Cybersecurity – Why the US And Ukraine Are Cooperating

Hello and welcome to a new episode of Hromadske Radio’s Ukraine Calling! We’ve changed our format. Now we’ll be bringing you a feature interview with Ukraine’s opinion makers, cultural movers and shakers, other interesting people, and the latest in new music from Ukraine. I’m Oksana Smerechuk in Kyiv. This week’s interview was conducted by Hromadske Radio co-founder and CEO, Andriy Kulykov. He spoke to three experts about a new phase of US-Ukraine cooperation in cyber security. Joining Kulykov are Junaid Islam, Founder, President & CTO of Vidder Inc., a California-based company that develops security solutions for cloud based applications; Aleks Mehrle, President and Co-Founder of Ukrainian Global Trade and Investor, Inc.; and Steven R. Browne, Director of the energy company, The Stanton Group.

Feature interview: Hromadske Radio CEO and co-founder, Andriy Kulykov, speaks (via Skype) to three US cybersecurity experts who are working with Ukraine

Kulykov: This is a recording for Hromadske Radio in Kyiv as a follow-up to an interview with Oleh Derevianko who told us mostly about the Ukrainian side of the story. Now we are talking to three experts in the USA. I thought that this interview would be about Ukrainian-American cooperation in cyber security but the name of this conversation is “Russian Cyber Attacks”. Is it about Russian cyber attacks or about more than just Russian cyber attacks?

Islam: The reality is that Ukraine is facing cyber attacks from Russia. This is a problem both for Ukraine and the United States, because Ukraine is a model for Western democracies. From one perspective the Russians do not want it to succeed as a model because of their own internal, political issues. Russian cyber attacks are important for everybody to understand and develop countermeasures.

Kulykov: Who was the initiator of cooperation? Was it the Ukrainian side who asked Americans for help or maybe Americans said, “Hey, guys! You are threatened, we can come and offer you some help.”

Mehrle: Simple question but a complicated answer. Let me start with a big picture. In a big picture there are multiple channels for discussion among stakeholders in Ukraine and the US happening both formally as government to government and informally as individual expert to individual expert who happen to know each other or might have worked together professionally and also in corporate or company sphere where obviously Ukrainian companies are active outside of Ukraine and have established relationships with stakeholders outside of Ukraine. Sometimes Ukrainian government representatives have experience in international companies as well as in IT cyber security generally. So there are multiple channels of discussion that are going. What we are trying to do as a group with Oleh Derevianko and Junaid and as Oleh mentioned with a leading US university in cyber security, we are trying to bring an optimal in our view formal structure to that cooperation. One of the difficulties in cooperation on such complex questions as cyber security where multiple different stakeholders are involved is that you get different channels.

We are trying to streamline that by opening a centre that has an office in Ukraine, Washington DC and Silicon Valley. Each of which will work together and coordinate responses to individual threats as they come up in real time, tactical and practical solutions, but also to be flexible and to change over time. Today for example you may identify it as critical infrastructure, electrical grid, nuclear facilities and so on as the area of greatest immediate need because the risks of taking down the electrical grid or nuclear power plant are so high. As you secure those over time you may focus on financial sector and banking or securing the knowledge economy or communications, or whatever it might be.

The structure that we are proposing as a group of interested experts and individuals that represent different companies, some of which have experience in government and some of which have more experience in private sector. We are proposing a solution that we think may work to help secure Ukraine today, and in the future, but also help the United States and its Western allies learn from the experience in Ukraine on the ground.

Kulykov: That is a brilliant and clear-cut answer, but the question goes further: by establishing physical head offices, aren’t you making an organization more vulnerable potentially?

Islam: I think the purpose is to establish a meeting and training place. So it’s not so much the locations being vulnerable it’s about bringing people together and sharing information in both directions. The American side learning from the Ukrainian team about what they are facing, and the Ukrainian team getting advice from America what countermeasures they may wish to deploy to stop these attacks.

Kulykov: We often say that Ukraine is notorious for its bureaucracy. Have you met any bureaucratic red tape or other obstacles on your way?

Mehrle: Let me give you some context. My mother is Ukrainian, I speak Ukrainian. She emigrated after WWII. I grew up in New York in the diaspora community. I speak 1942 Western Ukrainian. Я розмовляю українською. [I speak Ukrainian]

Kulykov: То я вже почув. [Yes, I heard this already.]

