On February 4, 2021, the DOU website published an interesting interview with the speaker of the Ukrainian Cyber Alliance (UCA) Andriy Baranovych. We are reprinting this interview for the readers of the international volunteer community InformNapalm, which at a certain historical moment also played an important role in uniting different groups of Ukrainian hacktivists into the single effective UCA team. Multiple publications on our website came out thanks to the cooperation of InformNapalm OSINT investigators with UCA hacktivists and other separate groups of Ukrainian IT specialists. Exactly 4 years ago, in early February 2017, our short documentary CYBERWAR: An Overview of Successful UCA Operations in 2016 was also released, and could serve to complement this interview.
Ukrainian Cyber Alliance (UCA) is a community of Ukrainian hacktivists that was born of the merger in 2016 of several hacker groups. According to the press secretary of the UCA Andriy Baranovych, their main goal was to obtain information about Russia and its participation in the war against Ukraine. Later, the UCA also launched the #FuckResponsibleDisclosure flash mob, aiming to assess the security of Ukraine’s state resources. In the interview with DOU, Andriy Baranovych spoke about the activities of the UCA, individual actions, cyber warfare and SBU searches of the organization’s members. He also shared his opinion on the Diya application, online elections and Internet security in Ukraine.
On Ukrainian Cyber Alliance
– The first question is a general one. Who are hackers?
First of all, I primarily see myself not as a hacker, but as a network, software, and security specialist. I started my public hacktivist activity only after the outbreak of the war. My colleagues and I decided that this was another way we could apply our knowledge. After all, if you know how to protect systems, you know how to attack them. That is, unlike black hackers who do this for money, and white hackers who do this just out of curiosity, in order to understand how technologies work, we consider ourselves hacktivists, since we use the information we retrieve for military and political purposes.
– I will quote your interviews so you could comment on them. In one of the articles you say: “On the “black” platforms the administration suppresses politics – guild interests are above the national ones.” Does it apply to the Ukrainian hacker community in general?
The quote refers exclusively to black hackers who hack to make money. As an information security specialist, I also have access to private hacker forums. Because, among other things, we collect data on how black hackers operate, observe them in their natural habitat, study their rules, learn about new things… And, of course, politics is not welcome there, because it greatly harms the business. Black hackers can also be seen as businessmen, even though they are engaged in illegal activities. Therefore, they try not to discuss politics. Cybercrime has no nationality.
– You have started talking about the creation of the Ukrainian Cyber Alliance. Could you tell us in more detail how it was formed?
At first we had a separate group called RUH8. My colleagues and I carried out several actions, including hacking of the State Duma of the Russian Federation, the Federation Council and regional governments in Astrakhan and Orenburg. Our cooperation with other hacker groups was established thanks to the InformNapalm website, where we all submitted information for processing and publication. So, in June 2016, the Ukrainian Cyber Alliance was formed in its entirety out of RUH8, FalconsFlame, Trinity and CyberHunta groups. Everyone had different skills, different specializations, and thanks to that we complemented each other. This way, we continued to work until 2019, and then in February 2020 the cyber police and the Security Service of Ukraine came to us with absolutely ridiculous accusations…
– We will come back to this topic. First, I want to know about the organization in general. How many members are there? Who are they, do they live in Ukraine, or are there foreigners who also want to take part in your activities?
At the moment, UCA as a wide community practically does not exist. A year ago, my colleagues and I officially registered our organization with the Ministry of Justice, so now there is an NGO “Ukrainian Cyber Alliance”. We planned to work on security, including Ukrainian systems, because war consists not only of attacks, but also of defense. These issues were discussed with representatives of the authorities, including the National Security and Defense Council in the fall of 2019. But then someone stopped liking it all… So now we have an NGO, which consists of three founders.
– What was the situation before last year?
I will not specify the exact number of permanent participants, but there were not very many of them: 10 people, give or take. We did not and do not accept any foreign aid. I never wanted to find out who the other members were. Some I know better, others less. These are mainly technical specialists. In general, you do not ask such questions: the less you know, the better you sleep.
