Document Type: Research Paper
Authors
1 Department of Journalism, National Aviation University, Kyiv, Ukraine.
2 Department of Theory and History of State and Law, National Aviation University, Kyiv, Ukraine.
3 Department of Public Administration, Interregional Academy of Personnel Management, Kyiv, Ukraine.
4 Department of Theory of State and Law and Constitutional Law, Interregional Academy of Personnel Management, Kyiv, Ukraine.
5 Educational-Scientific Institute of Law named after Volodymyr the Great, Interregional Academy of Personnel Management, Kyiv, Ukraine.
6 Department of Economics and Business Administration, Interregional Academy of Personnel Management, Kyiv, Ukraine.
Abstract
Keywords
Introduction
The active introduction of digital technologies has become another challenge for humanity, as the problem of information security has become more acute. According to Gartner analysts, global spending on automated information security systems and integrated risk management (IRM) in 2020 reached $133.78 billion, which is 6.4% more than a year earlier. Such market growth rates reflect the continued demand for technology for remote operation and cloud security. There is a tendency towards increasing automation and further introduction of machine learning technologies and artificial intelligence. Therefore, to combat attacks, organizations will expand and standardize the work of identifying threats and responding to them. Studies have shown that the cyber risk management technology segment showed steady growth in 2020 due to the risks associated with the global crisis caused by the COVID-19 coronavirus pandemic. The areas of significant risk that will stimulate further demand are related to the emergence of new digital products and services and their use for health and safety, as well as third-party risks such as leakage of customer data or attacks on supply channels. The serious consequences of such risks lead to an escalation of the current data leakage crisis and the acceleration of attacks by extortionist viruses. Figure 1 presents statistics on data leakage over the past fifteen years.
Figure 1. The volume of unauthorized data leaks for 2005-2020.
2020 was a record year for the level of unauthorized use of information. Due to the imperfection of protection, there are unauthorized managers of information, whose activities are partly in the illegal area.
With the development of technology, the importance of information as a resource for development has expanded, and the importance of intellectual capabilities of citizens has increased. However, the lack of knowledge and methodological basis for the practical application of digital methods of processing and storage of information can cause serious engineering and humanitarian and educational problems and even disasters. They require scientifically sound approaches to the definition of fundamental concepts in legislative and regulatory documents: "information", "information resource", "information security" and so on.
A number of legal issues related to the information and communication sphere remain unresolved in Ukraine, and with the advent of digital technologies this is becoming a danger. Communication processes become much more complicated and new types of relationships emerge; all this increases risks and threats and changes their quality, which makes it impossible to confront them with the help of current law. A new type of crime, organized cybercrime, is emerging and becoming more complicated. Therefore, the main tasks for the prevention of threats in the information and communication sphere are: protection of critical information infrastructure; protection of personal data; security of information and communication ergasystems, state structures; protection of the working environment and technologies.
Therefore, the digitalization of society and the economy, which is based on the network use of digital information and communication technologies, requires adequate legal support. After all, digital technologies are associated with the emergence of various new technology-driven risks and threats. In addition, digitalization is the cause of institutional transformation, which should also have a legal basis. All of the above requires the formation and implementation of a legal mechanism for the further development and operation of the system for ensuring information security, taking into account the effects of digitalization and the transformation of society.
The purpose of the study is to develop scientifically sound proposals and recommendations for implementing legal mechanisms for information security in the context of digitalization.
The object of study is the process of formation of social relations that arise in the implementation of information processes, and the relations of subjects under the influence of the development of new network communication systems with their rules and requirements.
The subject of study is the features of legal regulation in the field of ensuring information security in the context of digitalization.
There is a high level of competition between countries for data resources in the world, and the sovereignty of data in the context of digitalization faces serious challenges. Thus, the United States has a liberal policy on cross-border data flows. Such a policy enables companies operating on the Internet (Facebook, Twitter, YouTube, etc.) to have the primary advantage over the flow of data across borders. By contrast, very strict regulatory measures (white list, standard contracts) have been introduced in the EU countries. France has already introduced new cybersecurity rules for critical infrastructure operators. In September 2020, the Chinese Ministry of Foreign Affairs published the Global Data Security Initiative, which proposes that global digital governance adhere to the principles of multilateralism, security and development, as well as honesty and justice. Some countries (Japan, Singapore) have already passed laws on personal data protection. At the same time, risk management issues for cross-border data flows remain unresolved.
