Social and Legal Studios
ISSN 2617-4162
e-ISSN 2617-4170
Publisher: Lviv State University of Internal Affairs
Abstract
The study aimed to identify ways to improve the legal regulation of the protection of information networks of Ukraine’s critical infrastructure, taking into account contemporary challenges in cybersecurity and international standards. The research employed a comparative analysis of the legislation of Ukraine, the EU, the USA, and the United Kingdom governing cybersecurity in critical infrastructure. Additionally, it assesses the effectiveness of existing legal and regulatory frameworks in the context of modern threats, particularly armed conflict. The analysis revealed the fragmented nature of the current legislation, the lack of an effective coordination mechanism among state authorities, and insufficient legal instruments for regulating liability for cybercrimes targeting critical infrastructure. It was established that Ukraine’s regulatory framework only partially complies with international standards, complicating its harmonisation with EU requirements. The insufficient integration of the public and private sectors in the field of cybersecurity is also a significant factor limiting the effectiveness of protecting strategic digital assets. To enhance the efficiency of legal regulation, comprehensive harmonisation of Ukraine’s legislation with EU norms is necessary, particularly with the NIS 2 Directive, which establishes unified requirements for the protection of critical infrastructure. The introduction of mandatory certification of cybersecurity measures and the expansion of criminal liability for cyberattacks on critical infrastructure, including sanctions for legal entities, are advisable. A crucial direction is the legislative establishment of a unified national cyber threat monitoring system and the improvement of mechanisms for public-private partnerships. The proposed changes will contribute to strengthening the cyber resilience of Ukraine’s critical infrastructure, ensuring its compliance with international standards, and facilitating its integration into the global cybersecurity system
Keywords: cyber resilience; digital space; strategic objects; cyber threats; national security
Suggested citation
[1] Abedi, A., Gaudard, L., & Romerio, F. (2019). Review of major approaches to analyze vulnerability in power system. Reliability Engineering & System Safety, 183, 153-172. doi: 10.1016/j.ress.2018.11.019.
[2] Act on the Federal Office for Information Security (BSI Act – BSIG). (2009, August). Retrieved from https://surl.li/gmcaco.
[3] Anakhov, P., Zhebka, V., Popereshnyak, S., Skladannyi, P., & Sokolov, V. (2023). Protecting objects of critical information infrastructure from wartime cyber attacks by decentralizing the telecommunications network. Cybersecurity Providing in Information and Telecommunication Systems, 3550, 240-245.
[4] Andrew, L. (2020). The vulnerability of vital systems: How “critical infrastructure” became a security problem. In M.A. Dunn & K.S. Kristensen (Eds.), Securing “The Homeland” (pp. 17-39). London: Routledge. doi: 10.4324/9780203926529.
[5] Cali, Ü., Catak, F.Ö., Balogh, Z.G., Ugarelli, R., & Jaatun, M.G. (2023). Cyber-physical hardening of the digital water infrastructure. In Proceedings of the 2023 European interdisciplinary cybersecurity conference (EICC ‘23) (pp. 181-188). New York: Association for Computing Machinery. doi: 10.1145/3590777.3591408.
[6] Cantelmi, R., Di Gravio, G., & Patriarca, R. (2021). Reviewing qualitative research approaches in the context of critical infrastructure resilience. Environment Systems and Decisions, 41, 341-376. doi: 10.1007/s10669-020-09795-8.
[7] Chernysh, R., Chekhovska, M., Stoliarenko, O., Lisovska, O., & Lyseiuk, A. (2023). Ensuring information security of critical infrastructure objects as a component to guarantee Ukraine’s national security. Amazonia Investiga, 12(67), 87-95. doi: 10.34069/ AI/2023.67.07.8.
[8] Chumachenko, S., & Popel, V. (2023). A systematic approach to the automation of the processes of ensuring personnel competence at critical infrastructure facilities of the defense forces of Ukraine. Bulletin of Cherkasy State Technological University, 28(3), 141-155. doi: 10.24025/2306-4412.3.2023.288836.
[9] Cloud consciousness: Industry group speaks out. (2015). Retrieved from https://digital-strategy.ec.europa.eu/en/library/ cloud-consciousness-industry-group-speaks-out
[10] Convention on Cybercrime. (2001, November). Retrieved from https://surl.gd/uxuxjl.
[11] Criminal Code of Ukraine. (2001, April). Retrieved from https://zakon.rada.gov.ua/laws/show/en/2341-14#Text.
[12] Critical Infrastructure Partnership Advisory Council. (2023). Retrieved from https://www.cisa.gov/resources-tools/groups/critical-infrastructure-partnership-advisory-council-cipac.
