At the end of last year, a wave of cyber attacks hit several critical sectors in Ukraine. According to CERT-UA, a specialized unit of the State Center for Protection of Information and Combating Cyber Threats, in January 2016 the flight control systems of Boryspil airport were targeted with the BlackEnergy malware. It was the same malware that had been used in December 2015 in the successful attack on the energy company “Prykarpattya Oblenergo”.

The gap in the Ukrainian legislation

Quite often DDoS attacks are directed against systems serving private and public enterprises and public authorities in Ukraine. In February 2012, after the popular file-sharing site “EX.ua” was shut down by the national police, unknown attackers brought down the website of the Ministry of Internal Affairs. In another case, within just two days unknown hackers managed to bring down the websites of the Presidential Administration of Ukraine, the Security Service of Ukraine, and the official websites of the Party of Regions and the Communist Party of Ukraine. In November and December 2013 Ukrainian media outlets (among them pravda.com.ua, zik.ua, zaxid.net, hromadske.tv, ukr.net, censor.net, zn.ua, lb.ua, 5.ua and tyzhden.ua) reported DDoS attacks against their sites. The attackers have not been found.
Currently there are no clear regulations in Ukraine that define cybercrimes against governmental electronic systems or attacks on critical infrastructure. Such criminal acts can only be qualified as unauthorized interference with the operation of computers which blocks information (art. 361 of the Criminal Code of Ukraine) or as an act of terrorism (art. 258 of the Criminal Code of Ukraine). The Criminal Code of Ukraine contains no provision on liability for crimes against critical information infrastructure or for computer sabotage. Despite the lack of a clear definition of critical infrastructure in Ukrainian legislation, the term is used in various concepts and strategies (e.g. in the “National program of cooperation Ukraine-NATO 2016”). In order to close the gaps in the legislation, on 16 January 2014 the Ukrainian parliament adopted Law No. 721-VII “On amendments to the law of Ukraine ‘On the Judicial System and Status of Judges’ and procedural laws on additional measures to protect the safety of citizens”. This act amended Chapter XVI of the Criminal Code of Ukraine (new articles 361-3, 361-4 and 362-1), introducing into the Code the concepts of critical information infrastructure and of unauthorized access to information processed in state electronic information resources or information and telecommunication systems. However, this law was repealed shortly afterwards, because it had been adopted in violation of parliamentary procedure together with a package of other unconstitutional laws.
Today there is likewise no special article in the Ukrainian Criminal Code establishing liability for attacks on critical information infrastructure or even for DDoS attacks. Article 363-1 of the Criminal Code does establish liability for obstructing the work of electronic computing machines (computers), automated systems, computer networks or telecommunication networks through the mass distribution of telecommunication messages (spam). Yet, according to the statistics of the State Judicial Administration of Ukraine, this article has not been applied in practice in recent years.
In order to close this gap in the legislation, a bill “On the basic principles of ensuring the cyber security of Ukraine” was drafted. It includes all the relevant terms (critical information infrastructure, unauthorized access to information), yet it does not establish criminal liability. It is currently being debated in the Verkhovna Rada of Ukraine. On 27 January 2016 the Cybersecurity Strategy of Ukraine (CSS) was adopted. It assigned the National Security and Defense Council to coordinate the cyber activities of the various government agencies, to extend international cooperation and to raise public awareness of cybersecurity. The strategy also seeks to improve relations between the public and private sectors. Until recently the government did not perceive the private sector as an equal partner in cybersecurity. This has changed with the formation of the government Computer Emergency Response Team CERT-UA and the recent creation of CyS-CERT, a private-sector cyber response center. Based on the CSS, the recommendations of the parliamentary hearing on the “Reform of Information and Communication Technologies and Development of Ukraine’s Information Space” were accepted. They provide guidelines for the state programs of economic and social development of Ukraine as well as suggestions on draft laws and regulations relating to information and communication technologies (ICT) and Ukraine’s information space. The Cabinet of Ministers of Ukraine was recommended to ensure the translation and introduction of international standards and best practices in ICT and cybersecurity, and to develop and implement mechanisms of public-private partnership for managing critical information infrastructure and preventing cyber threats. With these recommendations in mind, it is worth looking at some European legal solutions.
Article 138b of the Criminal Code of the Netherlands establishes liability for intentionally and unlawfully obstructing access to, or the use of, a computerized device or system. Introducing such a norm in Ukraine would be crucial, as one can observe a growing number of DDoS attacks aimed at stopping or slowing down the activities of a company, an agency or an individual. The German Criminal Code contains several provisions which have no counterpart in Ukrainian legislation, but whose adoption would significantly improve it. Criminal liability for computer offences was introduced in Germany in 1986. The German Criminal Code has no separate chapter dedicated to computer crimes or to crimes in the sphere of computer information; the provisions establishing liability for these offences are spread over different sections of the Code:
» § 202a on data espionage (Ausspähen von Daten), which penalizes unlawfully obtaining access, by circumventing access protection, to data not intended for the offender. The punishment is a fine or imprisonment for up to three years;
» § 263a on computer fraud (Computerbetrug), which covers obtaining a material benefit or causing property damage by influencing the result of a data-processing operation, e.g. through incorrect programming or the use of incorrect, incomplete or unauthorized data;
» § 269 on the falsification of data of probative value (Fälschung beweiserheblicher Daten), complemented by § 303a on data alteration (Datenveränderung), which covers unlawfully deleting, suppressing, rendering unusable or altering data;
» § 303b on computer sabotage (Computersabotage), which penalizes interference with data processing of substantial importance to another; where the data processing is essential to an enterprise or a public authority, the punishment is a fine or imprisonment for up to five years.
One should also pay attention to art. 269 of the Criminal Code of Poland, which establishes liability for destroying, damaging, deleting or altering data of particular importance to national defence, security, communications or the functioning of government, and for disrupting or preventing the automatic processing, collection or transmission of such data. Moreover, to close the gaps in the field of critical infrastructure one should closely analyze the Polish law on “Crisis Management”, which contains the necessary definitions and regulatory mechanisms. Among the EU countries it is the Polish legislation that is closest to the Ukrainian one; it would therefore be rational to draw on the Polish experience in developing Ukrainian legislation.

