In early March 2022, a security expert found a way to strengthen Ukraine’s cybersecurity defenses by replacing one of the weakest links–passwords–with security keys.
Hideez CEO Oleg Naumenko saw a need early on in the war for a better authentication system for government agencies and critical infrastructure organizations. He asked Yubico for help deploying the security keys to the Ukrainian government.
“We needed to have a lot of keys to deploy but we didn’t have this amount of keys in our warehouse,” he said. “When we asked for help, we got a reply the same day from Stina.”
Yubico has distributed 10,000 keys currently and plans to donate 10,000 more.
Stina Ehrensvard, CEO and founder of Yubico, said the collaboration with Hideez and the Ukrainian government combined smart card tech with FIDO security keys to create one access point for all services.
“With a smart card you can log on to PCs, but you can’t log into G Suite or Twitter or cloud services, so we added both functionalities on the same key,” she said.
The Hideez authentication server now supports smart cards, FIDO authentication and YubiKeys. The keys are in use at many organizations, including:
- SSSCIP, State Service of Special Communication and Information Protection of Ukraine
- Ministry of Digital Transformation, heading IT modernization and next generation of government e-services
- Government owned energy companies and power plants
- Ukraine’s .UA domain managing organization Hostmaster.UA
A cybersecurity executive at a Ukraine energy plant said in a blog post on the Yubico site plant operators could not rely on legacy or mobile-based authentication because of the advanced types of phishing and man-in-the-middle attacks, as well as the overall volume of cyberattacks.
“An important aspect of the YubiKey is that it is built as a multi-purpose and multi-protocol device, which allows us to use the same authenticator for PC login, VPN access, cloud-based productivity, email systems, ERP system and mobile applications,” the executive said.
Workers at the plant had been changing their passwords daily as an additional security measure and due to the stress of working in a war zone.
“The YubiKeys significantly increased the security and also made access across many IT systems faster and easier, which has been a tremendous relief to our employees,” the executive said. “We believe YubiKeys are as important for our cyber defense as the bullet proof vests that are protecting the soldiers and others that are on the front lines of the ground war.”
Ehrensvard said 2FA via text messages and authentication apps are not strong enough to withstand the current level of cyberattacks.
“We started this work 10 years ago, and this is the evidence that we have developed something that works, that is scalable and that makes a difference,” she said.
Stolen credentials are the biggest single problem in internet security, and the same is true during a war, Ehrensvard said.
“Half of the war is in the physical world and half is in the cyber world, and if heating systems and communications systems go down, a country will not function,” she said.
Deploying security keys in a war zone
Hideez is a cybersecurity company that specializes in authentication and identity management. The Hideez Key is an all-in-one digital key for wireless authentication, password management and RFID locks. Naumenko started the company when his bank account information was stolen along with his savings. Hideez has offices in Virginia and a development office in Kyiv.
Yuriy Ackermann, vice president of war efforts at Hideez, said Yubico engineers have worked closely with his company and Ukrainian officials.
“We are dealing with very stressed out people and the Yubico key fits perfectly within this context,” he said, particularly given the legacy technology government agencies use.
Hideez worked with Ukraine’s State Service of Special Communications and Information Protection of Ukraine to certify the YubiKey 5 Series for use in government agencies.
Oleksandr Potii, deputy chief of SSSCIP, said in a blog post on Yubico’s site that his agency expedited a normal six-month plus certification process to get the YubiKey 5 Series validated for use across all Ukraine government and military agencies and their employees. The agency is also deploying 3,000 Yubikey for its staff to use in the electronic document management system.
The SIPCC had a security policy framework in place for government ministries and agencies which guided the deployment of the keys.
Ackermann said deploying the keys requires some user training, especially for people who are accustomed to using passwords. Hideez and Yubico engineers streamlined the enrollment process to make it easy to roll out.
“The key uses an on-device pin code and this is a huge benefit because users just need to remember the pin,” he said.
Ackermann said that traditional cybersecurity measures can be very expensive while the Yubico keys are not.
“The reality is the defense for authentication is far more critical and it is not such a huge expense,” he said. “This work will be a great example of how you develop great defenses.”
Ackermann said that people are starting to realize that the current state of constant cybersecurity warfare around the world requires a better solution than passwords.
“When we are assessing future security policy, passwords are not only bad for security in general but they’re actually going to cause more problems as employees struggle a lot more under pressure,” he said.
Ackermann said that the war in Ukraine has put cybersecurity work in a completely different context when this expertise is vital to defend national security.
Oleg said life in Ukraine changed completely on Feb. 24, 2022 when he woke up to a loud explosion. Despite losing homes, jobs and even family members to the war, Ukrainians are determined to defend and rebuild the country, he said.
“We have a huge aim to make a new life and a new country in Ukraine,” he said. “A lot of companies are changing their business model as they start thinking about how to build a new country.”