Clay Basis of Information Security
This is the third month of discussion of a paper that, in terms of its purpose, has the potential to become one of the significant documents in Ukraine’s national security system: the Information Security Concept. Developed by the Expert Council on the Elaboration of the Information Security Concept and Development of the Information Space of Ukraine, created under the Ministry of Information Policy and consisting of civil servants, scientists and public activists, the paper was published on 9 June 2015 on the website of the Ministry of Information Policy of Ukraine.
In July the OSCE Office of the Representative on Freedom of the Media published its recommendations on the Draft Concept. The OSCE experts believe that some provisions of the Concept may limit the freedom of speech, while others have vague wording. The Minister of Information Policy, Yuriy Stets, said that the Draft Concept will be improved taking the OSCE’s recommendations into account.
Meanwhile civil society keeps discussing the draft. On 7 July a round table was held in Kyiv, the first of a series of round tables in oblast centres. Some Ukrainian specialists (e.g. Diana Dutsyk, Yuriy Sheliazhenko) have also offered their ideas on modifications to the Information Security Concept. They think the current version of the paper is immature, does not take into account the real needs and problems in the domain, and may also become an instrument for restricting the freedom of speech in Ukraine.
The Information Security Concept, in terms of its purpose, has the potential to become one of the significant documents in Ukraine’s national security system, since it lays the basis and framework for further public policy. But does this basis correctly outline the future construction? Will it be firm and trouble-free, or will it fail at the first attempt to build walls of any kind? Is the criticism of the paper justified; and if so, what can be done to fill it with correct and useful content?
Information security matters have been consistently ignored by the Ukrainian State for all 24 years of its existence. No doubt, the elaboration of the Draft Information Security Concept, even the very political decision to do this, is a step up. The drafting working group did all it could given the tight timeframe. But even a brief overview shows that the draft is immature and there is still much work to be done in order to make it politically, practically and theoretically significant and, most importantly, capable of changing the situation in Ukraine for the better.
I am not going to repeat here the paragraphs of the OSCE’s recommendations (but I believe that they should be implemented completely, since they are absolutely reasonable), nor the recommendations expressed by Telekritika’s Executive Director Diana Dutsyk; I would like to add some details.
I think the Draft Concept has the following key defects:
- Unclear purpose of the paper. It intends to change what? What is its practical advantage? What kind of need does it meet? The answer to this question will define the content of the paper’s sections.
- The interests of the citizen, of the society, of the State in the information domain are not defined. This is a serious methodological mistake, since the threats and public policy tasks are made based on the interests. The paper loses its integrity and consistency without them.
- The definitions of terms only partially conform to present-day political science.
- There is confusion between the principles and tasks of the public policy.
- The list of threats is rather short, and there is no link to the interests. Some of the threats are defined in such a way that they may undermine democratic values. Some of the threats are defined by means of a ‘negative’ characteristic; this is unclear and leaves a vast field for unrestricted interpretation.
- At the strategic level the Concept entrenches the administrative mess and does not provide for the construction of an efficient system of public administration in information security.
So it is obvious that the current version of the Concept cannot become the framework for the creation of the State’s information security system, or the basis for threat-monitoring mechanisms, political decision-making and implementation of information security public policy. A wider range of competent persons needs to be involved to finalize it, and the task of the Expert Council and the Ministry of Information Policy is to organize this process properly.
At the moment there are doubts about the efficiency of the chosen method of public discussion. It is obvious that every section of the Concept is a separate range of complex strategic issues, and the paper has to reflect the public consensus on these issues. As a matter of fact, the wide expert discussion of the Concept’s provisions should have taken place AT THE STAGE of drafting and not AFTER. This was not the case, and the Expert Council, when addressing these strategic issues, relied on its own vision and experience; otherwise the paper would have had more concrete and useful provisions. The draft discussion focuses mainly on the regional round tables (only one event was held in Kyiv, and it was attended by some civil society experts and civil servants), though it was obvious that separate discussions of separate blocks of issues or sections of the Concept with competent participants would have been more efficient.
There is a high risk that a discussion organized this way will not produce useful recommendations, will leave out many actors who must be involved, and will not lead to a thorough, high-quality finalization of the draft paper.
I had the honour to be involved in the work of the Expert Group as a consultant, and I expressed my thoughts and remarks both during and after the elaboration process. But the discussion of the paper must be public, and everything we say must be public as well. So now I am expressing my reasons and ideas, so that some of my colleagues may offer something better, and so that our voices sound stronger and eventually lead to the Concept being finalized and supplemented with important modifications that reflect our common position.
So I recount my arguments and remarks to each of the mentioned problems and also give my vision of solutions (and specific changes to the draft where it is possible).
Problem 1. Unclear purpose of the paper.
This strikes the eye of many readers of the draft. The OSCE notes this as well.
Any political decision (and the adoption of the Concept is one) originates from a need and has to cause or prevent changes. Its efficiency is measured against this. So the main question of many experts is: what does the Concept intend to change? What is its purpose? What need would it meet?
The Concept’s text gives three versions of answer:
- Preamble: “to arrange conditions for the development of such a potential of information domain of Ukraine that…”
- Article 1: “to ensure information sovereignty” and
- “to define approaches to the protection and development…”
The first two variants are not correct, because this is the overall purpose of the public policy, not of a document. The third one is correct, but I doubt that it reflects the real need in the information security domain.
I can only express my position based on the scientific research of information security public policy. I defended my dissertation not too many years ago, and its conclusions are still up-to-date, moreover the time gives new corroborations to them.
Researchers use the term ‘system for information security’. This is the set of public authorities and their actions aimed at ensuring information security. To be efficient, the system needs to understand the following points:
I. WHAT is to be protected, that is to say what kind of interests the State, the society, the citizen have in the information domain;
II. WHAT are the threats to the interests;
III. WHAT the public authorities do to neutralize these threats, and
IV. HOW they do this.
These points have to be a subject of the wide dialogue, consideration, and to result in a social consensus set forth in a political document. The next step is to create an efficient public management of information security.
Throughout the history of modern independent Ukraine this consideration has been inconsistent, and its results have never been recorded in any doctrine documents. So neither interests nor threats were set forth; consequently, nobody could monitor these threats, let alone respond to them. Threat monitoring, response and subsequent decisions are a huge volume of work to be performed by the State. But first the strategic decisions must be made.
Logic suggests that the purpose of the Concept should be: to lay the foundation for the operation of the system for information security of Ukraine. For this, the Concept should set out the strategic vision of interests, threats, tasks and methods of information security public policy, as well as lay the foundation for the efficient management of information security.
But this is my opinion only; it does not claim to be the common consensus that I am talking about. As a matter of fact, the first step should be:
Recommendation: to have the discussion about the mission of the Information Security Concept between the scientists (political sciences, national security, journalism), civil servants (at the level of ministers, senior executives of the National Security and Defence Council and the Security Service of Ukraine) and civil society experts.
This does not mean that the paper should be given a makeover. But the correct formulation of the paper’s purpose will show which of its parts need more details.
Problem 2: Methodological mistake: the interests are not defined.
It has been mentioned above that the interests form the basis of a security system. If we do not have any interests, what can threaten us? And what are the tasks of the public policy as regards a non-existent thing? (It should be noted that the authors of the draft do understand this; at least, the term ‘information security’ and the basic approach (Article 4) are based on the information interest, and this is right.)
The Draft Concept has exactly three paragraphs about information needs and interests, and they are couched in general phrases. So the paper loses its logic. What were the authors reasoning from when they defined the threats and tasks of public policy?
Obviously, Article 6 about the interests should be significantly broadened and refined. For example, as a citizen of Ukraine I do not have need for ‘producing of strategic content’ (as the authors believe). But I have need for:
- freedom of expression of my thoughts in convenient manner unless they insult others;
- obtaining of full and truthful information about the developments in the world in the language that I understand;
- access to the pieces of domestic and world culture in the language that I understand;
- access to the information about the activities of public authorities;
- protection against manipulation, ability to distinguish the truth from the lie.
And this is only the beginning of the long list of my needs that, I believe, are similar to the ones of the majority of Ukrainians. At first, this kind of a list must be made, and then there should be a list of matters that may limit the fulfillment of my needs and therefore threaten my information security.
Specific interests lead to specific vision of risks and tasks of public policy.
A similar list of needs should be made for society at large and for the State. But this is another huge piece of work to be done, and consideration at the Expert Council level is not enough; a separate wide discussion is needed.
Recommendation: to have the discussion between the scientists (political sciences, national security, sociology, interethnic and interdenominational relations, journalism), civil servants and civil society experts in order to define the list of information needs of the citizen, the society, the state. Based on the discussion results, to reconsider the definition of information security threats and public policy tasks.
Problem 3. The definitions of terms only partially conform to the current state of scientific discussion.
I am saying this as a person who has scrutinized piles of different approaches to the definition of various notions in public policy and information security. This concerns all terms set forth in the Concept, without exception: they must be checked for compliance with current approaches of political science.
I am not saying that they are erroneous, quite the contrary, I think some of the wordings are very neat and topical (it is natural given that Georgiy Pocheptsov, one of the most respectable Ukrainian political scientists, is a member of the Expert Council). But we cannot be sure until the scientists bring in their verdict.
Until then I would like to give some observations about some of the terms:
Information sovereignty is scientific nonsense. Yes, I promised not to repeat the OSCE, but… The 21st century keeps erasing state borders, which makes the very idea of sovereignty idle; so applying this term to the information space, which has no boundaries by definition, is nonsense, and any political science post-graduate aware of current scientific discourse will confirm this. I know that there are some political issues that make the colleagues keep this term in the paper. But if these reasons were stronger than scientific common sense, this is going to be a shame at the least.
National information product. I attended the Expert Council’s discussion of this term; this definition, to put it mildly, is imperfect, and this is obvious for everybody. It is impossible to define this term in one sentence, we need a complex and vast methodology (like in Canada, France, UK). So the normative document should better skip this definition rather than give the incorrect one.
Sustainable development is not a state (condition) as defined by the Concept but a process. The Concept’s definition of the development is practically identical to the definition of the information security.
Recommendation: to create a working group or to have the discussion with scientists (political sciences, national security) to harmonize the Concept’s terms with the recent achievements of political science (in particular, in matters of security).
Problem 4. Confused principles and tasks of the public policy.
This is about Article 5 of the Concept. If the ‘supremacy of law’ is a principle, then the ‘harmonization of Ukrainian legislation with international law’ is rather a task of public policy.
Recommendation: to reconsider the wording of Article 5 and delete the clauses that repeat the tasks of public policy in information security.
Problem 5. Definition of threats: incomplete list and undemocratic elements.
The first glaring point: the list of threats is ridiculously short. The list of information and psychological threats (I leave commenting on cyber-threats to more competent specialists) has 5 items. (Compare: the Russian list has 35 items.)
The list had no place for such threats as:
- escalation of interethnic and interdenominational conflicts;
- information segregation, and gender, age, ethnic and other discrimination;
- low availability of Ukrainian producer of information product in the national market;
- limitation of access to media and Internet;
- vulnerability/sensitivity of citizens to manipulative influence as a result of low media literacy;
- existence in the Ukrainian society and purposeful dissemination by interested subjects of the myths and stereotypes incompatible with the independent Ukrainian state and democratic system;
- limitation of legal access of citizens to the information about activities of public authorities;
- inactivity of public authorities in terms of responding to information threats;
- insufficient synergy and coordination of the efforts of the state, media and civil society in terms of information security upgrading.
And this is nothing but the beginning of the list of ‘forgotten’ risks.
Maybe they would have been remembered if the drafting process had started from the definition of interests. And maybe once we set forth the interests, we will be able to improve Article 8 radically.
The OSCE’s conclusions mentioned the provisions that may be interpreted as undemocratic. Are there any such provisions in fact?
Let’s consider clause 3 of Article 8, setting forth the information and psychological threats. I will take the liberty of quoting at length.
3a. external negative information influence on human and public consciousness through mass media and the Internet, exerted to the detriment of the state with the aim of:
- attempting to alter an individual’s mental or emotional state, their psychological and
Wording a threat as ‘negative influence’ is a tautology. Article 8 is supposed to tell us clearly which influences we should treat as negative and which not; what exactly should be treated as negative, that is, as a threat, is still unclear. WHAT IS THE THREAT TO THE STATE?
Clause 3a is one of those novelties that the OSCE specialists wrote about. The wording is logically idle and at the same time gives substantial ground for undemocratic interpretation.
Moreover, it has other mistakes: the impact on the subconscious, non-media channels of influence, etc. The psychological and emotional condition of a human is changed by each and every media product, but this does not make it threatening. Otherwise we would find art to be menacing: from soap operas (because they make us cry) to the National Anthem (because it makes us excited and inspired), as well as broadcasts of sports events.
- controlled influencing of the freedom of choice by cultivating a culture of violence and cruelty, insolence and contempt for human and national dignity, inciting religious, racial or ethnic hatred and discrimination based on any ground such as ethnic origin, language, religion, etc.;
- calling for separatism, overthrow of the constitutional order or violation of the country’s territorial integrity;
The focus on ‘freedom of choice’ (which one? political? geopolitical? Is canvassing ‘controlled influencing’?) is strange, but this is not the point. These two paragraphs repeat other Ukrainian legislation and do not bring anything new to information security policy.
b) information influence upon the Ukraine’s population, including military personnel and mobilisation reinforcement pool, to impair defence readiness and undermine the image of service in the military;
c) dissemination of corrupted, unreliable and prejudicial information by subjects of information activity to discredit public authorities and destabilize the social and political situation, significantly complicating political decision making, inflicting harm on national interests or creating a negative image of Ukraine;
These two paragraphs need substantial reformulation, because the opportunity for wide interpretation and undemocratic use is obvious. It is evident that reporting corruption in the army may fall under clause b), and any opposition press is definitely covered by clause c).
What is wrong with these wordings? Firstly, once again there is no definition of what should be considered a negative consequence. This is unacceptable for a security doctrine document: by definition it must dot the ‘i’s and cross the ‘t’s of WHAT is negative and WHAT is not. Instead we allow the State to struggle against the ‘negative’, but its very meaning is still not defined, which means that it may be interpreted however the authorities, current or future, like, and it could be much worse.
I am not going to quote clauses d) and e), I would just say that the former – about the risks of the freedom of speech limitation – is more or less correct (skip the minor changes), and the latter repeats again the current national legislation related to counteraction to terrorism activity.
Recommendation: brush up Article 8 so that it contains a more extensive list of information security threats based on the definition of information interests; eliminate the ambiguous interpretation of the Concept’s articles and their harmful use against the democratic system. In this respect the OSCE’s recommendations, among other things, should be implemented.
Problem 6: Public administration in information security: the Concept is aimed at chaos preservation
If the development of the Concept had begun with a comprehensive analysis of the problems and needs to be addressed, the need for efficient public management of information security would have been among the first to be mentioned.
At the beginning of 2014, various information security functions were performed by at least seven public institutions: the National Security and Defence Council, the Security Service of Ukraine, the Ministry of Culture, the Ministry of Education, the MIA, the MFA, the State Committee for TV and Radio Broadcasting; and even the State Committee for Cinema and the Ministry of Defence can also be mentioned here. The distribution of powers between these institutions in information security was inefficient: their powers often overlapped, while on the other hand whole blocks of functions were left without any proper execution. There was no coordination of the information security activities of these structures, no strategy or doctrine for this activity, no political will. None of the institutions had proper monitoring of threats; none of them accumulated data about the state of the information space to identify those threats or produced political recommendations for counteraction. The analytical functions were dispersed between the staff of the National Security and Defence Council, the Administration of the President, the secretariat of the responsible parliamentary committee and the National Institute for Strategic Studies, resulting in very low efficiency.
The situation became more complicated in 2014 because the Ministry of Information Policy was created. I say it became more complicated because, instead of the concentration of information security management functions in a critical situation, we observe dispersion.
Since the very beginning of the war with Russia it was vitally important to organize the efficient management in the information security system. That is:
I) to revise and redistribute the information security management functions in order to enable proper planning, monitoring and implementation of public programs in this domain;
II) to define/create (on the basis of the National Institute for Strategic Studies or the staff of the National Security and Defence Council) the institution responsible for monitoring threats in the information space and for producing recommendations for public policy based on the monitoring results; to provide this institution with the resources and methodological framework for its operation;
III) to concentrate the information security powers within one institution (the National Security and Defence Council, the Security Service of Ukraine or a new special body), to provide this institution with the resources and methodological framework for its operation, and to define the mechanisms of its cooperation with other public authorities involved in the implementation of information security public policy.
This requires lengthy and complex work that has not been done. So it is quite naïve and wrong to expect the authors of the Information Security Concept to set forth in Section III a new model of information security public administration; it is not up to them to decide. But they were obliged to set out the creation of such a model as one of the strategic tasks of the public policy.
But they chose another way. Feeling that they risked stirring up a complex and politically sensitive problem, they simply dodged the question. The current Draft Concept preserves the existing inefficient model of information security management, tolerating the chaos and confusion between the public authorities at the doctrine level.
Let’s review the draft’s text.
The list of information security actors is set out in Article 9. Many naturally object that the first paragraph mentions the citizens of Ukraine and civil society. But I do not share this criticism: information activity is performed both by the State and by citizens, and we are talking about public policy as distinct from the policy of other actors. This doctrine regulates public policy but mentions other actors that implement their own policy as well. In terms of political science I see no contradiction.
I would like to mention Article 10, which should have set out the powers of the different public authorities in information security. The paper’s authors paid attention to the Ministry of Information Policy (encoded as “special body…”) and the National Security and Defence Council in order to separate the threat-response functions from the information-space development functions. This seems to be the only useful point, while the rest of the text lacks concrete provisions and leaves the information security management system as vague as before.
Suffice it to say that the MIP and the National Security and Defence Council are the ONLY public authorities with defined functions. The list of institutions involved in the implementation of information security public policy is given in three (!!!) paragraphs from different angles: paragraphs 2, 4 and 5 of Article 10. In addition to the MIP and the National Security and Defence Council, the paper mentions seven public authorities and gives no hint about their place in the information security system or the coordination between them and other bodies.
Paragraphs 2-8 of Article 11 give details about the MIP’s powers, but I would like to note: only paragraph 2 has anything to do with information security public policy, and it fully repeats the powers of the National Security and Defence Council defined in paragraph 4 of Article 10.
- paragraphs 3, 4, 5 define the MIP’s powers in the information activity of public authorities;
- paragraphs 6, 7, 8 are about the MIP’s powers in the system of public information policy;
That is to say, paragraphs 3-8 of Article 11 of the Information Security Concept do not address the State’s information security but peripheral issues.
Recommendation: to change Section III in accordance with the OSCE’s recommendations. To define the creation of an efficient system of information security public administration as one of the strategic tasks of the public policy within the Concept. Either not to set the distribution of functions of public authorities in the information security system, postponing this until the political decision about the distribution of powers is taken; or to set the key model of powers distribution and coordination mechanisms (but this requires meetings with representatives of the involved institutions and negotiations about the possible redistribution of powers, and this has not been done so far). To delete the provisions of Article 11 not related to information security and to consolidate the MIP’s powers in one article (paragraph 3 of Article 10).