CYBERSECURITY IN THE WESTERN BALKANS: POLICY GAPS AND COOPERATION OPPORTUNITIES
Executive summary
DiploFoundation in partnership with DCAF October 2016
IMPRESSUM
Cybersecurity in the Western Balkans: Policy Gaps and Cooperation Opportunities
Published by DiploFoundation (2016)
E-mail: diplo@diplomacy.edu
Website: http://www.diplomacy.edu
Researchers: Adriana Minović, Adel Abusara, Eranda Begaj, Vladimir Erceg, Predrag Tasevski, Vladimir Radunović and Franziska Klopfer
Publication: Adel Abusara and Vladimir Radunović
Editing: Jelena Dinčić
Illustrations: Vladimir Veljašević
Layout and design: Viktor Mijatović
Research commissioned and funded by the Swiss Federal Department of Foreign Affairs (FDFA)
Conducted in partnership with the Geneva Centre for Democratic Control of Armed Forces (DCAF)
Except where otherwise noted, this work is licensed under http://creativecommons.org/licences/by-nc-nd/3.0/
Executive summary
As cyberspace becomes an essential component of modern society, it brings new challenges to countries, which are still bound by the borders of their national sovereignty. The very logic of cyberspace disregards these borders – a myriad of cybersecurity-related issues have to be addressed through cross-stakeholder, regional and international cooperation. Countries of the Western Balkans are generally lagging behind in introducing and implementing national cybersecurity legislation and strategic frameworks, and setting up national mechanisms for response to cyber-incidents. The importance of including all actors (the government, corporate, academic and civil society sectors) in cybersecurity-related endeavours is not yet well understood throughout the region. Political awareness of the problem is weak, thus preventing strengthening of the institutional capacities to recognise the risks and act upon them on a national as well as a regional level, which in turn also inhibits regional cooperation.
The research report, Cybersecurity in the Western Balkans: Policy gaps and cooperation opportunities, aims to analyse policy-related gaps and map the existing institutional frameworks in the Western Balkans, in order to enhance regional cooperation and stimulate efficient investments in the region. The report offers a number of recommendations for the possible next steps towards improving the state of play in Western Balkans countries and a more systematic regional approach by international organisations.
The research report was drafted under the project “Cybersecurity Capacity Building and Research Programme for South-Eastern Europe”, implemented by DiploFoundation in cooperation with the Geneva Centre for Democratic Control of the Armed Forces (DCAF), and the support of the Swiss Federal Department of Foreign Affairs (FDFA). The research team was selected from among several successful participants of the Cybersecurity Winter School for Western Balkans, held in 2014, one of the activities organised within the framework of the above-mentioned project, accompanied by two experts from Diplo and DCAF. Qualitative research was conducted from February to May 2016.
This illustrated executive summary presents the key findings and main recommendations stemming from the research report. For more information and specific examples on each finding and/or recommendation, a reference to the chapter in the full report can be found next to the icon. The full report is available at: www.diplomacy.edu/cybersecurity
Western Balkans countries have all embarked on the process of rounding up their national cybersecurity frameworks pertaining to legal, policy and educational matters. As the study showcases, this process varies across the region and often lacks the strategic efforts, political awareness and cooperation, efficient operational mechanisms, capacities and resources to cope with the growing likelihood of a cyber-attack taking place. Although legal and strategic frameworks do exist, their implementation remains a challenge.
Some international organisations and donors that have presence and are active in the Western Balkans support the above-mentioned process, without, however, a systematic regional approach. This sometimes leads to overlapping activities, thus duplicating the efforts made, and therefore resulting in non-rational budget spending.
Regional cooperation in cybersecurity in the Western Balkans is under-developed, non-systematic and primarily characterised by an ad-hoc approach. The majority of regional organisations do not have cybersecurity as their primary focus. Some, however, manage to tackle it alongside more pressing, mostly economy-related, issues.