The European experience in fighting computer crimes

To find ways of improving the Ukrainian legislation it is necessary to analyze the existing Ukrainian criminal law rules on liability for cybercrime and compare them with European solutions. It should be mentioned that the ranges of criminal sanctions established by Ukrainian legislation generally correspond to the norms and legislative trends abroad, both in the terminology used and in the severity and differentiation of penalties. An analysis of the legislation of different countries shows that the prevailing upper limit of punishment is 5 years of imprisonment, usually combined with a fine. Still, many countries apply more severe punishment for crimes against computer data. One of the features of Ukrainian legislation is its failure to provide sufficient criminal liability for certain acts recognized as crimes in other countries.
For example, French criminal law provides for 7 years of imprisonment combined with a fine of 100 000 € for the destruction, illegal copying, removal or public disclosure of confidential data by a person holding any information, process, object, document, computerized database or file of a national defence nature. The French Criminal Code also provides for criminal liability (up to 15 years of imprisonment combined with a fine of 225 000 €) for the transfer of information, documents, computerized data or files to a foreign state where this damages national interests.
Ukrainian legislation provides a similar level of liability for espionage (from 8 to 15 years of imprisonment). However, the “transfer of computer data” is not specified; the Ukrainian law uses only the broader term “information”.
Several countries have established criminal liability for “computer sabotage”. For example, article 411-9 of the Criminal Code of France provides for up to 15 years of imprisonment and a fine of 225 000 € for destroying, defacing or misappropriating any document, equipment, construction, installation, technical device or computerized system in the interests of a foreign state, enterprise or organization. Computer sabotage is also specified as a crime in the criminal codes of Germany and Poland.
German police crime statistics recorded 49,925 cybercrimes in 2014, 11% of which related to computer sabotage. The statistics for data alteration and computer sabotage in Germany show a marked rise in recorded cases over the past few years: 2,276 cases in 2009, 4,644 in 2011, 12,766 in 2013 and 5,667 in 2014.
According to Polish police statistics, the number of prosecutions for computer sabotage (art. 269a of the Criminal Code of Poland) increased significantly between 2005 and 2014. In 2005 only one such crime was registered, with proceedings subsequently initiated. In 2006 the figure reached 19 criminal proceedings; 38 criminal proceedings were initiated in 2011, and in 2014, 48 crimes were reported and 27 criminal proceedings initiated.
The lack of computer sabotage statistics in Ukraine does not mean that such attacks do not occur. It should be mentioned that Interpol uses the notion of computer sabotage with a separate classifier code (QS), thus recognizing it as a distinct offence. Still, Ukrainian legislation provides no special legal norm establishing criminal liability for “computer sabotage”.
Today, under the Ukrainian Criminal Code, such acts are classified as unauthorized interference with the work of electronic computing machines (computers), automated systems, computer networks or telecommunication networks (art. 361 of the Criminal Code of Ukraine). Introducing a special legal norm on “computer sabotage” and establishing liability for some other crimes against cyber security in Ukrainian legislation would provide proper criminal liability for cybercrimes.

Conclusions and recommendations

» Currently Ukraine has no real legal protection of its critical infrastructure. It should be noted that Ukrainian defense facilities, which in international practice belong to critical infrastructure, are governed by numerous regulatory acts, mostly of an internal nature. The National Institute for Strategic Studies developed a “Green Paper on Critical Infrastructure Protection in Ukraine” which defined the necessary concepts and terms and provided a list of recommendations (e.g. legislation on the protection of critical infrastructure objects). In further work, Ukraine should look at the Polish law on “Crisis Management” and the Polish experience in this field.
» On 13 December 2010 Ukraine adopted “The concept of development of e-government” and began implementing and developing an e-government system. Currently this system works only partially. According to a CERT-UA report, in 2014 almost 40% of governmental information systems were regularly subjected to access attempts, malware infections and other cyber operations (out of 216 incidents, 124 concerned the gov.ua domain used by government authorities). Today’s Ukrainian legislation does not allow modern cyber threats to be fought effectively.
» The part of the Criminal Code of Ukraine establishing criminal liability for cybercrime has not been updated since 2003. To resist cyber threats which are new for Ukraine, the Ukrainian Criminal Code should be amended. New criminal provisions should define criminal liability for DDoS attacks, cyber espionage and cyber sabotage.