The Zelensky government’s “state in a smartphone” model of digital identity and governance, once a source of pride and inspiration for other countries, has become a source of derision.
Regular NC readers are by now no strangers to Ukraine’s “state-of-the-art” Diia (Ukrainian for “action”) digital governance and identity system. For those who are, a quick recap: In December 2022, we reported that Ukraine’s Volodymyr Zelensky government was trying to digitise just about everything it could, including most government services and bureaucracy, even against a backdrop of war, rolling blackouts and internet outages:
Ukraine may be suffering a rising wave of rolling power blackouts and internet outages as the proxy war between Russia and NATO intensifies, but that doesn’t seem to have crimped the Zelensky government’s ambitions to transform the country into a digital wonderland. In the past week alone, Ukraine’s central bank unveiled plans for a digital E-hryvnia and Kyiv signed a digital trade agreement (yep, they do exist) with the United Kingdom.
USAID Funding
In January 2023, Samantha Power, then administrator of Washington’s soft power arm, USAID, speaking at Davos, heralded Diia as “a great anti-corruption tool” and unveiled US government plans to replicate the “success” of Ukraine’s e-governance app in other countries around the world — including, presumably, the United States itself. As the promotional video below shows, Diia was developed “with support from USAID”.
We called this out back in early 2022 alongside @SikhForTruth @TruthTalkMedia regarding the Digital Transformation of #Ukraine & its Dia platform being heralded as a template for other nations. pic.twitter.com/S8BtGCcIyT
— STOPCOMMONPASS 🛑 (@org_scp) January 20, 2023
Ukraine’s digitisation of government services predated the conflict with Russia, but in the eternal spirit of never letting a good crisis go to waste, it was significantly expanded once the hostilities began.
The purpose of Diia was not just to digitise public services but to automate, outsource and privatise them, as Ukraine’s Minister of Digital Transformation and Deputy Prime Minister Mykhailo Fedorov told the WEF’s 2021 class of Young Global Leaders, of which he is a graduate:
The Government needs to become as flexible and mobile as an IT company, to automate all functions and services, significantly change the structure, reduce 60% of officials, introduce large-scale privatisation and outsourcing of government functions. Even in customs. Only such a Government will be able to bring about quick and bold reforms to rebuild the country and ensure rapid development.
Then, in May 2023 we picked apart a shamelessly gushing article by the United Nations Development Programme, another financial backer of Diia, about Ukraine’s accelerating war-time digital transformation:
Despite being plunged into war, Ukraine is forging ahead with a comprehensive re-think of how business is conducted, and how Ukrainian people interact with each other and with their government.
“We are building the most convenient digital state in the world — without corruption, without bureaucracy, absolutely paperless, and open for everyone,” Ms. Ionan [Ukraine’s Deputy Minister of Digital Transformation] says.
The online portal and a mobile application for public services is called Diia, which is Ukrainian for ‘action’.
It aims to move all public services online, cover the entire country with internet access, close the gender and generational gaps in digital literacy, and make Ukraine the most welcoming country in the world for IT companies.
Inconvenient Consequences
That dream has withered already. Ukraine cannot muster much of a welcome for IT companies: not only is it on the verge of losing its NATO-led proxy war against Russia while suffering regular nationwide blackouts, but large parts of its Diia system are down after being hit by a massive Russian cyber attack in early December. It is as yet unclear how much of the data held on the system has been compromised. But needless to say, the consequences for Ukrainian citizens appear to be anything but convenient, as the Kyiv Independent reports:
At the start of December, Ukrainians suddenly found themselves unable to sell cars, file legal claims, or register marriages through the state’s recently digitized government registries.
The Justice Ministry on Dec. 19 formally announced that a Russian hack had taken a laundry list of critical government databases that had been put under the Justice Ministry offline. The databases contain sensitive information from property ownership to biometric data to tax records.
Relevant Ukrainian offices quickly called it an act of war from Russia. “The information space is one of the key directions of the enemy’s attacks,” wrote the State Communications Service, the national cybersecurity agency, in a statement provided to the Kyiv Independent…
XakNet, a hacking group previously tied to Russian intelligence, took credit for the attack, posting on Telegram data they claim to have hacked from the Ukrainian civil registry. The hackers claimed to have deleted at least some of the registry data…
XakNet hackers also claimed to have destroyed backup data in servers in Poland. In its message the hacker group mocks Ukraine’s government, saying: “It’s very telling to store government data on foreign storage — that’s what independence Ukrainian-style looks like, apparently.”
A December 20 article published by RBC Ukraine suggests that the impact of the cyberattack on the basic functioning of the Diia app was extensive, with over 20 of the app’s services left “temporarily unavailable, including worker reservations, business registration, online marriage registrations, property ownership services, vehicle re-registration, ‘eRestoration’, ‘eHousing,’ and many others.”
Given the Zelensky government’s ambition to do away with all old-fashioned, paper-based bureaucracy in its mad rush to create the perfect paperless state, it would be interesting to know whether it left in place analogue backups for these bureaucratic processes.