The team included specialists from Ukraine. And our targets were exclusively in the Russian Federation and in the territories occupied by Russia. We have always repeated and repeat that our goal was exclusively to receive information about Russia, its participation in the war, military and political leadership. Nothing else has ever interested us.
“We just pay no mind to threats”
– You are the press secretary of the Ukrainian Cyber Alliance. Were you selected or did you yourself want to communicate with the press on behalf of the UCA?
I always understood that if we want our information to influence the current events, we need to talk about it in detail, communicate with people… It all started with the Focus magazine asking for an interview. And I convinced my colleagues that we must give it, so that people understood who we are, what we do, so that they did not see us as a threat and did not confuse us with black hackers.
– Do you often talk to journalists?
Often enough. I give comments to numerous media as a security expert or write columns about current events.
– What means of communication do you usually use to report the results of your actions?
While we were focused on our main project counteracting Russia, our platform was InformNapalm. We processed information with them, wrote articles where we posted links to materials so that everyone could download them, verify them and make sure that we were not deceiving anyone and that everything was as we said in our publications.
– In different interviews you have repeatedly emphasized that you are acting within the existing legal framework. And yet many people, hearing the word “hacker”, think of criminals. How does this work in the UCA?
Naturally, we are breaking laws of the Russian Federation. Several dozen investigations have been initiated against us by all law enforcement agencies there: the police, the FSB, and the Investigative Committee. We are absolutely not ashamed of this and are not afraid, since there is no cooperation in law enforcement between Ukraine and Russia. In the occupied territories, Ukraine has retreated from its obligations to maintain law and order. And the Russian Federation cannot apply to Interpol, because all these actions have a political component.
In Ukraine, we naturally do not break the law. Even when we launched the #FuckResponsibleDisclosure campaign, the purpose of which was to show that Ukrainian systems were very vulnerable to attacks from both Russia and criminal hackers, we used non-invasive means. If we find some information belonging to Ukraine out in the public domain, then this has nothing to do with hacking – it was there due to negligence. Thus, we demonstrate that anyone, literally using Google, can find secret documents related to our army, law enforcement, and so on.
– You said that over the years of the existence of the UCA, you have been constantly receiving threats. From whom and what kinds of threats?
Naturally, those we hack do not like this very much. Let’s take for example the situation with the Russian propagandist Prokhanov. I took over his Facebook page, as well as his editions The Day and Tomorrow, and wrote some funny texts on his behalf. Then, on the air of the Vesti program, he got very indignant about this, and his son Andrey Fefelov poured out empty threats. We’re constantly receiving all sorts of nasty things from the occupied territories, too. We just pay no mind to threats.
– Which of your actions do you consider the most successful?
It is difficult to pick one specific thing. Sometimes we were able to find information, for example, from the Federal Security Service of the Russian Federation – this is part of the former KGB, which, among other things, deals with the security of critical infrastructure. Therefore, finding such information was not easy. The SurkovLeaks campaign received the most mentions in the press, when we got access to the mailboxes of the office of the Aide to the President of the Russian Federation Vladislav Surkov. All the excitement happened because the action coincided with the election of the President of the United States. Rumors immediately surfaced that it might be the US revenge on Russia for the DNC hack. These rumors, of course, were denied by the US intelligence community, but such timing attracted a lot of attention to this topic. There are operations that are technically more interesting.
– Programmers will read us, so they are mostly interested in the technical part …
From the technical point of view, Orenburg Oblast was an interesting case. We used already published exploits. It was Heartbleed, a memory leak. We scanned a large number of Russian websites, and we found one of the small sites located in the data center of the government of the Orenburg Oblast, and its server memory leak gave us access. But for a long time, nothing could be done there, because they have both an IT department and an information security department with strict control from the FSB. However, at one point, the system administrator made a mistake: he mounted a network share on a public web server, and enough information leaked from there to give us access to the entire system and gain a foothold there, watching all parts of this regional government, including the FSB.