Cybersecurity environment in the Western Balkans
Status on the national level is assessed based on the existence of key cybersecurity/information security elements: a proper cybersecurity-related law, cybercrime law, and a cybersecurity strategy; an established national CERT (n-CERT); substantial public-private partnerships (PPP) and cybersecurity-related education (especially multidisciplinary). In the table, the double line denotes that (at least) the basics are in place, the single line denotes that some early developments are underway, while no line denotes there are no significant developments recorded. [Chapter 4.8]
[Table: rows ALB, BiH, CRO, KOS, MKD, MNE, SRB; columns CS/IS Law, Cybercrime (in) Law, CS/IS Strategy, n-CERT, Substantial PPP, CB/Education]
Problems related to advancing the cybersecurity agenda in Western Balkans countries
Lack of political vision and capacities to comprehend the complexity and importance of cybersecurity.
Lack of policymaking capacity among key institutions in charge of developing, adopting and implementing legal and strategic frameworks.
Lack of operational capacities in state administrations (funds, training, travel, human resources and equipment).
Lack of cooperation between the private and civil sectors and lack of understanding of the importance of this cooperation.
Marginal sustainable capacity-building or educational programmes in cybersecurity policy, or their efficient use by the governments.
Lack of overall cybersecurity culture.
International Organisations in the Western Balkan countries
For international organisations (IOs) that have presence and are active in the Western Balkans, the field of cybersecurity is “policy-in-creation”. They tackle some of the issues related to cybersecurity (in line with the specific organisation’s priorities), frequently resulting in overlapping and duplicating efforts made, thus leading to non-rational budget spending. There is no regional approach to this issue. Instead, IOs deal with it mostly on a country-by-country basis. However, there are multiple funding and support opportunities in the region (though not exclusively for the region). Some programmes even require countries in the region to pair with one another in order to be eligible, thus potentially fostering regional cooperation in cybersecurity. On the other hand, however, Western Balkan countries either lack general awareness of these possibilities or lack the resources to apply for available programmes. [Chapter 5]
Regional cooperation in cybersecurity
Regional cooperation in cybersecurity is under-developed, non-systematic and primarily characterised by an ad-hoc approach. Initiatives are mainly fragmented and have no clear direction or grand vision, and as such, they are predestined to make no real impact, and to die down due to personnel changes and the drying out of available project funds. The majority of existing regional institutions and initiatives in the Western Balkans scarcely tackle cybersecurity, and only alongside more pressing issues, failing to acknowledge this issue as a “Tier 1” level when it comes to its potential impact on security. On the other hand, many of these organisations are not set up to focus directly on actual cooperation in the field, in the sense of developing policy standards, facilitating the exchange of information or other forms of bilateral or regional cooperation in cybersecurity, and are thus incapable of addressing the actual pressing issues in this field. Finally, a number of regional organisations whose portfolio is suitable for dealing with cybersecurity are rather dormant in practice, without any activities and initiatives. When it does arise, regional cybersecurity cooperation mostly occurs between experts and professionals in specific areas. [Chapter 6]
Recommendations
Recommendations for improving the state of play in the Western Balkans countries [Chapter 8.1]
Adopting the remaining legislative and strategic documents and implementing them.
Establishing efficient, well-resourced and bureaucracy-free operational mechanisms for responding to cyber incidents, combating cybercrime, undertaking regular risk and threat assessments, preparing national situational awareness reports etc.
Raising awareness and introducing a strategic vision among high-level decision makers, about the political and socioeconomic importance of digital technologies, especially of cybersecurity.
Increasing institutional capacities of all stakeholders within each country in the region to implement cybersecurity normative and policy frameworks, as well as cooperation across sectors. Increasing operational capacities of law enforcement agencies (LEAs), n-CERTs and gov-CERTs.
Creating multidisciplinary educational programmes, building the capacity of end-users/the general population, developing excellence and expertise in cybersecurity research and increasing overall cybersecurity culture.
Creating strong ties of decision-makers with the private, academic and civil society sectors, through meaningful and operational public-private partnerships and multistakeholder policy shaping. Assisting these actors in jointly applying for funds provided by international organisations and donors.
Recommendations for International Organisations operating in the Western Balkans [Chapter 8.2]
International organisations should use their existing bodies in the Western Balkans to foster cooperation and the exchange of knowledge among stakeholders. This is particularly applicable to the EU, as it has the greatest number of programmes and funds available for the region as well as the strongest political leverage.