The EU member states, the NATO members, international corporations and experts unanimously recognize Russia and its actions in cyberspace as a major threat to international cybersecurity. Active reconnaissance and sabotage in cyberspace is part of Russia's hybrid war against Ukraine. Russia's destructive activity poses a real threat of acts of cyberterrorism and cyber diversion against the national information infrastructure. The situation is geopolitical in nature, and the intensity of interstate confrontation and of intelligence and subversive activities in cyberspace is projected to increase. The consequence of such processes is the expansion of the circle of states that will try to form their own cyberspace and to master modern technologies of reconnaissance and sabotage in cyberspace. The need for legal regulation of relations in the information sphere is due to extraterritoriality. Therefore, regulatory mechanisms should be multilevel, given the actual lack of borders for the dissemination of information. Informatization, the Internet and digital technologies in public administration have created the latest phenomena of the "e-state", "e-government" and so on. This requires appropriate changes in the legal mechanisms of state and legal institutions. Today, information is an important resource of any state, on which the national security of the country depends. Adequate and effective legal provision of information security is an urgent need in the conditions of development of Ukraine as a democratic and legal state. The study examines the experience of Ukraine through the prism of world experience of legal mechanisms for information security in the context of digitalization.
Literature Review
The development of information technology is characterized by the expanded and comprehensive use of information technology and systems. Strengthening information security is based on ensuring the reliability, confidentiality, integrity and availability of state information resources and of information with limited access, in particular that circulating on the objects of economic information infrastructure in the context of information and hybrid wars (Krasnobayev et al., 2016; 2019). As a result of the active implementation of technologies in all spheres of life of people and society, the newest types of interaction of economic agents appear (the virtual or "hybrid world"). Such interactions are the result of a fusion of the real and virtual worlds, where it is possible to perform appropriate actions, the consequences of which are felt in the real world through the virtual. Ensuring information security of the national economy, taking into account the processes of digitalization, is possible provided that the principles of connectivity, systematicity and synergy are observed, which involves the interaction of security system components at the macro and micro levels (Yanko et al., 2018). As studies show (Kirkham et al., 2013; Yarovenko, 2020; Zavhorodnii et al., 2021), digital transformation affects not only the introduction of digital technologies, but also the transformation of horizontal and vertical business processes, optimization of operating procedures, and changes in established models and formats of interaction between participants in the value chain. The latest technological solutions require complementary investment in improving organizational practices, employee competency development, data culture and digital solutions (Iatsyshyn et al., 2020; Romanenko & Chaplay, 2016). New threats and challenges in institutional transformations are emerging, which is a powerful destabilizing factor for the sustainable development of any country.
Research identifies a wide range of issues related to information security.
Of course, there is an active scientific search for ways to regulate the development of the economy in the information society, the legal aspects of information security, and the standardization and development of strategic documents in this area. The need to use standardization to improve information security is emphasized by Topa & Karyda (2019). Kosevich (2020) systematizes cybersecurity strategies in Latin America and considers the impact of information security on the development of countries. Different countries form their ways of counteracting information threats and risks differently. As an influential factor in these differences, Dincelli (2018) highlights the features of national culture and the confidentiality of people's behavior, which determine the character of strategies to combat information threats. External information has a negative impact on the country's information environment, especially under the influence of foreign policy conflicts (Kirilenko & Alexeyev, 2018; Marhasova et al., 2020). Thus, the issue of information space is complex.
The information space of the country is a structurally-segmented complex of communication-content dimension of the life of the country, which consists of different in scale and nature of interaction of different elements. The main elements of the information space of the country are presented in Figure 2.
Information space of the country:
- Information fields of territories and large cities
- Communication and content environments of settlements and united territorial communities
- Geopositional points of separate information objects
Figure 2. Components of the information space of the country
The information space of the country is formed by information fields, information environments and geopositional points of separate information objects:
The information coming into the national information space must be safe for this space.
Information security is a state in which, in the conditions of real and potential threats, the self-preservation and the sustainable and progressive development of the information sphere are ensured. This level of security, and its criteria for ensuring national interests and the inviolability of values, must be enshrined in law and regulated.
The scientific interest in digitalization technologies is represented by research related to the introduction of legal protection in economics, finance and management of blockchain technologies, artificial intelligence, cryptography, cloud technologies, knowledge management, etc.
Klyaus & Gatchin (2020) developed a mathematical model of information protection by means of control of optimization and evaluation of information, ensuring the effectiveness of the security system using the gradient method. Dorosh et al. (2019) propose applying the method of fuzzy logic to protect personal data. Blockchain technologies are considered to be promising methods of information protection (Warkentin & Orgeron, 2020). Brozhova et al. (2016) consider qualitative and quantitative data of the network process and options for network development decisions.