We even had to shoo away several stray hackers who had entered the same system so as not to lose access to it. And the access was maintained for a very long time – about one and a half years. During this time, everything that could be pumped out was pumped out of there. This shows how even small and short-lived errors lead to long-term consequences. And if an APT (advanced persistent threat) group has already entered the system and established itself in it, these hackers will be hard to find, they will get information for years. A similar case, the most famous recent story, is the supply chain attack on SolarWinds, when Russian hackers distributed a backdoor through network monitoring software and maintained this access for months. They were discovered almost by accident.
– What is the purpose of your actions? What do you want to achieve?
The fact is that Russian hackers feel at home inside Ukrainian systems. The state of information security in our public sector is appalling. So, the very first message that we would like to convey is that whatever you can do to us, we can do to you. We have enough competent specialists for this. The second goal is to directly obtain information about who makes decisions, especially the military ones, how they are made, what they are thinking in the presidential administration of the Russian Federation, what is their position in the negotiations in Minsk – not what they say in public, but what they discuss among themselves. I believe that this is valuable information that would be difficult or very expensive to obtain in any other way.
– In one of your interviews, you also said that cyber war is the cheapest one. But how effective is it? Do you think it can help take care of the real war?
If we talk not about the war as a whole, but only about its part, for example, about cyber espionage, then it is much cheaper than traditional espionage. A common idea in all the literature on this topic has become an expression that already feels tired, that now cyber is the fifth battlefield, along with land, sea, air and space. Naturally, wars are not won with the help of a computer yet – we are not that far in the future. But this is an important component that complements other military branches. There are no official doctrines on this in Ukraine. The area is not improving: neither in terms of defense, nor in terms of offense. There are, of course, numerous state cyber centers, including the cyber center of the Security Service of Ukraine, the cyber center of the State Special Communications Service, the cyber center of the Ministry of Defense, but so far, no significant success has been seen on their part.
– You have certain principles. For example, you said that you were not touching the critical infrastructure of Russia “since this is, in fact, an act of international terrorism.” What other similar principles does UCA have?
When we were actively collecting information about Russia, we were primarily interested in military and political targets. For example, in 2015 we managed to get access to information from one hundred thousand Russian mobile phones. We tried to look through the archives, for example, of SMS correspondence, but did not find anything that would deserve attention. Therefore, there was no point in wasting time on ordinary citizens, especially since our team is not very large.
In Russia, security is slightly better than in Ukraine. More money, more specialists, but still, I can’t say it’s very good. Naturally, we could get to the Russian infrastructure, hack something there, cause serious damage, but I think that it is still advisable to refrain from such actions and not slide into terrorism.
In 2015, Russia intervened in the work of the Ukrainian power system in Kyiv and the Carpathian region. This is an instance of international terrorism, and I was very surprised by the mild reaction of the Ukrainian government to these events. Abroad, attacks on our power plants are discussed much more than in Ukraine. For some reason, our Ministry of Foreign Affairs did not say that Russia basically switched to terrorist methods, which would be an additional step towards having the Russian Federation considered a rogue state, like Iran or North Korea. The investigation was not carried out properly. It is not clear how they got into the power plant system, what they were trying to achieve, whether it was a test run, an accident, or it will become a systematic activity on their part.
– How did you move from the first project directed outward to a domestic one to protect Ukrainian state structures?
It all happened in parallel. When they passed the law On the foundations of ensuring the cybersecurity of Ukraine, numerous discussions arose on Facebook. Many government officials declared: “You see! And you said that nothing changes. Look at that wonderful law we have passed. Now, finally, everything will be all right.” The goal of the #FuckResponsibleDisclosure campaign was to show that no laws by themselves fix anything or affect anything. To illustrate this point, we pointed to several vulnerable government information systems. And then we made the search for these vulnerabilities into a dedicated project.
As I said, there were no break-ins. Here you can make a parallel with the situation when, say, you are walking along the street past some houses and you notice that there is a key under one rug. Or a wallet on the road. You walk up and point it out: “you have a key under the rug”, or “your wallet fell out”. But neither the key nor the wallet is lifted or used. Same with a vulnerability. We found it, we know how it can be used, what it can lead to. But we do not use it, we only show it: “you have a hole here”.
– How do you assess the level of cyberspecialists working in government agencies?
