Counterpart Deliverables 4 report

(view brochure in Ukrainian)

1. Youth does not know whom to ask for help under cybersecurity threat

At this moment government does not have hotline for cybersecurity threats. There is National child hotline, which is operated by NGO La Strada – Ukraine. But this hotline works only four hours a day (due to lack of money), without any governmental support.

Chart 1. Whom do young people ask for help under cybersecurity threat

  • nobody – 69%
  • friends – 15%
  • parents – 7%
  • private companies (mobile operators, ISP) – 5%
  • cyber police – 1%
  • hotline – 1%
  • CERT-UA – 1%
  • YouTube – 1%

To be done:

  • inform youth about National Toll Free child hotline – 0 800 500 335 or 116 123 (via cell phone) - by joint efforts of Ministry of Education and Science (MES), law enforcement structures, educational institutions, mobile operators and ISPs, IT private sector, media, civil society
  • apply to international donors and business for financial and institutional support to Ukrainian hotline and for ensuring Ukraine’s joining InHope (international network of hotlines). To include the money to finance system of cybersecurity of youth into the budget
  • work out tools of cooperation between hotline and Ukrainian law enforcement structures – by joint efforts of civil society, government, private sector
  • ensure CERT-UA support (with the help of private sector and civil society) in developing the tools and criteria for the protection of informational resources of MES and its subsidiaries, educational and child institutions

2. Both youth and experts lack information on varieties of cyber threats

For example, without having information about phishing, young person shares personal information about his/herself, relatives and friends with criminals. Criminals can use this information for credit arrangements, document forgery, financial fraud

To be done:

  • develop cybersecurity risk assessment model and risk management tools for youth – by joint efforts of experts from law enforcement structures, private sector, civil society, youth
  • conduct regular polling among youth regarding cybersecurity issues (for different age groups, educational background, means of access to Internet) – by joint efforts of experts of MES, sociologists, cyber police, private sector, civic society, youth. To organize public presentations and discussion of the results of such polling.
  • adjust Ukrainian terminology in cybersecurity sphere in compliance with European and worldwide one.

3. Youth does not realize risks of using Russian social networks, as well as Russian and/or pirate software (particularly, antivirus)

Via Russian social networks special services receive information about users, their relatives, friends, and can use this information for insidious purposes. More over, geotags allow to identify user’s location.

Chart 2. How Ukrainian youth uses Russian social networks

  • 71,7% continue to use
  • 23% do not use, but have account(s)
  • 4,3% deleted their accounts
  • 1,1% never have account

To be done:

  • work out informational campaign on risks of using of Russian social networks and Russian and/or pirate software – by joint efforts of sociologists, experts on cybersecurity, education, media, PR, SMM, youth representatives
  • ensure obligatory minimal standards for software, which is used in educational institutions (to stop using Russian and/or pirate software, to promote open-source software – by joint efforts of MES and law enforcement structures, with the participation of private and civil experts
  • promote Ukrainian software, antivirus – by joint efforts of media, social network activists, civil society

4. Youth does not know where to look for information on cyber threats and protection tools

More than half of respondents need more knowledges in the sphere of cybersecurity, but 62% of them do not know where to receive them. The most mainstream source of information on the issues of cybersecurity is social networks.

To be done:

  • develop state educational program on cybersecurity, focused on youth (both as a part of school curriculum on informatization and as separate courses) – with the participation of experts of international organizations, by joint efforts of governmental, private and civil experts, for sure with youth participation
  • develop state program of preventive actions on cybersecurity for educational institutions - with the participation of experts of international organizations, by joint efforts of governmental, private and civil experts
  • develop communication strategy for social networks on cybersecurity issues, particularly about activity of law enforcement structures and preventive actions – by joint efforts of governmental, private and civil experts
  • on regular basis to inform youth on new cybersecurity threats and how to deal with them – by joint efforts of experts of CERT-UA and cyber police, with the support of private and civil experts, media, social media activists
  • To promote existing and to create new online resources to uplevel cybersecurity of youth

5. Society lacks understanding of risks of using against youth of tools of social engineering and manipulation of conscience by social networks

Based on information, gathered in social networks, it is possible to submit information by the way, which influences on young minds in accordance of demands of “customer”

To be done:

  • support existing and create new educational programs on critical thinking, media literacy, informational hygiene and to include them into school curriculum – by joint efforts of MES and civil society
  • organize informational campaign to help youth to realize all risks of sharing information about themselves, their relatives and their friends in social networks – by joint efforts of Ombudsman office, law enforcement structures, MES, sociologists, private sector and civil society

