“State-in-a-Smartphone” App Helps Ukraine Weather War and Counter Corruption

Glitzy Washington DC roadshow for “Diia” e-government app shows Ukraine’s resilience, ingenuity, transformation, and mastery of the information space

Jun 02, 2023

On May 22, 2023, crowds of people, chattering in English and Ukrainian, flocked to the historic Warner Theater in Washington DC for “Diia in DC,” a sort of roadshow to advertise the Diia e-government app that Ukraine’s Ministry for Digital Transformation developed with support from the US Agency for International Development (USAID) and the United Kingdom’s Agency for International Development (UKAID), and the Eurasia Foundation.

Entering the Warner Theater, Washington, DC, May 23, 2023 (Photo by Team Natto)

Inside, the atmosphere resembled a rock concert, with Ukrainian music blasting from the slickly lit stage as the audience filed in.

“Diia in DC” Event Stage at Warner Theater, May 23, 2023

Commenting on the atmosphere, USAID Administrator Samantha Power joked, “Government events are famous for being cool.”

The presentation featured Ukraine’s Minister of Digital Transformation, Mykhailo Fedorov; USAID administrator and former US ambassador to the United Nations Samantha Power; Oksana Makarova, Ukrainian Ambassador to the US; Pamela Spratlen, a former ambassador who heads the Eurasia Foundation NGO; and Alfred Kelly of Visa Corporation, with Kara Swisher of New York Magazine as moderator. Fast-paced video clips showed Ukrainians, not only refugees and bombing victims but also people living ordinary lives, benefiting from the amazing features of the Diia app. (The full recording is at https://www.youtube[.]com/watch?v=Ejq0b4i8OKM and an 8-minute summary is at https://www.youtube[.]com/watch?v=aFdOdsk8GA0)

Apparently aimed at potential investors and donors, ranging from tech-savvy entrepreneurs to pennywise legislators, the event delivered several messages:

· Ukraine is spending international aid money well

· Ukraine’s technical savvy has ensured effective resilience during the war and will enable the country’s future reconstruction

· The Diia app is part of a broader Ukrainian commitment to overcome the country’s Soviet legacy of corruption

· This and other Ukrainian inventions can help other countries facing similar challenges

Minister Fedorov’s presentation explained what the Diia app does, how it helped Ukrainian citizens in its first two years of existence, and how it is helping them to survive the war.

The Diia app (Ukrainian: «Дія»; also transliterated Diya, whose name literally means “Action” but can also be read as an acronym for “The State and I”) is not a government service or database in itself, but rather an interoperability system. It connects together different online government services.

In Peacetime

Conceived after President Zelensky’s 2019 election and launched in 2020, Diia helped citizens with paperwork for everyday tasks. These included obtaining passports, construction permits, electronic licenses, bank accounts, and healthcare, opening a small business, sharing electronic documents, paying business taxes, or registering a new baby. Nineteen million users, or about half the Ukrainian population, use it, and 70% of smartphones have Diia installed. Users can confirm their identity in a few clicks, using a QR code. Diia’s digital signature feature can generate a biometric that can be compared with biometric in the Demographic Registry. Some 11.3 mln documents have been signed in this way.

The Diia app is only one component of the Diia ecosystem, which also includes services like a network of business centers and a system for edutainment and reskilling. Diia payments are powered by Visa, benefiting from that company’s security and resiliency measures.

In Wartime: Resilience Against Physical and Cyber Attacks

USAID’s support for Ukraine’s e-government endeavors is only a small part of the $15 billion the agency has spent in Ukraine since the February 2022 invasion, but is a powerful force multiplier. Digital governance platforms help governments respond quickly to crises, as Samantha Power pointed out. For years, USAID, UKAID, the Eurasia Foundation and other international partners have encouraged strong institutions and Ukraine’s vibrant civil society to withstand these attacks. Minister Fedorov stressed that effective digital governance is, in effect, a weapon to help Ukrainians counter Russian attempts to beat them into submission by destroying the country’s physical, political, economic and physical infrastructure.

After the full-scale invasion, Diia app developers adapted the app to the wartime needs of soldiers and citizens and to facilitate the constant rebuilding work that local residents and public utilities are doing after every Russian missile strike on Ukrainian communities. These tools and services included the following:

● A temporary digital document for evacuees that they can show police and territorial defense forces at checkpoints, which helped to prevent unnecessary panic, according to Minister Fedorov. He said that some 17.6 million people have this document.

● A change of address tool for internally displaced persons.

