White-hat hackers ride to cyber-rescue in Ukraine

In the information age, data has become such a valuable commodity that its loss can cost companies everything. So, it’s worth hiring experts to protect it.

Recent cyberattacks on Ukraine show the country is far from meeting European legislation and standards of cybersecurity: in 2015, around 225,000 people in western Ukraine lost electricity supplies after a cyberattack on a power grid, probably originating from Russia; and in 2017 the “NotPetya” virus hit Ukrainian banks, government offices and numerous companies across the country before going on to spread around the world.

That attack cost companies around the globe billions of dollars. Just one company — Maersk, the world’s largest container shipping company — lost anywhere between $200-$300 million, business magazine Forbes reported on Aug. 16, 2017.

There have been no such massive attacks since then, but the assaults continue. In 2018, Ukraine was hit with at least nine serious cyberattacks, making the country the top target in Central and Eastern Europe, according to the U.S.-based Center for Strategic and International Studies. The reason is simple: weak legislation and lax cybersecurity standards.

“Despite the fact that two years ago a cybersecurity law was passed that demanded the adoption of a number of regulatory documents,” not much has changed, said Yuriy Kotliarov, a partner at Asters law firm.

So malicious hackers, whoever they are, have continued to probe for weaknesses in Ukraine's information technology systems and to launch occasional attacks.

Luckily, not all hackers are bad.

Bug hunters

Since the massive "NotPetya" virus attack a year-and-a-half ago, ethical "white-hat" hackers have started to work in Ukraine. These computer specialists uncover security flaws, or bugs, before "black-hat" cybercriminals can detect and use them, often causing enormous damage as they do.

"In the (average) person's mind, a hacker is an evil guy with a hoodie who hacks everything and steals," Yegor Aushev, co-founder of Hacken, a Ukrainian company specializing in cybersecurity consultancy, told the Kyiv Post. "But when someone pays a white-hat hacker, they pay for results. A white-hat hacker will find vulnerabilities, and might even help to fix them."

Trying to catch up with the increasing global demand for cybersecurity services, Hacken created a special platform called Hacken Proof, which already unites 1,500 white-hat hackers located in 70 countries. It serves as a link between ethical hackers and companies struggling to find security weaknesses in their systems. Around 80 percent of Hacken’s clients are foreign companies, but the number of big Ukrainian companies in their client base is also growing due to the country starting to implement the required international data safety standards.

And bug hunting can cost a lot.

While the prices for the most basic service start from $100, it can cost up to $250,000 to detect a major vulnerability.

That’s why white-hat hackers in developed countries can earn good money without the need to worry about being arrested for cybercrime. Unfortunately, in Ukraine there is still no punishment for black-hat hackers.

“On average, newcomers and average guys earn $5,000-$10,000 per month, whereas more experienced people can earn $20,000-$50,000. The most experienced earn $100,000 per month,” said Eugeniya Broshevan, CEO of Hacken Proof.

Recently, the BBC reported on 19-year-old Santiago Lopez from Argentina, the first white-hat hacker millionaire. Santiago was able to find vulnerabilities in the software of some of the largest global tech companies, such as Twitter and Verizon.

Bug bounty

And it’s not only the private sector that uses the services of ethical hackers.

While in Ukraine it is still forbidden by law to probe the systems of various ministries for cybersecurity vulnerabilities, many other states use the services of white-hat hackers, experts say.

“In Switzerland, the government offered a bug bounty (compensation for reporting bugs) in its e-voting system,” said Broshevan. “They allocated 250,000 euros for the project, of which 150,000 euros was paid to a company to manage the process and 100,000 euros to hackers for finding the vulnerabilities.”

In the United States there is a "bug bounty" center called HackerOne, whose clients include the U.S. Department of Defense.

"Why isn't Ukraine introducing such systems? I don't think that the Pentagon has any fewer secrets than the Ministry of Defense or Ukraine's State Service of Special Communications. I don't think this is right," said Kotliarov.

Another option to improve the national level of cybersecurity is to increase the number of special centers that accept vulnerability reports, in both the public and private sectors.

Ukraine currently has only one such center, called the Computer Emergency Response Team of Ukraine, or CERT.

“In Europe, (such centers) are sprouting up every year, like mushrooms after rain,” said Aushev. “There were 28 of them in Germany, then 30, 32… We should be having a cybersecurity explosion, we should have 10, 15, 20 centers like this.”

But even if a private company offered to do cybersecurity tests for the Ukrainian government at no cost, it would come up against a bureaucratic firewall.

“At this time it’s easier for us to sign three contracts with Asia and provide them with services,” said Aushev.

What to expect next

However, despite all the difficulties and sluggish progress, there are still positive trends to be seen in Ukraine.

Just a couple of years ago, when the “NotPetya” virus hit Ukraine, most of the work for lawyers concerned addressing the consequences of the attack — broken contracts, unforeseen losses, and so on. Now companies are asking their lawyers about cyber-risk management and how to come into compliance with the new regulatory requirements.

“A well-run business makes information security management part of its strategy — today it’s a must,” said Kotliarov.

Asters partner Yuriy Kotliarov speaks to the Kyiv Post on March 12. (Oleg Petrasiuk)


Vitaliy Yakushev, operations director at 10Guards, another Ukrainian cybersecurity consulting company, says that cybersecurity due diligence is an investment for a company.

“It’s still too early to talk about growth in the (cybersecurity) market, but I’m completely confident that it will definitely happen since it’s impossible to ignore the impact of cyber-attacks on businesses,” he said.

This year parliament is expected to pass a law on information security auditing, which could open up the Ukrainian market for the provision of “white-hat hacker” services. In addition, lawmakers are discussing another law on the cybersecurity of objects of critical importance, such as energy companies, banks, healthcare, infrastructure and the central election commission.

It’s still unclear, however, when these laws will be adopted.