working) groups, which may include representatives of the State Service for Special Communication
and Information Protection of Ukraine, in the interests of, among others, formation of an overall assessment of the state
of cyber security and cyber defence. However, as practice shows, the effectiveness of this mechanism of interaction is
still quite low and not applied in all reviews. For example, the review of public security and civil protection of the
Ministry of Internal Affairs of Ukraine, where the procedure of the review does not include representatives of other
government agencies and the National Institute for Strategic Studies, makes it difficult to form an overall assessment of
the state of cybersecurity, since the issue of combating cybercrime is its important part. At the same time, the
international experience of some countries points to the fundamental possibility of successful solution of the above
problems, which can be taken into account in Ukraine regarding the peculiarities of the country’s development [22].
           It is possible to collect and summarize information on the state of cybersecurity at the level of the
Government (the State Service of Special Communication and Information Protection of Ukraine), but under the condition
that information interaction is organized on the basis of the results of the reviews of intelligence agencies and of the
national system of combating terrorism (the Security Service of Ukraine) in terms of threats to the national security of
Ukraine in cyberspace and the fight against terrorism. It is also possible at the level of the National Security and
Defence Council of Ukraine (the main option defined by legislation) in the formation of the next Cyber Security Strategy
of Ukraine, primarily on the basis of the National Coordination Centre for Cyber Security, which in accordance with
legislation (Presidential Decree of June 7, 2016 № 242/2016 "On National Coordination Centre for Cyber Security") is the
customer of this document and performs analysis of: the state of cyber security; the results of the review of the
national system of cybersecurity; the state of readiness of cybersecurity subjects to perform tasks to counter
cyberthreats; the state of compliance with the requirements of legislation on cyberprotection of state electronic
information resources, information the protection of which is required by law, as well as critical information
infrastructure; and data on cyberincidents regarding state information resources in the information and
telecommunication system.
        However, due to the insufficient resources of the Centre, primarily its human resources, there is a problem with
the effectiveness of the tasks assigned to it. For example, in Great Britain, the Office of Cyber Security and Information
Support coordinates cooperation between different subjects in cyber security, including the private sector, much more
effectively. The National Infrastructure Protection Centre in the UK exchanges information with private companies that
are responsible for important information infrastructure [23]. The high quality of performance of these bodies' functions
was confirmed by the high British rating in the Global Cybersecurity Index (GCI) [24]. Informational interaction of
individual reviews should also be organized at the level of the National Institute for Strategic Studies, which according
to the legislation (Law of Ukraine "On the National Security of Ukraine", "On Basic Principles of Cyber Security of
Ukraine") is responsible for scientific and methodological support of a comprehensive review of the security and
defence sector.
        The proper conduct of the above reviews is extremely important not only at the national level, but also at the
local one. In particular, their results can be used for effective and high-quality deployment of smart cities in Ukraine, as
the ability to protect the information rights of people depends on quality review and action plans for the implementation
of their results. «Problem of respect for information rights of a person has become a common prerequisite for ensuring
the cybersecurity of residents of smart cities. In our opinion, its implementation could be facilitated through the

implication of the following measures by the authorities of the Council of Europe member states and businesses as
recognition the ensuring of cybersecurity for smart cities at the level of national cybersecurity strategies, non-
observance of fundamental human rights as a significant threat to cybersecurity of the residents of smart cities; as
approval by the authorized central executive body of the national standard of cybersecurity of smart cities and
formation of components of smart cities IT infrastructure based on the principle of providing cybersecurity to the
residents of smart cities» [25] .
