Cybersecurity capacities of South-East Europe
Cyber defense is a critical part of the development of any country. A reliable cyber capacity is essential for the South-East European region to progress in the economic, political and social fields. Many countries on a global scale have already adopted national cyber security strategies and the related legislation.
Statistics show that a growing number of countries have constituted national mechanisms to counter cyber-incidents, engaging their governments as well as the corporate, academic, and NGO sectors. The SEE region, with the increasing digitalization of the service, the commercial and the industrial sector, is also endangered by cyber risks.
This is why it is of greatest importance for all SEE countries to create and maintain a legislative and strategic framework and institutions that are viable enough to be able to implement this framework.
A report by the Geneva Centre for Democratic Control of Armed Forces (DCAF) and DiploFoundation (Diplo), resuming the results of the project “Cybersecurity Capacity Building and Research Programme for South-Eastern Europe”, shows that all Western Balkan (WB) countries are formally aligned with the core international mechanisms in the field of cyber security such as the Budapest Convention, although some countries still need to work on transposing them into domestic legislation. There is particular progress with the legal framework for
fighting cyber crime in all the WB countries
yet the effective implementation of these mechanisms still remains a challenge, the report claims. According to the project conclusions, the cooperation with the private sector on cyber security matters remains at an early stage of development throughout the region.
Few countries, such as Albania and Montenegro, have developed strategic documents on cyber security which consider institutional cooperation with civil society and the private sector in the future. DCAF and Diplo came to the conclusion that there is an ongoing process of cyber security capacity building on educational level in the Balkan region, especially in Montenegro and Bosnia and Herzegovina, which host academic postgraduate programmes.
Taking the Balkan vision toward cyber defense and security into account, several countries are much further progressing, such as Slovenia, Croatia, Albania, Montenegro and Bosnia and Herzegovina, in contrast to the more slowly progressing Macedonia, Serbia and etc. However, multiple researches in the field show that the region has accepted the importance of cyber defense and are taking the necessary actions to fight cyber crime.
Such actions include achieving legal framework compliance with the international perspectives, establishing national bodies to react to incidents occurred in cyberspace, as well as establishing national cyber security strategies. Below we summarize some of the results by country of the cyber security capacity building research conducted by DCAF/Diplo.
As the only EU member state in the region, Croatia was obliged to complete the institutional and legal framework in the cyber security area during its accession process. For this reason, it has fully enacted all the necessary laws and regulations and made them compatible with the EU regulation.
To this end, Croatia adopted its Law on Information Security in 2007, which stipulated the creation of a national CERT (n-CERT), the so-called CARNet. Its main task is the processing of incidents on the Internet, i.e. preservation of information security in Croatia. In addition, there is also a government CERT called ZSIS-CERT, situated in the Information Systems Security Bureau (ISBB).
The ISBB is the central state authority responsible for technical areas of information security of the Republic of Croatia state bodies, which includes: creating standards of information security, security accreditation of information security, managing crypto material used in the exchange of classified information, and coordination of prevention and response to computer threats to information system security.
Other legal documents completing the Croatian CS framework are the Security and Intelligence Systems Act of the Republic of Croatia (2006), the Data Secrecy Act (2007), Regulation on Information Security Measures (2007) and Act on Critical Infrastructures (2013). All these show a well-rounded legal and operational environment.
The National Cyber Security Strategy of the Republic of Croatia and the Action Plan for its implementation were adopted in October 2015. This overarching strategy is the most comprehensive and systematic strategic document related to cyber security in the Western Balkans. The strategy aims to “…achieve a balanced and coordinated response of various institutions representing all the sectors of society to the security threats in modern-day cyberspace.
The Strategy recognizes the values that need to be protected, the competent institutions and measures for systematic implementation of such protection”. It clearly stipulates the need for the creation of strategic documents related to cyber-defense and cyber crime respectively. On an institutional level, the Strategy assumes the creation of the National Cyber Security Council, which will have large competencies in monitoring and coordination of the implementation of the Strategy, its possible changes, and in proposing the organization of national exercises.
However, its work is not constrained to monitoring the implementation of the Strategy – it has the authority to address issues essential for cyber security management and, among other things, to issue periodic assessments of the state of security and define the cyber crisis action plan. On the technical level, the Council will be supported by the Operational and Technical Cyber Security Coordination Group, and more importantly, it is tasked to submit reports directly to the Government.