Mehrle: I lived in Ukraine as a Fulbright scholar in 2005-2006. Because of that I have a strong relationship with folks in Ukraine, people who left and are working now in private companies on issues related to Ukraine but from the United States. I have a good network as a result of that. I would like to think because of the timing right after the Orange Revolution and my age – I am approaching 40. There is a group of reformers who make sure the reforms succeed, that Maidan succeeds. In my network including Ukrainian government. So we are on the radar with people, speaking with people within the Ukrainian government but there are more stakeholders. There was some bureaucracy and questions what kind of entity we would become or we intend to become but we have been able to manage those.

Now we are primarily focused on building a mousetrap. We identified a need. There is a need for US-Ukraine cyber security cooperation and it’s in the interest of both US and Ukraine to meet that need for their own national security strategy and also for the future of Ukraine, free, prosperous, viable Ukraine as part of national strategic interest and also of the US. So all of these factors come together. What we have done is to prepare the best mousetrap in order to receive funding. Initially we targeted the US government that will be providing some funding for US-Ukraine security cooperation. What happens from that point forward looking into the future we can be flexible about it. The focus is not dealing with bureaucratic questions but really it’s about designing a framework and answer questions before you run into them. Having the right stakeholders, designing things in an efficient and targeted way and in a way that cannot be questioned for transparency. We have to be transparent.

Kulykov: Aleks, what is the place of intelligence community among these stakeholders?

Mehrle: The Ukrainian intelligence community or the Western intelligence community?

Kulykov: Both, if you are able to answer for both of them, but primarily of course American, as you are Americans.

Mehrle: Well, some of our team does include former IC community stakeholders and fairly senior ones, but I will let Junaid comment on that to the extent that he is able to.

Islam: I think in the informal discussions I have had with intelligence community members, Russia has always had a view that they feel threatened and hemmed-in by other countries – which as a non-Russian I find hard to understand why they feel threatened – but they do have a program to destabilize other countries whether it was the United States election recently or in the case of Ukraine. These cyber attacks Ukraine is facing are really just an extension of that program and I think it is in all our interests that we find ways to mitigate these cyber attacks. I think it’s that simple. As a side-note, I think one of the interesting things is how Russia does everything in the public.

Typically when you think of intelligence programs you think of something of great secrecy, right? But they love to boast about their exploits in the public, they work to put everything on WikiLeaks, and so I think they are quite open about their aggression both to Ukraine as well as the United States.

Kulykov: How expensive is the operation going to be and where are the sources for financing?

Mehrle: Junaid, would you want to address that at a high level—at least initially?

Islam: Well the program is actually very modest in size, because we’re just focusing on sharing information about cyber attacks and training. So we’re talking single-digit millions of dollars. Even tens-of-millions would be too much. We are very small. The idea is to be very efficient with the funds and really focus on bringing together experts on cyber security as well as practitioners from Ukraine who have to protect systems, whether it be government systems, energy systems, or finance systems.

Kulykov: Well with all the talk about cyber security, we cannot rule out that there may be live agents among those who will participate in the program, maybe on both sides, maybe on the Ukrainian side. What are the ways to prevent this? Otherwise you may be sharing your experience with the wrong people, or Ukrainians may be sharing their experience with the wrong people.

Islam: I think one of the challenges both for the United States and Ukraine is that we are open societies, versus Russia who is a closed society. So it is just the cost of being an open society that someone who wants to do harm to you can enter your workspace and learn what you’re doing. For example, in the United States we have many conferences on security that are visited by the countries that happen to be attacking the United States. They actually show up at the conference and buy a ticket. And the reason the United States lets this happen is that we are an open society. So I think the challenge for us is how do we protect ourselves yet stay open. I think it’s very important that we remain as open societies, that we don’t start targeting people in Ukraine or America because we think they might be foreign collaborators. If we have specific proof we should certainly arrest them, but I think this notion that someone may be a spy or something I think we should stay away from.

I think we should actually make a point that we are open, and that we should develop counter measures to these cyber attacks so that even if they know what we’re doing, it doesn’t matter because we’ve designed it in such a way.

Kulykov: In your answer I hear the assurance that you’re going to be open and I agree with this. This is one of the best means of protection. On the other hand we have an old adage that says that: the best defense is a good offense. What about offenses in your program?