        Despite this multitude of possible synergies between separate cybersecurity reviews, none of them have been
effective so far. Therefore, taking into account organizational changes in cybersecurity, in particular the foundation of
the Ministry of Digital Transformation of Ukraine with the subordination of the State Service for Special
Communications and Information Protection of Ukraine, it is necessary to clarify their powers, primarily by making
appropriate changes to the Laws of Ukraine "On State Service for Special Communications and Information Protection
of Ukraine", "On the basic principles of cybersecurity of Ukraine" [26] and "On the national security of Ukraine",
including the legal mechanism for review of cyber security of state information resources and critical information
infrastructure, in particular, the mechanism of interaction of such reviews on cybersecurity issues (defense review,
review of cyber security of critical information infrastructure, state information resources and information, the
protection of which is required by law, review of the national anti-terrorism system, review of intelligence agencies,
review of public security and protection), and in general the mechanism of formation and implementation of the Cyber
Security Strategy of Ukraine. It is necessary to designate the National Coordination Center for Cyber Security of
Ukraine as the main coordinator of these reviews.
        In the context of the practical implementation of these changes, an important problem that needs to be addressed
is the regulatory definition of criteria for the delimitation of competences of authorized entities. In our opinion, such
criteria may include the tasks of activity of authorized subjects of power, direct connection of their powers with legal
instruments, that are used for the objectives of organization and preparation of reviews, in particular: normative
regulation, monitoring of cybersecurity, requests for official information, review of critical infrastructure objects, etc.
At the same time, an important condition for further implementation of the above recommendations is to ensure that the
managers of public registers and information and telecommunication systems perform functions of expertise and
technical examination of the relevant category of information objects in order to form reviews, conduct their proper
technical, managerial and security audits, to establish their ability to withstand possible cyberthreats and cyber attacks.
        Unlike all other reviews (the comprehensive review and its separate components), which are defined either
directly in the Law of Ukraine "On the national security of Ukraine" or in the relevant procedures for carrying out
separate reviews, the legislation does not provide a clear definition of either the "examination of the state of
cyber-protection of state information resources and critical information infrastructure" or the "review of the national
cybersecurity system", which are provided for in the subparagraphs of Article 8.3 of the Law of Ukraine "On basic
principles of cyber security in Ukraine" and in the current Cyber Security Strategy of Ukraine, or of their
interrelationship.
        There are two main approaches regarding the understanding of the relationship between these inconclusive
terms, but according to the National Security Strategy of Ukraine, in order to form the Strategy of Cyber Security of
Ukraine it is necessary to conduct either appropriate reviews or consider "reviews of the state of cybersecurity of state
information resources and critical information infrastructure is "a component of a more general" considering the
national system of cybersecurity". According to the first approach, these terms are considered to be identical, i.e.
different laws refer to the same review procedure differently. In our opinion, this approach is not justified, primarily
because these reviews, in accordance with the Law of Ukraine "On basic principles of cyber security of Ukraine", cover
mainly the objects of review that are different in scope and function. Thus, the main objects of the review of the
national cybersecurity system are the following:
- constitutional human and civil rights and freedoms;
- society, sustainable development of information society and digital communication environment;
- the state, its constitutional system, sovereignty, territorial integrity and inviolability;
- national interests in all spheres of life of an individual, society and state;
- objects of critical infrastructure.
          The objects of cyberdefence are defined by the above Law of Ukraine:
- communication systems of all forms of ownership where national information resources are processed and/or used in
the interests of government bodies, local authorities, law enforcement agencies and military units established in
accordance with the law;
- objects of critical information infrastructure;
- communication systems used to meet public needs and/or implement legal relations in the areas of e-government,
e-government services, e-commerce and electronic document management.
          The comparison of these sets of objects shows that the second list is an integral part of the first one, where
objects of critical infrastructure incorporate objects of critical information infrastructure, and communication systems
are important elements of the organizational and technical system of the state, as well as objects of critical
infrastructure.
          The same can be applied to the actors of ensuring these procedures. The list of cybersecurity actors is clearly
defined by legislation and systematically presented in the form of a hierarchical model of three interacting lists of
cybersecurity participants: a list of participants at the national level of coordination (the President of Ukraine, the
National Security and Defense Council of Ukraine, the National Coordination Center for Cyber Security of Ukraine, the
Cabinet of Ministers of Ukraine), a list of actors that directly implement measures to ensure cybersecurity within their
competence.