In Ukraine, there are about 100 thousand institutions of all kinds, utilities, state enterprises… The public sector is huge. In some places, there are decent specialists, who apply their knowledge as intended. But there are very few of them. It is absolutely impossible to provide every institution with at least a system administrator. There are about 200 thousand IT specialists in all of Ukraine. So even if they all went to work in the public sector, there would still not be enough people.
When we launched #FuckResponsibleDisclosure three years ago, within a couple of months we found holes in at least half of the ministries, the presidential administration, many branches of the government, including the Computer Emergency Response Team at the State Special Communications Service. They simply left the plaintext password for one of their mailboxes on their website. And, for example, the Academy of the Ministry of Internal Affairs left an open, password-free shared drive on the Internet, with the database of all personnel: both those who train and those who are trained. It was the same with the Kyiv police…
Naturally, we do not interfere there. And if there is any information that can help a malicious cracker to pry this hole open and break in, then we do not publish it. Although often the only thing that has any effect on officials is when we shame them publicly. Only the fear of publicity and ridicule makes them do something. The most egregious holes were thus closed. Many have tried to act in a different way, directly warning administrators and management about existing holes. For example, Yevhen Dokukin (founder of the Ukrainian Cyber Army initiative – ed.) sent several hundred such messages. In 99 percent of cases, officials do not respond to such warnings.
That is, the goal of the #FuckResponsibleDisclosure campaign was not to close all the holes – this cannot be done through the efforts of volunteers – but to show that information security in Ukraine is in an unsatisfactory, inadequate state. No individual laws or decrees of the Cabinet of Ministers can lead to systemic changes. It is necessary to reconsider the approach itself, otherwise the hacks will continue. We all remember NotPetya, which caused damage amounting to $10 billion, numerous leaks from the Ministry of Internal Affairs, the Security Service of Ukraine, hacking of large enterprises such as Antonov, the aforementioned blackouts in Kyiv and the Carpathian region… If you do not start paying attention to this, the consequences will be catastrophic.
– After you reported about a vulnerability, did you follow up whether they listened to you or not?
It varied. Let me give you an example. There was publicly accessible water utility equipment, including remote control of mechanics, some kind of valves, shutoffs… I don’t understand enough about water utilities, but I understand that this is direct access to equipment, logins, passwords so that you can access it remotely and then do something. We warned the officers of the Security Service of Ukraine that we knew. After all, this is an immediate threat: an attack could leave several regions without water. The SBU tried to fix this, the data disappeared from open access, but the water utility turned out to have such a resourceful management that it managed to send the Service to hell with their demands.
– It is now customary for us to write more about negatives. I wonder if it ever happened that you discovered well-protected systems or met an adequate response from officials?
Yes, not very often, but we met with a calm professional reaction from some officials, when they quickly fixed vulnerabilities, wrote about it, publicly thanked us. That is, they acted as they should have done. Still, I would like to note that even if officials react, it still doesn’t compare with how businesses, especially large ones, react.
For example, when the information of one mobile operator became publicly available, the response time to the security incident was 30 seconds. That is, we published the cover of the document (there was nothing secret in the cover itself), and half a minute later a security engineer wrote to us and politely asked for all the details. Within 24 hours, they conducted their own internal investigation, found the cause of the leak and eliminated it. It was the same when traces of a break-in of the House of Representatives of the US Congress were found in the public domain. Some unknown hackers crawled around there, and one of our volunteers found an intermediate server through which the information was downloaded. Again, literally a few hours later, the Americans were already asking if this was all information or if there was something else that we did not want to talk about publicly.
And in our country, unfortunately, it often happens that after we discover a vulnerability, the head or the press secretary of the organization comes out and starts claiming that this is not a vulnerability. That all this is unimportant, it was left by the predecessors… They begin to threaten to report us to the police and the Security Service of Ukraine, resist in every possible way and go through all phases from denial to acceptance. For some reason, they are sure that this was deliberately planned against them personally, in order to denigrate them and undermine them.
Searches and courts
– How did the Cyber Alliance interact with government agencies initially?