Islam: I am strongly against offensive cyber security activities. Simply because any country that can attack you can also basically hijack another country’s connections to attack you, and then it becomes confusing who the attacker is. Then there is a high probability you might go after the wrong person. I think we have to develop information systems that are inherently secure from external—or even internal—attack. I think cross-border reprisals are not what we want to do. In fact, the reason we’re kicking off this initiative between the United States and Ukraine is because of the cross-border attacks by Russia onto Ukraine. So that is something that we consider illegal behavior, so the last thing we want to do as an organization is do the same kind of illegal behavior we’re asking somebody else to stop. So that is not something that is appropriate and also it’s not necessary, or useful.

Kulykov: I asked Oleh Derevianko this question in our interview a week or so ago, that Ukrainian cyber security and other internet or cyber people have quite a lot of reputation internationally, but still the notion here is that American expertise is higher or deeper. What’s your take on this?

Islam: People in Ukraine are experts in enterprise cyber security which is the cyber security related to keeping a business safe. Where Ukraine lacks is developing counter measures to state-sponsored cyber attacks, which are completely different in terms of how they are executing. This is where the United States is a clear leader in developing countermeasures just because unfortunately the US faces so many cyber attacks from so many hostile countries around the world. I think we want to share this with Ukraine’s countermeasures against state sponsored attacks like the ones it is facing from Russia right now.

Mehrle: Let me just add to that briefly. In the United States we have the added benefit of having a strong concentration from the commercial side or businesses and companies in IT, and as a result also in cyber security, in Silicon Valley. Silicon Valley sort of organically grew and developed into this massive, but still in terms of geography, concentrated area of IT and technology companies and research and development. And like any other community even though it is quite big, a lot of people know one another and have worked together for years. So for example Junaid was early with CISCO and developed some interesting technologies for ATMs that all of us use every day while he was there. And he grew up as a professional in that community and within 20 miles of where he’s sitting right now giving this interview—because he’s in California now—he has ten, twenty, thirty close colleagues that he could reach out to, to help understand the dynamics of an attack and the response to an attack. So other countries, the EU for example, have maybe things like Silicon Valley but smaller and scattered against member states. They certainly are strong in terms of technology and in cyber security as well, but you just don’t have this concentration of it like you do in Silicon Valley. And that’s something that we’re very eager to bring to the solution in Ukraine, because having an office there and have Junaid and others who are active in that community be able to reach out and bring the best and the brightest together in a room either to train Ukrainian stakeholders or to analyze and respond to an attack in real time and develop counter measures for it, is something that you simply can’t do anywhere else other than from an office in Silicon Valley.

Kulykov: Maybe Steven would like to start to sum up the interview?

Browne: Alright, instead of summarizing the cyber-specific things that have been discussed already, because I think I wouldn’t do a better job than the folks who have already spoken, let me just mention, for a minute or two, our particular involvement in cyber security between the US and Ukraine. My company is in the energy business, not the cyber business. We understand the importance of cyber security for carrying out activities and energy, particularly in a place like Ukraine. As you certainly know, energy security is really important for the political security of Ukraine, and to have energy security now in Ukraine, you need to have cyber security – it’s all over the world. Energy experts – and Ukraine has many of them – have to really understand the business, engineering, also perhaps economics, financial engineering projects done, and there’s lots that needs to be done. But in the past, such activities did not have to worry about, and often did not think about, the impact of cyber attacks on the security of the energy platforms. And if you look at one area in particular – the nuclear sector and Ukraine’s very important nuclear power plants – which of course were originally Soviet in design, there are many things to be done to protect them against cyber attacks in the future. Our belief as a company is that the best way to protect them is to integrate the cyber side and the physical side. Let me give you a couple of more examples. If you are looking at the nuclear power plant and worry about it being protected against attacks, there are different levels of priorities. It’s one thing to worry about keeping them shut down and not generating power tomorrow or 6 months, if some of the major elements were hurt. Another more important concern is to worry if such attacks could cause a greater catastrophic event such as a meltdown of some nuclear components.

So you have to think about isolating those components in different ways than you may have had in the past, to protect against what would happen if cyber attacks were successful in any one of the areas within such a power plant or a collection of power plants. Or the director takes the company that is responsible for operation of all of them, then regulatory agencies are involved. We think it is important and we try to do what we call “system integration” between the cyber security specialist and energy specialist. That is not to say that Ukraine’s nuclear sector does not have cyber security experts. Of course they do. But if we are talking about new cyber attacks, cross border, national, and carefully directed counter measures, you also need to protect the physical side in light of counter measures that you are putting forward.

