Ukraine Adopts New, Stringent Cybersecurity Law
In Europe, perhaps only Germany now has a more stringent cybersecurity regime than Ukraine, attorney Igor Svechkar said.
November 13, 2017 at 10:00 AM
12 minute read
Ukraine joins an increasing number of nations in adopting a national cybersecurity law following increasing threats of cyber-attacks, according to legal specialists.
Enacted on Oct. 5 by the Parliament of Ukraine, the law is called the “Law On the Basic Principles of Cybersecurity of Ukraine.” It will impact critical infrastructure, and is expected to become effective in April 2018.
The concept “is defined rather broadly and may potentially apply to any company providing services in chemicals, energy, utilities, transport, information technologies, electronic communications, banking and finance, healthcare, food production and agriculture,” according to a statement from Ukrainian law firm Asters.
As far as its similarities or differences with cyber laws of other nations, Gordon Hylton, a law professor at the University of Virginia, told Legaltech News, “I believe most countries are moving in the same direction as Ukraine.”
“The Ukrainian statute may reflect a more explicit recognition of state-sponsored cyber terrorism, but that clearly stems from its ongoing conflict with Russia,” he added. “Especially since 2015, Ukraine has regularly blamed Russia for the wave of cyber-attacks that it has experienced.”
And when it comes to former Soviet Union countries, he speculated that Ukraine's experience “experience has, or will soon, cause most nations formerly under the control or influence of the Soviet Union before 1998 to take similar steps.”
Attorney Igor Svechkar of Asters explained that the approaches these countries are making have been different and depend on the challenges that they face. Some countries, he said, introduce significant cybersecurity laws, while others prefer the soft route with actions such as non-binding guidelines.
“It may be indicative of a trend—given that cyber threats have become a reality for many Eastern European countries. Speaking about the whole of Europe it is perhaps only Germany that has [a] more stringent cyber security regime than Ukraine now,” he added.
Asters in a statement explained that companies subject to the critical infrastructure rules will need to:
- Ensure cyber defense of communication and technological systems;
- Protect technological information;
- Undertake independent cybersecurity audits; and
- Instantly report cyber incidents to the government.
In addition, Svechkar explained that under the new law, a business running critical infrastructure will be subject to tough cybersecurity rules.
“They will have to implement certain measures, including appropriate organizational and technical safeguards, independent cybersecurity audits, instant reporting of incidents to CERT-UA [Computer Emergency Response Team of Ukraine],“ he said. The new law does not formulate how exactly these requirements shall be implemented. This is left for secondary legislation to be developed in 2018.”
He explained that the new law is “a game changer” for Ukraine defense and its cyber resilience. “So far, Ukraine has not had any similar rules to those introduced in the new law,” he explained.
Moreover, Hylton said the Ukrainian statute “focuses primarily on the ability of the Ukrainian state to resist cyber-attacks, especially those covertly launched or supported by other governments—especially that of Russia.”
He noted in the cyber act there are provisions expanding the ability of law-enforcement agencies to issue mandatory orders to electronic data owners, requiring them to record and store for up to three years electronic data that will facilitate the investigation of future cyber-attacks. There are also requirements that, when requested, telecom operators and providers, provide law enforcement with information necessary to identify service providers and data routes; provisions empowering Ukrainian courts to block websites and other informational resources that can be shown to be involved in improper cyber activity; and provisions expanding the admissibility of a wide variety electronic evidence in criminal proceedings.
“This is a complex law with a number of provisions and goals,” said Richard Warner, a law professor at the Chicago-Kent College of Law. “But one noteworthy aspect is the emphasis on data collection. Adequate cybersecurity requires adequate information about the likelihood of cyberattacks and the costs associated with successful attacks. Figuring that out requires information about past attacks and current defenses.
He also noted that “the data collection and information sharing requirements of cybersecurity statutes can conflict with privacy requirements in other statutes. The Ukraine law conflicts with its bank privacy requirements, for example. Companies need to be aware of this conflict and get expert advice about how to address it.”