Issues of information security relate to information, the phenomenon of cybercrime and the prevention of cyber threats and risks, and research on information security issues at the level of society, the state and the individual.
In their research, Li et al. (2021) and Kuznetsov et al. (2019) provide a methodology for identifying risk areas and classifying the level of risk to support early warning decisions. D'elia (2018) suggested that in order to improve the mechanism of cybersecurity, industrial policy should take into account market-oriented goals and no less important tasks related to data protection and technological independence.
The success factors of information security management are investigated in accordance with the security of business activities, support of senior management, security control and organizational awareness (Ključnikov et al., 2019; Singh & Gupta, 2019). An effective means of information security management in the enterprise is to build an automated security information system (Bekmuratov et al., 2020; Klochan et al., 2021). An important aspect is the legal provision of information security of man, society and the state (Hubanova et al., 2021; Bondarenko et al., 2021).
There are enough laws and regulations on information security and data security in the world.
The legal regulation of information security is a form of authoritative legal influence on public information relations, which is carried out by the state in order to organize, consolidate and ensure them.
However, as practice shows, in general, such laws and regulations are not yet fully developed, which reveals problems such as the lack of comprehensive legislation and further interpretation, as well as inadequate coordination between protection and development. Legislation is territorially limited by different laws on different continents (Sagan et al., 2020; Bondarenko et al., 2021). In addition, the internationalization of data circulation and of the possession of personal data exacerbates the need for a legal framework with international standards to resolve data issues and disputes between countries.
Thus, the literature review showed the main directions of scientific research to ensure information security by legal mechanisms:
1) The legal regulation of information security of the country is determined by the degree of regulation by national legislation and norms of international law of public relations in the field of combating threats to national interests in the information sphere. A national data protection strategy needs to be developed. That is, the issue of ensuring information security by strengthening the coordination of the information security strategy with the national security strategy and national strategic resources becomes relevant.
2) Cyber influence is carried out in the information space via the Internet, so, in our opinion, it is necessary to include cybersecurity in the information security of the country.
3) The regulatory policies for the cross-border flow of critical data and user information in key areas such as communications and finance need to be further improved. The assessment of cross-border data flows should be strengthened and appropriate international standards and regulations established.
4) The legal regulation of information security of the country is a single system of legal support of public relations in the field of countering threats to national interests. Therefore, it is important to promote the rule of law in the field of information security and data confidentiality. Implementation rules for existing laws and regulations need to be refined. The scope for adjusting existing laws needs to be expanded, and data ownership laws need to be drafted quickly to clarify the extent of big data ownership. At the present stage, the state information policy should envisage and solve tasks related to the harmonious provision of information security of the individual, society and the state.
5) The issue of improving the classification of data and the system of hierarchical supervision of information is relevant. The system of management and protection of information and data will help to maximize the detection of data value, while protecting data security and personal confidentiality. The data classification system should be started in terms of improving the effectiveness of supervision and adopt different regulatory measures and legal requirements for data of different classification units. At the business level, it is advisable to develop a classification and evaluation system based on industry practices of data protection, data flow and data compliance.
Methodology
The basis of this study was the methodological principles and approaches of legal science, which were used to solve the problems set. The work used a comprehensive analysis of legal mechanisms, measures and results of information security of Ukraine. The analysis was performed using general scientific methods: description, analysis, synthesis, induction, deduction, abstraction, classification. The method of induction, which consists in the generalization and systematization of empirical material, was used to conduct a comprehensive analysis of information security as an important component of national security. The interrelations of the main components of information security of the state are clarified, and the interdependence of the state of information legislation and the legal support of information security of Ukraine is justified.
The conceptual scheme of information security of the country is presented in Figure 3.
Information security system
Figure 3. Conceptual scheme of information security
The system approach made it possible to consider the structural components of the information security system of Ukraine. Figure 4 shows the main features of information security. The system approach acts not only as a determinant and "measurer" of the system of the subject, but also as a kind of selector of the necessary legal regulators (Anderson & Moore, 2006; Babenko, 2020). In this study, the systems approach is reflected in the consideration of information security as a system of public relations, as well as in the proposals formulated on its basis for the systematization of legislation and of the activities of the national cybersecurity system aimed at protecting information security. The structural and functional political analysis made it possible to clarify the roles and functionality of the structural units that provide information security, the functioning of the subjects of information security of the state, and the collegial advisory bodies for information protection established at the executive bodies of state power.
On the basis of the structural-functional method, the activity of ensuring information security by the executive bodies of state power of Ukraine was considered, and the conformity of the normative-legal acts underlying the modern system of legal provision of state information security with real public relations in this sphere and with international standards was determined. The institutional method made it possible to analyze the activities of the public authorities that make up the system of information security of Ukraine.
Informational security:
- Subject: State; Economic agents; Human
- Object: Information, knowledge; Information systems; Consciousness, psyche of people
- Spheres: Financial and economic; Political; Military; Technological
- Tools: Software tools; Technical means; Methodical means; Information media
- Remedies: Mechanisms; Special institutions; Special units; Specialists
- Purpose: protection against threats related to unauthorized access, use, disclosure, violation, modification or destruction of information
Figure 4. Key components of information security
The comparative legal method is the basis of the study of international experience in the legal provision of information security of the state. To understand the evolution of the concepts of the information society, as well as the concepts for the organization of public administration that are associated with rethinking the role of the state in society in the context of digitalization, the historical-descriptive method of historical knowledge was used. Analysis of statistical data and qualitative analysis of the documents used in the research were carried out. The methods used together made it possible to identify priority legal mechanisms and to develop recommendations for optimizing the activities of the national cybersecurity system to ensure information security. The information and factual basis of the study was formed by the laws of Ukraine, decrees of the President of Ukraine, the regulatory framework of relevant ministries and departments, and reporting and analytical information of the State Statistics Service of Ukraine; data from the World Bank, Eurostat, Global Web Statistics “Statoperator”; analytical reviews of international rating agencies Deloitte, IBM, e-Governance Academy, International Telecommunication Union, Ponemon Institute, etc.; internal documentation of banks and enterprises; research results.
Results
Current state of information security, index analysis
The digital business has created a new ecosystem in which partners add new business opportunities and new security threats. CISOs must strike a balance between what is needed in cybersecurity and the risks that each participant must take in order to be able to develop, with proper cybersecurity management (Burke et al., 2019). The input data that characterize the interdependence of the following factors were selected for the study:
- the level of information security of the country;
- the level of development of the country.
Stage 1. Let's define the indicators used to determine the level of information security of the country. To this end, a study of official sources in the field of information security and of the results of modern researchers in this field was carried out (Yunis & Koong, 2015; Jazri et al., 2018; Yarovenko, 2020; Warkentin & Orgeron, 2020; Bondarenko et al., 2021). As a result of the study, five indicators have been identified that characterize the individual components of information security, but together they can become the basis for identifying key issues and areas of information security (Fig. 5).
Figure 5. Information security indicators
Indicators that determine the state and prospects of information security at the macro level are as follows:
We propose to call the group of selected indicators that measure information security the indicators of the country's digital capability and cybersecurity.
Stage 2. Let's consider each of the selected indicators in order to identify problematic aspects of information security.
1) The Global Cybersecurity Index (GCI) measures the level of cybersecurity of states, as well as their readiness to prevent cyber attacks and cybercrime in five areas - technical measures, legal measures, organizational measures, capacity building, cooperation (GCI, 2020). According to the report, the top five included Britain, the United States, France, Lithuania and Estonia. The index indicators of these countries, as well as Ukraine, are presented in Figure 6.
Figure 6. The Global Cybersecurity Index (GCI) of the countries with the highest level of cybersecurity, as well as Ukraine (GCI, 2020)
The experts have referred Ukraine to the group of countries that are "maturing" in the cybersecurity sector. The analysis of the data presented in the table confirms the existence of unresolved cybersecurity problems in Ukraine and the need to improve the organizational, legislative and technical measures that have already been implemented in the leading countries, which have achieved a high global index.
2) The National Cyber Security Index (NCSI) 2020 ranked Ukraine 25th in the world (Fig. 7).
Figure 7. The National Cyber Security Index, Ukraine (NCSI, 2020)
The main problems of Ukraine in the field of national cyber security are:
The information security threats:
If we compare the ratings of the countries on the Global Cybersecurity Index (GCI) and the National Cyber Security Index (NCSI), the data show that most countries have above-average GCI ratings, while the vast majority have average NCSI values. So, obviously, the problems are related to the ability of the tools used by a particular country to overcome all kinds of cyber threats. Studies have shown that in general the state of the national cybersecurity system is fully consistent with the level of economic development of the country. That is, there is a direct impact of the level of development on the state of information security of the country.
3) The ICT Development Index (ICTDI) is an integrated indicator, calculated since 2009 on the basis of 11 indicators, which are grouped into sub-indices for three groups of processes: access to ICT, use of ICT and ICT skills. In 2018, the index was supplemented by three new indicators: subscriptions to mobile broadband Internet traffic, the percentage of mobile phone owners and the percentage of people with information and communication technology skills.