Ukraine’s Justice Ministry recently insisted that all of its state registries were ready to operate but that access to some registers was still limited, as their data still needs to be updated. Access to government services through the Diia app would be available in the near future, it said on Jan. 20 — over six weeks after the initial cyber attack. On January 23, UNN reported that it is now once again possible to obtain a preferential mortgage and change your place of residence online through the Diia app.
“We are working to restore all services in the app and on the portal,” said Fedorov.
Crumbling Public Trust
But the hack is likely to further undermine public trust in the Zelensky government. As even the New York Times reported recently, the high popularity that the Ukrainian president enjoyed in the early days of the Russian invasion, with an approval rating of about 90 percent, has dipped badly in recent months. Of course, given that Zelensky’s government has cancelled elections for as long as the war goes on, this doesn’t matter much.
But Ukraine’s reputation as a pioneer in digital governance is also under fire. For the first time since the Diia system’s launch in February 2020, media in the country and abroad are beginning to question the wisdom of digitising government services so quickly and then centralising the system and data into a single digital portal under the control of just one government department, the Ministry of Justice. What was once a source of pride for the government is fast becoming a source of derision.
Just six months ago, the industry publication Biometric Update reported that Diia was continuing to attract all the right sort of attention, especially from US-based organisations. Ironically, the Center for Strategic and International Studies (CSIS), a highly influential Washington-based think tank, even touted Diia as an example of how digital public infrastructure can make government registries resilient against crises like war. Last week, Biometric Update reported that Russia’s hack of Diia had revealed “flaws in the system”.
In its article, the Kyiv Independent warned that the hack posed a major informational threat, highlighting how vulnerable government and Ukrainians’ personal data is to cyber attacks:
In pushing to digitize its services quickly, the government also may have taken shortcuts that opened the door to digital onslaughts. Attacks of these kinds also erode public trust in the government, experts say.
The core problem, as (cybersecurity specialist and frequent coordinator of Ukrainian hackers, Karla) Wagner, diagnoses, was the pace at which Ukraine rewired systems ranging from passports to tax payments into a single digital portal, all under the auspices of the Justice Ministry, in order to show positive results to foreign observers.
Presumably this is in reference to Diia’s armies of financial backers, including USAID, the UN Development Programme, the Swedish government, and the European Union, as well as the US tech giants that were closely involved in its roll out, including Amazon Web Services, Apple and Google. As Ukraine’s Minister of Digital Transformation and Deputy Prime Minister Mykhailo Fedorov proudly admitted in December 2022, Google is effectively running (or at least was) large parts of Diia:
“Google services have become our infrastructure. The tools provided by the company allowed the Government to function quickly and efficiently despite the shelling and constant threats of cyber attacks. In addition, Google ensures protection and security of Ukrainians’ data and promotes development of our entrepreneurs.”
That protection and security has now been seriously compromised. As the Kyiv Independent article notes, hackers can often find backdoors in IT systems left open to governments, as revealed by a series of legal battles to compel Apple to extract data for US intelligence agencies. According to Wagner, one of the main reasons for Diia’s vulnerability to outside attacks was the widespread corner cutting that took place amid the mad rush to get the system up and running, presumably so that it could then be wielded as an example to the world:
“It was very, very, very, very, very fast progress,” says Wagner. “And any IT project that has the heat on to make fast progress will cut corners where needed and save resources where needed with the best of intentions, which is meeting the deadlines and satisfying the requirements. (That) created not only a long string of vulnerabilities but also over-centralization in tech admin infrastructure.”
When Diia was attacked, exposing the myriad flaws in Diia’s security architecture, a system touted for its speed and convenience suddenly stopped working — for well over a month — and became extremely inconvenient. As the Kyiv Independent reports, questions are now being asked about just how Russian agencies could use the hacked information:
The hack “provides opportunities for Russian intelligence to obtain additional information about Ukrainian military and civilian government employees, and identify vulnerable or otherwise suitable people in Ukraine who can be recruited or coerced into conducting espionage activities and sabotage,” analysts at cybersecurity firm Flashpoint wrote in comments to the Kyiv Independent.
“However, more likely uses of such information include conducting future cyberattacks on other organizations in Ukraine using the information from public registries for reconnaissance, identity theft, social engineering, doxxing, harassment, and crafting convincing phishing emails,” Flashpoint wrote…
Mykyta Knysh, who formerly worked in cybersecurity for Ukraine’s security services, the SBU, and currently runs the hacking collective “HackYourMama,” says the agencies involved should have known better.
“I understand that the Justice Ministry doesn’t necessarily have to have this kind of expertise, but the State Office of Security and Communications, the Digital Transformation Ministry, the SBU — they should have that expertise,” says Knysh…
“At the beginning of the full-scale invasion we realized that Ukraine’s digital infrastructure was overly centralized, according to the old Soviet model,” says Wagner. “Centralization and single points of failure are a well-known anti-pattern. And it’s highly vulnerable”…
Knysh is especially concerned that authorities provided no details on the hack, citing “a whole monopoly on what they are saying.” Given that hackers re-use hacking techniques, he was concerned for other nations.
This, surely, is the most important point. As noted at the beginning of this article, both USAID and the UN Development Programme have been working around the clock to export Ukraine’s Diia model to other countries around the world that are struggling with corruption and transparency issues. In its 2023 promotional piece on Diia, the UNDP announced that “Diia is ready to go international”, and that Ms. Ionan, Ukraine’s Deputy Minister of Digital Transformation, “is eager to share Ukraine’s knowledge and resources with the world.”
A slightly closer look at the UNDP article reveals why the UN agency is so enthusiastic about Diia. In small print under one of the photos is this disclosure:
“The UNDP, with funding from Sweden, supported the development of 23 e-services, which were launched by the Ministry of Digital Transformation of Ukraine on the Diia app and portal.”
Meanwhile, Samantha Power, speaking at Davos in 2023, said that she saw Diia as part of a broader effort to help democratic reformers around the world deliver for their people, adding that countries would be selected accordingly. From Axios:
“We want to look at the bright spots, at the countries that are committed to transparency and an anti-corruption agenda, that are bucking the global trends,” Power said. She noted that Moldova’s reformist government has already expressed interest in Ukraine’s e-governance approach.
Power also hopes to partner with countries in the global south. Given the current “economic headwinds,” even leaders who are working to clean up corruption and improve governance may struggle to improve the lives of their citizens, she said. An app that allows citizens to file taxes or access birth certificates without waiting in line for hours could be one tangible improvement, she argued.
Once held up as an example to the world, Diia should now serve as a clear warning to governments of all stripes and, more important still, global citizens: these digital governance systems, and the data they harvest and hold, are not secure. In a time of growing state-to-state conflict, rolling out easily compromised systems of digital governance and digital identity needlessly puts the basic security of those countries at serious risk.
Back in 2022, Kyiv signed a digital trade agreement (yep, they do exist) with the United Kingdom. The DTA included a provision for collaborating on digital identity. Fast forward to today, the UK’s Keir Starmer government is intensifying its push to launch a digital identity system, including by implementing digital IDs for age verification in pubs and clubs this year. In recent weeks, the propaganda to support the roll out of digital IDs in the UK has kicked into gear. And the main selling points, as always, are speed and convenience.
Security issues, by contrast, are being widely ignored despite the UK government’s long, chequered history with IT projects. What the Starmer government isn’t telling UK residents in its digital ID PR campaign is that many of its current IT systems are dangerously lacking in basic cybersecurity. This is the damning conclusion of a new report by the National Audit Office (NAO), which found that the government is so far behind on its 2022 target to harden systems against cyberattacks by 2025 that it is unlikely to achieve the target even by 2030.
Of the 228 legacy systems that were analysed, 28% were red-rated, meaning they posed a high likelihood of operational and security risks occurring. The remaining 72% were not red-rated but still presented a risk, the report said.
“We have seen too often the devastating impact of cyber-attacks on our public services and people’s lives,” said Geoffrey Clifton-Brown, MP and chair of the Public Accounts Committee. “Despite the rapidly evolving cyber threat, government’s response has not kept pace. Poor coordination across government, a persistent shortage of cyber skills, and a dependence on outdated legacy IT systems are continuing to leave our public services exposed.”
The NAO report, said Clifton-Brown, should serve as a wake-up call to government to get on top of this pernicious threat. But instead, the UK government, like the Zelensky government in Ukraine, is in too much of a rush to expand its digital public infrastructure while paying little more than lip service to security concerns.
But not all governments in Europe are quite so blasé about IT systems security. As we suggested in early December, fear of hybrid war with Russia is one of the reasons why some of northern Europe’s governments appear to be rethinking the wisdom of abandoning cash and embracing a fully digitised economy. The Daily Telegraph even published an article warning that “Going Cashless Risks Playing Straight into Putin’s Hands.” Perhaps (and this is probably wishful thinking on my part) Russia’s recent hack of Diia will have a similar sobering effect on Europe’s plans to unleash eminently hackable digital governance and ID systems.
I remember one of the laws of software/system development from my computer days:
“Good, fast, cheap. Pick any two.” Countless numbers of managers, usually against the advice of their developers, have refused to heed and hence have fallen on this.
Another, of course, is GIGO, “garbage in, garbage out.” Seems pretty universal and not limited to digital systems.
The crappification of totalitarianism. Thanks for this.
I’ve never been through anything like what Ukrainians are experiencing but I do know that during my personal worst stretch of existence, the last few gratuitous indignities are what I will always remember best. Long after Ukrainians have processed their grief they will have bitter memories of Diia.
Something went wrong when editing this sentence:
A December 20 article published byy ownership services, vehicle re-registration, “eRestoration,” “eHousing,” and many others.”
And the following paragraph:
Given the Zelensky government’s ambition to do away with all old-f RBC-Ukraine suggests the scale of the fallout is significant: […]
Thanks for the heads-up, vao. Looks like the two sentences somehow got mashed together. It’s fixed now.