Scant resources leave 2019 votes vulnerable to hacking

At a glance, Valeriy Striganov seems like an unremarkable Ukrainian civil servant.

But he has a monumental mission: as head of the Central Election Commission’s (CEC) IT Department, Striganov is tasked with protecting the upcoming March 2019 presidential elections from a cyber attack.

“We find malware every day,” Striganov said with a laugh, peering out from behind a Republic of Gamers-branded laptop that he bought for his job.

The question for Ukraine’s cyber security professionals is not so much whether an attack on the election will take place — that is almost completely assured. Rather, it’s how such an offensive will take place.

“The main thing that we should beware of in these elections is not so much a technical attack as an informational one,” Striganov said.

But time is running out.

With the electoral campaign set to begin on Dec. 31, experts say the government will need at least three months’ lead time to fully prepare its electronic election infrastructure against an intrusion.

“We are hindered by a lack of financing,” he said.

2014 attack

Awareness of how elections can make democracies vulnerable to foreign interference blossomed following Russia’s meddling in the 2016 U.S. presidential election.

But Ukraine’s experience goes back farther.

In 2014, months after the EuroMaidan Revolution toppled the regime of Viktor Yanukovych, the country was days away from the May 2014 presidential election that brought Petro Poroshenko to power.

“We found that three days before the election, the system didn’t work and it seemed that the main components were switched off,” said Viktor Zhora, director of cybersecurity firm InfoSafe, which identified the first phase of the attack after helping build the CEC’s network for the elections.

Zhora, along with law enforcement, worked day and night to bring the system back online. But as results streamed in, InfoSafe detected an image about to flash on the election commission’s website: a result screen showing that Right Sector leader and Russian bogeyman Dmytro Yarosh had, apparently, won.

Ukrainian authorities quickly prevented the image from appearing, saying it was the product of a hack, but not before Russian TV stations ran with the image. In reality, Yarosh received only 0.7 percent of the vote.

Attributing such attacks is a difficult and time-consuming process. Analysts end up relying on clues emanating from who benefits or how the results of attacks are used in order to make tentative claims about attribution.

“We have direct proof that if Yarosh was shown on Russian TV, then this group is linked to the Russians,” Zhora said.

Human factor

Ukraine, working with help from Western organizations, refurbished its cybersecurity system for the October 2014 parliamentary elections.

But as the country prepares for 2019, there’s work left to be done. CEC Chief Mykhaylo Okhendovsky said that he would need at least Hr 36 million ($1.3 million) to secure election infrastructure from potential attack — a sum that has not been disbursed, less than a year out.

Ukraine has an advantage in that all votes are cast on paper ballots. The tallies are then counted in district centers and transmitted electronically.

But Zhora argued that the “human factor” could prove to be a bigger weakness in the system, either through direct bribery of officials managing the system or by compromising the network through infected files or flash drives.

Striganov said that his defense system would automatically detect such an intrusion, but conceded that his employees’ low pay constituted a vulnerability.

“The temptation is always big, but it’s a question to the whole civil service,” he said. “If someone is making Hr 15,000 ($547), and he is offered $100,000, then believe me, it’s a big temptation, regardless of where he works.”

Disarray

The worst case scenario, however, might not be an attack like that of NotPetya in July 2017, which knocked out computer systems and infrastructure across Ukraine.

Rather, Striganov argued, an attack that managed to cast doubt on the legitimacy of the results could be far more damaging over the long term.

“To publish some fake pictures on the internet saying that the CEC system is hacked would be easy,” he said. “If you release it at the right moment, that’s enough. For example, during the two days that preliminary results are coming out. There’s nothing complicated in causing a sensation over two days.”

“People will hear that the system was hacked, that preliminary results being shown on the site are untrue,” he added.

According to Keir Giles, a senior consulting fellow at Chatham House and expert on Russian information warfare, the aim of such attacks may be to provoke confusion as much as achieve specific goals.

“Russian planning is content to accept a much wider range of possible outcomes, not as tied to a specific critical part,” Giles said. “Therefore, if you mount an operation which has an ideal goal but instead you achieve some other disruptive effect which furthers your interests, this is an acceptable outcome.”

Giles refers to these initiatives as “cognitive attacks,” in which the target is “not computers or infrastructure, but the human mind.”

White hats

The Ukrainian agency responsible for checking for vulnerabilities in cyber defenses is DerzhSpetzSvyaz, or the State Service of Special Communications and Information Protection. They continually audit the CEC’s infrastructure, and issued Striganov’s department a certificate saying that his system is sound.

“This will all be modified, modernized, the system will be redone,” Striganov said. “But that will be closer to the elections.”

Striganov would not say whether his department had encountered large, coordinated attacks on the election system since 2014.

But other cybersecurity professionals say that it won’t be totally clear whether some sort of malware is embedded in Ukrainian election infrastructure until election day itself.

“Hackers could have entered a long time ago and just sit there and wait for the moment, for a signal to release what they have,” said Yegor Aushev, CEO of the Information Security Group and co-founder of Hacken, a company of so-called “white-hat hackers” that attempt to penetrate cyber defenses to identify vulnerabilities, and not commit crimes.

Aushev argues that one potential solution to lack of resources in cybersecurity would be to allow white hat groups to probe for vulnerabilities.

“We need to allow state organs to use white hat hackers,” he said. “Other forms of certification — that you’ve passed some sort of audit — is yesterday’s approach, it’s primitive. One or two people doing an audit can’t be compared to hundreds of hackers testing a system.”

Ukraine passed a law on cybersecurity in 2017.

“There’s no direct concept of white hat hacker in the law,” said Maria Koval, an attorney at Ilyashev and Partners. “The government has begun to look at it seriously, but there’s a real problem in the lack of specialists in government.”

Striganov, when pressed on the issue, sighed.

“Few people work on altruistic principles,” Striganov said. “For us to attract a high-quality specialist, he won’t waste a month of his working time for nothing.”