Ukraine has begun moving sensitive data outside its borders

Ukrainian government officials have begun storing sensitive data outside the country to protect it from Russian cyber and physical assault, and are negotiating with several European nations to move more databases abroad.

Since the start of the war, around 150 registries from different government ministries and offices, or backup copies of them, have been moved abroad or are in discussions to be transferred, said George Dubinskiy, Ukraine’s deputy minister of digital transformation.

Previously, much of the government’s information trove was held in data centers in Ukraine, and needed first to be moved to the cloud before backup copies could be transferred, he said. The government prioritized important databases to move from old legacy data-storage systems, and created copies of those registries for storage in clouds outside Ukraine, he said.

“To be on the safe side, we want to have our backups abroad,” Dubinskiy said.

Moving databases to the cloud adds a layer of security because government officials can still access it even if a data center in Ukraine were demolished by Russian weapons, he said. The government specified legal and security provisions to help protect the databases from cyber and other threats, he added.

In the early days of the war, for instance, a government data center was damaged by Russian missiles, Dubinskiy said. But no data was lost because backups were available.

“It definitely was a red flag for us that we have somehow to save and secure our critical data storages,” he said.

That threat has been overt since the invasion began. Russia struck a military base outside Kyiv on Feb. 24, the first day of the invasion, and has attacked Ukrainian government buildings since. Last month, the U.S., U.K., European Union and other countries blamed Russia for a cyberattack on a satellite-communications company the very day of the invasion, which took down internet service for thousands of Ukrainians and Europeans and disrupted remote-control systems for wind farms in Germany.

Russia has consistently denied launching cyberattacks. But its siege quickly crystallized the Ukrainian government’s thinking on data protection: “In case of emergency, we need to make sure our IT systems continue operating,” Victor Zhora, deputy chief of the country’s State Service of Special Communication and Information Protection, said last month.

Ukraine is already storing some government data in Poland, in a specially designed private cloud, Dubinskiy said. He declined to elaborate on the technology, but said the server hosts only Ukrainian information, and Ukrainian and Polish officials tested it together. He is working on similar arrangements with other countries, including Estonia and France.

Dubinskiy’s office gave priority to “VIP” databases—those necessary to support Ukraine’s economy—to be moved first. Even during war, services for citizens, such as digital identification, need to continue and the government needs access to tax data and other information, he said.

“We’re responsible for the personal data of our citizens, we’re responsible for all sensitive data,” he said. Whatever the cost, “it’s a question of security.”

Governments risk losing data completely or having it manipulated by hackers if they keep only one copy, and the physical and cyber risks only increase during a war, said Chris Kubecka, a cyberwarfare specialist at the Middle East Institute, a think tank in Washington.

“If someone attacks that single point of failure, well, great, fantastic for them. But not for you, the government. It’s become a serious problem,” said Ms. Kubecka, who visited Ukraine in the early weeks of the war, in part to consult on cybersecurity.

How a government classifies data and determines what is sensitive or risky can change during war, Ms. Kubecka said. Russia could use Ukrainians’ personal data in malicious ways for strategic goals in regions it wants to take over. For instance, information on individuals could make it easier to track their movements and contacts.

Transferring sensitive government databases abroad entails reviewing legal and security requirements for protecting data, such as the level of encryption, Dubinskiy said. Some government registries are massive, with around 1.5 petabytes of data, and officials in some cases spent weeks designing a data storage system, testing it, then adjusting it, he said.

Government officials overseeing the moving of data abroad need to consider whether they can trust the telecommunications networks enabling them to sync data kept in the cloud, Ms. Kubecka said. They should also clarify with their counterparts in the host country whether domestic cyber defense teams would step in to assist in a cyberattack, she added.

That process could be expensive, and would require additional support staff to oversee exported data. “It’s not an overnight thing,” she said. Wall Street Journal