Finally, although the Strategy stipulates the need for strong public-private partnerships, there is no evidence of such for the time being in Croatia. At the same time, some forms of professional education and capacity building are conducted by the ISBB, the national CERT and the university Center for Information Security.
Albania’s road towards safer and more resilient cyberspace has begun with the National Cross-cutting Strategy on Information Security (2008-2013). The document briefly mentioned cyber security as one of the areas to be considered as a priority. The Strategy also envisaged the creation of the National Agency for Cyber Security (ALCIRT) as the national institution for response to cyber-incidents.
ALCIRT, placed under the Prime Minister’s authority, was created in 2011 with the support of the USAID’s Albanian Cyber Security Program, involving training workshops provided to the government and non-government sector by the Carnegie Mellon University’s Software Engineering Institute (SEI) towards building skills to resist operational threats and develop processes for managing cyber security incidents.
ALCIRT is also in charge of participating in preparing the national cyber security strategy, drafting relevant legislation, cooperating with all relevant institutions, international organizations, CSOs and the private sector and organizing awareness campaigns, trainings and education materials on ICT).
Nevertheless, with only six employees (the director and five experts), it has very limited human and infrastructure capacities and was not able to perform well both on responding to cyber-incidents and on wider activities such as education and initiating sustainable public-private partnership networks. In 2014, ALCIRT took the initiative and led the interagency group for drafting the National Policy Paper on Cybersecurity for the period 2015-2017.
The document was recently adopted and is aimed to assess the current situation and trends in relation to cybersecurity in the country. However, a national cyber security strategy still does not exist, although Working Group for the drafting of the strategy is created. Also, the first draft of the CS law exists and is currently under scrutiny by the main stakeholders in this area. It should be adopted by the end of 2016.
As opposed to other countries of the region, cyber security and cyber-defense is high on the agenda of Albania’s defense-related institutions. In this regard, Albania’s National Security Strategy (2014-2020) classifies cyber-attacks as a type one (highest importance) risk.
As a member of NATO, Albania signed the MoU with the NATO Cyber Incident Response Centre (NCIRC) on enhancing cyber defense in 2013 and is currently negotiating the signing of the new version of this MoU. This version is based on the cyber defense document “NATO Enhanced Cyber Defense Policy”, endorsed by all NATO countries at the Wells summit in 2014.
Moreover, Albania took part in the annual Cyber Coalition exercise, NATO’s largest cyber exercise, as an observer country twice, and will become an active participant as of November 2016. Albania also actively participates in NATO’s cyber security related projects. At the same time, Albania is formally implementing the initial set of OSCE “Confidence Building Measures” for cyberspace as of 2014, and has agreed in principle to further continue the process at hand with the approval of the second set of CBMs.
Montenegro has advanced fast in the cyber security area since 2010 when the umbrella piece of legislation – Law on Information Security - was adopted, along with the Regulation on Information Security Measures.
A national Cyber Security Strategy for Montenegro for the period 2013-2017 was adopted in October 2013. Action plan for Strategy implementation for the period 2013-2015 is part of the Strategy as an Annex, though there was no Action plan for the period 2015-2017 at the time of publishing this report.
In terms of an institutional framework, the first task envisaged by the Action plan was the establishment of the National council for cyber security/information security. This has not happened to date, although it was again in line with the amendments of the Law on Information Security, adopted in January 2015.
Once operational, the Council is supposed to be the key institution related to cyber security issues. The Council will also be in charge of creating procedures for the regular exchange of information between state authorities and key institutions from the private sector, i.e. internet providers, agents for .me domain, banking sector, electric power companies and companies that host e-services in Montenegro.
The national CIRT of Montenegro became operational in 2012, with the assistance of the ITU-IMPACT programme. The n-CIRT is positioned in the Ministry of Information Society and Telecommunications and performs regular CIRT duties. The national CIRT is also very active in promoting the culture of being safe in cyberspace.
In 2015, it developed the document titled “Guidelines for Security and Protection of Information in Cyberspace”. In cooperation with the ITU, CIRT.me organized a cyber drill in September 2015 for CIRT/CERTs from Europe. The drill was attended by more than 50 participants from Montenegro and other countries. In addition, CIRT.me actively participates in the overarching TEMPUS project related to cyber security education in Montenegro.