Kulykov: Mr. Browne, being on the user or customer end of the process, how often do you have to change the providers of cyber security if at all? What is the life cycle of the measures as dangers and threats are constantly changing and you need to adapt countermeasures as well?

Browne: Let me address the second question first. You are absolutely right – the measures are constantly changing and you have to adapt your countermeasures in response to that. No question about it. As we would say, “What we did yesterday worked fine, why do we not stick to that for a few months or years”. That would never work. You constantly need to adapt your countermeasures. As to the first question, the way to do it is to have a proper training and institute, a whole complex regime, which will be dealing with these countermeasures particularly, which I think are not related at all until the issue who is providing your technology. If you think from the business perspective which brand of cyber software do we buy? Of course, I can imagine you have to change it quite frequently. But that is not what we are talking here. We are talking about countermeasures and corporate training and so on which are independent of individual software sellers or components of cyber security.

Kulykov: Is there at all a point of exit in the cooperation that you have started? Will you at some point say: yes, we have reached our goal, we have done everything we can. There is no longer a single threat that Ukraine can’t cope with. You don’t need us anymore, and we don’t need Ukrainians, in this sense, anymore?

Mehrle: Let me try and answer that. I think there’s a point of exit for individual members of the team. The team is built and developed and meant to be flexible, and it will evolve over time. I think of it as modules. So right now, an early focus of ours has been the energy sector, because it’s so critically important and vulnerable. As you know the electrical grid has been attacked in Ukraine two Decembers in a row. Once we address, to some meaningful degree, we’ll never be perfect because attacks will always evolve. But once we address this to a meaningful degree, some of the immediate issues that we were fortunate enough to do that in energy, you can either in parallel, or at that point when you finish energy, you can start working on another sector that is necessary. So I think a fluid framework, which will see different experts on the US side, different key persons and stakeholders on the Ukrainian side come together to address problems. Either in the priority of their importance, because, as I said energy is an example of importance, because of the risks of getting it wrong and have insecurity. Or if there’s another specific need driving that. Another example might be the knowledge economy. Ukraine has a very strong potential to develop into a knowledge economy that innovates, develops products, the result of which leads to exports, plugs into the world knowledge economy. Sort of like Silicon Valley has developed. But in order to encourage companies, even Ukrainian companies, to put the fruits of their research development on a Ukrainian server on Ukrainian territory, you need to be able to protect them, so they know they won’t be stolen. Or easily stolen.

So there are a lot of different things that we as a framework, the US-Ukraine Cybersecurity framework could work on. But they don’t all need to be in parallel, they will change over time. A month from now, six months from now, a year from now, perhaps Steven won’t be involved anymore. And perhaps Junaid may be less involved, because the areas of his expertise have been addressed to some meaningful degree.

But the idea of the centre is to build something that is flexible enough to have it persist into the future. And to some degree for there to be potentially some self-sustainability, in terms of projects in specific technical areas, requiring/having members to pay dues in order to access the information that has been developed. So individual stakeholders may change over time. We expect that they will. But we would like this to be set up in a persistent way, to continue to facilitate meaningful cooperation. Not just in the defence of Ukraine, securing national security interests of Ukraine and the United States, but also in the future doing certain important things from the cybersecurity perspective that would help develop the Ukrainian economy, trade between the US and Ukraine, trade between the West and Ukraine.

Kulykov: Well, Steven, Aleks, Junaid, thank you very much, keep up the good work.

MUSIC

As we’re still in the old style holiday season, here’s a new version of an ancient Christmas carol for you. It’s called По Всьому Світу, which means All Over the World. Since Ukraine Calling has listeners all over the world, we thought you might enjoy it. This instrumental version is performed by a L’viv group called ROKOKO.

LOOKING FORWARD

Tune in next week for a new episode. Bohdan Nahaylo will be interviewing Andy Hunder, President of the American Chamber of Commerce in Kyiv. And do let us know what you think about the new format, or anything else on ukrainecalling@hromadskeradio.org. I’m Oksana Smerechuk for Hromadske Radio in Kyiv. Thanks for listening.

Interview transcribed by Marta Dyczok, Caroline Gawlik, Larysa Iarovenko, and Nykole King. Music by Marta Dyczok. Sound engineer Andriy Izdryk. Web support Kyrylo Loukerenko.