The information that we considered important, that could be used, we passed to the military or special services. This was not some kind of formal interaction, just communication through the officers we knew and trusted. In the case of vulnerabilities in the public sector, most of the information was published with a description of vulnerabilities and what could be done to improve the situation.
In the fall of 2019, the Cyber Alliance was invited to the National Security and Defense Council. There was a discussion about how to reform the state approach to information security, how to combine it with the digitalization plans of the Deputy Prime Minister Mykhailo Fedorov. He also spoke at this meeting, talking about his plans. After that we held several meetings with officials, listened to what they were saying, formed a small group, discussed everything among ourselves (not only within the UCA, but also with the participation of many well-known IT specialists), developed a vision of how the existing system could be changed… And that was it. We sat and talked – and walked away, nothing has changed.
– And before that, privately, did government agencies contact you on any specific issues?
No, they didn’t.
– Now you have stopped cooperation with government agencies after the searches in February 2020 and subsequent court proceedings. Tell us the timeline of events.
Let’s start with the fact that in the fall of 2019, the leadership of the cyber units in both the SBU and the police changed in Ukraine. New people came there, and for some reason it was then that these events began to unfold. How did it all start? In October 2019, some unknown joker uploaded an offensive picture of Greta Thunberg to an electronic display at Odessa Airport. Everyone laughed at this, shrugged their shoulders: “Well, it happens.” And a few weeks before this incident, one of our volunteers, Andriy Pereveziy, had warned that there were holes in the system.
And in February 2020, the SBU and the police broke into my house, along with a heavily armed KORD special ops unit, all in protective gear, and with extra magazines for their rifles. Were they going to start a small war in my kitchen or something? The search warrant stated that I, Andriy Pereveziy and Alex Galushchenko (he now works in the cyber center at the National Security and Defense Council), the three of us, broke into the display at Odessa International Airport. That is, absolutely ridiculous charges, of course, the case was fabricated.
We did not remain silent and the next day we organized a press conference, where we announced that this was political pressure. After that there were two court sessions on the arrest of the seized property. At the first court session, our defense totally destroyed the position of the prosecutor’s office, but during a break between two court sessions happening on the same day, the judge took a sick leave. I believe that the law enforcement agencies put pressure on him not to make a fair decision. After that, the judge was replaced, and the new one arrested our property seized during the searches – computers, disks.
Eleven months have passed since then. The case is not progressing at all, we do not even have any status: we are not witnesses, not defendants, we haven’t been officially served any charges. Now the police are dealing with this case. They’re just playing for time, hoping… I don’t know what they’re hoping for. I personally hope that with the help of our wonderful attorneys we will achieve not only justice in court, but also punishment of those responsible.
– In one interview you said that you consider the situation with the Odessa airport as an excuse “to come to us with searches, to seize equipment and try to find something there.” What do you think they wanted to find?
I don’t know, maybe there’s some kind of compromising material to put pressure on us, to force us to do something or to make some indecent proposal. But it didn’t come to that, because everything immediately passed into the public sphere. There can be no agreements in such conditions. I am absolutely convinced that had there been no Odessa Airport, they would have used any other pretext to come with the searches in the same way.
– Have you tried to conduct your own investigation of the situation with the airport?
In the case file, I got acquainted with the technical details. I think it won’t be easy to find the real culprit. The best thing to do is to conduct a security audit and protect the airport system. It is run by a private Odessa company, and I think they can do it.
– At the mentioned conference, several UCA participants revealed their identities, although before that they had remained anonymous. Do you regret this decision? How has this affected you in particular?
It made things easier. Besides, our anonymity was symbolic. It was rather a part of the image: masks and balaclavas attract attention. Of course, I think both the SBU and the Ministry of Internal Affairs had known our names for a long time. In a practical sense, there was no point in continuing the game of anonymity. Therefore, we went to the press conference under our real names: me, Artem Karpinsky, Andriy Pereveziy and Olexandr Galushchenko. We also had a representative of the lawyers’ association with us, who gave legal commentary.
– In your opinion, should Ukrainian hacktivists have immunity, that is, protection from criminal prosecution? Or will it lead to submission?
