Recent Posts
- State Cybersecurity Policy: Ukraine and International Experience 29.03.2025
- Ukraine recovery should be based on development of territorial communities, innovations, involvement of professional domestic community – results of ESUR forum 29.06.2023
- Ukraine repatriates five more seriously wounded Russian POWs 10.04.2023
- Rada intends to include history of Ukraine, foreign language in final certification for general secondary education 10.04.2023
- Rada terminates protocol on joint anti-terrorist measures in CIS territories for Ukraine 10.04.2023
State Cybersecurity Policy: Ukraine and International Experience
Introduction
Cybersecurity has become a key area of state policy worldwide. Ukraine, facing unprecedented pressure from cyberattacks, has recently adopted a new law on the protection of state information resources and critical infrastructure. This analytical paper examines the main provisions of Ukrainian cybersecurity legislation and compares institutional models and policies with leading countries—namely, the United States, the United Kingdom, Israel, China, the Netherlands, and Germany. We analyze the legal framework, structure of state institutions, cooperation with the private sector, workforce development, and veteran-focused programs. The final section includes a comparative table and a separate chapter on the potential role of Kyiv National University of Construction and Architecture (KNUCA) and the Institute of Veteran Reintegration, Rehabilitation, and Professional Development ‘Architecture of Resilience’ in building the national cybersecurity system.
The New Ukrainian Law on Cyber Protection of Critical Infrastructure
On March 27, 2025, the Verkhovna Rada of Ukraine adopted in full the draft law No. 11290 on amendments to laws regarding the protection of information and cybersecurity of state information resources and critical information infrastructure. This new law lays a modern legal foundation for cybersecurity, harmonized with European approaches (notably implementing the NIS2 Directive recommendations). Key innovations of the law include:
• National Cyber Incident Response System.
• Protection of Critical Infrastructure.
• Institutional Development.
• Training and Cyber Hygiene.
Ukraine’s existing national cybersecurity ecosystem already contains certain elements: the basic Law ‘On the Basic Principles of Ensuring Cybersecurity of Ukraine’ (2017), the Cybersecurity Strategy (2021), and a National Coordination Center for Cybersecurity under the NSDC. The new law No. 11290 significantly strengthens these mechanisms.
U.S. Experience: Comprehensive Cyber Strategy and Public-Private Partnerships
The United States has one of the most developed legal frameworks for cybersecurity. A variety of laws and Congressional acts shape its policy: from the Cybersecurity Act of 2015 (which facilitated information sharing on threats) to annual defense budgets that include cyber provisions. In 2023, the administration released a new National Cybersecurity Strategy, shifting focus to proactive defense of critical infrastructure and shared responsibility between government and business. Presidential Executive Orders also play a vital role: Executive Order 14028 (May 2021) ‘Improving the Nation’s Cybersecurity’ reinforced security requirements for federal networks and introduced mandatory standards (e.g., zero trust, multi-factor authentication).
Institutional Model: The U.S. system comprises a wide array of cybersecurity bodies with function-specific roles:
• The Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security is the primary civil agency responsible for protecting critical infrastructure.
• The FBI handles cybercrime investigations and cyber counterintelligence.
• U.S. Cyber Command (USCYBERCOM) within the Department of Defense manages military cyber operations.
• The National Security Agency (NSA) provides intelligence and operates the Cybersecurity Collaboration Center for defense sector cooperation.
• The Office of the National Cyber Director (ONCD), created in 2021, coordinates strategic cyber policy from the White House.
Public-Private Collaboration: As much of U.S. critical infrastructure is privately owned, public-private partnerships are central. Platforms like ISACs (Information Sharing and Analysis Centers) exist across sectors. CISA serves as a bridge between government and industry, organizing briefings, issuing alerts, and conducting joint exercises. CISA’s Automated Indicator Sharing (AIS) platform and the Joint Cyber Defense Collaborative (JCDC) enable real-time threat information sharing.