          The list of cybersecurity actors is not specifically defined by legislation, but its model also has a hierarchical structure
and covers the same upper parts of the list of actors, and in the model of lists of cybersecurity actors. The lowest link
of this list of actors, based on their functions, includes the State Service for Special Communications and Information
Protection of Ukraine with the State Center for Cyber Defence and the Government team for response to computer
emergency events in Ukraine (CERT-UA) subordinated to it.
          Therefore, according to the second approach, it is considered that the relationship between the above
procedures and concepts is that of the general to the particular, where "review of the state cyberdefense of
State information resources and critical information infrastructure" should be considered as an integral specific
technical and technological component of a more general procedure, namely "review of the national system of cyber
security". Other components of "review of the national system of cybersecurity" are aimed at assessing the state of
readiness of the cybersecurity system. That implies the readiness of its main subjects in the national system of
cybersecurity to carry out their tasks, including combating cybercrime, cyberterrorism, cyber espionage, military
aggression in cyberspace (cyberdefence), execution of intelligence activities addressing threats to Ukraine's national
security in cyberspace, and the like. Their evaluation should be carried out within the framework of the abovementioned
reviews in order to assess the state of cybersecurity in the relevant areas.
          The Act “On the basic principles of cybersecurity in Ukraine” defines the terms “cybersecurity” and
“cyberdefence”, their objects and subjects, the concept of the national cybersecurity system, its main subjects, their
objectives and the ways of ensuring the efficient functioning of the system. Analysis of these principles makes it
possible to assert that cyberdefence is part of a more general concept of cybersecurity. According to the Law of Ukraine
"On basic principles of cybersecurity of Ukraine", cyberdefence is mainly limited to measures of cryptographic and
technical protection of information resources, cyberdefence of objects of critical information infrastructure, cyber
security as protection of vital interests of a person and citizen, society and state in the use of cyberspace, which ensures
sustainable development of information society and digital communication environment, timely identification,
prevention and neutralization of real and potential threats to Ukraine's national security in cyberspace and "cyber
defence - a set of organizational, legal, engineering and technical measures, as well as measures of cryptographic and
technical protection of information aimed at preventing cyberincidents, detection and protection against cyberattacks,
elimination of their consequences, restoration of stability and reliability of communication and technological systems",
which also means that cybersecurity is a more general concept than cyberdefence.
        The lack of definition or the ambiguity of these terms hinders the development of such reviews
and the realisation of the action plan for their implementation.
        It should be noted that in Ukraine the legislative base on cyber security and cyber defence has been created in
general. It has a hierarchical structure and is in permanent dynamic development, trying to meet modern global
tendencies, new challenges and threats in this sphere, the needs and requirements of citizens, society and state,
international obligations of Ukraine on reliable protection of vital interests of a person and citizen, society and state in
cyberspace. Such a process is also being observed in other countries, first of all in the EU, the USA and Canada [23].
        In previous studies, it was proposed to define "review of the state of cyberdefense of state information resources
and critical information infrastructure" [27] as a procedure for periodic observation, measurement, analysis and
evaluation of the state and readiness of cyberdefense of critical information infrastructure, information and
telecommunication systems, that process and store information resources and information, the protection requirement
for which is established by law; as well as information regarding surveillance of the state of cyberdefense - active,
systematic, purposeful, and study of the real state of cyberdefense aimed at prevention of cyber-incidents, detection,
prevention and suppression of cyberattacks, liquidation of their consequences, the ability of critical information
infrastructure to restore their operation after cyberattacks and cyberincidents.
There is a requirement to legislatively regulate the relationship to ensure cybersecurity of cyberdefense actors and
owners (managers) of critical information infrastructure objects at the prevention, detection and suppression of
cyberattacks and cyberincidents, as well as during the elimination of their consequences that should be formalized in the
State Service for Special Communications and Information Protection of Ukraine. The draft resolution of the Cabinet of
Ministers of Ukraine "On approval of the Protocol of joint actions of the main subjects of cybersecurity, subjects of
cyberdefence and owners (managers) of critical information infrastructure objects at the prevention, detection and
suppression of cyberattacks and cyberincidents, as well as during the elimination of their consequences" was developed
but was not approved. The absence of this document significantly reduces the effectiveness of the state policy to ensure
cybersecurity.