[13] Cybersecurity and Infrastructure Security Agency Act. (2018, November). Retrieved from https://surl.gd/bfcepu.
[14] Darıcılı, A.B., & Celik, S. (2022). National security 2.0: The cyber security of critical infrastructure. PERCEPTIONS: Journal of International Affairs, 26(2), 259-276.
[15] Davydiuk, A., & Potii, O. (2024). National cybersecurity governance: UKRAINE. Retrieved from https://ccdcoe.org/library/publications/national-cybersecurity-governance-ukraine/.
[16] Davydiuk, A., & Zubok, V. (2023). Analytical review of the resilience of Ukraine’s critical energy infrastructure to cyber threats in times of war. In 15th international conference on cyber conflict: Meeting reality (pp. 121-139). Tallinn: Institute of Electrical and Electronics Engineers. doi: 10.23919/CyCon58705.2023.10181813.
[17] Decree of the President of Ukraine No. 242/2016 “On the National Coordination Centre for Cybersecurity”. (2016, June). Retrieved from https://zakon.rada.gov.ua/laws/show/242/2016#Text.
[18] Decree of the President of Ukraine No. 392/2020 “On the Decision of the National Security and Defence Council of Ukraine of 14 September 2020 “On the National Security Strategy of Ukraine”. (2020, September). Retrieved from https://www.president.gov.ua/documents/3922020-35037.
[19] Decree of the President of Ukraine No. 447/2021 “On the Decision of the National Security and Defence Council of Ukraine of 14 May 2021 “On the Cybersecurity Strategy of Ukraine”. (2021, May). Retrieved from https://www.president.gov.ua/documents/4472021-40013.
[20] Directive of the European Parliament and of the Council No. 2016/1148 “Concerning Measures for a High Common Level of Security of Network and Information Systems Across the Union”. (2016, July). Retrieved from https://eur-lex.europa.eu/eli/dir/2016/1148/oj.
[21] Djenna, A., Harous, S., & Saidouni, D.E. (2021). Internet of things meet internet of threats: New concern cyber security issues of critical cyber infrastructure. Applied Sciences, 11(10), article number 4580. doi: 10.3390/app11104580.
[22] European Commission. (2021). Horizon Europe. Retrieved from https://research-and-innovation.ec.europa.eu/funding/funding-opportunities/funding-programmes-and-open-calls/horizon-europe_en.
[23] European Commission. (2022). Digital Europe Programme. Retrieved from https://surl.li/hycdxt.
[24] Fuster, G.G., & Jasmontaite, L. (2020). Cybersecurity regulation in the European Union: The digital, the critical and fundamental rights. In M. Christen, B. Gordijn & M. Loi (Eds.), The ethics of cybersecurity (pp. 97-115). Cham: Springer. doi: 10.1007/978-3-030-29053-5_5.
[25] Haber, M. (2022). Great power competition: Critical infrastructure. In A. Farhadi, R.P. Sanders & A. Masys (Eds.), The great power competition: Cyberspace: The fifth domain (pp. 3-26). Cham: Springer. doi: 10.1007/978-3-031-04586-8_1.
[26] Ivanenko, O. (2020). Implementation of risk assessment for critical infrastructure protection with the use of risk matrix. ScienceRise, 2, 26-38. doi: 10.21303/2313-8416.2020.001340.
[27] Izycki, E., & Vianna, E.W. (2021). Critical infrastructure: A battlefield for cyber warfare? In 16th International conference on cyber warfare and security (pp. 454-464). London: Academic Conferences Limited.
[28] Kelemen, R. (2023). The impact of the Russian-Ukrainian hybrid war on the European Union’s cybersecurity policies and regulations. Connections, 22(2), 75-90. doi: 10.11610/Connections.22.2.55.
[29] Key consequences of Russian aggression for Ukraine’s water resources for 19-25 May 2022. (2022). Retrieved from https://davr.gov.ua/news/klyuchovi-naslidki-rosijskoi-agresii-dlya-vodnih-resursiv-ukraini-za-1925-travnya-2022-roku.
[30] Khan, M.J. (2023). Securing network infrastructure with cyber security. World Journal of Advanced Research and Reviews, 17(2), 803-813. doi: 10.30574/wjarr.2023.17.2.0308.
[31] Knapp, E.D. (2024). Industrial network security: Securing critical infrastructure networks for smart grid, SCADA, and other industrial control systems. London: Syngress. doi: 10.1016/C2022-0-02315-1.
[32] Kovaliv, M., Skrynkovskyy, R., Nazar, Y., Yesimov, S., Krasnytskyi, I., Kaydrovych, K., Kniaz, S., & Kemska, Y. (2021). Legal support of cybersecurity of critical information infrastructure of Ukraine. Path of Science, 7(4), 2011-2018. doi: 10.22178/ pos.69-12.
[33] Law of Ukraine No. 1882-IX “On Critical Infrastructure”. (2023, November). Retrieved from https://zakon.rada.gov.ua/laws/ show/1882-20.
[34] Law of Ukraine No. 2163-VIII “On the Basic Principles of Ensuring Cybersecurity of Ukraine”. (2017, October). Retrieved from https://zakon.rada.gov.ua/laws/show/en/2163-19#Text.
[35] Law of Ukraine No. 2297-VI “On Personal Data Protection”. (2010, June). Retrieved from https://www.president.gov.ua/ documents/2297vi-11567.
[36] Law of Ukraine No. 2824-IV “On Ratification of the Convention on Cybercrime”. (2005, September). Retrieved from https:// zakon.rada.gov.ua/laws/show/2824-15#Text.
[37] Liu, W., & Song, Z. (2020). Review of studies on the resilience of urban critical infrastructure networks. Reliability Engineering & System Safety, 193, article number 106617. doi: 10.1016/j.ress.2019.106617.
[38] Loveček, T., Straková, L., & Kampová, K. (2021). Modeling and simulation as tools to increase the protection of critical infrastructure and the sustainability of the provision of essential needs of citizens. Sustainability, 13(11), article number 5898. doi: 10.3390/su13115898.
[39] Lyndyuk, A., Boiko, V., Bruh, O., Olishchuk, P., & Rurak, I. (2023). Development of international cooperation of the borderline territorial communities of Ukraine with the EU countries under martial law. Financial and Credit Activity: Problems of Theory and Practice, 5(52), 244-255. doi: 10.55643/fcaptp.5.52.2023.4161.
[40] Markopoulou, D., & Papakonstantinou, V. (2021). The regulatory framework for the protection of critical infrastructures against cyberthreats: Identifying shortcomings and addressing future challenges: The case of the health sector in particular. Computer Law & Security Review, 41, article number 105502. doi: 10.1016/j.clsr.2020.105502
[41] Memorandum of Understanding between Ukraine and the USA Regarding Collaboration on Ukrainian Energy System Resilience. (2021, September). Retrieved from https://ua.usembassy.gov/memorandum-of-understanding-between-ukraine-and-the-usa-regarding-collaboration-on-ukrainian-energy-system-resilience/.
[42] Mitoulis, S.A., Argyroudis, S., Panteli, M., Fuggini, C., Valkaniotis, S., Hynes, W., & Linkov, I. (2023). Conflict-resilience framework for critical infrastructure peacebuilding. Sustainable Cities and Society, 91, article number 104405. doi: 10.1016/j. scs.2023.104405.
[43] Network and Information Systems Regulations. (2018, April). Retrieved from https://www.legislation.gov.uk/uksi/2018/506/contents/made.
[44] Newbill, C.M. (2019). Defining critical infrastructure for a global application. Indiana Journal of Global Legal Studies, 26(2), 761-779.
[45] Newlove-Eriksson, L., Giacomello, G., & Eriksson, J. (2018). The invisible hand? Critical information infrastructures, commercialisation and national security. International Spectator, 53(2), 124-140. doi: 10.1080/03932729.2018.1458445.
[46] NIS 2 Directive. (2024). Retrieved from https://www.nis-2-directive.com/.
[47] Osei-Kyei, R., Almeida, L.M., Ampratwum, G., & Tam, V. (2023). Systematic review of critical infrastructure resilience indicators. Construction Innovation, 23(5), 1210-1231. doi: 10.1108/CI-03-2021-0047.
[48] Palko, D., Babenko, T., Bigdan, A., Kiktev, N., Hutsol, T., Kuboń, M., Hnatiienko, H., Tabor, S., Gorbovy, O., & Borusiewicz, A. (2023). Cyber security risk modeling in distributed information systems. Applied Sciences (Switzerland), 13(4), article number 2393. doi: 10.3390/app13042393.
[49] Pipyros, K. (2019). A new systematic modelling methodology for improving cyber-attack evaluation on states Critical Information Infrastructure (CII). Athens: Athens University Economics and Business.
[50] Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts (Protocol I). (1977, June). Retrieved from https://www.ohchr.org/en/instruments-mechanisms/instruments/protocol-additional-geneva-conventions-12-august-1949-and.
[51] Pursiainen, C. (2021). Russia’s critical infrastructure policy: What do we know about it? European Journal for Security Research, 6, 21-38. doi: 10.1007/s41125-020-00070-0.