Workforce Development: The U.S. invests heavily in cyber workforce development. The National Initiative for Cybersecurity Education (NICE) sets skill standards. Programs like CyberCorps: Scholarship for Service fund education in exchange for government work. CISA offers courses and cyber training for state agencies and private partners. Youth programs (CyberPatriot), university Centers of Academic Excellence (CAE), and industry certifications (CISSP, etc.) form a complete educational ecosystem.
Veteran Programs: Veterans are seen as a valuable asset. Policies support retraining through the GI Bill, and initiatives like the Federal Cybersecurity Workforce Expansion Act promote internships and reskilling. Private companies (e.g., Fortinet) offer free cybersecurity training for veterans, creating a pathway from military service to digital defense roles.
UK Experience: National Cyber Centre and Talent Development
The United Kingdom takes a systematic approach to cybersecurity, updating its strategy every five years. The latest National Cyber Strategy (2022–2030) sets priorities including strengthening critical sectors’ resilience, developing technological leadership, and expanding cyber skills. Legally, the key document is the Network and Information Systems Regulations (NIS Regulations 2018)—the UK’s implementation of the EU NIS Directive—requiring operators of critical infrastructure (energy, transport, healthcare, etc.) to implement security measures and report incidents. Post-Brexit, the UK retains these standards and plans to adapt them to NIS2.
Institutional Structure: The UK’s cybersecurity is centered around the National Cyber Security Centre (NCSC), created in 2016 as part of GCHQ. NCSC consolidated earlier entities (CERT-UK, CESG) and now acts as the single point of contact for businesses, government, and society. It provides guidance, incident response, threat alerts, and works as a bridge between the industry and government. NCSC’s intelligence access enhances its protective capabilities.
Other bodies include:
• National Cyber Crime Unit (NCCU) under the National Crime Agency – investigates major cybercrimes.
• Defence Cyber Operations Group and National Cyber Force – military and offensive cyber operations.
• Cabinet Office Cyber Coordinator – for overall policy coordination.
Public-Private Cooperation: The UK emphasizes close cooperation with the private sector. NCSC supports Cyber Security Information Sharing Partnership (CiSP)—a platform for real-time threat intelligence exchange among hundreds of companies and government bodies. Sectoral cyber resilience centers, regional hubs, and events like CYBERUK reinforce the ecosystem.
Skills and Education: The UK is a leader in cyber skills development. School programs promote digital literacy and cybersecurity. The CyberFirst program, under NCSC, offers camps, scholarships, and competitions (e.g., CyberFirst Girls). Universities host Academic Centres of Excellence, and the UK Cyber Security Council sets professional standards.
Veteran Programs: Recognizing veterans’ potential, the nonprofit TechVets helps transitioning service members enter the cyber field by offering free training, mentorship, and career support. Tech companies like Cisco and Amazon run veteran-specific internships. In the military, personnel can acquire cyber skills during service and transfer them to civilian roles. The government’s Armed Forces Covenant encourages businesses to hire veterans, fostering their integration into cybersecurity roles where discipline and reliability are valued.
Israel’s Experience: Cyber Nation and Military-Civilian Synergy
Israel was among the first countries to elevate cybersecurity to a national strategic priority. In 2011, it established the National Cyber Bureau under the Prime Minister’s Office, which laid the groundwork for national policy. The National Cybersecurity Strategy (2017) emphasized cyber resilience and offensive capabilities. In 2022, a draft Cybersecurity Law was introduced, aiming to grant additional powers to the Israel National Cyber Directorate (INCD), reflecting the philosophy of deep collaboration with the private sector and separation between civilian and military cyber functions.
Currently, Israel’s policy is guided by government decisions and sectoral regulations. Critical sectors (energy, finance, transportation, telecoms) must meet protection standards and report major incidents. Israel also practices active cyber defense—proactively engaging threats via military and intelligence means, although this is not formally codified.
Institutional Structure: The INCD, under the Prime Minister’s Office, oversees national cybersecurity policy and the protection of civilian infrastructure. It issues binding directives, assesses national cyber risks, and coordinates sectoral regulators. INCD manages two main centers: CERT-IL for incident response and a national threat information exchange hub shared with the private sector.