The index brings these indicators together as a single criterion that serves to compare the achievements of countries in the development of ICT and can be used as a tool for comparative analysis at the global, regional and national levels. The main goals of IDI are to measure:
The process of ICT development in conjunction with the evolution of the country on the formation of the information society is a three-stage model (Fig. 8).
Figure 8. The model of evolution of the country - the formation of the information society
According to the presented model, the formation of the information society includes the following stages:
Stage 1: ICT readiness - reflects the level of network infrastructure and access to ICT;
Stage 2: ICT intensity - reflects the level of ICT use in society;
Stage 3: Impact of ICT - reflects the effects / results of more efficient and effective use of ICT.
Studies show that mobile and broadband Internet traffic services are available in most European countries (Figure 9).
Figure 9. Availability of mobile and broadband Internet traffic services - by income level in Europe, 2020
Note: The prices in terms of adjusted monthly income per capita for the average, bottom 40 per cent and highest 40 per cent consumers are shown on the left vertical axis; every green square indicates a population decile that can afford a basket (price relative to adjusted monthly income is 2 per cent or less), conversely, every gray square indicates a population decile that cannot afford a basket.
* Data for Albania, Georgia, Moldova, Ukraine, Serbia and Turkey are based on consumption distribution.
Source: Price data from ITU and A4AI; income and consumption expenditure data from World Bank PovcalNet
As can be seen from Figure 8, the unavailability of services due to low incomes has already led to significant digital gaps, which inevitably affects the ability of countries to ensure their information security.
The reference mobile broadband basket was available to the entire population in 22 of the 40 countries covered. Despite the generally good state of communication in Europe, a large part of the population cannot afford broadband Internet traffic in the Eastern part of Europe: in Bulgaria and North Macedonia (40 percent of the population).
In Ukraine, about 30 percent of the population cannot afford any of the baskets.
4) The Networked Readiness Index (NRI) is a comprehensive indicator that measures the level of development of ICT and the digital economy in the world by 62 main parameters, which are grouped into four main groups:
The 2020 study made methodological changes to two subcomponents: trust (conceptually and significantly enhanced by the inclusion of indicators related to two aspects of digital trust: trust environment and behavior) and the contribution to the SDGs (redesigned so that each indicator is clearly tied to a specific SDG: good health and well-being; quality education; gender equality; affordable and clean energy; sustainable cities and communities).
A significant feature of the top 10 countries (2020) is that they are successful in most NRI parameters (Table 1).
Table 1. Leading countries in terms of NRI, top 10, 2020 (NRI, 2020)
Western European countries dominate the top ten of the ranking of countries with the most developed ICT and digital economy. Signs that distinguish the indicators of the economies with the highest rating:
Ukraine continues to be an outsider in the European region (+3 positions, 64th place out of 134 countries analyzed, or 49.43 points, while the average number of points in the European region is 64.21 points) (Fig. 10).
Figure 10. The Network Readiness Index, Ukraine, 2020 (NRI, 2020)
Ukraine is classified as a low-income country.
In the four main groups by which the analysis of countries was conducted, Ukraine took:
According to the level of achievement of the UN Sustainable Development Goals, Ukraine ranks 91st. The weaknesses of Ukraine include:
The strengths of the country include:
Thus, the indicators in the NRI (2020) are directly related to the level of income. This confirms the thesis of the direct dependence of the country's ability to ensure the appropriate level of information security on the level of economic development of the country.
5) The Digital Development Level (DDL) characterizes the level of digitalization of the country. This index is calculated as the average percentage that the country received from the maximum value of the "ICT Development Index" and the "Network Readiness Index". The comparison of countries by DDL and NCSI makes it possible to determine whether the degree of digitalization of the country corresponds to the level of its cybersecurity, which contributes to the formation of recommendations for adjusting the cybersecurity program (Fig. 11).
Figure 11. The Digital Development Level (DDL), Ukraine, 2020
The results of DDL analysis indicate the following:
Stage 3. Forming recommendations for adjusting the cybersecurity program.
The analysis showed a direct dependence of the country's ability to ensure an adequate level of information security on its level of development.
The crisis of the "digital divide" between countries is deepening in the world, and the threat to Internet security is growing. Thus, the “digital divide” that existed before the current global crisis has, as a result of the COVID-19 pandemic, exacerbated inequalities and drawn additional attention to the challenges of digital infrastructure, digital skills, security and safety in digital networks.