● Tools facilitating the distribution of payments for evacuees (6500 UAH), with Diia’s biometric scanning system allowing for secure identification of recipients.

● An E-mortgage tool allows the husband at the front and the wife at home to co-sign—this has benefited 947 families so far.

● Grant programs and relocation help for sole proprietors hit hard by wartime destruction and displacement.

● E-recovery, an easy way to report damage from missile strikes. 10,000 people have received funds to repair damaged buildings.

Diia.radio and Diia.tv kept the population informed during TV blackouts. Diia.radio had 10,000 users every day. On Diia.tv, 1 million users watched the Eurovision song competition, and 1.2 million watched the FIFA world cup final, Fedorov said, not specifying what year he had in mind. The Diia education service received support from Google, which also supplied Chromebooks for teachers amid disruptions in schooling.

The Diia app also had tools that more directly supported the war effort:

● E-enemy (E-vorog), allowing users to inform on enemy movements and share the names of collaborators. Some 500,000 people used the e-enemy chatbot, Fedorov said.

● 954,000 war bonds purchased, named after occupied cities

● Army of drones, an in-app game that collects donations for the war effort, had 100k users, Fedorov said.

Resilience Against Cyber Attacks Continually Tested

Fedorov acknowledged that Ukrainian citizens need to feel their information is safe before sharing their personal information through the app. Currently about half of the Ukrainian population uses it. Fedorov said the Diia app is extremely secure. The developers conduct “red team” exercises to test for any vulnerabilities. The Diia system itself does not store users’ information; rather it connects to the servers of the other Ukrainian government ministries and services.

Ambassador Power added that USAID has been working with the Ukrainian government since 2014 on cyber protections for electricity infrastructure, government bank accounts and other critical services. She noted that Ukraine’s resilience against some 2000 cyber attacks in 2022 is remarkable and deserves more credit. “This is the dog that has not barked in this phase of the war. We should be hearing [this] every day, given how much Russia is investing” in bringing down Ukrainian systems, she said. Every day a temporary outage occurs in Ukrainian telecommunications systems, and every day Ukrainian technicians restore the systems, she pointed out, adding, “Cybersecurity is not an afterthought.”

Russian hackers have long used Ukraine as a testing ground for cyber attacks, forcing Ukraine to become a proving ground for cyber resilience. For example, attacks on the 2014 Ukrainian elections presaged Russian attacks on the 2016 US presidential elections. In 2015 and again in 2016, Russian military hackers used a variety of sophisticated tools to breach Ukrainian electricity distribution networks and numerous other Ukrainian government services

In particular, Russian hackers have sought to exploit Ukrainian e-government tools in wide-ranging attacks on the country. In 2017 Russian military hackers introduced the Petya.A pseudo-ransomware campaign (widely known as NotPetya) through the MEDoc document exchange app that is almost universally used in Ukraine. The malware quickly overflowed Ukraine’s borders, causing some $10 billion in damage worldwide. MEDoc’s web host WNET allegedly allowed Ukrainian web traffic to flow through Russian-occupied Crimea, where Russian intelligence services could access it (https://ain[.]ua/ru/2017/06/01/sbu-provodit-obysk-u-provajdera/). USAID has been working since 2016 to help Ukraine safeguard its cyber supply chain, including the types of products and services that MEDoc represents.

Diia itself suffered setbacks. Weeks before the full-scale invasion of February 2022, Diia systems were among some 70 Ukrainian government sites affected by a Russian military cyber campaign called Whispergate, which combined data exfiltration, data wiping, and website defacement. Diia briefly closed down its services to prevent the spread of the attack. The threat actors likely used stolen access credentials and may have breached the systems even before the January 14 data-wiping and defacements.

On January 14, within hours of that attack, and again in the following weeks, dark web users “Vaticano” and then “FreeCivilian” posted samples of personal information purporting to come from the my.diia.gov.ua website, with some information dated as recently as December 2021, and offered to sell information on millions of Ukrainians as well as data from 48 Ukrainian government domains. By early February FreeCivilian was asking $125,000 for the 765-gigabit database of information it claimed to have stolen from diia.gov[.]ua. By February 10, FreeCivilian’s site said it had sold the 765 GB trove. The leak also reportedly included non-public information of the Diia state company and files containing code for the Diia app’s structure. The Ukrainian Digital Ministry insisted that Diia itself does not store user information but merely channels it to other Ukrainian state agencies and claimed that the leaked data was recycled from years before. A Ukrainian expert who examined the materials agreed that Diia does not store user data but said the files were more recent than Diia claimed. He hypothesized that, if the hackers had indeed breached Diia’s own server well before January 14 2022, they could “do whatever they wanted,” implying that the Russian hackers could have observed and recorded traffic going through the Diia site to other Ukrainian agency sites. As for the code of the Diia portal itself, the hackers may have stolen it from a contractor who helped Diia develop it. The expert concluded that the Digital Ministry’s less-than-completely-accurate claims only bolstered the effect of this likely Russian information operation to undermine citizens’ trust in their government.