In October 2014 the Government of Montenegro adopted the Methodology of identifying Critical Information Infrastructure (CII) and the Action plan for its implementation. This document was prepared and published despite the lack of a Law on critical infrastructure of Montenegro, and due to the importance of making additional progress in this area.
This is the only national document related to CII in the Western Balkans. Moreover, in 2015, the Ministry for Information Society and Telecommunications developed the methodology for assessing the cyber security capacity maturity model.
This methodology was drafted with the financial assistance of the World Bank and in cooperation with the Oxford University Global Cybersecurity Centre’s existing Cybersecurity Capacity Maturity Model. Montenegro has an official university master-level program on cyber security policy, developed and delivered by the DonjaGorica University in Podgorica, which gives a unique mix of technical and policy-based knowledge on a variety of cyber security issues. The DonjaGorica University is also a partner in the above mentioned EU-funded TEMPUS project.
Bosnia and Herzegovina
Bosnia and Herzegovina (BIH) has not adequately progressed in the cyber security field, nor has it harmonized its legislation accordingly and still lacks a comprehensive overall strategic approach to address the issue of cyber crime and cyber security threats.
Namely, just as it is the case with the security management structure in Bosnia and Herzegovina, the legislation in the country reflects the complex and decentralized organization of the country. The existing legislation on the state level that may be related to cyber security only scarcely and partially addresses relevant issues, and has not fully implemented the provisions of the international framework it adheres to, such as the Convention on Cybercrime.
BIH does not have a state-level law on information security. Instead, its entity, Republika Srpska, has adopted the Law on Information Security. Also, the only document on the state level that directly tackles cyber security issues is the Strategy for Establishment of a CERT in Bosnia and Herzegovina. However, although this Strategy was adopted in 2011, and the Working Group (WG) envisaged the BIH-CERT to be created, it still does not exist and the Action Plan drafted by the WG is still pending adoption due to political reasons.
On the other hand, the Department for Information Security within the Agency for Information Society of the Republika Srpska became operational in June 2015. This unit is tasked to coordinate prevention of and protection from computer security incidents and to supervise implementation of standards and measures of information security, but only in Republika Srpska. It cooperates closely with relevant departments of the Ministry of Interior of Republika Srpska, especially its High-Tech Crime Prevention Unit.
As for the possibilities in education, BIH hosts the South-East Europe Cyber Security Centre (SEECSC) – a research and development unit at the American University in Bosnia and Herzegovina. The university offers cyber security education (both on a professional and academic level – through MA and PhD courses) and cooperates with security, intelligence and defense institutions in BIH.
Serbia’s legal and institutional framework in the area of cyber security is based on the Law on Information Security, which was adopted at the beginning of 2016. Important bylaws (on protection measures, on the list of operators performing activities of public interest including critical infrastructure, on reporting incidents) are being drafted, though mainly within the government circles and without broader consultations.
The Law stipulates that the operators of ICT systems of special importance (some of which will be listed as critical information infrastructure) have to adopt an act on ICT system security with dedicated protection measures, supervision of their ICT systems and persons responsible to perform these tasks. Furthermore, the Law envisaged the creation of the Body for the Coordination of Information Security, with the option of establishing expert working sub-groups that could include representatives of other public bodies, industry, the academic community and civil society.
The necessity to establish a proper cyber security related system has been recognized at the strategic level, in the Strategy for Development of Information Society in the Republic of Serbia until 2020 which puts information security as one of its six priority areas.
As a follow-up, the Working Group for developing the national strategy on cyber security has been established in 2016 and has held its first sessions; the strategy is expected to be adopted by the in the first quarter of 2017. However, a critical information infrastructure has not been defined yet, and cyber security standards are not yet approved.
The Law mandated the creation of the n-CERT in the regulatory agency for electronic communications and postal services (RATEL). While formally established, it is in the development phase and currently lacks technical capabilities and resources; with proper capacity building, it was expected to become operational in 2017.