OUTLINE RECOMMENDATIONS

for Parliament

  • To develop and to adopt Law on cybersecurity in order to create effective cybersecurity system, which includes cybersecurity of youth, and adopt Ukrainian terminology in cybersecurity sphere in line with the European one

for Government and MES

  • To draw the state program of educational, awareness raising and preventive actions for educational institutions. To involve representatives of private sector, civil society, youth in developing the program
  • To initiate regular polling among youth on cybersecurity issues
  • To organize competitions of “white hackers”, Olympic Games on cybersecurity

for law enforcement structures

  • To develop communication strategy with the following purposes:
    • to spread information about hotlines for children and youth under cybersecurity threats
    • to deliver information on new cybersecurity threats and ways to deal with them on time
    • to spread information about results of investigations of cybersecurity criminal accidents, especially with the involvement of youth
    • to use social media more actively

for private sector
Under terms of social responsibilities:

  • to take part in developing the Communicational Strategy of Government and MES on Cybersecurity
  • to take part in organization of awareness raising on cybersecurity issues in educational institutions
  • to take part in creating online courses and online resources on cybersecurity for schoolchildren, their parents, teachers, students

for schools

  • To organize cocurricular lessons of experts on cybersecurity issues for children or to share video lectures of experts - both foreign and Ukrainian for civil society
  • To take an active stand in developing information campaign and communication strategy on cybersecurity of government and MES and to initiate own awareness-raising campaigns
  • To be involved in awareness-raising campaigns on cybersecurity issues in educational institutions
  • To promote Ukrainian informational resources, antivirus in part for youth
  • To actively participate in developing and discussion of legislative initiatives and state programs on cybersecurity
  • To care about own awareness-raising on cybersecurity issues, media literacy, information hygiene, to consciously handle own personal data, as well as such of your relatives and friends, using suspicious informational resources
  • To actively participate in Ukrainian Youth Internet Governance Forum

ABOUT RESEARCH

Research was conducted by iNGO European Media Platform with financial support of Counterpart International.

Research was structured into two parts:

  • anonymous polling of three focus groups (several classes of one Kyiv school, one course of one Kyiv college, one group of one Kyiv University). Total number of respondents was 95;
  • communication with key Ukrainian experts on cybersecurity on polling results and receiving their comments on these results and answers to general questions regarding results of this polling. Total number of expert - 25. Experts were: representatives of cyber police, CERT-UA, Council on National Security and Defense of Ukraine, experts from private sector, civil society, independent experts

Please refer to our website for more details - eump.org

Author of the research is Oksana Prykhodko, Director of the iNGO European Media Platform, sana@eump.org
Facebook page:
https://www.facebook.com/European-Media-Platform-288743257832686/

Cybersecurity from the point of view of Ukrainian Youth
(draft report)

(view this report in pdf)

The aim of the research is to analyze the role of Internet users (especially young) in Internet Governance and cybersecurity in Ukraine (from the point of view of different stakeholders), to analyze relevant Ukrainian policy landscape.

1. Cybersecurity landscape in Ukraine

Legislative level:

  • Council of Europe Convention on cybercrime (signed by Ukraine in 2001, entered in force in 2006 – not in full, until now);
  • Law on basis of cyberserity in Ukraine (2017);
  • Strategy on cybersecurity (2016);
  • Ukrainian President’s Decree №133/2017 (on blocking access to a number of Russian websites in Ukraine, such as Yandex, Vkontakte and Odnoklassniki).

Institutional level:

There is no one coordination center for cybersecurity in Ukraine.

We have governmental stakeholders, such as:

  • National Security and Defense Counsel of Ukraine;
  • State Service of Special Communications and Information Protection of Ukraine (CERT-UA);
  • cyberpolice;
  • Security Service of Ukraine

and a lot of others.

Private stakeholders:

  • Zillya (Ukrainian antivirus);
  • Deloitte, ISSP, Berezha Security.
  • Cisco, Cognitix.

Civil society:

  • La Strada;
  • European Media Platform;
  • Internews

Youth organizations:

  • Minor Academy of Sciences of Ukraine.

2. Within the framework of the Counterpart International project iNGO European Media Platform conducted opinion poll in focus-groups (students of one Kyiv school, one Kyiv college, one Kyiv university). The text of questionnaire is attached as AnnexA.

Results of this opinion-poll: 63,5% respondents (14-20 years old) met cybersecurity threats.

Which threats?

  • Virus – 44,2
  • Spam – 42,1
  • Scam – 25,2
  • Piracy – 22,1
  • Password theft – 21
  • Hacking – 17,8
  • Personal data theft – 16,8
  • DDoS attacks – 11,5
  • Financial theft – 9,5
  • Child abuse – 8,4
  • Phishing – 7,4
  • Bulling – 7,4
  • Child grooming – 6,3
  • Using computer for bitcoin mining – 4,2
  • Using computer as a part of botnet – 2,1
  • Cyberterrorism – 1
  • Pornography – 1

98,9% of respondents had accounts in Russian social networks, 71,6% continue to use them.

50,5% of respondents named social media as a main source of information on cybersecurity issues (37,5 – educational institutions, 18,9 – friends, 14,7 – parents).

54,7% of respondents admit that they need more skills, knowledge and tools for cybersecurity, but 62% of them do not know where to get it.

84,2% of respondents use antivirus (360 Total Security, NOD, Avast mainly, in individual cases - Bitdefender, Avira, Dr.Web, Kaspersky, Zillya).

55,8% use licensed OS (Windows), 12,6% - open code OS.

36,6% of respondents think, that the dominant role in cybersecurity in Ukraine has to be played by government, 28,4% - by all stakeholders together. 47,3% think that youth has to play more active role in cybersecurity, 36,8% consider youth as the most active segment in cybersecurity, 24,2% consider youth as the most vulnerable segment of Ukrainian society regarding cybersecurity, and 24,2% think that youth is the most active segment in creating cybersecurity threats.

3. Cybersecurity market in Ukraine.

There is no information regarding value and structure of cybersecurity market in Ukraine at all.

The most obvious segment of this market is antivirus products, market assessment of this segment in Ukraine is about $100 million. Leaders of this market segment are: 360 Total Security, ESET, Avast, Bitdefender, Avira, Zillya.

Cybersecurity audit and consulting – Deloitte, ISSP, Berezha Security.

Cybersecurity equipment – Cisco, Cognitix.

4. Consultations with cybersecurity experts.

We organized our consultation with cybersecurity experts in two rounds – at first one we have sent our questionnaire (Annex B) for experts to our colleagues from IGF-UA Steering Committee, At-Large Council at State Special Communications Service of Ukraine, members of different closed groups on Facebook.

We sent them unofficial results of our survey and asked seven questions (Annex B).

Answers to these questions below.

Which results of this survey are the most crucial from the point of view of cybersecurity of Ukrainian use?

We received 20 answers to this question. The most commonly found answer (8 respondents) is about the level of actual knowledge of Ukrainian youth about cybersecurity threats (63,5% respondents (14-20 years old) met cybersecurity threats). 5 respondents evaluated this level as rather high, 3 of them pointed out that 36,5% met such threats, but did not recognize them, so, they evaluate the level of Ukrainian youth regarding cyberthreats as extremely low.

The second commonly found answer is about the role of social media (6 respondents, 2 of them stress the role of Russian social network – VKontakte, Odnoklassniki). Ukrainian governmental stakeholders have to use social media in more active (and more creative) way. Extremely difficult question is about using of Russian social networks.

Three other items received the same amount of answers – 3 for each.

They are:

  • using of anti-virus;
  • using of licensed or open software;
  • the role of youth in cybersecurity.

The most controversial is the last one – about the role of youth.

  • youth suffers the role of learned helplessness (Stesin);
  • we witness the formation of layer of Ukrainian society with culture of information security (Potiy).

Two respondents pointed out the problem of pornography (which is criminal crime in Ukraine). The most illustrative comment (from Petrov) was: one respondent complained, others enjoined.

Which information is unexpected for you? Which information was predicted by you? Could you please send us links to similar surveys?

Answers to this question are extremely controversial. Unchallenged leader in both categories (expected and unexpected) is the percentage of use of Russian social networks (3 respondents marked this percentage as expendently high, 3 — as unexpendently high). The main conclusion is that Ukrainian authorities could not convince Ukrainian youth in the danger of Russian social networks using, but at the same time a lot of Ukrainian youth learned to use VPN and other tools to avoid Internet censorship.

Two respondents called attention to high level of using of licensed or open software.

Two respondents agreed, that viruses and spam are the most actual threats, some others (in answers to another questions) pointed out, that spam is not danger (nevertheless we have new Ukrainian draft law about spam as extremely important danger).

Cyberterrorism (1%) raised a lot of questions (but not from Security Service of Ukraine).