A year later, on 23 February 2023, just before the first anniversary of the Russian full-scale invasion, an account calling itself“Free Civilian” posted on the Telegram app more files purporting to come from Diia. This time, evidence suggests the purported leaks are fake, according to Forbes. The Digital Ministry reiterated that Diia does not store information itself but only connects to the databases of other agencies.

Even if Diia itself is completely secure, Ukrainians’ data is only as secure as that of the least secure ministry they access through Diia. As for the registry data that was moved to cloud storage before Russian missiles destroyed the physical data center, it also faces the same risks and threats that any cloud storage system faces, requiring continued vigilance.

Nevertheless, as mentioned above, Ukraine has been remarkably resilient to the thousands of cyber attacks that Russian hackers have attempted since the full-scale invasion.

Transformation: Building a New, Non-Corrupt Ukraine

Minister Fedorov said he prefers not to talk about Ukraine’s “rebuilding” from the war but rather about its “transformation” into a non-corrupt, modern, effective state. One key transformation for Ukraine is from being a country that mainly sold resources for export, to being a country making products for others. He pointed to Diia as one of Ukraine’s attractive high-tech products. Ukraine also has “hundreds of companies making advanced drones that the whole world will buy,” Fedorov said. He said the country’s task, with help from international aid, “is to build our own institutions so in the future they will be able to work effectively and deliver. We want our partners to understand that we want to add value and work effectively; this will be a win-win situation.”

Vladimir Putin’s government has long sought to weaponize gas, trade, investments, corruption, and information operations to gain influence over decision-making in target countries. Russian pressure and local corruption likely contributed, for example, to the fact that Kyrgyzstan, once a raucous if deeply corrupt Central Asian democracy, now rates as an authoritarian regime, maneuvering between Russian and Chinese patrons.

Pamela Spratlen, former US ambassador to Uzbekistan and Kyrgyzstan, is familiar with former Soviet countries’ struggles with a legacy of corruption. She now leads the Eurasia Foundation (EF), a nonprofit international development organization that has worked for decades to strengthen civil society and good governance, including helping post-Soviet societies fight the legacy of corruption. She told the “Diia in DC” audience that since 2016 the EF has implemented the USAID/UKAID-funded Transparency And Accountability in Public Administration (TAPAS) e-governance program in Ukraine. TAPAS’ digital products include e-services hosted on Diia. EF and USAID have also supported the development of tools such as the Prozorro system for transparency in government procurement contracts, and the registry of beneficial owners of companies.

Fedorov listed efforts his ministry is making to reduce opportunities for corruption through practices such as standardized processes; transparent records of fines, fees, payments; and the automatic entry and verification of information into registries without human intervention.

Fedorov noted that one of Ukraine’s most corrupt sectors has been construction. Diia seeks to introduce transparency into project development with a new registry of construction activities and online construction services. The system allows cross-verification of construction permit applications and logs new actions.

Asked about evidence of continued corruption in Ukraine, such as the mid-May arrest of a Ukrainian Supreme Court chief justice and other judges with over a million dollars in bribe money, Fedorov pointed out that his ministry had not begun working on the courts. “The sphere where we did apply our effort—construction—has no cases of corruption.”

Samantha Power added that the US Congress would not have given billions of dollars to Ukraine if not for Diia, because that app’s digital trail ensures that the money goes to needy Ukrainian teachers, health workers and others as intended. Ambassador Power hailed a changing culture in Ukraine, noting that citizens are coming to “believe they are entitled to hold government accountable.” Similarly, speakers at the February 2023 conference “Rebuilding Ukraine, Rebuilding the World” spoke of a “quiet revolution” in Ukrainian attitudes, in which citizens have begun “feeling ownership of state, not to feel distant from the state” (https://www.youtube[.]com/watch?v=3aNkXsXj2dM) and no longer see the state as a hostile power (https://www.youtube[.]com/watch?v=q_Sb9JIhxXk). Researchers from Ukraine have noted that decentralization reforms from 2015 appear to have contributed to Ukrainians’ vibrant civil society (https://www.youtube[.]com/watch?v=FHJbbdTZoMI) and increasing trust in government.

