What are some of the most pressing issues in the field of cybersecurity in Ukraine?

Most people still think that cybersecurity risks exclusively affect the government and the objects of critical infrastructure. But in fact, everyone is subject to these risks. For example, by using messengers on the smartphone. Usually, people don't care what messengers know about the users, which data they collect, how they regulate information related to the secret services, and how they share this information.

You need to protect yourself and also maintain your cyber hygiene. In the same way as you clean your teeth in the morning, you need to have a daily routine for your accounts, and you have to complete certain actions each time when you open a link, or when you share information with your friends on social media. If you think that the government protects you or social media platforms protect you, you are wrong. You must do your own research and risk assessment, protect your accounts and websites, and always verify the information before trusting it.

How have changed the cybersecurity risks in Ukraine after Russia’s full-scale invasion?  

Hacking and fraud are a huge problem for NGOs in Ukraine. Many NGOs started working with the refugees, humanitarian agencies, or working directly with the army. They help deliver humanitarian aid and collect sensitive data, so Russia tries to hack their accounts or websites.

Also, many civilians in Ukraine collect money for the needs of the army. These are not only famous activists who raise large amounts of money. Often, these are family members of the soldiers or people who have lost someone to this war, raising smaller amounts for more narrowly targeted help. They create fundraising campaigns on Instagram from their personal accounts. These accounts are at risk of being hacked. The scammers announce a new account for the same fundraiser from a hacked Instagram page, usually using PayPal or a cryptocurrency platform.

There are also attacks on critical infrastructure objects in Ukraine. There is plenty of disinformation in the media and on the internet. There are leaks of information because people do not protect their accounts and websites well enough.

What is the main thing to remember for people who work in NGOs and operate with sensitive data?

First and foremost, they need to understand their map of risks. It is unique for every organisation. An NGO helping refugees or providing humanitarian aid would face different risks than an NGO supporting the army. Following the general tips does not work in the field of cybersecurity. For example, to continue the topic of messengers, many think that Signal is safe to use. And it is mostly true unless one uses it in temporarily occupied territories. In that case, it is not completely safe because the Russian soldiers can simply go through one’s phone. So, it depends on the situation, and risk assessment must be the priority for the NGO’s cybersecurity.

Except for people from NGOs, who else should be well aware of cybersecurity? People from academia? Law sector?

Cyber security is like football: it’s all about teamwork. It is really important to engage all the sectors: businesses, NGOs, and academia. I don't think that this is solely the government’s responsibility. The government does the investigations and the preventive work. They also create some instruments and campaigns. However, they don't have the capacity to collect smaller stories about cyber security incidents.

Also, not every country has governmental programs to educate people about cybersecurity. Sometimes, they only work with kids and parents, but not educators. That’s when NGOs step in. I think that it's good if you can create an online course along with the government. You can create a really good product, which will be interesting for different target groups.

Can you give specific examples of some of the cybersecurity incidents you dealt with?

For example, we did a project for kids who arrived from the temporarily occupied territories. We taught them about safety in Telegram. When we looked into their accounts and checked active sessions, we saw one active session in Lviv and another active session in the territory of Russia.

Also, there was a case involving a foundation that helps kids in Ukraine. Some scammers created a website that was very similar to this organisation’s website, just with a slightly changed domain, and launched a fraud fundraising campaign. The money that people donated to this fraudulent website went to Russia. After finding this out, I communicated with the cyber police, who helped block that website.

However, it is important to remember that we do not hear about all the cases because many of them are not public. Many cybersecurity cases cannot be disclosed because of ongoing investigations or security issues.

What is the situation in terms of cybersecurity literacy in Ukraine?

When we started teaching cybersecurity in Ukraine, it was still a very new topic for our society. The NGOs or business experts did not talk about this. There was some vague understanding of cybersecurity being a concern of the government or an issue relevant only to critical infrastructure. When we analysed our school programs, we didn’t see the topic of digital privacy being covered. After finding this out, we launched online courses on digital privacy for children and their parents.

When our team in MINZMIN launched the very first online course in Ukraine about digital security and digital rights, we received 10,000 requests on the first day with a ton of feedback and questions.

What should parents keep in mind about digital security?

When parents decide to buy a smartphone or another gadget for their child, they don’t usually provide any instructions. They mostly assume that this is the responsibility of educators to give children tips on how to safely use Instagram, TikTok, and Snapchat. But actually, it is the parents’ responsibility.

It also surprises me that parents share photos of their children on social media freely without considering the safety risks. We explain this issue using the ‘rule of billboard’: if you wouldn’t want a photo to appear on a billboard, don’t share it on social media. Sometimes, parents don’t understand this rule, and they say they want to share their lives on social media. So, we have to explain that if one shares some information on social media, one shares it with the whole world. Any stranger on the internet can make a print screen or download a picture posted publicly on social media.

This is crucial also in terms of the physical safety of children. Parents often post pictures from their child’s school, mentioning the number of the school. If the parent’s account is public, this is risky. In Ukraine, as well as abroad, there have been cases of kidnapping. This is a serious issue, but parents don’t usually think about it.

What motivated you to apply for the Prague Civil Society Centre fellowship progamme and how have you benefited from it?

Around seven years ago, when I worked in the national police of Ukraine, I saw information about this fellowship. Back then, I thought it was an excellent opportunity for experts with a strong background in the civic area. After the beginning of the full-scale invasion of Russia in Ukraine, I came across the open call announcement on social media and felt like it was a good time for me to apply.

The fellowship allowed me to think about cybersecurity outside of the country. I researched the topic of security in messengers and started running a blog #who_are_living_in_our_smartphones. I have already published 2 articles about why Telegram is dangerous, and how to choose a safer messenger to use.

I worked a lot with NGOs, experts, and the government. And when I arrived, I really appreciated being here in Prague, without everyday air raid sirens and drones flying above my head. I remember when I was sending the application form, I was in the bomb shelter, and it was several hours before the deadline. I felt quite stressed, but I sent this application anyway and was very happy about it.

One of the ideas I have is to launch cybersecurity podcasts. In Ukraine nowadays, a lot of people listen to podcasts because one can listen to them in a shelter or while driving.

I have contacts with cybersecurity experts in many countries, and it would be really good to talk more about Ukrainian expertise and European and American expertise in this area.

‍

Anastasiia’s projects:

• MINZMIN, an NGO providing civil education in cybersecurity since 2019, which taught 1.5 million Ukrainians digital security skills. The team created a chapter Online safety for Diia Education - the platform has more than 7 million active users. Among others, MINZMIN collaborates with the Ukrainian Ministry of Digital Transformation and the Ministry of Education.
• Cyberbrama (Cyber Gate), a project implemented in collaboration with the Ukrainian cyber police, aiming to educate the general public on digital security risks when working, teaching, studying, or playing online games. Cyberbrama provides courses and online safety guidelines for platforms like Facebook, X, or gaming applications. Its reporting system is connected to the police and the reporting systems of social media and online messenger apps.
• Apetyk consulting, a consulting agency specialised in designing privacy and cybersecurity policies, providing cybersecurity audits for businesses and NGOs, protecting them from increased risk of hacking.
• Safebot, a start-up tailored for NGOs and people who work with documents and links in the form of a Telegram chatbot providing instant data verification, thus ensuring the safety of the information exchange. This is especially relevant for those working on temporarily occupied territories. The aim is to accelerate it to bigger B2C (business to client), B2B (business to business), and even B2G (business to government) solutions.

‍

‍