Moreover, company managers and owners need to ensure compliance with the new law's requirements, and if they do not, they may face criminal liability for violation of rules on electronic communications and protection of information, according to the Asters firm.
“For some time, Ukraine has been aware of its vulnerability to cyber-attack,” Hylton said. “It may well be [that] the high level of political instability in post-Orange Revolution Ukraine has contributed to its being a frequent target of hackers.”
He explained that the “final straw” were the cyber-attacks on June 27, 2017. “Although a wide variety of western countries were the victims of this attack, it appears that the so-called Petya virus was first manifested in an attack on state-owned agencies and institutions in Ukraine,” Hylton said.
“The harmful consequences of this attack were also greater in Ukraine than in almost any other country,” he added. “Government owned banks, energy firms, transportation systems, including the Kyiv (Kiev) Metro and Boryspil Airport, television stations, the national postal systems, and various government ministries were all hit by ransomware during this attack. The Swiss government's Reporting and Analysis Centre has concluded that the Petya virus, which caused similar injuries in Ukraine and elsewhere in 2016, was the culprit,” he said.
In response, President Petro Porochenko requested the Rada adopt a beefed-up cybersecurity act on March 16, 2016, but it appears to have taken the June 2017 incident to get the Ukrainian legislature to enact the new statute, in Hylton's view.
It is also noteworthy that U.S.-based companies running critical infrastructure in Ukraine will be subject to the requirements, “and these are the owners and managers of companies who are responsible for ensuring compliance…. Though, it is unclear for now what particular U.S.-based companies—or their local subsidiaries—will appear on the list of those running critical infrastructure,” Svechkar said.
Meanwhile, the U.S. companies active in the related Ukrainian sectors should re-examine their cybersecurity measures and ensure that they comply with the rules and can withstand possible scrutiny by the Ukrainian authorities, he said. “Because of the technical nature and complexity of the area, it makes sense to commence this re-examination in advance to identify potential gaps in the policies, procedures and security architecture and be able to adapt them accordingly at an early stage.”
Ukraine joins an increasing number of nations in adopting a national cybersecurity law following increasing threats of cyber-attacks, according to legal specialists.
Enacted on Oct. 5 by the Parliament of Ukraine, the law is called the “Law On the Basic Principles of Cybersecurity of Ukraine.” It will impact critical infrastructure, and is expected to become effective in April 2018.
The concept “is defined rather broadly and may potentially apply to any company providing services in chemicals, energy, utilities, transport, information technologies, electronic communications, banking and finance, healthcare, food production and agriculture,” according to a statement from Ukrainian law firm Asters.
As far as its similarities or differences with cyber laws of other nations, Gordon Hylton, a law professor at the University of
“The Ukrainian statute may reflect a more explicit recognition of state-sponsored cyber terrorism, but that clearly stems from its ongoing conflict with Russia,” he added. “Especially since 2015, Ukraine has regularly blamed Russia for the wave of cyber-attacks that it has experienced.”
And when it comes to former Soviet Union countries, he speculated that Ukraine's experience “experience has, or will soon, cause most nations formerly under the control or influence of the Soviet Union before 1998 to take similar steps.”
Attorney Igor Svechkar of Asters explained that the approaches these countries are making have been different and depend on the challenges that they face. Some countries, he said, introduce significant cybersecurity laws, while others prefer the soft route with actions such as non-binding guidelines.
“It may be indicative of a trend—given that cyber threats have become a reality for many Eastern European countries. Speaking about the whole of Europe it is perhaps only Germany that has [a] more stringent cyber security regime than Ukraine now,” he added.
Asters in a statement explained that companies subject to the critical infrastructure rules will need to:
- Ensure cyber defense of communication and technological systems;
- Protect technological information;
- Undertake independent cybersecurity audits; and
- Instantly report cyber incidents to the government.
In addition, Svechkar explained that under the new law, a business running critical infrastructure will be subject to tough cybersecurity rules.
“They will have to implement certain measures, including appropriate organizational and technical safeguards, independent cybersecurity audits, instant reporting of incidents to CERT-UA [Computer Emergency Response Team of Ukraine],“ he said. The new law does not formulate how exactly these requirements shall be implemented. This is left for secondary legislation to be developed in 2018.”