Military and intelligence cyber activities are separate. The Israel Defense Forces (IDF) operate cyber units such as Unit 8200 (intelligence and offensive operations) and the C4I Directorate (defensive operations). Shin Bet (domestic security) and Mossad (foreign intelligence) also have cyber roles. Coordination with INCD exists but overlaps can occur. The draft law excludes INCD from offensive cyber duties, leaving them to military and intelligence bodies.
Public-Private Cooperation: Israel is often called a ‘start-up nation’ in cybersecurity. The CyberSpark tech park in Be’er Sheva brings together Ben-Gurion University labs, top cyber companies, and INCD units, fostering innovation. Government grants and programs support cyber startups, and INCD holds regular training and collaboration sessions with the private sector. The law proposes antitrust immunity for companies cooperating in cyber defense.
Skills and Education: Military service is the foundation. Teenagers aim to enter elite IDF tech units like 8200, where they gain deep cyber skills. After service, they often join the private sector or remain in defense roles. Civilian programs also exist: youth clubs like ‘Magshimim’ prepare students for cyber service. Universities (Tel Aviv, Technion, Ben-Gurion) are global leaders in cybersecurity research. Demand for cyber talent remains high domestically and globally.
Veteran Programs: Virtually all Israelis serve in the military, many in cyber roles, making veterans highly employable. Specialized retraining for combat veterans exists, offering IT and cybersecurity pathways, often funded by government or private foundations. Israel’s model enables seamless transitions: from military service to tech careers or continued service in reserve cyber units.
China’s Experience: State Control and Mass Workforce Development
China approaches cybersecurity from the standpoint of national sovereignty and control over the information space. The Cybersecurity Law of 2017 mandates security standards for network operators and critical information infrastructure (CII), including data localization. The legal framework was strengthened in 2021 with the Data Security Law and Personal Information Protection Law. The State Council also issued regulations on CII protection, clarifying the scope and responsibilities. The Ministry of Public Security (MPS) oversees technical defense of CII, while the Cyberspace Administration of China (CAC) manages policy and information control. Sectoral regulators implement measures within their domains.
Institutional Structure: At the top is the Central Cyberspace Affairs Commission, chaired by the President of China. CAC executes strategies and censors online content. MPS, through its Cybersecurity Bureau, handles cybercrime and infrastructure protection. The Ministry of State Security (MSS) and the People’s Liberation Army (PLA) conduct offensive operations and cyberespionage. The Ministry of Industry and Information Technology (MIIT) sets technical standards and implements initiatives like secure 5G deployment.
China has a layered protection system: the Multi-Level Protection Scheme (MLPS) requires organizations to classify IT systems by criticality and apply corresponding safeguards. CII protection relies on audits and monitoring. The 2021 crackdown on tech firm Didi showed how these laws are enforced—after its U.S. IPO, authorities deemed it a CII operator and imposed restrictions.
Public-Private Cooperation: Collaboration is largely mandatory. Major tech firms (Baidu, Alibaba, Tencent) must comply with state security demands, including data sharing. The 2017 National Intelligence Law compels firms to assist security agencies. At the same time, the government promotes a domestic cybersecurity industry through grants and showcases like China Cybersecurity Week.
Skills and Education: China faces a significant cyber workforce gap. Over 600 universities offer cybersecurity-related programs. Leading institutions (Tsinghua University, Harbin Institute of Technology) host cyber faculties. The state sponsors contests (e.g., China Cybersecurity Competition) and has established training centers like the National Cybersecurity Center in Wuhan (capacity: 70,000 trainees annually). Cyber awareness is promoted nationwide, from schools to civil service.
Veterans’ Role: While there are few public programs for civilian veterans, many who served in PLA cyber units or cyber police transition to government-affiliated enterprises or regulated private firms. Military experience often leads to continued service in a state-linked capacity. Patriotic duty is emphasized, and the state provides structured career progression to retain talent in key sectors.
