THE LAW OF UKRAINE ON THE BASIC PRINCIPLES OF ENSURING THE CYBER SECURITY OF UKRAINE (for reference only)
17 May 2018

THE LAW OF UKRAINE

ON THE BASIC PRINCIPLES OF ENSURING THE CYBER SECURITY OF UKRAINE


The Law defines the legal and organizational foundations for ensuring the protection of vital interests of individuals and citizens, society and the state, the national interests of Ukraine in cyberspace, core objectives, principal directions and foundations of national policy, powers and authority of state bodies, enterprises, institutions, organizations, individuals and citizens in this field, the basic principles of coordination of their activities on ensuring cyber security.


Article 1. Definition of terms

In this Law the following terms shall have the meanings set forth below:

1)    cyber threat indicators – indicators (technical data) used to detect and respond to cyber threats;


2)    cyber security incident information - information about the circumstances of a cyber incident, in particular, data about


·         objects subjected to cyber protection, that were exposed to cyber-attack,

·         circumstances under which objects subjected to cyber protection were exposed to cyber-attack,

·         cyber incidents which were successfully detected, neutralized and prevented,

·         cyber defence means, including cyber threat indicators, used to prevent cyber incident;


3)    cyber security incident (cyber incident) - an event or series of adverse events

·         that occurred unintentionally (of natural, technical, technological or erroneous nature, including the human factor),

·         and / or events with signs of a feasible (potential) cyber-attack that

-         pose a security threat to electronic communication systems and process control systems,

-         create a potential for disruption of the operating mode of such systems (including disrupting and / or blocking the system and / or unauthorized management of the system resources),

-         jeopardize the security (safety) of electronic information resources;


4) cyber-attack - directed (deliberate) actions in cyberspace, which are carried out by means of electronic communications (including information and communication technologies, software, software and hardware tools, other technical and technological tools and equipment) and aimed at achieving one or a combination of the following goals:

·         breach of confidentiality, integrity violation, unavailability of electronic information resources processed (transmitted, stored) in communication and /or technological systems, and also gaining unauthorized access to such resources;

·         security violation, disruption of steady-state functioning of communication and / or technological systems;

·         use of the communication system, its resources and electronic communications to launch cyber-attacks on other objects subjected to cyber protection;


5) cyber security - the protection of the vital interests of individuals and citizens, the society and the state when cyberspace is used, ensuring the sustainable development of the information society and the digital communicative environment, timely detection, prevention and neutralization of real and potential threats to the national security of Ukraine in cyberspace;


6) cyber threat - existing and potentially possible phenomena and factors that pose a threat to the vital national interests of Ukraine in cyberspace, adversely affect cyber security status of the state, cyber security and cyber protection of its objects;


7) cyber defence (cyber protection) - a set of legal actions, organizational, engineering and technical measures, as well as measures of cryptographic and technical information protection aimed at preventing cyber incidents, detecting and protecting against cyber-attacks, eliminating their consequences, restoring the sustainability and reliability of the functioning of communication and technological systems;


8) cybercrime (computer crime) - a socially dangerous unjust act in cyberspace and /or with the use of cyberspace, liability for which is provided for by the Law of Ukraine on Criminal Liability and /or which is recognized as a crime by international agreements of Ukraine;


9) cybercrime (total cybercrime, common computer–related criminality) – aggregate of cyber-related crimes;


10) cyber defence - a set of policies, legal and social actions, military activities, economic, organizational, scientific, scientific and technical, informational and other measures that are carried out in the cyberspace and aimed at

·         ensuring the protection of the sovereignty and defence capacity of the state,

·         prevention of armed conflict and the repression of armed aggression;


11) cyberspace - an environment (virtual space) that provides opportunities for communication and /or social relations. The environment (cyberspace) is formed as a consequence of the operation of compatible (connected) communication systems and the provision of electronic communications with the use of the Internet and /or other global data transmission networks;


12) cyber intelligence - activity carried out by intelligence agencies in cyberspace or with the use of it;


13) cyber terrorism - a terrorist activity carried out in cyberspace or with the use of it;


14) cyber espionage - espionage carried out in cyberspace or with the use of it;