Ingenuity for Export

“Grain and brain” is a phrase Oksana Makarova, now Ukrainian ambassador to the US, coined to describe Ukraine’s products for export. Traditionally a global breadbasket, Ukraine has struggled to export grain amid a Russian blockade. But Ukrainians for years have also been a major power in the brains department. Ukraine has long had a well-developed education system in math and computer-related sciences, a legacy of the Soviet era, and since independence has developed a flourishing export trade in IT products and services. According to Ambassador Power, USAID has invested since 2014 in the tech industry. Last year, Ukraine’s tech sector saw its biggest increase in export of services. On the illegal side, Ukrainian hackers used to work together with Russian hackers in sophisticated cybercrime rings, now somewhat disrupted by the war.

As the “Diia in DC” speakers explained, Ukraine’s Digital Ministry plans to make Diia code open-source and has already begun to help other countries adopt it. Estonia—which for decades has itself been the leading country for e-government—has adopted elements of Diia. Ambassador Power noted that USAID will work with Colombia, Kosovo, and Zambia to explore collaboration on improving current systems and building new digital services.

Speakers noted that exporting Ukraine’s ingenuity could help make other governments less corrupt. While Putin seeks to win the information war in Global South, the Diia presentation highlighted Ukraine’s effort to market to such countries its own attractive counter-example of a democratic, dynamic, crowd-sourced, non-corrupt economy and model for governance.

Ukraine as Israel?

President Zelensky has said he wants to turn Ukraine into a “big Israel” in the sense of having the military toughness to withstand constant threats from hostile neighbors. Even Zelensky’s constant wearing of khaki bolsters this tough image. Zelensky has said that, like Israel, Ukraine would be a democracy but not “absolutely liberal” like Europe. Both countries also share a reputation of IT savvy, prompting references to Ukraine as a “start-up nation” like Israel. In the words of an editorial in The National Interest, Zelensky cultivates this image of Ukraine as similar to Israel: “A symbol of democratic values in a hostile region, with its educated population and an advanced economy, that could turn into another start-up nation, with a large and powerful diaspora, all translated into American congressional and public support.” In another parallel, some commentators have suggested that NATO’s ongoing support for Ukraine should resemble the “porcupine strategy” of deterring Russian aggression by arming Ukraine heavily in the long term even without accepting it into NATO, an approach they have taken with Israel.

PR Savvy : Dominating the Information Space

Like Israeli president Benjamin Netanyahu, President Zelensky has been “an effective global marketing operator... telegenic and charismatic, …and familiar with the cultural codes of the Western elites’ political Zeitgeist,” in the words of the National Interest.

Zelensky’s effective PR has ensured the constant flow of western support without which Ukraine might already have lost the war. Control of the information space – getting one’s message across and preventing the adversary from undermining your population with his own message--- has been recognized as key to the war effort for both Russia and Ukraine. Ukraine’s success in this area over Russia has been striking. Ukrainian memes and imagery—from tough soldiers nurturing cute kittens, to the Ukrainians defiantly shouting “Russian ship, go f**k yourself!” to the rallying cry “Bakhmut holds!” – have helped create an image of Ukrainian courage, humanity and love of freedom.

The ”Diia in DC”presentation also showed Ukraine’s skillful efforts at spreading its message to supporters and doubters, amid fears that the world will tire of supporting Ukraine to the end of its grinding war with Russia. (For more on this, see “Stymied in Ukraine, Putin’s Government Resorts to Covert Sabotage and Panic-Mongering in the West).

The setting in the ornate theater, the pounding music, and the attractive and fast-paced videos and well-choreographed presentations lent an air of competence, modernity, and effectiveness. Multiple scenes showing President Zelensky’s involvement in and support for this transformative app also capitalized on Zelensky’s own reputation as a global hero and the public face of Ukraine (Zelensky comes up for reelection in March 2024). The symbolism continued in the name of the fictitious sample person in the promotional videos; she is named “Diia, Nadiya Volodymyrovna.” Her first name is Ukrainian for “hope,” and the patronymic (middle name based on father’s name) is based on Volodymyr, a very common name that happens to be Zelensky’s first name.