Netherlands’ Experience: Public Trust and Interagency Coordination
As an EU member, the Netherlands aligns its cybersecurity policies with European directives. The 2018 Network and Information Systems Security Act (WBNI) implemented the NIS directive, requiring essential service providers (energy, finance, water, etc.) and digital service providers to follow security norms and report serious incidents. In 2022, the government adopted a new National Cybersecurity Strategy (2022–2028), emphasizing government responsibility for protecting citizens and businesses, enhancing public-private collaboration, and reinforcing international cooperation. A new cybersecurity bill to comply with NIS2 was submitted in 2024.
Institutional Structure: The National Cyber Security Centre (NCSC-NL), under the Ministry of Justice and Security, serves as the expert body monitoring threats, issuing alerts, providing guidance, and coordinating incident response. It evolved from the National Coordinator for Counterterrorism and Security (NCTV). To improve oversight capacity, the government plans to merge NCSC with the Digital Trust Center (DTC) and CSIRT-DSP by 2026, creating a unified national authority.
Currently, the landscape includes:
• NCSC-NL – works with government and critical infrastructure.
• DTC – supports small and medium-sized enterprises (SMEs) with guidance and funding.
• Cyber police – handle cybercrime investigations.
• Intelligence services AIVD and MIVD – conduct cyber counterintelligence and operations.
• Sector regulators – supervise implementation in fields like healthcare, finance, energy.
The Cyber Security Council advises the government. It includes members from the public, private, and academic sectors who provide policy recommendations.
Public-Private Cooperation: The Netherlands fosters a trust-based culture between government and industry. NCSC and DTC run joint events and trainings. DTC supports group projects for SMEs (e.g., sharing a cybersecurity expert or monitoring system). In finance, the central bank uses TIBER-NL—ethical hacking to test resilience. Dutch companies actively share incident data via NCSC platforms. The Netherlands hosts global cybersecurity forums (e.g., Europol’s EC3 and OPCW), reflecting its role as an international hub.
Skills and Education: Education combines formal programs and retraining. Universities offer specialized master’s degrees, like the Cyber Security Academy in The Hague. Government funds academic cyber research and offers training for public servants. The Netherlands participates in NATO and EU exercises (e.g., Locked Shields). Youth engagement is promoted through initiatives like the European Cybersecurity Challenge.
Veteran Programs: Dedicated programs for veterans are limited. However, military-trained cyber personnel often transition to civilian cybersecurity roles, especially in private industry. The government recognizes military-acquired qualifications. Veteran support schemes cover reskilling, and events like Open Days introduce them to tech careers. Veteran organizations collaborate with companies to help interested individuals enter the cyber field.
Germany’s Experience: Federal Responsibility and Technical Standards
Germany has developed a comprehensive legal and institutional framework for cybersecurity within its federal system. The 2015 IT Security Act required critical infrastructure operators to report cyberattacks and follow minimum security standards. The 2021 IT Security Act 2.0 expanded the sectors covered and granted broader powers to the Federal Office for Information Security (BSI), including equipment certification and vulnerability assessment. NIS and NIS2 directives are implemented through adjustments to BSI law and sectoral legislation. The Cybersecurity Strategy (2021) prioritizes protecting state networks, boosting BSI’s role, supporting cryptographic solutions, and promoting European digital autonomy.
Institutional Structure: BSI is the national authority for cybersecurity, part of the Ministry of the Interior. It develops standards, certifies IT products, coordinates incident response (through CERT-Bund), and leads awareness campaigns. It also runs the Alliance for Cybersecurity (ACS), engaging thousands of businesses in threat information sharing.
Other relevant bodies include:
• Federal Office for the Protection of the Constitution (BfV) – counterintelligence against cyberespionage.
• Federal Intelligence Service (BND) – foreign cyber intelligence and offensive operations.
• Bundeswehr’s Cyber and Information Space Command (KdoCIR) – handles military cyber defense and operations.
• State-level CERTs and cybersecurity units – coordinate with BSI for local incident response.
Germany is strengthening federal-state coordination, including a new joint cybersecurity center launched in 2022.