[52] Rehak, D., Senovsky, P., Hromada, M., & Lovecek, T. (2019). Complex approach to assessing resilience of critical infrastructure elements. International Journal of Critical Infrastructure Protection, 25, 125-138. doi: 10.1016/j.ijcip.2019.03.003.
[53] Resolution of the Cabinet of Ministers of Ukraine No. 518-2019-p “On Approval of the General Requirements for Cyber Defence of Critical Infrastructure Objects”. (2019, June). Retrieved from https://zakon.rada.gov.ua/laws/show/518-2019-%D0%BF#Text.
[54] Riggs, H., Tufail, S., Parvez, I., Tariq, M., Khan, M.A., Amir, A., Vuda, K.V., & Sarwat, A.I. (2023). Impact, vulnerabilities, and mitigation strategies for cyber-secure critical infrastructure. Sensors, 23(8), article number 4060. doi: 10.3390/s23084060.
[55] Schmitt, M.N. (2017). Tallinn manual 2.0 on the international law applicable to cyber operations. Retrieved from https://lawcat. berkeley.edu/record/199769.
[56] Semenchenko, A., Pleskach, V., Zaiarnyib, O., & Pleskachb, M. (2020). Cyber security and cyber protection: The current state of public administration in Ukraine. In I. Sergienko & P. Andon (Eds.), Proceedings of the 12th international scientific and practical conference of programming (UkrPROG 2020) (pp. 276-284). Kyiv: CEUR Workshop Proceedings.
[57] Shahini, E., Fedorchuk, M., Hruban, V., Fedorchuk, V., & Sadovoy, O. (2024). Renewable energy opportunities in Ukraine in the context of blackouts. International Journal of Environmental Studies, 81(1), 125-133. doi: 10.1080/00207233.2024.2320021.
[58] Shopina, I., Khomiakov, D., Khrystynchenko, N., Zhukov, S., & Shpenov, D. (2020). Cybersecurity: Legal and organizational support in leading countries, NATO and EU standards. Journal of Security and Sustainability Issues, 9(3), 977-992.
[59] Sokiran, M. (2021). Basic principles of public administration of critical information infrastructure: The example of Ukraine. Advanced Space Law, 7, 63-72.
[60] Sopilko, I., Svintsytskyi, A., Krasovska, Y., Padalka, A., & Lyseiuk, A. (2022). Information wars as a threat to the information security of Ukraine. Conflict Resolution Quarterly, 39(3), 333-347. doi: 10.1002/crq.21331.
[61] The history of the NotPetya virus: Should we be wary of similar cyberattacks in the future? (2018). Retrieved from https:// www.imena.ua/blog/notpetya-cyberattack/.
[62] Ukraine becomes a partner in the Three Seas Initiative. (2022). Retrieved from https://www.eurointegration.com.ua/ news/2022/06/21/7141676/.
[63] United Nations Charter. (1945, June). Retrieved from https://www.un.org/en/about-us/un-charter/full-text.
[64] United Nations. (2021). Group of governmental experts on advancing responsible state behaviour in cyberspace in the context of international security. Retrieved from https://www.un.org/disarmament/group-of-governmental-experts/.
[65] White, R. (2019). Risk analysis for critical infrastructure protection. In D. Gritzalis, M. Theocharidou & G. Stergiopoulos (Eds.), Critical infrastructure security and resilience: Theories, methods, tools and technologies (pp. 35-54). Cham: Springer. doi: 10.1007/978-3-030-00024-0_3.
[66] Yefimenko, I., Sakovskyi, A., & Bilozorov, Ye. (2023a). Protection of critical infrastructure as a component of Ukraine’s national security. Law Journal of the National Academy of Internal Affairs, 13(2), 74-85. doi: 10.56215/naia-chasopis/2.2023.74.
[67] Yefimenko, I., Slipchenko, V., & Vaško, А. (2023b). Critical infrastructure as an object of criminal encroachment: General characteristics and features of the investigation organisation. Scientific Journal of the National Academy of Internal Affairs, 28(2), 41-51. doi: 10.56215/naia-herald/2.2023.41.
[68] Zhang, H., Huang, C., & Lyu, A. (2024). A compliance-enhancing approach to separated continuous auditing of intelligent endpoints security in war potential network based on location-sensitive hashing. In Y. Zhang, L. Qi, Q. Liu, G. Yin & X. Liu (Eds.), Proceedings of the 13th international conference on computer engineering and networks (pp. 100-119). Singapore: Springer. doi: 10.1007/978-981-99-9247-8_11.