4,2% of respondents, supposing that their computers are used for illegal bitcoin mining, was extremely fun unless information in Ukrainian media that entering web-site http://meteo.gov.ua/ (for weather prognosis) threats using of individualʼs computer as the tool for illegal bitcoin mining (ukrainskogo-gidromettsentra-nashli-programmu-dlya-skrytogo-mayninga-kriptovalyuty).

The role of youth in cybersecurity is also extremely controversial. Two respondents expected that majority of youth relied on governmental stakeholders, two others were surprised by the underevaluation of this role (because young people often fulfill the role of «domestic» network engineers and IT teachers for older memebers of family, and they have to create «new culture» of information society in Ukraine).

What can you recommend to all stakeholders – government, private sector, civil society, youth – to enhance the level of cybersecurity of Ukrainian youth?

100% recommendations — education, awareness raising. There are some details in these recomendations. For example, ideas of importance of knowing logic and rhetoric, as well as English language.

Social networks — we tried to ask governmental stakehokders about their using of Russian social networks, but did not receive any answers.

Another very popular recommendation is to secure public-private partnership (no one from experts did not mention multistakeholderism at all).

There are a lot of very specific recommendations:

  • promotion of cybersecurity as future carier;
  • Olimpic Games for «white hackers»;
  • promotion campaign likes as antiHIV (Cisco);
  • promotion campaign likes Anti LUKOIL ( Tuliev, against using of Russian social networks);
  • involvement of media.

Do you think we need more similar surveys? If yes, do you have any propositions for the questionnaire for youth?

From 20 respondets, answered to our questions, the only one responded with «no» - without any explanations.

We received a lot of additional questions to our survey. We are not sure that we can import all these questions into our next survey (it will be . We have to elaborate «risk model» and evaluation table of cyberthreats to Ukrainian youth.

Questions of extremely importance for us:

  • personal experience;
  • comparisons with other strata

How can you describe the structure of cybersecurity market of Ukraine? (Which companies are members of this market?)

  • antivirus;
  • audit;
  • integration solutions;
  • cyberaccidents investigations;
  • HW vendoring;
  • SW vendoring
  • education;

How can you describe the structure of cybersecurity market of Ukraine? (Which companies are members of this market?)

What are the main players on this market?

Cisco, Eset, Check Point, Arbor Networks, FireEye, ArcSight, ISSP, CyS-Centrum. Active Audit Agency.

Another answer (Rvachov): 1) operators: “Volya”, “Vodafone”, “KyivStar”; 2) vendors: “Rozetka”, “АЛЛО”, “Foxtrot”, “Comfy”; 3) software producer “Microsoft”; 4) social media owners: “Facebook” та “Вконтакте”; 5) e-commerce web-site olx.ua

Cisco, IBM, IT-Integrator, ISSP, ESET, Check Point, Symantec, Berezha Security, CYS Centrum, Infosafe, IT Integrator, IT Specialist, ISSP, Netwave, SOC Prime, Smartnet, Svit IT

What is your evaluation of cybersecurity market volume?

From $100 mln to unlmtd

Based on answers to this survey, we contacted main representatives of all stakeholders with more detailed questions (in process).

Preliminary results of this consultation

The most unexpected for us – there were no such polls at all! Only two respondents (from 30+ - we are still receiving answers) sent us links to surveys (regarding cybersecurity risks for companies and about Internet dependence of youth).

The most crucial for us – there is no model of cybersecurity risks for Ukrainian youth (that is why it is impossible to evaluate any threat to cybersecurity of Ukrainian youth and to pick up 3-5 of the most dangerous ones). For example – what threats are related to the continuation of using of Russian social networks and to leaving them without deleting them?

The most unanimous results:

  • We need more such surveys;
  • We need cybersecurity lessons in schools and even in kindergardens;
  • We need more active participation of key cybersecurity actors in social networks.

Terminology:

  • what are we talking about at all? (cybersecurity, informational security);
  • child abuse in Ukrainian translation;
  • OS and gadgets (licensed, open code and pirate)

Cybersecurity threats:

  • it is extremely good that 63,5% recognized any cybersecurity threats;
  • it is extremely bad that 36,5% did not recognize any cybersecurity threats

5. Recommendations:

  • All-Ukrainian poll (based on recommendations from social scientists);
  • cybersecurity as a part of educational program at school;
  • more active use of social networks regarding cybersecurity issues;
  • open and transparent discussion of cybersecurity of Ukrainian youth with the participation of all key representatives of all stakeholders