        However, the state policy on cybersecurity has made significant progress over the past five years, and as of 2020,
it contains a number of important pieces of national legislation - the Constitution of Ukraine, laws of Ukraine "On
information", "On national security of Ukraine", "On basic principles of cybersecurity of Ukraine", "On information
protection in information and telecommunication systems", "On electronic trust services", "On protection of personal
data", etc., as well as by-laws approved by the President of Ukraine and the Government, in particular "On the
national security strategy of Ukraine", "On the concept of development of the security and defense sector of Ukraine",
"On the strategic defense bulletin of Ukraine", "On the national coordination center for cyber security", "On the threat
to the state cybersecurity and urgent measures to neutralize it", "On some issues of organization of interdepartmental
information exchange in the National System of Confidential Communication", "On approval of the Concept of creation
of the state system of protection of critical infrastructure" [29], "On approval of the General requirements to cyber
protection of objects of critical infrastructure".
         Ukraine's international obligations in this area consist primarily of the Budapest Convention (Convention on
Cybercrime of the Council of Europe), ratified by Ukraine in 2005. An extremely important international document in
this area is the Directive on security of network and information systems (NIS Directive), adopted by the European
Parliament in 2016, which provides for a number of organizational, legal and communication measures aimed at
improving the overall level of cybersecurity in the EU [28]. Although the NIS Directive is not binding on Ukraine as a
non-EU member state, its basic provisions are useful for the development of the national public policy and
administration in cybersecurity and cyber protection.
         The Constitution of Ukraine defines national values that are transformed into national interests - the vital
interests of an individual, society and the State, the implementation of which ensures the State sovereignty of Ukraine,
its progressive democratic development, as well as safe living conditions and the well-being of its citizens as stated in
Article 17. This is due to the proclamation in the norms of Art. 3 of the Basic Law of direct meaning of human rights
and freedoms for determination of directions of state activity, determination of bases of its legal responsibility to the
person for its activity. "Accordingly, as social values, human rights and freedoms not only determine the measure of
possible (permitted) behavior, conditions of satisfaction of individual interests and needs in public legal relations, but
also serve as a means of establishing the content and direction of state activity, determine the range of responsibilities of
subjects of public administration objects, as well as reflect the criteria of social significance of specific values that must
be protected by the state" [30, p. 136].
         It is the Law "On basic principles of cybersecurity in Ukraine" that defines the main objects of cyberdefense that
create the critical infrastructure of the country, normatively fixes the conceptual apparatus in cybersecurity at the
highest level, regulates the principles of cybersecurity and the national system of cybersecurity, defines public-private
cooperation in cybersecurity and establishes liability for violation of legislation in this sphere and control over the
legality of measures to ensure cyberdefense [26]. This Law also defines the legal and organizational basis for ensuring
the protection of the vital interests of individuals and citizens, society and the State, and the national interests of
Ukraine in cyberspace; the main goals, directions and principles of State policy in the area of cybersecurity; the power
of State bodies, enterprises, institutions, organizations, individuals and citizens in this area; and the basic principles for
coordinating their activities to ensure cybersecurity.
         The Law of Ukraine "On basic principles of ensuring cyber security of Ukraine" is a main framework document;
it legally defines the key concepts in the field of cybersecurity and attempts, in our opinion, to allocate areas of
responsibility of government agencies in the field of information protection, although a part of the Law simply
translates the key provisions of the Cyber Security Strategy. The law determines the need to introduce a single
(universal) system of indicators of cyber threats, taking into account international standards on cyber security and cyber
protection.
Conclusions and recommendations
1. It is necessary to provide simultaneous development and mutually agree on the content of the amendments to the
Law of Ukraine "On basic principles of ensuring cyber security of Ukraine" and the draft Law of Ukraine "On critical
infrastructure facilities and their protection" should
2. It is necessary to amend the Law of Ukraine "On the fundamental principles of ensuring cyber security of Ukraine"
regarding its detailed elaboration and specification of mechanisms for implementing public-private partnership in the
sphere of cybersecurity and conducting reviews of cybersecurity and cyber defence.