IOs should create new cybersecurity programmes and synergies specifically for the region, thus supporting cybersecurity cooperation at the regional level. The EU has only one cybersecurity programme (iPROCEEDS) that encompasses the whole of the Western Balkans. This practice should spill over to cybersecurity issues other than cybercrime.
Country field offices of different IOs should work together on cybersecurity issues. Some field offices (the OSCE Mission to Serbia, the OSCE Mission to Skopje, the UNDP Mission to Albania) have smaller projects where different deficiencies are tackled on a national level. However, a regional approach would increase the outcomes of these projects and allow for better communication and knowledge exchange between similar institutions.
Recommendations for enhancing regional cooperation through existing regional institutions [Chapter 8.3.1]
An exchange of best practices on drafting and implementing regulations, especially at decision-making levels, will help policy makers overcome the inertia that prevents the implementation of the many already drafted policy documents. Good experiences on setting up PPPs also need to be exchanged.
With limited resources available for education, it might be advantageous to enhance academic exchanges and initiate collaborative and sustainable multidisciplinary education programmes in the region.
Given the transnational nature of cybercrime, the need for efficient cooperation between LEAs from the region in joint investigations is obvious. Specific joint training activities might enhance their capacities. Regional organisations with successful footprints in the field of police and judicial cooperation should provide the framework.
It is immensely important to place cybersecurity at the top of the regional political agenda. Such development would boost further activities and enable the drafting of a regional roadmap for cybersecurity, including the coordinated usage of international support mechanisms. There are several organisations that have the potential to be used for this purpose (SEECP, RCC etc.).
Creating a regional cybersecurity centre of excellence
The innovative, yet highly efficient solution for enhancing regional cooperation would be the creation of a new regional knowledge-based institution as a platform for shaping policies, developing technical knowledge and sharing best practices in the region. The so-called Cybersecurity Centre of Excellence would work on several levels:
a) Technical – connecting regional CERTs in a joint effort of sharing information about incidents and defending regional computer networks from attacks.
b) Policy – connecting stakeholders for creating best institutional and legislative solutions for the region, and exchanging best practices.
c) Capacity building – delivering tailor-made cybersecurity policy capacity building programmes as well as advanced technical programmes, targeting various stakeholders.
d) Public-private partnership – initiating a regional form of public-private partnership, such as regional awareness raising campaigns and mechanisms for building cybersecurity competences.
[Chapter 8.3.2]
Authors
Ms Adriana Minović, Digital Watch, the Geneva Internet Platform
Mr Adel Abusara, OSCE Mission to Serbia
Ms Eranda Begaj, National Agency on Information Society, Albania
Mr Vladimir Erceg, Belgrade Centre for Security Policy, Serbia
Mr Predrag Tasevski, University of Donja Gorica / Founder of CyberSecurity.mk
Mr Vladimir Radunović, DiploFoundation
Ms Franziska Klopfer, Geneva Centre for Democratic Control of Armed Forces (DCAF)
About DiploFoundation
DiploFoundation is a leading global capacity development organisation in the field of Internet governance. Diplo was established by the governments of Switzerland and Malta with the goal of providing low cost, effective courses and training programmes in contemporary diplomacy and digital affairs, in particular for developing countries. Its main thematic focuses are on Internet governance (IG), e-diplomacy, e-participation, and cybersecurity. Diplo’s flagship publication ‘An Introduction to Internet governance’ is among the most widely used texts on IG, translated into all the UN languages and several more. Its online and in situ IG courses and training programmes have gathered more than 1500 alumni from 163 countries. Diplo also hosts the Geneva Internet Platform (GIP). Diplo also provides customised courses and training both online and in situ.
DIPLO FOUNDATION
Malta: Anutruf, Ground Floor, Hriereb Str, Msida, MSD 1675, Malta. T. +356 21 333 323, F. +356 21 315 574
Switzerland: Rue de Lausanne 56, CH-1202 Geneva, Switzerland. T. (41) 22 741 0420; F. (41) 22 713 1663
Serbia: Diplo Centar, Branicevska 12a, 11000 Belgrade, Serbia. T. (381) 11 3230 291, F. (381) 11 3063 323
E-mail: ig@diplomacy.edu
www.diplomacy.edu/cybersecurity