Annex A. The text of questionnaire for youth focus groups

1.1. How can you evaluate your own level of literacy in cybersecurity:

0 – the lowest level; 5 – the highest level:

  • 0
  • 1
  • 2
  • 3
  • 4
  • 5

1.2. What is the main source of your knowledge and skills in cybersecurity:

  • parents
  • school (college, university)
  • workspace
  • friends
  • social networks
  • traditional media (TV, newspapers, radio)
  • Ukrainian governmental structures (please specify)
  • private entities (please specify)
  • international resources (please specify)
  • other (please specify)

1.3. Did you ever meet personally any cybersecurity threats?

  • Yes (please specify)
    • fishing
    • hacking
    • scam
    • spam
    • virus
    • financial theft
    • personal data theft
    • password theft
    • child abused
    • child grooming
    • bulling
    • cyber terrorism
    • DDoS attack
    • using computer as a part of botnet
    • using computer for bitcoin mining
    • piracy
    • what are you talking about at all?
    • other (please specify)
  • No

1.3.1. If yes, did it harm you?

  • yes
    • in money (if yes, please specify how much);
    • in other aspects (please specify)
  • no harm (I do not see any harm)

1.3.2. If yes, did you ask for help?

  • police/cyberpolice (please specify)
  • Service of Security (SBU)
  • CERT-UA
  • national hot-line (please specify)
  • international hot-line (please specify)
  • parents
  • teachers
  • friends
  • bank(s)
  • ISP
  • mobile service provider
  • private cybersecurity companies
  • social media
  • on-line educational tips
  • other (please specify)
  • I did not ask for help

1.3.c.1.

If you asked for help, did you receive it?

  • yes (please specify)
  • no (please specify)

1.4. Do you use antivirus?

  • yes (please specify)
  • no

1.5. What soft do you use?

  • open code/source (please specify)
  • licensed soft (please specify):
    • licensed version (please specify how you received it)
    • pirate version

1.6. Did you ever have account in Vkontakte, Odnoklassniki, mail.ru?

1.6.1. If yes, do you use them now?

  • yes
  • no

1.6.2. If you do not use this (these) account(s) now, did you delete it (them)?

  • yes
  • no

1.6.2.a. If you deleted it (them), when you did it:

  • before 16 May 2017 (Decree of Ukrainian President regarding blocking of these platforms);
  • after 17 May (entering into force of this Decree) – please specify did you use VPN or not

1.7. Do you need any additional tools to enhance your personal level of cybersecurity knowledge and skills?

  • yes
  • no

1.7.1. If yes, do you know how to do it?

  • yes (please specify)
  • no

1.8. What is your evaluation of the level of cybersecurity knowledge and skills of Ukrainian youth in average?

0 – the lowest level; 5 – the highest level:

  • 0
  • 1
  • 2
  • 3
  • 4
  • 5

1.9. What is your evaluation of the role of youth in cybersecurity:

  • youth is the most vulnerable segment of Ukrainian society regarding cybersecurity;
  • youth is the most active segment of Ukrainian society in cybersecurity;
  • youth is the most active segment in creating cybersecurity threats;
  • youth has to play more pro-active role in counteracting cybersecurity threats;
  • other (please specify).

1.10. Who has to play dominant role in cybersecurity in Ukraine?

  • government(s)
  • private sector;
  • civic society;
  • all stakeholders together;
  • other (please specify)

1.11. What is your age?

  • under 15
  • 15-25
  • 25-35
  • above 35

1.13. What is your stakeholder group:

  • government
  • private sector
  • civil society
  • students (schoolchildren)
  • teachers
  • other (please specify)

1.14. Are you interested to participate in any future surveys or events, devoted to the role of Ukrainian youth in cybersecurity?

  • yes (if yes, please mark your agreement for using your contact information for sending you results of this survey, future surveys, invitations for future events by clicking on this option and provide your personal e-mail)
  • no

Annex B. Questions for cybersecurity experts

  1. Which results of this survey are the most crucial from the point of view of cybersecurity of Ukrainian use?

  2. Which information is unexpected for you? Which information was predicted by you? Could you please send us links to similar surveys?

  3. What can you recommend to all stakeholders – government, private sector, civil society, youth – to enhance the level of cybersecurity of Ukrainian youth?

  4. Do you think we need more similar surveys? If yes, do you have any propositions for the questionnaire for youth?

  5. How can you describe the structure of cybersecurity market of Ukraine? (Which companies are members of this market?)

  6. What are the main players on this market?

  7. What is your evaluation of cybersecurity market volume?