3. The changes that have occurred in the field of cybersecurity, namely the emergence of the
Ministry of Digital Transformation of Ukraine and the subordination to it of the State Service for Special Communications
and Information Protection of Ukraine, should be taken into consideration in the Laws of Ukraine "On the basic principles of
cybersecurity in Ukraine", "On the national security of Ukraine", "On the state service for special communications and
Information protection of Ukraine".
4. To consider, in accordance with paragraph 4 of Article 10 of the Law of Ukraine "On national security of Ukraine",
the development of the "White Paper on Cyber Security" at least once every three years, as well as to transfer this
norm to the new version of the Law of Ukraine "On the basic principles of cyber security in Ukraine".
5. To develop and adopt a procedure for conducting "reviews of the national cybersecurity system" and "review of
cybersecurity of state information resources and critical information infrastructure".
6. To adapt national cybersecurity legislation in line with the international cybersecurity legislation, primarily NIS
Directive (The Directive on security of network and information systems).
7. To establish special panels in courts of general jurisdiction of Ukraine to consider cases related to IT and cyber
security issues.
8. To develop and adopt the draft of the State Target Program on Cyber Security Development.
9. To harmonize international standards in cybersecurity sphere.
10. To codify, develop and adopt an Information Code of Ukraine.
11. To adapt the existing infrastructure of public institutions to the requirements of cybersecurity, primarily with regard
to the work of public servants with electronic means (e-mails, etc.), fixed and mobile communications, and use of the
global Internet open segment.
12. To develop a mechanism for regular audits of critical infrastructure and the training and development programmes
on cybersecurity for public services, authorized officials of enterprises - administrators of public registers and
information systems.
13. To develop, implement and update various educational programmes in higher education institutions on cyber
security and cyber hygiene with round tables, international conferences and symposiums.
14. To stimulate the development of public-private partnership programs in the sphere of cybersecurity, including
aspects of updating national information infrastructure, except for critical ones.

Compliance with ethical standards
The authors declare that all the data used in the research and analysis is in open access.


     References
1. Decree of the President of Ukraine (2016). On the decision of the National Security and Defense Council of Ukraine dated On the Cyber Security Strategy of Ukraine. Government Courier (52). (in Ukrainian).
2. Decree of the President of Ukraine (2015) № 287. On the decision of the National Security and Defense Council of Ukraine On the National Security Strategy of Ukraine. Government Courier (95). (in Ukrainian).
3. BRANDOM RUSSELL (2020). Former NSA chief Keith Alexander has joined Amazon's board of directors.
4. DOBBINS JAMES & SOLOMON RICHARD H. & CHASE MICHAEL S. et al (2015). Choices for America in a Turbulent World: Strategic.
5. SCHNEIER BRUCE (2008). Schneier on Security.
6. ALDRICH RICHARD J. & CORMAC RORY & GOODMAN MICHAEL S. (2013). Spying on the World: The Declassified Documents of the Joint Intelligence Committee.
7. SINGER PETER & FRIEDMAN A. (2014). Cybersecurity and Cyberwar.
8. PUYVELDE DAMIEN VAN & BRANTLY AARON (2019). Cybersecurity: Politics, Governance and Conflict in Cyberspace.
9. YUVAL SHANY & DAN EFRONY & MICHAEL SCHMITT (2018). The Tallinn Manual on Cyber Operations and the Laws of War: Towards Customary International Law.
10. BURIACHOK VOLODYMYR (2015). The impact of cyber security on the economic development of the world's leading countries and Ukraine. (4) P. 29-43. (in Ukrainian).
11. HRYSHCHUK R. & OKHRIMCHUK V. (2015). Formulation of the scientific tasks for the potentially dangerous patterns of cyberattacks development. (3) P. 276-282. (in Ukrainian).