Ukraine is in dire need of systematic measures to transform the Ukrainian economy and effectively use the country's potential to increase the competitiveness of the economy and the welfare of the population.
Ukraine's weaknesses include: the quality of state institutions, political instability, imperfect legislation, including in the part related to the regulation of ICT activities, the low level of the internal market and the welfare of the population, which form the delayed demand for goods and services, including ICT services, as well as insufficient branching and innovation of telecommunication infrastructure, high cost of mobile phones compared to the income of the population, low possibility of using digital platforms in rural areas, etc.
Ukraine's strengths still remain the level of education of the population, namely: adult literacy, the percentage of those with higher education, the quality of education and the professional level of those involved in business; creativity and innovation; as well as e-commerce legislation, the possibility of adapting the legal framework to new technologies, ensuring gender equality, affordability of mobile services, ease of starting a business, e-democracy, the availability of innovative technologies and the number of patent applications in the field of ICT, the possibility of using large data, etc.
Thus, the main recommendations for Ukraine are:
1) modernize infrastructure, accelerate the transition to alternative energy, and expand access to energy resources and ICT;
2) pursue a state regulatory policy in the field of ICT that promotes digital transformation in the country and creates a competitive environment for telecommunications services, including broadband throughout the country at affordable prices;
3) promote digital innovation by preserving intellectual property rights;
4) ensure the increase of the digital potential and skills of the population, as well as of small business and the public sector, in terms of using the opportunities of digital technologies;
5) improve the legislation in the field of rail technologies and improve the formation of state policy in terms of the activities of the Internet of Things and the smart city;
6) ensure the protection and security of Internet connections, take care of the security of users on the Internet, especially children, and detect and stop any types of abuse (which are classified as criminal activity);
7) ensure the protection of personal data from misuse by both the state and the private sector;
8) ensure systematic monitoring and collection of accurate and up-to-date data on ICT activities.
The analysis revealed the existence of potential opportunities for Ukraine to develop various components of its information security.
Digitalization is a stimulating driver for the development of the national economy, and the formation of comprehensive mechanisms for information security will have a positive impact on national security in general.
The legal bases of information security in the context of digitalization
The specific features of digital transformations of technological processes in the conditions of digitalization to ensure the legal basis of information security are presented in Table 2.
Table 2. The digitization of processes of providing legal bases of information security in the country
| Processes, their properties | Transformation in the context of digitalization | The level of legal support |
|---|---|---|
| Degree of integration of processes and data | Availability of a single information space for continuous data exchange between different areas of activity, the use of Big Data technologies and artificial intelligence | Provisions of the Doctrine of Information Security. The document defines the national interests of the country in the information sphere. |
| Process virtualization | Creating electronic duplicates | Concept of information security of Ukraine. National Security Strategy of Ukraine. Information security strategy. |
| Data management | Continuous management of data about objects throughout their life cycle, including automatic collection, accumulation, modification and analysis of information, as well as the generation of similar data | The concept of information security of public administration. Development and implementation of a coordinated information policy of public authorities. |
| Process management | Continuous accumulation and analysis of big data (Big Data), including with the help of machine learning algorithms (Machine Learning); digitization makes advanced management possible | Ministries and other central executive bodies develop state target programs and other programs on the basis of sectoral strategies for the implementation of state policy in the areas of national security and defense in the manner prescribed by law. |
| Flexibility of processes | Operational interaction of geographically distributed entities via the Internet | Ensuring compliance of the regulations of ministries and other central executive bodies with the Law of Ukraine "On National Security of Ukraine" |
The legal basis of information security of the country includes the following components, according to the levels of legal regulation:
Thus, the basis of ensuring the information security of the country is the formed information security policy. Such a policy is based on theoretically applied and scientifically sound theories of its provision, of which there are currently many. The government adopts legal provisions on the basis of their theoretical justification, which leads to the emergence of relevant ministries and eclectic regulations.
Information security, as defined in the draft Information Security Strategy, is an integral part of Ukraine's national security, the state of protection of vital interests of man, society and the state, which establishes an effective system of protection and combating harm through the spread of negative information influences, including coordinated dissemination.
The legal basis for ensuring information freedom is informational legal relations. These are social relations regulated by law that arise in the process of interaction of subjects pursuing their goals: to meet their interest in having the necessary information, to transfer some available information to other entities, and to preserve such information and protect it from unauthorized influence by other parties.