15) critical information infrastructure - a set of critical information infrastructure facilities (objects);


16) critical infrastructure facilities (critical infrastructure objects) - enterprises, institutions and organizations regardless of their form of ownership, activities of which are directly related to technological processes and/or the service delivery of major importance to the economy and industry, the functioning of the society and the public security. Destruction or malfunction of infrastructure facilities may have a negative impact on national security and defence of Ukraine, natural environment, and may also cause property damage and /or pose a threat to human life and health;


17) National telecommunication network - a complex of special telecommunication systems (networks), systems of special communication, other communication systems that are being used in the interests of public authorities and local government, law-enforcement agencies and troop formations established under law. The National telecommunication network is intended for

·         circulation (transmission, reception, creation, processing, storage) and protection of national information resources,

·         provision of secure electronic communications,

·         providing a range of modern secure information and communication (multiservice) services in the interests of managing the state in peacetime, in a state of emergency and in a special period.

The National telecommunication network is a dual-purpose system; part of its resources is used to deliver services, in particular cyber protection services, to other consumers;

18) national electronic information resources (national information resources) - systematized electronic information resources that contain

·         information regardless of its type, content, form, time and place of information creation (including public information, national information resources and other information),

·         information designed to meet the vitally important social needs of a citizen, person, society and state.

Electronic information resources refer to any information that is created, recorded, processed or stored in digital or other non-material forms using electronic, magnetic, electromagnetic, optical, technical, software or other means and tools;


19) facility (object) of critical information infrastructure - a communication or technological system of the facility (object) of critical infrastructure; the cyber-attack on this system will directly affect the sustainable functioning of such critical infrastructure facility (object);


20) process control system (technological system, process system) is

·         an automated or automatic system, which is a set of equipment, resources, complexes as well as data processing, storage and transmission systems,

·         intended for administrative and /or production control (including industrial, electronic, communication equipment, other technical and technological means and facilities) irrespective of whether the system has access to the Internet and /or other global data networks;


21) electronic communication systems (communication systems) – transmission systems, switching or routing systems, equipment and other resources, including:

·         passive network elements that allow the transmission of signals by wire, radio, optical or other electromagnetic means,

·         mobile and satellite networks,

·         cable networks to the extent they are used for signal transmission.

All the above systems, equipment and other resources provide electronic communications (transmission of electronic information resources), including communication facilities and devices, computers, other computer equipment, information and telecommunication systems. For the purposes of this Law, electronic communication systems are communication systems that have access to the Internet and / or to other global data transmission networks.

The terms "national security", "national interests", "threats to national security" are used in this Law with the meanings assigned to them by the Law of Ukraine "On the Fundamentals of National Security of Ukraine".


Article 2. Principles of application of the Law


1. This Law does not apply to:


1) arrangements and services related to the content of information that is processed (transmitted, stored) in communication and /or technological systems;


2) activities related to the protection of

·         information defined as a State secret,

·         communication and technological systems intended for processing information classified as an official secret;


3) social networks, private electronic information resources on the Internet (including blog platforms, video hosting, and other web resources), provided that such information resources do not contain

·         information protection of which is required by law,

·         arrangements and services related to the functioning and operation of such networks and resources;


4) communication systems that

·         do not interact with public electronic communications network (public electronic networks),

·         are not connected to the Internet and /or other global data networks (except for technological systems).


2. Application of legislation in the field of cyber security and making a decision by power entities on compliance with the provisions of this Law shall be carried out ensuring observance of the following principles:


1) baseline minimum regulation, whereby decisions (actions) of power entities shall be necessary and minimally sufficient to achieve goals and tasks determined by this Law;


2) objectivity, legal certainty and maximum available application of national and international law relating to powers and responsibilities that state bodies, enterprises, institutions, organizations and citizens have in the cyber security area;


3) ensuring rights protection of communication system users and/or protection of the rights of electronic communications service consumers and/or service consumers of information security services, cyber defence, including rights of privacy and personal data security;


4) transparency, according to which the decisions (actions) of power entities shall be duly reasoned and communicated to the subjects concerned before these decisions (actions) come into force (before the decisions and actions are applied);