12. DOVHAN OLEKSANDR (2015). Information security as a guarantor of the national information resources safety. (2) P. 130-134. (in Ukrainian).
13. MYALKOVSKY DANYLO (2017). Analysis of the subject area of identification and authentication. (191) P. 120-127. (in Ukrainian).
14. STANISLAVSKYI TARAS (2019). State and improvement of planning of measures on implementation of the cyber security strategy of Ukraine. (4) P. 99-103. (in Ukrainian).
15. MIKHAILOVA ALINA (2014). Cybersecurity problems in Russia and ways to solve them. (in Russian).
16. Decree of the President of Ukraine (2019) № 225. On the decision of the National Security and Defense Council of Ukraine. On the organization of planning in the security and defense sector of Ukraine. Government Courier (92). (in Ukrainian).
17. DUBOV DMYTRO (2018). Public-private partnership in the field of cybersecurity: international experience and opportunities for Ukraine. Kyiv: NISD. (in Ukrainian).
18. European Union Agency for Network and Information Security (ENISA) (2014). An evaluation Framework for National Cyber Security Strategies.
19. GREBENYUK MAXYM (2020). Some issues of organizational and legal support of cybersecurity: a review of best practices of foreign experience. (2) P. 203-207.
20. Decree of the President of Ukraine (2019) № 558. On some measures to improve access of individuals and legal entities to electronic services. Government Courier (144). (in Ukrainian).
21. On National Security of Ukraine: Law of Ukraine (2018). Bulletin of the Verkhovna Rada of Ukraine (31). - St. 241. (in Ukrainian).
22. ARDIELLI EVA & ARDIELLI JIŘÍ (2017). Cyber security in public administration of the Czech Republic.
23. European Information and Research Center (EIRC) (2016). Legislation and cyber security strategy in the European Union, USA, Canada.
24. Global Cybersecurity Index (2018).
25. PLESKACH MARIIA & ZAIARNYI OLEH & PLESKACH VALENTYNA (2020). Respect for Information Rights of a Person as a Condition for Cybersecurity of Smart Cities Residents. P. 759-764.
26. On the basic principles of cybersecurity of Ukraine: Law of Ukraine (2017). Bulletin of the Verkhovna Rada of Ukraine (45). - St. 403. (in Ukrainian).
27. SEMENCHENKO ANDRII & MIALKOVSKYI DANYLO & STANYSLAVSKYI TARAS (2018). Scientific and methodological approaches to the review of cyber protection of state information resources and critical information infrastructure. Investments: practice and experience (18). P. 87-95. (in Ukrainian).
28. The Directive on security of network and information systems. Available from: https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive (in English) [Accessed 15/03/2020].
29. The concept of creating a state system of critical infrastructure protection (2017) № 1009-r. Government Courier dated 10.01.2018 - № 5. (in Ukrainian).
30. ZAYRNYI OLEH (2017). Legal support of the development of the information sphere of Ukraine: administrative-tort aspect. Kyiv: Vidavnichyi dim Gelvetika. (in Ukrainian).




About the authors:
Semenchenko A. I.,
Doctor of Science in Public Administration, Professor,
National Academy of Public Administration
under the President of Ukraine
Andrii.Semencenko@gmail.com
ORCID ID 0000-0001-6482-3872

Pleskach V.L.,
Dr. Habil. (Economics)
Candidate of Technical Sciences,
Head of the Department of Applied Information Systems
Faculty of Information Technologies
Taras Shevchenko National University of Kyiv
v_pleskach@ukr.net
ORCID ID 0000-0002-4700-6704.

Zaiarnyi O.A, Doctor of Law, Associate Professor
Institute of Law
Taras Shevchenko National University of Kyiv
ORCID ID
e-mail: oleganalitik.knu@gmail.com

Pleskach M.V, postgraduate student
Taras Shevchenko National University of Kyiv
pleskachmarija@gmail.com
ORCID ID 0000-0003-3296-5475.




Copyright © 2020 for this paper by its authors. Use permitted under Creative
Commons License Attribution 4.0 International (CC BY 4.0).