To realize the interests of the subjects of public relations, the object of which is information, a necessary condition is a stable and secure functioning of the information infrastructure of society. The composition of the information infrastructure and the content of social relations that arise in connection with its use are determined by the level of development of society and its economic capacity to implement the results of scientific and technological progress. Figure 12 shows the components of the information infrastructure.
Figure 12. The components of the information infrastructure in the information security system
The modern information infrastructure includes the following components:
1) organizational and managerial:
2) technological
3) information
The legal aspects of such relations are due, on the one hand, to the significant social importance of these interactions, and on the other, to the difficulty of achieving the desired social result without the state. The information legal relations are directly related to the object of information security (Fig. 13).
Figure 13. The objects of legal relations in the field of information security
Thus, the objects of legal relations in the field of information security are: national values, national interests, national goals in the information sphere - the content of each of the selected objects is enshrined in legislation.
The legal basis of relations in the field of information security is the Constitution of Ukraine, the laws of Ukraine, the National Security Strategy of Ukraine, approved by the Decree of the President of Ukraine of September 14, 2020 № 392/2020 "On the decision of the National Security and Defense Council of Ukraine of September 14, 2020 'On the National Security Strategy of Ukraine'", the Cyber Security Strategy of Ukraine, as well as international agreements, the binding nature of which was approved by the Verkhovna Rada of Ukraine. At present, the Information Security Strategy has not been approved in Ukraine.
According to the Law of Ukraine "On Basic Principles of Cyber Security of Ukraine" (№ 2163), strategic management and coordination of cybersecurity agencies is entrusted to the National Security and Defense Council of Ukraine, which reports to the Center for Cyber Threat Response in the State Special Service. The latter should develop a comprehensive system of cybersecurity of strategic objects and monitor the activities of companies that audit such strategic objects.
The State Center for Cyber Attack Response is subordinated to the State Special Communications Service, and its unit, CERTUA, monitors and identifies potential cyber threats. The Cyber Police of Ukraine is responsible for the prevention and investigation of cybercrime. The Ministry of Defense and the General Staff provide protection for military facilities and critical infrastructure during war and emergency. The SBU prevents terrorist attacks in cyberspace and has the right to inspect critical infrastructure. The list of facilities belonging to the critical infrastructure is determined by the Cabinet of Ministers of Ukraine, and cybersecurity in the banking sector is taken care of by the National Bank of Ukraine. However, the law does not define the areas of responsibility between the various state and law enforcement agencies.
Despite Ukraine's relatively high NCSI rating, the National Security and Defense Council of Ukraine (NSDC) reported that as of August 2020, there were approximately 1 million cyber threats, including network attacks, network scan attempts, web attack attempts, phishing, distributed denial-of-service ('DDoS') attacks, and distribution of malicious software.
It is advisable to consider the experience of the most successful countries in the world in the field of information security. Foreign experience shows that the institutional and functional support of cybersecurity involves two main areas: the formation of cyberpolice units with expanded competence, and the establishment of National Cybersecurity Centers. The organizational measures to ensure information security that were carried out in economically developed countries include:
The technical measures include:
To ensure cybersecurity, the International Telecommunication Union (ITU) has developed a global cybersecurity program. According to this program, each state cooperating with the ITU must have a national computer incident response team - CERT.
Today there are 305 CERT teams in 66 countries. For example, there are 72 teams in the USA, 23 teams each in Japan and Germany, 5 in Lithuania, and 2 teams each in Russia and Poland. They coordinate the actions of state computer security units of state authorities, telecom operators, as well as other subjects of information infrastructure to stop violations related to unauthorized interference in the work of information, telecommunications and information and telecommunications systems and networks. Let us analyze the formation of a cybersecurity system in the leading countries of the world (Table 3).
Table 3. Experience of countries in the formation of cybersecurity
| Country | Characteristics of the cybersecurity system |
|---|---|
| France | Five main directions are introduced in relation to: general stability; fight against cybercrime; cybersecurity issues under the Common Security and Defense Policy; industrial issues; international policy in the field of cyberspace. An in-depth review of its defense and national security policies was conducted in 2008 and 2013 and new priorities were identified: preventing and responding to cyberattacks. In 2009, the French Network and Information Security Agency (ANSSI) and the National Information Security Agency were established as an inter-ministerial agency. This agency is part of the Prime Minister's Office and is a national body for the protection of information systems. |
| Japan | On June 10, 2013, the Information Security Policy Council adopted the Cyber Security Strategy of Japan. The strategy aims to develop "world-leading", "sustainable" and "dynamic" cyberspace and to transform Japan into a world leader in cybersecurity. The state body that regulates cybersecurity in Japan is the National Center for Information Security (NISC), which develops draft government standards for information security measures, formulates recommendations based on the results of cybersecurity assessments, and promotes cybersecurity measures. |
| South Korea | Prospects in the system of cyberspace protection in South Korea are: encryption for network access; creation of an intrusion prevention system (IPS); expanding threat resilience (APT); internet security. There are three institutions in South Korea to address cybersecurity issues: the National Cybersecurity Center; Korean Internet Security Agency (KISA); Cyber Terror Response Center of the National Police Agency. These agencies are responsible for detecting, preventing and responding to cyber attacks and security threats. In addition, a school specializing in cyberwarfare and training security experts has been established. |
| The United Kingdom of Great Britain and Ireland | The United Kingdom is the country with the highest global cybersecurity index. The UK uses two ways to tackle cyberspace vulnerabilities: disclosing the vulnerability so that it can be captured and benefit global technology users; maintaining knowledge of this vulnerability and using it in the future for intelligence purposes to disrupt the activities of those seeking damage in the United Kingdom. A board of leading world experts from three agencies (GCHQ, NCSC and the Ministry of Defense) has been established. The UK-established National Center for British Cybersecurity is the most efficient and fifth in the world. |
| Finland | The cybersecurity strategy was adopted in 2013. The National Cyber Security Center has been operating in Finland since 2014. Activities are aimed at ensuring security in cyberspace, providing guaranteed protection and access to users of information and communication networks of general and special communication, overcoming cyber threats. |
The analysis of organizational measures in the world's leading countries on the formation of cybersecurity shows that they implement appropriate cybersecurity measures, have their own strategies, defense and national security policies, created new agencies, national centers, teams to respond to computer incidents. Such organizational structures are able to coordinate the actions of state units of computer security of public authorities, telecom operators, as well as other subjects of information infrastructure and the team to respond to computer incidents - CERT.
For Ukraine, 2020 was a year of active initiation of cybersecurity reform (SSSCIP, 2021). One of the key goals for 2021 is:
In October 2020, the Government of Ukraine adopted two key regulations governing IP facilities (№ 1109, 2020) and CII objects (№ 943, 2020). In December 2020, the Government by its resolution (№ 1295, 2020) determined the order of functioning of systems for detecting vulnerabilities and responding to cyber incidents and cyber attacks. Basically, this procedure is aimed at establishing a system for responding to cyber incidents at state-owned facilities. With the transfer of banking services to an online format, risks and cyber threats have increased significantly. The response to this situation was the Resolution of the National Bank of Ukraine (№ 151, 2020), which defines the means of CII in the banking system of Ukraine.
For Ukraine, accelerating the optimization of the institutional system of cybersecurity is an effective tool that provides for two key areas: legal and organizational. The legal area consists in the initiative development of the necessary regulatory framework and its continuous improvement in order to form the relevant legal norms, which are reflected in the Cyber Security Strategy and the Law of Ukraine "On the basic principles of cyber security of Ukraine". The organizational area consists in improving the efficiency of responsible institutional structures (cybersecurity entities, ministries, other central executive bodies and civil society institutions) by increasing their capacity, eliminating duplication in the exercise of their powers, and joining forces under the auspices of the working body of the National Security and Defense Council of Ukraine, the National Coordination Center for Cyber Security, taking into account the best practices of international and European experience in this field.
Conclusion
This study examines the main aspects of implementing legal mechanisms for information security in the context of digitalization. It has been shown that the problems of ensuring the country's information security are related to the ability of the means used by a particular country to overcome various types of cyber threats. The studies have shown that, in general, the state of the national cybersecurity system is fully consistent with the level of economic development of the country. That is, there is a direct impact of the level of development on the state of information security of the country. The analysis shows that the most significant mutual influence is demonstrated by a group of indicators of the state's institutional capacity and a group of indicators of the digital capacity of the national economy and cybersecurity. A significant obstacle is the low level of information infrastructure of society, which is also due to the level of development of society and its economic capacity to implement the results of scientific and technological progress. The objects of legal relations in the field of information security are: national values, national interests, national goals in the information sphere - the content of each of the selected objects is enshrined in legislation. An important component of the development of legal and institutional support for cybersecurity in Ukraine is:
Conflict of interest
The authors declare no potential conflict of interest regarding the publication of this work. In addition, the ethical issues including plagiarism, informed consent, misconduct, data fabrication and, or falsification, double publication and, or submission, and redundancy have been completely witnessed by the authors.
Funding
The author(s) received no financial support for the research, authorship, and/or publication of this article