Ukrainian Cybergeddon: from fake digital signature to e-governance

critical infrastructure shutdown

Oleksandr Tsaruk, Ph.D.Chief adviser, Committee on ICT,Parliament of Ukraine

Digital signature as key element of e-governance system

The Legal core of D-Signature Scandal 2016The national legal framework was adjusted to allow for online submission of

income and property declarations of all officials and civil servants. “As Must” it is obligatory for top officials by the November 1, 2016.

The automated information system for online filing of income statemes of public officials was developed with support of UNDP office and launched on August 15, 2016. But IT security audit revealed the serious threads for other critical resources. Because of this it worked as autonomous system without connection to basic government resources till September 1, 2016.

How Fake D-Signature was used to compromise trust on Agust 19, 2016 Fake e-declaration was submitted and published on official

on-line e-registry of National Agency on Corruption Prevention.

Day later two MP’s during press conference showed this like an evidence that this system is not ready to be launched yet.

during this journalists and IT experts received the private key footprint of “testing” digital signature which was used to sing fake declaration of the board member of National Agerncy on Corruption Prevention. Some hours later that D-key footprint disappeared from official registers so law enforcement did not manage to find the issuing authority.

Outcome 1Problems with lunching of on-line income declaration submission system for

civil servants which could allow to increase transparency of the public officials’ income and their accountability uncovered weaknesses in cybersecurity rules in Ukraine and caused developing new legislations on using digital signature.

It would never happen if private key would be placed in secure token and kept well. In our case it is still possible to keep it on any device.

Cybersecurity regulations as tool of making order from chaos

Fake D-Signature scandal attracted attention of working group on "Anti-raider" Law on importance using safe containers for private key of officers with access to governed registries like: Land, Real estate etc.

In two weeks the “Anti-raider” Bill was registered in the Parliament and in one moth was enforced. The idea that notarization e-signatures must be stored on safe tokens received overwhelming support because using notary d-key Raider can change all ownerships record and even your marriage status

Outcome 2The Prykarpatyaobenergo shutdown by BlackEnergy and Fake D-Signature Scandal acted role of first stage of advocacy campaign and raised awareness of government officials.

And now we are working on Cybersecurity law as basis legal Frame. Tomorrow we are planning to implement ideas of The EU Directive on security of network and information systems.

Q & AOleksandr Tsaruk, Ph.D.

https://www.facebook.com/tsaruk