First of all, I believe that no one should have immunity from criminal prosecution. Being a “nice guy” is not a defense. But our law enforcement system is completely corrupted and destroyed – I see this as a problem. That is, if we don’t violate Ukrainian laws, then I don’t understand what questions they might have for us, whether we are hackers, bakers, or someone else.
Press conference of the Ukrainian Cyber Alliance
About the Diya application and Internet security
– At the same press conference, someone said that if the UCA always reached out directly to international institutions, then Ukraine would have lost visa-free entry to Europe a long time ago. What exactly did they mean?
As far as I remember, this was said by Andriy Pereveziy. As I understand it, he meant that the same nuclear power plants and airports are part of the critical infrastructure, and Ukraine has certain international obligations regarding the safety of these facilities. Because if a civilian plane falls, God forbid, or an accident occurs at a nuclear power plant, then not only Ukraine will suffer. So, if the international organizations that are involved in the control of nuclear energy and aircraft safety (IAEA and ICAO) learned how low the level of protection of these critical facilities was, they would have a lot of questions for the Ukrainian government.
– In one of your posts you said that mobile communications in Ukraine are not safe, unlike the Internet. Tell us about this.
I’m actually surprised that this is news for anyone. Since the early 2000s, when the law on telecommunications was adopted, the Security Service of Ukraine has had direct access to the operators’ telephone networks. This is necessary in order to conduct “nonpublic investigative activities” or, simply put, wiretapping. Law enforcement agencies receive up to several thousand warrants a year in order to conduct legal wiretapping. But, of course, since they have direct access to the operators’ equipment, this opens up a huge space for abuse. There is a black market for services where, for a very reasonable amount of money, they will sell you all information from state registers, or do illegal wiretapping, among other things.
And as for the recent events… Now, for the second time around, the parliament has passed a new law No. 3014 on telecommunications. The first time it was passed by the Rada, Zelensky blocked it. They made certain changes and submitted it for signature again. And it is not clear whether the president will sign it or reject it. With some of the wordings there, those provisions that relate to wiretapping of telephone conversations can now be interpreted in such a way as to force Internet providers to provide access to the Security Service of Ukraine to their networks too, which, naturally, will entail extremely unpleasant consequences. And this now is a complete and ultimate disgrace.
No one disputes the principle that law enforcement officers should have a legal way to obtain information about subscribers from telephone operators and Internet providers. But, I think, it would be logical for them to have to obtain a warrant, provide it to the operator, who would independently record the necessary information. If law enforcement agencies have access to equipment, they will use it, including for selfish personal ends. And this is corruption and a huge loss for the economy and for civic rights.
– You have also recently commented on the bug bounties in order to identify the vulnerabilities of the Diya application. Did you participate in this? How safe do you think this application is?
I am closely following the mass digitalization project. And I think that this is thoughtless digitalization, when they digitize those processes that are not needed at all. Let’s say I need a certificate from the state. It doesn’t matter to me what form it will be in, I want no certificates to exist. Or let’s take the first thing they did in the Diya application – they added a passport of a citizen of Ukraine there. I don’t really understand why. In my opinion, it is much easier to cancel passport checks when selling train tickets than to load your passport into your phone. I just want, according to the Constitution, to have freedom of movement and walk without a passport. I think many ideas in this application are either meaningless, or prone to extremely negative consequences.
We know that data from the registries leaks regularly, is faked regularly, that there is a huge number of errors in these registries. And instead of reducing the amount of information that the government collects about its citizens, instead of ensuring that this information is properly protected, the Ministry of Digital Transformation is trying to combine it into a giant system. This means that more people will have access to different registries, there will be more leaks and risks.
As for the presence of some vulnerabilities, the Ministry of Digital Transformation’s response to criticism is absolutely inadequate. Many journalists tried, through official requests, to obtain at least some information about the portal and the application, including a certificate on computer security compliance. In response, the ministry provided deliberately corrupted files that could not be opened. In reply to all questions, they assure: “We are doing well, we have conducted audits. We have certificates. We will not show them though, you just have to take our word for it.” I believe that information security is not an area where you can rely on the words of an official.
The bug bounty program which they announced in December is a PR move to patch up their reputation: “So we turned to hackers from all over the world, they checked everything and found almost nothing, which means the application is reliably protected.” Personally, we did not participate in all this. However, several Ukrainian companies and institutions (public and private) contacted the Ministry of Digital Transformation: “Let us also take part in your bug bounty,” and the response from the minister was absolutely wild – he rejected everyone.
This indicates that they are trying to quietly run everything on the side and thus strengthen their reputation, so they are throwing all kinds of spanners in the works, limiting the number of participants. Moreover, you hold a bug bounty when you are already fully confident that you have done everything possible to ensure security. But before that there were no independent auditors involved. Only some Estonian non-profit organization took part. That is, there was no independent audit, the results were not published, but for some reason a bug bounty program is being carried out.
– Your quote: “Anything can be hacked – it’s a matter of time and effort.” Considering this, do you even need such applications as Diya?
The fact that almost everything can be hacked does not mean that nothing needs to be done. I am not urging everyone to return to the Stone Age, give up their phone and computer and use paper again. This is inconvenient, out of date, there is no need to give up technological progress. But any tasks must be implemented correctly. What is the goal of the Diya application? One of those that periodically appear in the statements of the leadership of the Ministry of Digital Transformation and Mr. Zelensky himself – in the future, this will allow holding elections in digital form.
But I believe, and this is not only my opinion, but that of practically all international experts in the field of elections and information security, that at the moment there is no technology that would make it possible to conduct elections online and convince everyone that they were fair. Because the task of the elections is not to determine the winner, but to convince the loser that no one has cheated. In the case of digital elections, this is not possible, at least for the time being. Nowadays there is no country other than Estonia where online elections are held. And even in small Estonia, there are many disaffected people who want to return to a safer offline system.
If the Ministry of Digital Transformation wants to improve something, then it would be worthwhile to deal primarily with the responsibility of officials for entering inaccurate information into the registries. Let’s say you wanted to use a driver’s license in the Diya application. It could be lacking a photograph, a vehicle inspection card, or have some nonsense written in it. And then you have to go to the Administrative Services Center and basically get a brand-new driver’s license. I believe that a useful digitalization would be to force those officials who entered inaccurate data to correct their mistake so that you don’t have to run around, but they have to do it on their own. After the system starts working reliably offline, it can be automated. If we automate a mess and fraud, then we get an automated mess and digital fraud.
– In one of your interviews, you said that incompetence and irresponsibility are two reasons that allow Russian hackers to attack our government and business structures. How do you see the resolution of these issues? And is it possible to solve them completely, if, according to your own words, anything can be hacked?
You can hack anyone, but hacking some things is easy, and hacking others is difficult. And it is not even the fact of hacking that is important, but how people react to it and how they try to mitigate the damage done.
Officials must understand that they are responsible for the information that we have entrusted to them, because it is valuable. We can even determine exact black-market pricing. So, it is a valuable property that needs to be guarded just like physical objects. In the meantime, no one is responsible for its safety and protection.
There is a flip side to the coin – a person can only be held responsible for what he knows. If there is no real system administrator in a state organization, but only a low-paid employee who runs around and changes cartridges in printers, then, of course, he cannot be responsible for anything. But if a state institution cannot maintain its own information system, then let it return to paper, safes and security guards at the entrance. That is, you will either learn to maintain your information systems and bear responsibility for their safety, up to criminal liability, dismissals, fines, reprimands, or you simply should not have them.
– At the beginning of the interview, you said that at the moment there are three active members of the organization. What is the Ukrainian Cyber Alliance doing now?
At the moment we are mainly taking care of our own business. Although, of course, we take part in all kinds of discussions, including about changes in the legislation. But we are not currently conducting any systemic projects. That is, we want to first achieve justice in court, and then we will decide what to do next.
– Do you have any specific plans, ideas?
There are many ideas in terms of what could be done both for defense and for offense. It is precisely the task of a public organization to come up with such projects. But we’re keeping them on ice. Let us deal with the court first.