Ukraine’s Information Security Doctrine: A Breakthrough or the Veneer of Change?

On February 25, Ukrainian President Petro Poroshenko approved an Information Security Doctrine to address this specific subset of the “numerous national security threats faced by Ukraine” (President.gov.ua, February 25). In describing the main threats to the country in the domain of information security, the document explicitly names the Russian Federation and its “ruinous activities” that fall within the scope of so-called “hybrid warfare,” which mixes military and non-military methods such as active measures, cyberattacks, propaganda and the like.

The Doctrine, which came into force on the day of its publication, delineates the “separation of responsibilities” between the National Security and Defence Council, the Cabinet of Ministers, and the Ministry of Information Policy. These institutions have been tasked with elaborating, implementing as well as supervising concrete steps to secure Ukraine’s information space. Furthermore, the Ministry of Foreign Affairs, the Ukrainian Security Service (SSU), the State Special Communications Services, and the National Institute for Strategic Studies (NISS) have been afforded additional powers and responsibilities in the same domain.

Valentin Petrov, who is in charge of information security on the staff of the National Security and Defence Council of Ukraine, stressed the importance of adopting an information security doctrine: “within the past three years, Ukraine has become the main testing ground for Russian offensive operations and most advanced cyber technologies” (Defence-ua.com, February 1). He also pointed out that Russian offensive operations are subjected to constant evolution, which makes them much more sophisticated and unpredictable than used to be the case (Rnbo.gov.ua, February 27). Notably, the Russian activities against Ukraine that the document specifically lists include aiming to “inflame national and religious tensions” as well as spreading propaganda advocating “aggressive war” or calling for violating the “sovereignty and territorial integrity of the Ukrainian state.” The Information Security Doctrine’s serious treatment of these issues reflects a maturing recognition in Kyiv of the nature of the danger posed by Moscow.

A similarly important information-security initiative was voiced last month by Zorian Shkiriak, the adviser to the Ukrainian interior minister. In particular, he urged the authorities to block the highly popular social networks Odnoklassniki and VKontakte. He argued that these websites are “directly controlled by the Russian special services” and Moscow has extensively exploited these online communities, as early as 2013, to pit various parts of Ukrainian society against one another (112.ua, February 16).

Ukraine’s adoption of the Information Security Doctrine predictably triggered voices of discontent originating from Russia. Leading Russian tabloids branded the document an “introduction to censorship” that is “aggravating freedom of speech in Ukraine” (Parlementskaya Gazeta, February 26).

Perhaps more surprising has been the negative reception accorded to the document by certain parts of Ukrainian civil society. Conspicuously, the “leftovers” of the previous political regime have expressed discontent with the new law by echoing many of the positions of the Russian side. Mikhail Papiyev, a parliamentarian from the political party Opposition Bloc, openly declared that the “Doctrine is not merely a threat to freedom of speech […] it is a direct road toward totalitarianism” and it “will become the main weapon used [by the authorities] against the opposition.” He also appealed to the fact that the Doctrine has been opposed by Amnesty International (Opposition.org.ua, March 6).

But the negative reaction has not been limited to individuals linked to former president Viktor Yanukovych. Illustratively, the Internet Association of Ukraine sent a letter to Poroshenko stating that, if implemented, the document would allow the government to block access to the Internet, thus putting Ukraine on the same level as China, Iran and Russia. The group also warned that the measures detailed in the Information Security Doctrine would come with an astronomical price tag (approximately $1 billion) and could seriously increase the cost of online access for ordinary Ukrainians (Detector.media, February 28). Other notable Ukrainian experts and policy practitioners voiced similar concerns (Detector.media, February 27).

Meanwhile, political scientist Mykola Spiridonov noted that the difference between “controlling potentially dangerous e-resources and Moscow-sponsored specialists” and “targeting ordinary Ukrainians” is extremely narrow. The expert asserted that “in 90 percent of cases, [applying the measures outlined in the Information Security Doctrine] will have very little to do with pro-Russian bloggers… ordinary Ukrainians will suffer” (Detector.media, March 1).

On the other hand, Roman Semenukha, a member of parliament (MP) from the Samopomich Union faction, legitimized the adoption of the Doctrine by noting the rapid development of the Russian Federation’s offensive capabilities explicitly pointed against Ukraine. The most important aspect of the Doctrine, according to the MP, has nothing to do with the wording but the way it will be implemented (Espreso.tv, March 2).

In evaluating the likely impact the Doctrine will have on Ukrainian security and domestic civil rights, two questions immediately come to mind: First, is the document in fact the result of a well-calculated government strategy, or is it a mere response to recent Russian activities? In other words, have the creators seriously weighed all the costs, challenges and potential implications associated with the document? Second, how will the authorities implement the ambitious goals outlined in the Doctrine while not succumbing to the temptation to infringe upon such vital civil rights as freedom of speech and expression—elements that still make Ukraine different from many other post-Soviet states?

It bears pointing out that in its conflicts with Ukraine and other European countries, Russia has in fact been eager to capitalize on its superiority in the domains of cyberattacks and information warfare, which was visible on numerous occasions in recent years (see EDM, March 20, 2014; April 29, 2015; December 7, 2016). Moreover, aside from Lithuania and Estonia, where Russia is trying to pit the ethnic-Russian minorities against the indigenous majorities, Ukraine has been hit with particular severity in terms of subversive information operations (see EDM, January 20). Some more liberal members of Ukrainian civil society have pushed the government to react to these Russian threats by emulating the legal responses of European countries. Yet, recent Russian activities in the Baltic States have shown that European policies are not flawless either when it comes to deterring Moscow (see Commentaries, January 27). Moreover, Ukraine is in a much tougher situation than most other European countries since it lacks any direct security guarantees from the European Union, the North Atlantic Treaty Organization (NATO) or any of its member states. As such, its response will by necessity have to navigate some difficult trade-offs regarding security versus civil rights, at least for the near term.