The messaging of the “Diia in DC” event aligns with Ukrainian President Zelensky’s indefatigable efforts to argue Ukraine’s case. In one week of May, he visited European leaders, attended the Arab League summit, and flew to Japan for the summit of the G-7 group of countries, where he gained promises of additional military support and personally appealed to wavering leaders like Indian President Narendra Modi. Fresh from circumnavigating the globe, by May 23 Zelensky was back in Ukraine, at the front lines, greeting Ukrainian marines on their national holiday. President Zelensky’s constant travel and very public messaging, domestically and internationally, has kept Ukraine’s struggle in the forefront of people’s minds.

Ukraine has skillfully controlled the information space ever since before the full-scale Russian invasion, seeking to demoralize and blind the adversary, to bolster the morale of its own citizens, and to maximize support from allies. Ukrainian cyber authorities mustered the IT Army of Ukraine, a group of volunteers, to harass and steal information from Russian entities. Domestically and in international reporting, the Ukrainian government imposed a unified message by taking over oligarch-controlled media, imposing some restrictions on journalists, and bringing together top broadcasters in the so-called United TV Marathon. The TV Marathon has drawn criticism for being too close to the Ukrainian government. On the other hand, as Ukrainian journalist Olga Tokariuk stresses, Ukraine’s media landscape remains “diverse and vibrant,” with room for debate.

The “Diia in DC” event does not appear to have been intended to convince Americans to adopt the app for the United States, as many US citizens fear excessive government involvement in their private lives. Event moderator Kara Swisher said wryly, “It would be so nice to have an app like theirs in the US but we don’t. Good for them.” Rather, it appeared intended to attract donors, investors and entrepreneurs to help Ukraine develop similar innovative projects. Mykhailo Fedorov instead explained, “What is in it for you? Each of you is a social investor in our future victory, an investor in the change taking place in our country. Ukraine is now the best testing ground for technologies. Start working with us. We will get valuable joint experience.”

A Ukrainian acquaintance of Team Natto writes: "I was skeptical about Diia at the very beginning, questioning the security of sensitive documents like my passport and taxpayer number. When I received feedback on Diia from friends and it proved to be secure, I installed the app and never regretted that. [It has a] user-friendly interface, wide range of options, safety and reliability. Just imagine having 24/7 access to your ID, international passport, drivers license, vaccination certificates etc on your phone... the Ministry of Digital Transformation keeps improving the functionality of the app. I enjoy my experience with Diia and I feel proud of this product. I hope Ukraine will become an example and a trendsetter in terms of government digitalization."

What Could Go Wrong?

This miracle app, and more generally Ukraine’s efforts to withstand Russian attacks and transform itself into a corruption-free state, face many challenges. A few specific ones include:

● Continuously evolving tactics of cyber threat actors, including threats to data stored in the cloud. A new CosmicEnergy malware, targeting electric grids, bears similarities to Crashoverride (Industroyer) malware that Russian military hackers used as part of a campaign to bring down numerous Ukrainian government services for weeks in December 2016. Russian military hackers could step up attacks amid Ukraine’s expected counter-attack and in the months preceding Ukraine’s presidential election of March 2024.

● The Diia app’s feature allowing citizens to identify Russian collaborators could be used to settle personal scores.

● Questions also arise about the possibilities that unscrupulous Ukrainian government officials or agencies could use the app for surveillance, violating citizens’ privacy. Fedorov responded that his ministry plans to put in a tool that alerts the user whenever someone checks their files. Furthermore, the facial signature is necessary to access services, so even if someone steals or confiscates a user’s phone, they can’t use the app.

● Finally, President Zelensky is up for reelection in March 2024. If a more pro-Russian, corrupt or authoritarian leader comes to power, that person could attempt to reverse the progress Ukraine has made against corruption and could abuse tools like Diia for surveillance. As of May 2023, this seems unlikely. However, as NattoThoughts has described elsewhere, Putin’s government will likely continue its efforts to undermine the Zelensky administration and international support for Ukraine. The outcome of elections in Russia, the United States, and other countries could also affect Ukraine.

In the coming months, Natto Thoughts will continue to write about Ukraine’s efforts at rebuilding and overcoming the legacy of corruption.

Meanwhile, regardless of the challenges facing developers and users of Ukraine’s miracle app, any app has vulnerabilities, particularly if it is developed in a country with a history of espionage or surveillance. All users should remember common-sense rules of cyber hygiene. For example:

● Do not reuse passwords between different accounts. Ideally, change passwords regularly.

● Use a service like https://haveibeenpwned.com/ to see whether your email address or phone number has appeared for sale on an underground database. If so, particularly if a password has also been breached, change that password.

● Do research on apps before downloading them. Check to see what country their developers are in. For more on Chinese-owned apps such as Temu, see this recent NattoThoughts post: