Cyber Hygiene in Ukraine's Public Sector: Metrics and Progress 2022-2024
Cyber hygiene refers to the routine security practices that organizations and individuals maintain to keep systems and data safe—analogous to physical hygiene practices that prevent disease. Core cyber hygiene practices include maintaining current software patching, using strong unique passwords with a password manager, enabling multi-factor authentication, regularly backing up critical data, and applying network access controls. Ukraine's public sector has undergone a measured but significant cyber hygiene improvement since 2022, driven by a combination of policy mandates, technical assistance from international partners, and the immediate security motivations created by active conflict conditions.
Baseline Conditions in Early 2022
Ukraine's public sector cyber hygiene baseline at the start of the full-scale invasion in February 2022 reflected the general state of government cybersecurity in a middle-income country with recent but incomplete modernization. A significant fraction of government systems ran Windows 7 (which reached end-of-support in January 2020) or older versions. Multi-factor authentication was not mandatory for government systems and was implemented inconsistently. Password policies were enforced unevenly, with audits finding significant prevalence of weak or default passwords in local government systems. Security patching was inconsistent, particularly in regional and local government entities that lacked dedicated IT staff.
This baseline meant that many of the Russian cyber operations early in the conflict found that basic network hygiene deficiencies—unpatched systems, weak credentials, absent MFA—provided easy initial access vectors. The response to these findings accelerated an ongoing digital transformation program, with international support adding resources and urgency to the hygiene improvement effort.
Key Cyber Hygiene Metrics
| Hygiene Metric | Q1 2022 Estimate | Q4 2023 | 2024 Target | Remaining Gap |
|---|---|---|---|---|
| MFA adoption (central government) | ~31% | ~74% | 90% | ~16% of accounts |
| Unpatched critical vulns (>30 days) | High prevalence | Reduced ~60% | <5% of assets | Measurement inconsistent |
| Password manager adoption (gov) | <5% | ~20% | 35% | Cost + change resistance |
| Unsupported OS elimination | ~35% running EOL OS | ~15% | <5% | Legacy applications |
| Backup verification rate | Low (untested backups) | 60% verified monthly | 90% | Automation gaps |
Password Manager Adoption in Government
Password manager adoption in Ukraine's public sector was below 5% at the start of 2022—consistent with low adoption globally among non-technical users. SSSCIP's 2022 Emergency Cyber Hygiene Orders mandated that central government IT departments evaluate and deploy password management solutions, with Bitwarden for Enterprises (available with government discount through international assistance programs) and KeePass (open-source, free) identified as approved options for government use.
By late 2023, adoption had reached approximately 20% of central government employees, driven by IT department-initiated rollouts rather than individual employee initiative. User resistance—particularly among older workers unaccustomed to password manager workflows—remained a barrier. Training on password manager use was incorporated into mandatory quarterly security awareness training modules starting in Q2 2023, contributing to improved adoption rates. Reaching the 35% target requires sustained change management effort beyond mandatory policy alone.
Multi-Factor Authentication Coverage
MFA adoption in Ukraine's government accelerated following mandates issued by SSSCIP in March and April 2022, which required MFA on all email accounts and VPN access for central government employees within 60 days. Microsoft's Government Security Program for Ukraine provided access to Azure Active Directory Premium licenses enabling conditional access and MFA policies across government Microsoft 365 tenants at no cost, removing cost as a barrier. Google's security team provided direct technical assistance for government entities using Google Workspace.
Despite policy mandates, full MFA coverage has been limited by account provisioning gaps (former employees whose accounts were not properly de-provisioned), service accounts (programmatic accounts used by applications that cannot interactively complete MFA challenges), and local government entities outside the central government mandate scope. The ~26% of central government accounts still lacking MFA coverage by late 2023 represented primarily these categories rather than active refusal by individual employees.
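The gap categories above can be separated in an account inventory so that the coverage figure shows how much of the shortfall enrolment can actually close. The following is an added example, not SSSCIP tooling: the field names, the 90-day dormancy threshold, and the inventory rows are all assumptions constructed for illustration.

```python
from collections import Counter
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)  # assumed dormancy threshold, not from the text

def classify(a, today):
    """Place one account in a coverage bucket named after the gaps in the text."""
    if a["mfa"]:
        return "covered"
    if a["kind"] == "service":
        return "service-account"      # cannot answer an interactive challenge
    if not a["in_scope"]:
        return "outside-mandate"      # e.g. a local government entity
    if not a["hr_active"] or today - a["last_sign_in"] > STALE_AFTER:
        return "not-deprovisioned"    # leaver or dormant account
    return "active-user-no-mfa"       # the only bucket enrolment can fix

def mfa_gap_summary(accounts, today):
    """Bucket counts plus raw coverage and coverage among enrollable users."""
    buckets = Counter(classify(a, today) for a in accounts)
    covered = buckets["covered"]
    enrollable = covered + buckets["active-user-no-mfa"]
    return {
        "buckets": dict(buckets),
        "raw_coverage": covered / len(accounts) if accounts else 0.0,
        "enrollable_coverage": covered / enrollable if enrollable else 0.0,
    }

def make_account(name, kind, mfa, in_scope, hr_active, last_sign_in):
    return {"name": name, "kind": kind, "mfa": mfa, "in_scope": in_scope,
            "hr_active": hr_active, "last_sign_in": last_sign_in}

# Constructed inventory export; names and dates are illustrative only.
TODAY = date(2023, 12, 1)
ACCOUNTS = [
    make_account("user01", "user", True, True, True, date(2023, 11, 28)),
    make_account("user02", "user", True, True, True, date(2023, 11, 30)),
    make_account("user03", "user", True, True, True, date(2023, 11, 27)),
    make_account("user04", "user", True, True, True, date(2023, 11, 29)),
    make_account("user05", "user", False, True, False, date(2023, 3, 1)),
    make_account("user06", "user", False, True, True, date(2023, 6, 15)),
    make_account("svc-backup", "service", False, True, True, date(2023, 12, 1)),
    make_account("svc-docflow", "service", False, True, True, date(2023, 12, 1)),
    make_account("user07", "user", False, False, True, date(2023, 11, 30)),
    make_account("user08", "user", False, True, True, date(2023, 11, 30)),
]

if __name__ == "__main__":
    print(mfa_gap_summary(ACCOUNTS, TODAY))
```

Each bucket calls for a different action (disable, replace interactive credentials, extend the mandate, enrol), which is why a single raw percentage hides where the remaining work sits.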
Unpatched Systems Reduction
Ukraine's patch management improvement was driven partly by migration from on-premises systems to cloud services—Microsoft Azure and Microsoft 365 cloud services automatically apply Microsoft-managed security patches, removing the patching burden from government IT staff. For on-premises systems, SSSCIP's vulnerability scanning program (using Tenable Nessus, donated with partner support) established a baseline of critical vulnerability prevalence across central government systems. Detected critical vulnerabilities published in the CISA Known Exploited Vulnerabilities (KEV) catalog were prioritized for mandatory 72-hour remediation, while other critical vulnerabilities received 30-day targets.
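The two remediation windows above can be applied to a scan export to produce an overdue list and the share of assets carrying an overdue critical finding, which is the unit the metrics table uses for its target. This is an added example rather than SSSCIP's or Tenable's code: the record layout, asset names, and asset count are assumptions, and the CVE identifiers are placeholders.

```python
from datetime import datetime, timedelta, timezone

KEV_SLA = timedelta(hours=72)       # KEV-listed critical findings
CRITICAL_SLA = timedelta(days=30)   # all other critical findings

def deadline_for(finding, kev_ids):
    """Return (deadline, rule) for a critical finding, else None."""
    if finding["severity"] != "critical":
        return None
    if finding["cve"] in kev_ids:
        return finding["first_seen"] + KEV_SLA, "kev-72h"
    return finding["first_seen"] + CRITICAL_SLA, "critical-30d"

def overdue_report(findings, kev_ids, now, asset_count):
    """Open critical findings past deadline, most overdue first, and asset share."""
    overdue = []
    for f in findings:
        target = None if f["fixed"] else deadline_for(f, kev_ids)
        if target and now > target[0]:
            overdue.append({"asset": f["asset"], "cve": f["cve"],
                            "rule": target[1], "late_by": now - target[0]})
    overdue.sort(key=lambda r: r["late_by"], reverse=True)
    late_assets = {r["asset"] for r in overdue}
    share = len(late_assets) / asset_count if asset_count else 0.0
    return overdue, share

def utc(month, day, hour=0):
    return datetime(2023, month, day, hour, tzinfo=timezone.utc)

def make_finding(asset, cve, severity, first_seen, fixed=False):
    return {"asset": asset, "cve": cve, "severity": severity,
            "first_seen": first_seen, "fixed": fixed}

# Constructed scan export. CVE ids are placeholders, not real identifiers.
KEV_IDS = {"CVE-EXAMPLE-0001"}
FINDINGS = [
    make_finding("ws-014", "CVE-EXAMPLE-0001", "critical", utc(11, 5, 9)),
    make_finding("ws-014", "CVE-EXAMPLE-0002", "critical", utc(10, 25)),
    make_finding("srv-002", "CVE-EXAMPLE-0003", "critical", utc(10, 1)),
    make_finding("srv-007", "CVE-EXAMPLE-0001", "critical", utc(11, 9, 8)),
    make_finding("ws-031", "CVE-EXAMPLE-0004", "high", utc(9, 1)),
    make_finding("srv-002", "CVE-EXAMPLE-0001", "critical", utc(10, 20), fixed=True),
]
NOW = utc(11, 10, 12)

if __name__ == "__main__":
    for row in overdue_report(FINDINGS, KEV_IDS, NOW, asset_count=40)[0]:
        print(row["asset"], row["cve"], row["rule"], row["late_by"])
```

Measuring from first detection with one fixed clock per rule gives every entity the same definition of "overdue", so figures from different ministries can be compared.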
Security Scorecards and External Assessment
Ukraine adopted security scorecard tracking through SecurityScorecard and Bitsight platforms—external assessment tools that measure an organization's externally observable security hygiene indicators including open ports, SSL certificate issues, exposed services, and IP reputation. SecurityScorecard provided free access to Ukrainian government entities as part of its crisis response program. These external scorecards enabled SSSCIP to benchmark government ministry performance against each other and against international peers, and provided donors and international partners with independent verification of hygiene improvement over time.
FAQ
- Why is cyber hygiene still treated as a significant challenge in 2024?
- Despite significant improvement since 2022, cyber hygiene remains a challenge because the scale of Ukraine's public sector (hundreds of ministries, agencies, regional and local governments, state-owned enterprises, and critical infrastructure operators) means even a small percentage of non-compliant entities creates significant attack surface. Additionally, wartime staff turnover, with experienced IT staff mobilized for military service and replaced by less experienced personnel, creates recurring gaps in baseline capability that require ongoing effort to address.
- How does password manager deployment typically proceed in a large organization?
- Successful enterprise password manager deployments typically follow a phased approach: IT administrators and high-privilege accounts in the first phase, followed by all employees in security-sensitive departments, then company-wide rollout. Key success factors include mandatory training before deployment (explaining why and how to use the tool), a designated help desk contact for password manager issues, pre-loading commonly used work credentials to demonstrate immediate value, and clear policy that password managers are the approved method for managing work credentials. Forcing password complexity requirements simultaneously incentivizes adoption.
- What percentage of Ukrainian government systems are still running end-of-life operating systems?
- SSSCIP estimates that approximately 15% of central government workstations were running end-of-life Windows versions (primarily Windows 7 and Windows 8.1) as of late 2023, down from approximately 35% at the start of the war. Regional and local government percentages are higher—estimates suggest 20-30% in some regions. The main barriers to migration are legacy applications that require older operating system versions to function correctly and budget constraints for hardware upgrades when older systems cannot run current Windows versions.
- How do security scorecards measure cyber hygiene externally?
- Security scorecard platforms measure observable indicators from outside an organization's perimeter: open ports and services visible on internet-facing systems, SSL/TLS certificate validity and configuration quality, IP address reputation (indicating whether organization IP ranges have been associated with malicious activity), exposed application vulnerabilities detectable through passive scanning, evidence of data breaches in breach databases, and patching cadence based on version information visible in application banners. These metrics capture the externally observable attack surface rather than internal hygiene, and correlate with but do not fully represent the complete internal security posture.
- What is the single most impactful cyber hygiene improvement for Ukraine's public sector?
- Among available hygiene improvements, comprehensive MFA deployment provides the highest security-to-effort ratio for Ukraine's public sector. Microsoft research based on enterprise telemetry indicates that MFA blocks approximately 99.9% of account compromise attacks. Given that credential phishing and password spraying are among the most common initial access techniques used by Russian APT groups against Ukrainian targets, eliminating the effectiveness of these attacks through universal MFA would prevent a high proportion of successful intrusions. SSSCIP guidance consistently identifies MFA completion as the top priority cyber hygiene action for entities that have not yet achieved full coverage.
Sources
- SSSCIP — "Ukraine Cybersecurity Status Report 2023," cip.gov.ua
- Microsoft — "Government Security Program: Ukraine Support Report," microsoft.com 2023
- SecurityScorecard — "Ukraine Government Security Scorecard Report," securityscorecard.com 2023
- CISA — "Known Exploited Vulnerabilities Catalog," cisa.gov/known-exploited-vulnerabilities-catalog
- USAID — "Cyber Security for Critical Infrastructure in Ukraine (CCIS) Program: Phase II Results," usaid.gov 2024
Cyber Operations Analysis: Cyber Hygiene in Ukraine's Public Sector: Metrics and Progress 2022-2024
The Russia-Ukraine conflict has generated the most comprehensively documented state-sponsored cyber operations in history, and cyber hygiene in Ukraine's public sector is a significant dimension of this digital warfare environment. Cyber attacks have targeted Ukrainian government systems, critical infrastructure, financial institutions, and military communications since well before the physical invasion began in February 2022. Understanding the technical characteristics, attributable actors, and strategic effects of cyber operations related to public-sector cyber hygiene provides essential context for assessing both immediate operational impacts and broader implications for cyber conflict doctrine.
Russian state-sponsored threat actors including Sandworm (GRU Unit 74455), APT28/Fancy Bear (GRU Unit 26165), Cozy Bear/APT29 (SVR), and Turla (FSB) have conducted sustained campaigns against Ukrainian and allied targets with objectives spanning espionage, sabotage, and influence operations. Public-sector cyber hygiene intersects with this threat actor ecosystem in specific ways, whether through the deployment of particular malware families, targeting of specific sectors, or employment of novel techniques that reveal evolving adversary capabilities and intentions.
Ukraine's cyber defense architecture, significantly strengthened with Western assistance through programs including the EU's Cyber Resilience for Ukraine project and bilateral cooperation with US Cyber Command, has demonstrated growing resilience against Russian operations. The Ukrainian Computer Emergency Response Team (CERT-UA) has published hundreds of threat intelligence advisories, contributing to global understanding of Russian cyber tactics, techniques, and procedures (TTPs). The state of public-sector cyber hygiene informs this evolving defensive picture, highlighting areas where Ukrainian defenses have proven effective and where vulnerabilities remain.
The strategic calculation surrounding cyber operations related to public-sector cyber hygiene involves complex trade-offs between operational effect, attribution risk, and escalation management. Russia's decision to employ destructive wiper malware, distributed denial-of-service attacks, and infrastructure-targeting operations reflects a calibrated use of cyber as a coercive instrument alongside physical military operations. The international response, including intelligence sharing, cyber defense assistance, and potential offensive cyber operations by allied nations, shapes the cost-benefit calculations of Russian cyber strategists.
Lessons for Global Cybersecurity Policy
The cyber dimensions of the Russia-Ukraine conflict, including the cyber hygiene of Ukraine's public sector, have generated critical lessons for national cybersecurity strategies worldwide. The importance of pre-positioning defensive measures before conflict onset, the value of international cyber defense cooperation frameworks, the role of private sector cybersecurity companies in supporting national defense, and the limitations of cyber operations as a strategic coercive tool have all been illuminated by Ukrainian experience. These lessons are reshaping cybersecurity investment priorities, information sharing architectures, and incident response frameworks across NATO and partner nations.
Frequently Asked Questions
What are the main Russian cyber attacks on Ukraine?
Russia has conducted sustained cyber operations against Ukraine since at least 2014, with a major escalation in February 2022. Key campaigns include the NotPetya attack (2017), attacks on energy infrastructure, the Viasat hack at war's start, and continuous operations against government, military, and civilian targets throughout the full-scale invasion.
How has Ukraine defended against Russian cyber attacks?
Ukraine's cyber defense has benefited from pre-invasion preparation, Microsoft and Western tech company assistance, CERT-UA operations, and the support of allied intelligence services. Ukraine developed significant cyber resilience by distributing government data to cloud infrastructure before the invasion.
What is the role of cyber warfare in the Ukraine conflict?
Cyber warfare in the Ukraine conflict operates alongside conventional military operations. Russia uses cyber attacks to disrupt infrastructure, spread disinformation, and support physical strikes, while Ukraine has developed offensive cyber capabilities to target Russian systems, including oil and gas infrastructure and military networks.
Who are the main cyber actors targeting Ukraine?
Russian state-affiliated cyber groups targeting Ukraine include Sandworm (GRU), APT28 (GRU), APT29 (SVR), Turla (FSB), and various GRU units. Ukrainian cyber forces, international volunteer hacker groups (IT Army of Ukraine), and allied intelligence cyber units operate on the Ukrainian side.
What can other countries learn from Ukraine's cyber defense?
Ukraine's cyber defense offers critical lessons: distributed cloud infrastructure reduces vulnerability to physical and cyber attacks, international information sharing accelerates threat response, pre-conflict preparation matters enormously, and the integration of civilian tech expertise with military cyber operations creates strategic advantages.