The Ukrainian-style Matrix: The National Bank seeks to control the domestic Internet space
How it happens, what risks exist and whether they can be dealt with
The system of blocking Internet resources introduced to combat phishing will soon be revised. The Internet Association of Ukraine (IAU) is to submit its proposals to the National Security and Defence Council on 21 March. As it became known to Mind, on Tuesday, 14 March, the National Security and Defence Council hosted a meeting between representatives of the IAU and a representative of the Cyber Security Incident Response Team in the Ukrainian banking system at the National Bank (CSIRT-NBU). The meeting at the NSDC was dedicated to blocking phishing websites.
The mechanism introduced at the suggestion of the NBU in its current version has received numerous comments from the Internet community and lawyers. The range of these drawbacks is wide – from the questionable reasons for collecting personal data of citizens on the NSDC servers to the absence of a definition of "phishing" in domestic legislation, which generally eliminates the criteria for blocking websites. The IAU argues that the system currently poses a direct threat to the information security of the state and therefore requires immediate revision.
Mind analysed what the system envisaged and what exactly its risks were.
How did the system emerge? How does it work? The system was initiated by the NBU. The relevant order of the National Centre for Operational and Technical Management of Telecommunications Networks under the State Service of Special Communications and Information Protection of Ukraine was adopted on 30 January 2023.
As of 2 March 2023, all Ukrainian providers were required to connect to the system. Through this system, CSIRT-NBU manages the fight against phishing: the National Bank compiles a list of phishing sites, which is updated every 15 minutes, and the providers apply it.
"Now all mobile and most key Internet providers have joined the system, which will make it possible to fully implement an effective system of protection against cyber fraud throughout Ukraine," the National Bank says. However, in reality, providers did not have a choice whether to join the system – they had to comply with the orders of their regulator.
"Specialists of the NBU's Cyber Defence Centre regularly monitor the Internet and social media and identify fraudulent resources aimed at collecting data to access citizens' bank accounts. After that, users' transitions to such malicious sites are restricted by Internet service providers, and citizens are redirected to a page warning that this site is created by fraudsters and that visiting it could lead to loss of funds," the NBU told Mind.
The NBU also explained that no domains are currently being blocked as such. Users are only redirected to a secure landing page that explains the reason for the restriction.
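To make the mechanism the NBU describes concrete, here is an added example of a provider-side "redirect instead of block" filter. It is illustrative code written for this article, not the NBU's or CSIRT-NBU's platform, and everything in it is assumed: the domain names and list entries are constructed, the landing-page and upstream addresses are RFC 5737 documentation addresses, and the visit record holds the fields the system's regulations are said to retain (date, time and IP address of the visit).

```python
"""Added example: a toy model of a provider-side phishing redirect.

Illustrative code for this article, not the NBU/CSIRT-NBU platform.
Domain names, addresses and list contents are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# RFC 5737 documentation address standing in for the warning page (assumption).
LANDING_PAGE_IP = "192.0.2.10"


def normalize(name: str) -> str:
    """Lower-case a hostname and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def is_listed(qname: str, blocklist: Set[str]) -> bool:
    """True if qname or any parent domain is on the list.

    Matching parents means a list entry "bank-login.example.net" also catches
    "www.bank-login.example.net"; a bare top-level label is never matched.
    """
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


@dataclass
class VisitRecord:
    """The fields the article says the regulations keep about a landing-page visit."""
    timestamp: str
    client_ip: str
    requested_host: str


@dataclass
class SinkholeResolver:
    blocklist: Set[str]
    upstream: Dict[str, str]          # constructed stand-in for recursive resolution
    landing_ip: str = LANDING_PAGE_IP
    visits: List[VisitRecord] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.blocklist = {normalize(d) for d in self.blocklist}

    def resolve(self, qname: str) -> Optional[str]:
        """Answer a listed name with the landing page; otherwise pass through."""
        if is_listed(qname, self.blocklist):
            return self.landing_ip
        return self.upstream.get(normalize(qname))

    def refresh(self, new_list: Set[str]) -> None:
        """Swap in a freshly fetched list (the NBU publishes updates every 15 minutes)."""
        self.blocklist = {normalize(d) for d in new_list}

    def landing_page(self, client_ip: str, requested_host: str) -> str:
        """Serve the warning text and record the visit as the regulations describe."""
        self.visits.append(VisitRecord(
            timestamp=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            client_ip=client_ip,
            requested_host=requested_host,
        ))
        return (f"Access to {requested_host} is restricted: the site has been "
                "classified as phishing. Visiting it could lead to loss of funds.")


def build_demo_resolver() -> SinkholeResolver:
    """Constructed sample data: two listed domains and one legitimate one."""
    return SinkholeResolver(
        blocklist={"bank-login.example.net", "help-payment.example.com"},
        upstream={"example.org": "203.0.113.5"},   # RFC 5737 documentation address
    )


if __name__ == "__main__":
    r = build_demo_resolver()
    for host in ["www.bank-login.example.net", "example.org", "net"]:
        print(host, "->", r.resolve(host))
    print(r.landing_page("198.51.100.7", "www.bank-login.example.net"))
    print(r.visits)
```

The filter matches on domain names, so a listed name and its subdomains go to the warning page while everything else resolves normally. Matching on IP addresses instead would also catch every unrelated site sharing that address, which is the kind of collateral blocking the article's experts describe for the Russian system.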
How does this process differ from blocking websites, including russian ones? Since 2014, access to several russian resources has been restricted in Ukraine. Initially, the legislation stipulated that blocking should be carried out by providers based on a court decision (ruling). "Such an act was individual. Later, blocking was carried out based on a decision published by the National Security and Defence Council, which brought it to the level of a regulatory act," says Sergiy Boyko, former CEO of telecoms provider Volia and now director of Smart House Systems LLC.
Now, blocking is done at the discretion of National Bank officials, and information about people who have tried to access phishing sites is recorded and passed on to the National Security and Defence Council.
Why did the introduction of this mechanism cause resistance from the telecom community? At the end of February, members of the Internet Association of Ukraine appealed to the President of Ukraine, the Cabinet of Ministers, the Security Service of Ukraine, etc. with a warning about the risks inherent in the system. The IAU believes that the system poses a threat to Ukraine's information security, as it allows for the blocking of almost the entire Ukrainian Internet. Theoretically, in the event of another massive offensive by russian troops, it could be a disaster for the country.
Information about the user who tries to access banned resources is automatically recorded and transmitted to the relevant government agencies. "Although the system is declared to be designed to combat phishing, it can be used to block any number of Internet resources," the IAU said in a statement. It is difficult to overestimate the negative consequences for Ukraine if the enemy gains access to this mechanism. So, under the pretext of combating phishing sites, a powerful threat is being laid, in fact, a "Trojan horse".
"The system of blocking dangerous websites is fully justified in wartime. After all, Ukraine is facing the task of destroying the achievements of russian propaganda in a matter of months," said military expert Maksym Kukhar.
Sergiy Boyko has a different opinion. According to him, the blocking is currently being carried out "by adopting an ersatz legal act". The result is a centralised mechanism for controlling content, placed in the hands of one of the bodies that hold extensive powers during martial law.
"It means that, whereas previously blocking decisions have been implemented by providers over a long period of time, and there has been no legal liability for failure to comply with the NSDC's decision, now a provider registered on the automated platform being created must de facto block websites immediately when such a list appears on the platform. Technologically, it is unlikely that the platform will offer anything new compared to what providers have already used," says Sergiy Boyko.
Mind heard even more sharp comments from the participants of the recent meeting. "At a meeting at the National Security and Defence Council, I found out that the initiators of the blocking system were Oleksiy Shaban, Deputy Governor of the NBU, and Oleksandr Klop, Head of the NBU's cyber defence. They apparently confused the NBU with a private entity. Under the guise of fighting phishing, they want to launch a system similar to moscow's for blocking the entire Internet in Ukraine. Such a system is impossible in the civilised world," said Adamant founder Ivan Petukhov.
Telecoms expert Roman Khimich explains that blocking used to be based on a court decision that could be appealed. "Now we are talking about manually blocking everything that an indefinite circle of people with power wants," he said.
The NBU clarifies that the system also provides for the possibility of appealing the decision to restrict access. "If it turns out to be wrong, the restriction will be promptly lifted. As of today, no problems have been recorded in this regard," the National Bank said.
"If such a system was created in peacetime, it would be necessary to discuss the mechanism of its operation for a very long time and in detail so that it does not violate the right of citizens to receive information," Kukhar adds.
What other risks are there in the system? The term "phishing" is not defined anywhere in Ukrainian law. Mind sought advice from leading lawyers, and the only definition they could find that might serve as grounds for blocking Ukrainian websites is in the NBU guidelines that came into force on 2 March 2023. According to them, "phishing is a method of social engineering that involves sending emails and/or creating websites that mislead users of information systems and aims to disclose personal data, codes/passwords and/or other confidential data, in accordance with the NBU Guidelines on Operational Risk Management (including cyber risk and business continuity) and ensuring the storage of customer information by payment infrastructure facilities".
Why is it necessary to fight phishing at the state level now? According to the NBU, the number of cyber fraud cases in Ukraine has increased significantly during the period of martial law. The majority of them are direct financial frauds on the Internet. "The most common type of fraud is fake social assistance from state or international organisations to Ukrainians affected by the war. By manipulating the difficult life situation in which many of our fellow citizens find themselves, fraudsters are trying to obtain data to access Ukrainian bank accounts through phishing resources," the NBU said.
In 2022, the NBU detected about 4,500 such malicious resources, while in 2021 this figure was much lower.
Over the past three years, digital crime in Ukraine has changed qualitatively. It has industrialised, transforming traditional criminal groups into full-fledged organisations with a division of labour, specialisation, advanced research, financial and human resources management.
"Before the war, in 2021-2022, there were dozens of criminal call centres in Dnipro and Kyiv engaged in various fraudulent activities. The largest ones employed dozens of people. Along with some countries in Eastern and Southern Europe – Serbia, Romania, Bulgaria – Ukraine is a 'sanctuary' for communities specialising in digital crime," says Roman Khimich. In his opinion, such successes of domestic criminals would not have been possible without the support of the authorities, which are obliged to counteract this crime.
The NBU justifies everything with the war. "The operators of these fraudulent resources are mostly groups from russia. It is confirmed by the NBU's analysis, and it is also clear even from the texts of fraudulent messages. They are often incorrectly translated, with a lot of russianisms and misused words. In other words, in addition to military aggression, a hybrid war is being waged against us with the involvement of cyber groups coordinated at the state level of the russian federation," the NBU said.
Won't the media be blocked under the guise of phishing resources? As lawyer Kateryna Gutgarts explains, according to the regulations, the system is used exclusively to filter phishing domains. The responsibility lies with the NBU's cyber incident response team. The regulations provide for both the procedure for adding and removing domains from the filter at the request of the domain owner or administrator. "Of course, it is impossible to completely exclude the possibility of abuse, as well as the mistaken classification of resources as phishing. Not to mention the fact that there is no legislative definition of phishing and no clear criteria for classifying domains as such," says Kateryna Gutgarts.
Rostyslav Kravets, lawyer, and chairman of Kravets & Partners Law Firm, links the creation of an automatic blocking system to the law on mass media, which will require submitting information about the owners of websites. "I believe that when the information about media hosts and owners is public, there will be no need for blocking. However, under the pretext of fighting phishing, they may simply start building a totalitarian state, as this violates all constitutional rights of citizens," Kravets said.
Doesn't it violate the Law on Personal Data Protection, since the system stores information about users, which can then be transferred to government agencies? The system's regulations stipulate that "for the purpose of analysis and appropriate response", authorised state bodies are granted access to information about visits to the landing page, i.e. the date, time, and IP address of the visit. "The Law on Personal Data Protection requires a specific and legitimate purpose for processing personal data. And the structure and content of personal data must be appropriate, adequate and not excessive in terms of the purpose of such processing. Therefore, one would like to hear from the competent authorities an explanation of the need to store user data to combat phishing," explains Kateryna Gutgarts.
Yegor Ogurtsov, the Technology and Investments Practice Lawyer at Juscutum, believes that the introduction of a phishing website blocking system is a problematic issue from the point of view of personal data protection legislation. It creates a potential risk of unlawful processing of personal data of individuals visiting phishing sites through the transfer of their personal data to government agencies for statistical purposes.
"Given the not always sufficient level of awareness of entrepreneurs and civil servants on personal data protection, we can conclude that there is a high risk of non-compliance with the above legislation and human rights violations due to the lack of direct instructions in the order on the need to comply with personal data," says Ogurtsov.
Does the automatic blocking system work in other countries? According to Sergiy Boyko, automatic blocking systems are in place in russia (SORM) and China. "Something similar to an automated blocking system is also being implemented in Turkey, and there is a system of disabling the Internet in India (in particular, in the state of Kashmir), which is used quite often," says Boyko.
"A similar system has been in operation in russia for several years and has repeatedly led to the blocking of a huge number of random Internet addresses, including those linked to critical infrastructure. It is due to conceptual defects in the architecture of the system used in russia and the one decided to be used in Ukraine," says Roman Khimich.
By the way, the European Court of Human Rights recognized the russian SORM as violating human rights.
What is happening now? Following the appeal of the IAU, the NSDC invited representatives of the association to a meeting. On 14 March, employees of the State Special Communications Service, the National Security and Defence Council and CSIRT-NBU met with representatives of the association. The system was suspended until 21 March, when the IAU is to present its vision of the anti-phishing system. According to Mind, blocking would then take place only after the provider has analysed which resources the NBU proposes to "close", and only once the issue of refusing to transfer users' personal data to third parties has been settled.