At the same time, several other CERTs exist or are in formation: the academic CERT is part of the Academic Network (AMRES) and protects the network of education, scientific and research institutions; the Ministry of Interior has established its own CERT to protect sensitive citizens’ databases and the system that operates the databases; the national Internet domain registry RNIDS is setting up the CERT for national domains .rs and .srb, while the civil sector is working on establishing an independent CERT to help responding to attacks against the media. At the moment, however, there is no interaction among these.
Similar to other countries in the region, the legal mechanisms to fight cyber crime are in place. The Criminal Code provides norms on criminal offences in accordance with legal frameworks of theCoE and the EU. The Criminal Code does not regulate cyber terrorism as an offence, although cyber terrorism can be prosecuted on the basis of existing offences on terrorism and computer data. With regard to an institutional framework, a High-Tech Crime Unit within the special prosecutor’s office has been established.
Moreover three specialized units - for crime analysis; terrorism and extremism; and drug prevention, addiction and repression have been established within the MoI. All these units are in need of further staffing, and specialized training and adequate budgetary resources are needed. The level of inter-agency cooperation, information flow and exchange between law enforcement agencies needs to be further improved.
However, internal cooperation between the police and the special prosecutor’s office for cyber crime is improving. There is no proper multidisciplinary cyber security education on the policy level. General awareness-raising about online safety, especially among the youth, is tackled through the campaign “Smart and Safe” driven by the Ministry of Trade, Tourism and Telecommunications, but its scope is limited.
Republic of Macedonia
Macedonia does not have an overarching law dealing exclusively with cyber security. Instead, a number of legal documents touch upon some cyber security related issues – the Law on Personal Data, the Law on Electronic Commerce, the Law on Electronic communications, the Law on Interception of Communications, the Law on free Access to public Information, the Law on Data in an Electronic Form and Electronic Signature.
In addition, the amendments to the Law on Criminal Procedure adopted in 2013 specifically tackle cyber crime and crimes committed with the use of computers, as well as the collection of digital evidence by the law enforcement authorities. Although some international organizations facilitated discussions during the preparation of the National Cybersecurity Strategy (for example, the UNDP commissioned an Assessment Study for the Requirements for Preparation of a National Cyber Security Strategy), the national Strategy is still in the drafting process.
The national academic and research network MARnet, created in 2010, took over the capabilities and duties of the academic CERT, which was previously situated in the Ss. Cyril and Methodius University in Skopje.
However, with an impetus acquired through implementation of the EU-funded cyber security pilot project under the EU ENCYSEC, a national MKD-CERT was formed in 2015 as part of the Agency for Electronic Communication (AEC), performing regular CERT functions. In terms of institutional capacities to deal with cyber crime issues, the Cybercrime Unit located within the Department for Suppression of Organized and Serious Crime and the Forensic Department of the Ministry of Interior merged into a single Cybercrime and Digital Forensic Department, thus forming a more efficient and effective investigative unit.
According to the report, there is progress in formally establishing the legal and operational frameworks in most of the countries of the Western Balkans, except for BIH and Macedonia which are lagging behind. They are all making efforts to meet the criteria for EU membership, and are being assessed regularly through the EU country reports. Since all the countries are on the EU track, there is a formal follow-up on implementing the EU requirements as well, both on a policy and on an operational level.
There are significant differences and important similarities in the development of cyber security policy across the Western Balkan region. In most countries, specific legislation on information security seems to be in place. It is remarkable however, that Montenegro had already passed such a law in 2010, whereas in Serbia for instance, it was not adopted until early 2016. Bosnia and Herzegovina on the other hand has not yet managed to develop any significant state-level legislation on cyber security.
More progress seems to have been achieved with cyber security strategies and comprehensive risk assessments. Again, Montenegro has led the trend, whereas Serbia has yet to finalize a strategy and Bosnia and Herzegovina has not even started working on one. Still, Western Balkan countries seem to be slow in implementing strategies.
Whereas progress is seen in some countries in making law enforcement activities in the field of cyber crime more efficient, staff at the CERTs and in LEAs generally still lack resources and capacities. Hardly any serious educational policies have been undertaken in any of the countries in the region. Very little to no outreach to the private sector has happened and no significant public-private partnership with private sector actors have been set up.
(“Cybersecurity Capacity Building and Research
Programme for South-Eastern Europe”)
LATEST issue 4/2018