5) balance between requirements and responsibilities, that is the balance between establishing liability for non-compliance with cyber security and cyber protection requirements and establishing responsibilities for imposition of excessive requirements and restrictions;


6) non-discrimination, according to which the decisions, actions and inaction of power entities cannot result in a legal or actual scope of a person’s rights and obligations that is:

·         different from the scope of rights and obligations of other persons in similar situations, except cases when such difference is necessary and minimally sufficient to satisfy the public interest;

·         the same as the scope of rights and obligations of other persons in non-analogous situations, except cases when such uniformity is necessary and minimally sufficient to satisfy (serve) the public interest;


7) equivalence of requirements imposed on the provision of cyber security of critical infrastructure facilities; according to this principle the application of legal norms should be equivalent if these legal norms relate to ensuring cyber protection of communication and technological systems of critical infrastructure facilities which belong to one and the same sector of the economy and /or perform similar functions.


These principles are applied without giving precedence to any one of them over other principles according to the purpose and objectives of this Law.

Article 3. Legal basis of ensuring cyber security of Ukraine

1. The legal basis of ensuring the cyber security of Ukraine is represented by

·         the Constitution of Ukraine;

·         laws of Ukraine on

a)    Fundamentals of National Security of Ukraine,

b)    Fundamentals of domestic and foreign policy,

c)    telecommunications,

d)    protection of state information resources and information, the requirement on protection of which is established by law;

·         this and other laws of Ukraine;

·         the Convention on Cybercrime;

·         other international treaties, the consent to be bound by which has been granted by the Verkhovna Rada of Ukraine;

·         decrees of the President of Ukraine;

·         acts of the Cabinet of Ministers of Ukraine;

·         other laws and regulations that are adopted to execute the laws of Ukraine.


2. If the international treaty of Ukraine, the consent to be bound by which is provided by the Verkhovna Rada of Ukraine, defines other regulations than those established by this Law, the provisions of the international treaty of Ukraine shall apply.


Article 4. Objects subjected to cyber security and cyber protection


1. Objects subjected to cyber security are:

1) the constitutional rights and freedoms of man and citizen;

2) society, sustainable development of the information society and digital communication environment;

3) the state, its constitutional system, sovereignty, territorial integrity and inviolability;

4) national interests in all spheres of human and societal life, vital activities of the state;

5) facilities of critical infrastructure.


2. Objects subjected to cyber protection are:

1) communication systems of all ownership forms, where national information resources are processed and /or used in the interests of state government bodies, local authorities, law enforcement agencies and military formations established in accordance with the law;

2) facilities of critical information infrastructure;

3) communication systems used to meet public needs and /or to implement legal relationships in the area of e-government, e-government services, e-commerce, electronic document circulation.


3. The Cabinet of Ministers of Ukraine approves:

·         the procedure for drawing up a list of facilities of critical information infrastructure,

·         a list of such facilities and the procedure for their inclusion in the state register of facilities of critical information infrastructure,

·         the procedure for drawing up the state register of critical information infrastructure facilities and procedure for register operation support.


The authority over opening the register of facilities of critical information infrastructure in the banking system of Ukraine and procedure for register operation support lies with the National Bank of Ukraine.


Article 5. Cyber security entities


1.    Cyber security is an integral part of the national security of Ukraine; the President of Ukraine coordinates activities in the cyber security sphere through the National Security and Defence Council of Ukraine headed by the President of Ukraine.


2.    The National Cyber Security Coordination Centre as the working agency of the National Security and Defence Council of Ukraine

·         coordinates and monitors activities of the security and defence sector entities involved in ensuring cyber security,

·         makes proposals to the President of Ukraine on the formation and refinement of the Cyber Security Strategy of Ukraine.


3.    The Cabinet of Ministers of Ukraine

·         ensures the formation and implementation of the national cyber security policy, protection of human and civil rights and freedoms, national interests of Ukraine in cyberspace, fight against cybercrime;

·         ensures operation of the national cyber security system, providing it with the necessary forces, means and resources;

·         specifies requirements and ensures operation of the information security audit system at the facilities of critical infrastructure (except critical infrastructure facilities in the banking system of Ukraine).

4. Entities that directly implement measures within the scope of their jurisdiction to ensure cyber security are:

1) ministries and other central executive bodies;

2) local public administrations;

3) local self-government bodies;

4) law enforcement, intelligence and counterintelligence agencies, entities of operative investigative activities;

5) the Armed Forces of Ukraine, other military units, formed in accordance with the law;

6) the National Bank of Ukraine;

7) enterprises, institutions and organizations classified as facilities of critical infrastructure;

8) business entities, citizens of Ukraine and associations of citizens, other individuals who conduct activities and /or provide services related to national information resources, electronic information services, electronic transactions, electronic communications, information protection and cyber defence/protection.


5. Entities of cyber security within their competence:

1) implement measures to prevent the use of cyberspace for military, intelligence and subversion, terrorist and other illegal and criminal purposes;

2) detect and respond to cyber incidents and cyber-attacks, and eliminate their consequences;

3) exchange information on realized and potential cyber threats;

4) develop and implement preventive, organizational, educational and other measures for cyber security, cyber defence and cyber protection;

5) provide information security audit, including audit on subordinate objects and objects belonging to the sphere of their management;

6) take other measures to ensure the development of cyberspace environment and safety in cyberspace.


Article 6. The critical infrastructure facilities (objects)


1. Critical infrastructure facilities (objects) can include enterprises, institutions and organizations, regardless of their form of ownership, which:

1) carry out activities and provide services within the energy, chemical industry, transport, information and communication technologies, electronic communications, banking and financial sectors;


2) provide services for the livelihoods of populations, in particular in the areas of centralized water supply, wastewater disposal, supply of electric energy and gas, food production, agriculture, health care;


3) are communal, emergency response and rescue services, emergency aid services to the citizens;


4) are included in the list of enterprises of strategic importance for national security and economy;


5) are potentially hazardous production facilities.


2. The criteria and procedure for assigning objects to the critical infrastructure facilities (objects), the list of such facilities (objects), general requirements for their cyber security, including the use of cyber threats indicators, and requirements for an independent information security audit shall be approved by the Cabinet of Ministers of Ukraine, and in the banking system of Ukraine by the National Bank of Ukraine.


3. The requirements and procedure for conducting an independent information security audit of the critical infrastructure facilities (objects) shall be established by the relevant regulatory legal acts on the information security audit, approved by the Cabinet of Ministers of Ukraine.


The development of regulatory legal acts on the independent information security audit of critical infrastructure facilities (objects) is carried out on the basis of international standards, the European Union and the NATO standards, with mandatory involvement of representatives of the main entities (actors) of the national cyber security system, scientific institutions, independent auditors and experts in cyber security, public organizations.


4. Responsibility for

·         cyber protection of communication and technological systems of critical infrastructure facilities (objects),

·         technological information protection in accordance with the legislation requirements,

·         urgent and timely informing the governmental Computer Emergency Response Team of Ukraine (CERT-UA) about cyber security incidents,

·         procedure of information security independent audit of critical infrastructure facilities (objects)

lie with the owners and /or the head of enterprises, institutions and organizations classified as critical infrastructure facilities (objects).


5. Exchange of information about cyber security incidents containing personal data is carried out in compliance with the requirements of the Law of Ukraine “On Personal Data Protection”.


Article 7. Principles of providing cyber security


1. Providing cyber security in Ukraine is based on the following principles:


1) supremacy of law, legitimacy, respect of human rights and fundamental freedoms and their protection in the manner prescribed by law;

2) ensuring the national interests of Ukraine;

3) openness, availability, stability and safety of cyberspace, development of the Internet and responsible actions in cyberspace;


4) public-private interaction, broad cooperation with a civil society in cyber security and cyber protection, in particular through cyber incident information sharing, implementation of joint scientific and research projects, personnel training and professional development in this area;


5) proportionality and adequacy of cyber protection measures to real and potential risks, realization of State’s inalienable right to self-defence (in accordance with international law in case of aggressive actions in cyberspace);


6) priority of preventative actions;


7) inevitability of punishment for cybercrime;


8) priority development and support of the national scientific and technological potential, and also production capabilities;


9) international cooperation aimed at

·         enhancing mutual confidence in cyber security,

·         developing common approaches to address the cyber threats,

·         consolidating efforts to investigate and prevent cybercrime,

·         preventing the use of cyberspace for terrorist, military and other unlawful purposes;


10) ensuring democratic civilian control over the military units and law enforcement agencies established under the laws of Ukraine and engaged in cyber security activities.


Article 8. The National Cyber Security System


1.    The National cyber security system is a complex of

·         actors (entities) of cyber security and interrelated political, scientific and technical, information, educational measures,

·         organizational, legal, search, intelligence, counterintelligence, defence, engineering and technical operations,

·         activities in the field of cryptographic and technical protection of national information resources, cyber protection of critical information infrastructures.


2. The main entities (actors) of the National cyber security system are the State Service of Special Communications and Information Protection of Ukraine, the National Police of Ukraine, the Security Service of Ukraine, the Ministry of Defence of Ukraine and the General Staff of the Armed Forces of Ukraine, the intelligence agencies, and the National Bank of Ukraine. Under the Constitution and the laws of Ukraine they fulfil the following key tasks in accordance with the established procedure:

1)    the State Service of Special Communications and Information Protection of Ukraine

·         ensures

-          formation and implementation of the national policy on protection of state information resources in cyberspace,

-          protection of information, the protection of which is required by law,

-          cyber protection of critical information infrastructure,

-          state control in these spheres;

·         coordinates the cyber defence activities of other cyber security entities;

·         ensures the development and operation of the National Telecommunication Network, implementation of the organizational and technical cyber defence model;

·         carries out organizational and technical measures to prevent, detect and respond to cyber incidents and cyber-attacks and to mitigate any effects of them;

·         informs about cyber threats and appropriate protection methods against them;

·         ensures the implementation of the information security audit of the critical infrastructure facilities (objects), sets requirements for information security auditors, and determines the procedure for verification and validation of auditors' qualifications;

·         coordinates, organizes and conducts security and safety audit to define vulnerability of communications and technological systems of critical infrastructure;

·         ensures the functioning of the State Cyber Defence Centre and the Computer Emergency Response Team of Ukraine CERT-UA;

2) The National Police of Ukraine

·         ensures the protection of human and civil rights and freedoms, the interests of society and the state against criminal intrusion in cyberspace;

·         implements measures to prevent, detect, terminate and solve cybercrime, and also to raise public awareness of security in cyberspace;


3) The Security Service of Ukraine

·         prevents, detects, terminates and solves crimes committed in cyberspace against peace and security of mankind;

·         carries out counterintelligence and operational-search activities aimed at combating cyberterrorism and cyber-espionage;

·         inspects in a secretive way the readiness of critical infrastructure to repel possible cyber-attacks and respond to cyber incidents;

·         counteracts cybercrime, the consequences of which can threaten vital state interests;

·         investigates cyber incidents and cyber-attacks targeting national electronic information resources, critical information infrastructure and information, the protection of which is required by law;

·         responds to cyber incidents in the national security area;


4) the Ministry of Defence of Ukraine, the General Staff of the Armed Forces of Ukraine, in accordance with their competence,

·         carry out measures to prepare the state to resist the military aggression in cyberspace (cyber-defence);

·         achieve military cooperation with NATO and other actors of defence sector to ensure the cyberspace security and a collaborative defence against cyber threats;

·         implement measures to ensure the cyber protection of critical information infrastructure under a state of emergency and martial law;


5) Intelligence Agencies of Ukraine carry out intelligence activities regarding threats to the national security of Ukraine in cyberspace, other events and circumstances related to the cyber security;


6) The National Bank of Ukraine

·         determines the procedure, requirements and measures for cyber protection and information security in the banking system of Ukraine and for the money transfer entities, and also supervises their execution;

·         creates a cyber defence centre for the National Bank of Ukraine, ensures functioning of the cyber defence system in the banking sector of Ukraine;

·         ensures cyber defence status assessment and information security audit for the critical infrastructure facilities (objects) of the banking system of Ukraine.


3. Functioning of the national cyber security system is provided by:

1) formulation and operational adaptation of state cyber security policy aimed to develop a cyberspace, achieve compatibility with the relevant European Union and NATO standards;

2) development of legislative and regulatory framework, creation of terminological base for cyber security, harmonization of normative documents in the field of electronic communications, information protection, information security and cyber security in accordance with international standards, particularly the European Union and NATO standards;

3) determination of mandatory information security requirements for the facilities (objects) of critical information infrastructure, in particular during their development, commissioning, operation and modernization, based on international standards and on the industry to which the relevant facilities of critical information infrastructure belong;

4) development of a competitive environment in the electronic communications sphere, providing information security and cyber security services;


5) involvement of expertise from the scientific institutions, professional and public associations to prepare draft conceptual documents in cyber security field;


6) conducting training in the case of emergencies and incidents in cyberspace;


7) functioning of the information security audit system, implementation of the best international practices and international standards on cyber security and cyber defence;


8) network development of computer emergency response teams;


9) development and improvement of the technical and cryptographic information protection system;


10) ensuring compliance with the legislation requirements on the state information resources and information protection;


11) establishment and maintenance of the National Telecommunication Network;


12) information sharing on cyber security incidents between entities providing cyber security in the manner prescribed by law;


13) establishment of a unified (universal) system of cyber threats indicators to meet international standards on cyber security and cyber defence;


14) training of specialists with the education and qualification level of “Bachelor” and “Master” in accordance with the State order in the numbers necessary to meet the needs of the public sector of the economy, and also for non-budget funds; this includes the professional development and mandatory performance appraisal (re-qualification) of staff who are responsible for critical infrastructure cyber security in accordance with international standards;

15) implementation of the organizational and technical model of the national cyber security system as a set of cyber defence measures, forces and means, aimed at prompt response (crisis response) to cyber-attacks and cyber incidents; introduction of countermeasures aimed at minimizing the vulnerability of communication systems;

16) establishment of requirements (rules, guidelines) regarding the safe use of the Internet and provision of electronic services by public authorities;

 

17) public-private partnership in

· preventing cyber threats to critical infrastructure facilities (objects),

· responding to cyber-attacks and cyber incidents,

· eliminating their consequences, in particular under conditions of a crisis, in a state of emergency and martial law, and during a special period;

18) periodic review of the national cyber security system and development of cyber security indicators;

19) strategic planning and result-driven support for electronic communications, information technology, information security and cyber defence;

20) enhancing international cooperation in the cyber security field; support of international cyber security initiatives that meet Ukraine’s national interests; deepening of Ukraine’s cooperation with the European Union and NATO in order to strengthen the cyber security capacity of Ukraine; participation in confidence-building activities in the use of cyberspace held under the auspices of the Organization for Security and Co-operation in Europe;

21) implementation of operational and investigative activities, intelligence actions, counter-intelligence and other measures aimed at preventing, detecting, terminating and solving crimes against the peace and security of mankind committed using cyberspace; conducting investigation, prosecution, prompt response and counteraction to

· cybercrime,

· the use of the Internet for military purposes,

· intelligence, subversive, terrorist and other activities in cyberspace which harm Ukraine’s interests;

22) implementation of politico-military, military-technical and other measures for

· increasing the capabilities of the National Military Establishment and the security and defence sector through the use of cyberspace;

· generation and development of forces, means and tools as a possible response to aggression in cyberspace, which may serve as a deterrent to military conflicts and threats created through the use of cyberspace;

23) limitation on participation in information security and cyber security activities, as well as restrictions on the use of products, technologies and services of

· any economic entities under the control of a state recognized by the Verkhovna Rada of Ukraine as an aggressor state,

· or of states and persons that are subject to special economic and other restrictive measures (sanctions) imposed at the national or international level owing to aggression against Ukraine,

for the technical and cryptographic protection of state information resources, and strengthening of state control in this sphere;

24) development of counterintelligence support for cyber security intended to prevent, timely detect and counteract external and internal threats to Ukraine’s security that employ cyberspace; addressing the conditions conducive to these threats and the causes of their occurrence;

25) conducting intelligence activities to identify and counter threats to the national security of Ukraine in cyberspace, and to detect other events, facts and circumstances related to cyber security.

4. The Cabinet of Ministers of Ukraine approves:

· operating procedures for the National Telecommunication Network,

· criteria, rules and requirements for service delivery,

· their tariffication for users of the public sector service,

· reimbursement of state budget expenses for maintaining the National Telecommunication Network.

5. The implementation of the organizational and technical cyber security model as a component of the national cyber security system is carried out by the State Cyber Defence Centre, which ensures the development and functioning of:

· the fundamental components of the system of secure Internet access for public authorities,

· the antivirus protection system for national information resources,

· information security audit and cyber security audit of critical information infrastructure objects (facilities),

· the vulnerability detection system and the cyber incident and cyber-attack response system for objects subject to cyber protection,

· interaction of computer emergency response teams.

Cooperating with other cyber security entities (actors), the State Cyber Defence Centre develops

· cyber threat response scenarios,

· measures to counteract such threats,

· the programme and methodology for cyber security trainings.

Article 9. The Computer Emergency Response Team of Ukraine (CERT-UA)

1. The CERT-UA tasks are:

1) accumulation and analysis of cyber incident data, and maintenance of the national register of cyber incidents;

2) providing owners of objects subject to cyber protection with practical help in preventing, detecting and eliminating the effects of cyber incidents at these assets;

3) organizing and conducting practical seminars on cyber defence issues for the entities of the national cyber security system and for owners of objects subject to cyber protection;

4) drafting recommendations on counteraction to modern types of cyber-attacks and cyber threats, and publishing them on its official website;

5) cooperation with law enforcement agencies, providing them with timely information on cyber-attacks;

6) cooperation with foreign and international organizations on cyber incident response, in particular through participation in the Forum of Incident Response and Security Teams (FIRST), including payment of annual membership fees;

7) interaction with Ukrainian computer emergency response teams, as well as with other enterprises, institutions and organizations, regardless of their form of ownership, engaged in activities related to cyberspace security;

8) processing information received from citizens about cyber incidents at assets which need cyber protection;

9) assistance to government authorities, local government, military units established in accordance with the law, enterprises, institutions and organizations regardless of the form of ownership, as well as citizens of Ukraine, in cyber defence and counteraction to cyber threats.

2. CERT-UA is managed by the State Service of Special Communications and Information Protection of Ukraine within the limits of its staff size and the allocated amount of financing.

Article 10. Public-private interaction in cyber security

1. Public-private interaction in cyber security is effected through:

1) establishment of a system for the timely detection, prevention and neutralization of cyber threats, including through the involvement of volunteer organizations;

2) increasing the security culture in cyberspace and the digital literacy of citizens, and upgrading the comprehensive knowledge, skills and abilities necessary to support cyber security goals; implementation of state and community projects to raise public awareness of cyber threats and cyber defence;

3) information sharing among public authorities, the private sector and citizens on cyber threats to critical infrastructure facilities (objects), other cyber threats, cyber-attacks and cyber incidents;

4) partnership and coordination of computer emergency response teams;

5) involvement of expert potential, scientific institutions, professional associations and public organizations in preparing key sectoral projects and regulatory documents in the cyber security sphere;

6) providing advisory and practical assistance in responding to cyber-attacks;

7) building initiatives and establishing authoritative advisory centres with the purpose of providing Internet security for citizens, industry and business representatives;

8) implementation of a public monitoring tool for the effectiveness of measures to ensure cyber security;

9) holding a periodic national summit of professional business service providers, including insurers, auditors and lawyers, and definition of their contribution to improving risk management in cyber security;

10) establishment of a training system and a competence development system for professional staff members in the various cyber security activities;

11) close collaboration with individuals, community and volunteer organizations, and IT companies to implement cyber defence measures in cyberspace.

2. Public-private interaction in cyber security is applied taking into account the specific legal regime established by legislation for certain objects and certain activities.

Article 11. Assistance to the cyber security entities of Ukraine

Public authorities and local government bodies, their officials, enterprises, institutions and organizations, regardless of the form of ownership, individuals, citizens and citizen groups are obliged

· to assist the cyber security entities,

· to report known data on threats to national security through the use of cyberspace or any other cyber threats to cyber security objects, cyber-attacks and/or circumstances, details of which may help in preventing, detecting and terminating these threats, cybercrime attacks and cyber-attacks and in minimizing their negative effects.

Article 12. Responsibility for violation of cyber security legislation

Persons guilty of violating legislation on national security, electronic communications and information protection, where cyberspace is the place and/or the means by which a crime or other offence was committed, are liable in accordance with the law if responsibility for the commission of this crime is provided for by civil, administrative or criminal law.

Article 13. Financial support for cyber security measures

Financial sources for cyber security and cyber defence activities and measures are the state and local budgets, the own funds of business entities, bank loans, international technical assistance funds and other sources not prohibited by law.

Article 14. International cyber security cooperation

1. In accordance with its international treaties, Ukraine cooperates in the cyber security sphere with foreign states, their law enforcement agencies and special services, as well as with international organizations engaged in combating international cybercrime.

2. In accordance with international treaties ratified by the Verkhovna Rada of Ukraine, Ukraine may participate in joint measures to ensure cyber security, in particular in conducting joint trainings for security and defence sector entities within the framework of collective defence measures, in compliance with the requirements of the Laws of Ukraine “On the Procedure of Sending Units of the Armed Forces of Ukraine to Other States” and “On the Admission Procedure and Conditions of Stay of Units of the Armed Forces of Other States on the Territory of Ukraine”.

3. In accordance with Ukraine’s legislation on external relations, cyber security entities, within their mandate, may directly carry out international cooperation in cyber security on a bilateral or multilateral basis.

4. Adhering to the requirements of the legislation of Ukraine and its international legal obligations, Ukraine shall provide a foreign state, upon request, with information concerning the prevention of international cybercrime. Such information may be provided without any prior request from a foreign state if this does not impede a pre-trial or trial investigation and may help the competent foreign authorities in stopping a cyber-attack or in the timely detection and termination of a criminal offence committed with the use of cyberspace.

Article 15. Control of legality of measures ensuring cyber security of Ukraine

1. Control of legal compliance in the implementation of measures ensuring cyber security is carried out by the Verkhovna Rada of Ukraine in accordance with the procedure established by the Constitution of Ukraine.

Parliamentary control over compliance with legislation on personal data protection and access to public information in cyber security is carried out by the Ukrainian Parliament Commissioner for Human Rights.

2. Monitoring of the cyber security activities of security and defence sector entities and other public authorities shall be performed by the President of Ukraine and the Cabinet of Ministers of Ukraine in accordance with the procedure established by the Constitution and Laws of Ukraine.

3. An independent audit of the activities of the main national cyber security entities, as defined in Part 2 of Article 8 of this Law, concerning the effectiveness of the state cyber security system, is conducted annually in accordance with international standards on auditing.

Reports on the independent audit of the activities of the main national cyber security entities, as defined in Part 2 of Article 8 of this Law, concerning the effectiveness of the state cyber security system for the preceding year shall be submitted to the President of Ukraine, the Verkhovna Rada of Ukraine and the Cabinet of Ministers of Ukraine within forty-five days after the end of the calendar year.

The Committee of the Verkhovna Rada of Ukraine whose jurisdiction covers national security and defence issues, and the Committee of the Verkhovna Rada of Ukraine whose jurisdiction covers informatization and communication matters, review at their meetings the reports of the main national cyber security entities, as defined in Part 2 of Article 8 of this Law, on the independent performance audit regarding the effectiveness of the state cyber security system.

The main national cyber security entities, as defined in Part 2 of Article 8 of this Law, shall submit annual progress reports on the implementation of actions within their jurisdictions to ensure state cyber security. Among other things, the results of the independent audit of the activities of the national cyber security entities shall be included in the progress reports.

Following the examination of the reports of the main national cyber security entities, the Committee of the Verkhovna Rada of Ukraine whose jurisdiction includes information and communication issues may raise the question of addressing these issues by the Verkhovna Rada of Ukraine.

This Law shall come into force six months after its publication (9 May 2018).

President of Ukraine

P. POROSHENKO

Kyiv

October 5, 2017

No. 2163-VIII

© State Service of Special Communication and Information Protection of Ukraine