He explained that the new law is “a game changer” for Ukraine defense and its cyber resilience. “So far, Ukraine has not had any similar rules to those introduced in the new law,” he explained.
Moreover, Hylton said the Ukrainian statute “focuses primarily on the ability of the Ukrainian state to resist cyber-attacks, especially those covertly launched or supported by other governments—especially that of Russia.”
He noted in the cyber act there are provisions expanding the ability of law-enforcement agencies to issue mandatory orders to electronic data owners, requiring them to record and store for up to three years electronic data that will facilitate the investigation of future cyber-attacks. There are also requirements that, when requested, telecom operators and providers, provide law enforcement with information necessary to identify service providers and data routes; provisions empowering Ukrainian courts to block websites and other informational resources that can be shown to be involved in improper cyber activity; and provisions expanding the admissibility of a wide variety electronic evidence in criminal proceedings.
“This is a complex law with a number of provisions and goals,” said Richard Warner, a law professor at the Chicago-Kent College of Law. “But one noteworthy aspect is the emphasis on data collection. Adequate cybersecurity requires adequate information about the likelihood of cyberattacks and the costs associated with successful attacks. Figuring that out requires information about past attacks and current defenses.
He also noted that “the data collection and information sharing requirements of cybersecurity statutes can conflict with privacy requirements in other statutes. The Ukraine law conflicts with its bank privacy requirements, for example. Companies need to be aware of this conflict and get expert advice about how to address it.”
Moreover, company managers and owners need to ensure compliance with the new law's requirements, and if they do not, they may face criminal liability for violation of rules on electronic communications and protection of information, according to the Asters firm.
“For some time, Ukraine has been aware of its vulnerability to cyber-attack,” Hylton said. “It may well be [that] the high level of political instability in post-Orange Revolution Ukraine has contributed to its being a frequent target of hackers.”
He explained that the “final straw” were the cyber-attacks on June 27, 2017. “Although a wide variety of western countries were the victims of this attack, it appears that the so-called Petya virus was first manifested in an attack on state-owned agencies and institutions in Ukraine,” Hylton said.
“The harmful consequences of this attack were also greater in Ukraine than in almost any other country,” he added. “Government owned banks, energy firms, transportation systems, including the Kyiv (Kiev) Metro and Boryspil Airport, television stations, the national postal systems, and various government ministries were all hit by ransomware during this attack. The Swiss government's Reporting and Analysis Centre has concluded that the Petya virus, which caused similar injuries in Ukraine and elsewhere in 2016, was the culprit,” he said.
In response, President Petro Porochenko requested the Rada adopt a beefed-up cybersecurity act on March 16, 2016, but it appears to have taken the June 2017 incident to get the Ukrainian legislature to enact the new statute, in Hylton's view.
It is also noteworthy that U.S.-based companies running critical infrastructure in Ukraine will be subject to the requirements, “and these are the owners and managers of companies who are responsible for ensuring compliance…. Though, it is unclear for now what particular U.S.-based companies—or their local subsidiaries—will appear on the list of those running critical infrastructure,” Svechkar said.
Meanwhile, the U.S. companies active in the related Ukrainian sectors should re-examine their cybersecurity measures and ensure that they comply with the rules and can withstand possible scrutiny by the Ukrainian authorities, he said. “Because of the technical nature and complexity of the area, it makes sense to commence this re-examination in advance to identify potential gaps in the policies, procedures and security architecture and be able to adapt them accordingly at an early stage.”
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1The Key Moves in the Reshuffling German Legal Market as 2025 Dawns
- 2Social Media Celebrities Clash in $100M Lawsuit
- 3Federal Judge Sets 2026 Admiralty Bench Trial in Baltimore Bridge Collapse Litigation
- 4Trump Media Accuses Purchaser Rep of Extortion, Harassment After Merger
- 5Judge Slashes $2M in Punitive Damages in Sober-Living Harassment Case
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250