Public-Private Cooperation: BSI works closely with businesses through ACS and regular security dialogues. It publishes the IT-Grundschutz—a set of cybersecurity guidelines that many companies voluntarily adopt. In 2021, legislation introduced mandatory security assurances for suppliers of critical IT equipment (e.g., telecoms), reinforcing regulatory oversight.
Skills and Education: German universities offer robust cybersecurity programs (e.g., Ruhr University Bochum, TUM). BSI collaborates with academia on research and internships. The government created the Cybersecurity Innovation Agency to fund cutting-edge research and support young scientists. Education reform (Digitalpakt Schule) brings digital literacy and cybersecurity to schools. BSI also supports competitions and hackathons for youth.
Veteran Programs: Germany has relatively few veterans due to limited combat deployments. However, the Bundeswehr’s cyber command provides technical training, and veterans can transition to civilian roles in BSI or industry. Programs like ‘Career after Bundeswehr’ support retraining, with job fairs and consultancy. Associations like Deutscher BundeswehrVerband also help with career planning. While formal ‘cyber for veterans’ programs are rare, entry paths exist through recognized qualifications and defense-industry links.
The Role of KNUCA and the Institute of Veteran Reintegration ‘Architecture of Resilience’ in National Cybersecurity Development
An essential component of Ukraine’s cybersecurity ecosystem is the involvement of educational institutions and veteran-oriented initiatives. The Kyiv National University of Construction and Architecture (KNUCA), traditionally focused on engineering disciplines, has recently launched a cybersecurity department and a full-fledged academic program in this field. This diversification supports the nationwide demand for cybersecurity specialists and widens the pool of trained personnel. Notably, many of the students in KNUCA’s cybersecurity program are military veterans—former service members and participants of the Anti-Terrorist Operation (ATO) or Joint Forces Operation (JFO).
KNUCA also hosts the Institute of Reintegration, Rehabilitation, and Professional Development of Veterans ‘Architecture of Resilience’—a structural unit aimed at supporting veterans and their families through education, professional training, and psychological rehabilitation. The Institute assists veterans in transitioning to civilian life, discovering new career paths, and receiving job placement support. Cybersecurity is emerging as one of the key retraining areas within the Institute.
The university and the Institute jointly provide practical cybersecurity training, including access to cyber ranges, partnerships with tech companies, and mentoring. Veterans are given hands-on opportunities to acquire the skills needed for the digital defense of Ukraine.
Specific contributions of KNUCA and the Institute to national cybersecurity include:
• A pipeline of highly motivated personnel: Veterans trained at KNUCA bring discipline, resilience, and crisis-response experience. Their background makes them ideal candidates for roles in government cyber teams, cybersecurity divisions in critical infrastructure, and cyber policing.
• A national research and methodology hub for cyber resilience: Leveraging KNUCA’s engineering expertise, the Institute could pioneer interdisciplinary studies on how to integrate cyber protection into physical infrastructure (e.g., secure smart buildings, protected city systems).
• Cyber hygiene training center: The Institute could develop and deliver short-term training programs for civil servants, local governments, and utility workers. Veteran instructors can educate public-sector staff on threat awareness, basic cyber hygiene, and emergency protocols.
• Pathways into state cybersecurity agencies: The Institute’s strong ties with veteran communities and government entities enable identification and recruitment of skilled individuals into cybersecurity roles in the National Coordination Center for Cybersecurity, CERT-UA, cyber police, or SBU. Accelerated bootcamps and selection-based programs could help veterans quickly gain core competencies and take on key positions.
• International collaboration and grants: The Institute and KNUCA can pursue EU and U.S. grant programs that support veteran education and cybersecurity. Grants can fund cyber labs, simulation platforms, and up-to-date training materials, benefiting students, veterans, and the broader public sector.
In summary, KNUCA and the Institute ‘Architecture of Resilience’ are uniquely positioned to serve as a tripartite platform for education, veteran reintegration, and applied cybersecurity research. Their combined efforts could make a substantial contribution to national cyber resilience by transforming war veterans into digital defenders.
