A recent look towards Cybersecurity in the Western Balkans: How can we improve the cybersecurity level in the region?
Digitalization and Cybersecurity are some of the hot topics in the Western Balkans (WB). The entire region has officially shown its commitment towards digitalization as a process in 2018 by taking on the Digital Agenda for the WB, directly supported by the European Commission. One of the four pillars of the Digital Agenda for the WB is to increase cybersecurity, trust and digitalisation of (the) industry. The rest of the pillars refer to broadband connectivity; strengthening the digital economy and society (enhancing the digital skills); and boosting research and innovation.
While the WB countries are placing efforts to develop and enhance their e-government plans, they still have to place a lot of attention as well as specific efforts in strengthening the level of cybersecurity. Currently, all the WB countries are focusing towards the development of electronic services, enhancement of digital skills among the public officials as well as the citizens, and most importantly, the advancement of the interoperability platforms of the government institutions. It is inevitably noted that in almost all the countries, cyberattacks have been a direct threat to the security of online services and internal databases, especially in recent years. Before exploring the cyberthreats which have occurred in the region, it is also important to understand the current standpoint of each country in terms of cybersecurity efforts.
The Progress Report of the European Commission for Kosovo regarding 2022 notes that Kosovo has developed “basic capabilities” in terms of cybersecurity. Although there is a positive level of political will in the country to tackle and strengthen the cybersecurity level, it is noted that the country is still facing difficulties and lacks the capacities in order to guarantee a full cyber support. Another issue which is noted by the Progress Report is the lack of performance from the prosecution authorities in regard to the reported cyber crimes in the country. From 37 cybercrime cases which have been reported to the Kosovo authorities in 2021, none of them have been prosecuted nor have been directed to the court level. This might demonstrate the lack of capacities among the prosecution in the country for such cases, or lack of commitment from their side to fully prosecute cybercrime cases.
According to the Progress Report for Serbia (2022), the country has been implementing its Strategy and Action Plan to fight Cybercrime 2019–2023. It is reported that Serbia has been taking serious steps in strengthening the cybersecurity level in the country. According to the cybersecurity assessment conducted by the World Bank in 2020 Serbia is considered to have sufficient capacities to address the noted gaps in improving its state of cybersecurity. As a result of a comprehensive cybersecurity policy, and legal framework, the country was able to establish protection mechanisms — such as the National CERT (more on this will be explored as a following point referring to the country’s situations).
The Progress Report for Montenegro (2022) doesn’t note a measurable progress in terms of cybersecurity from the recent year, however it notes that the country is placing some efforts towards the national capacities for the sector of cybersecurity. Montenegro is reported to have adopted its new Cybersecurity Strategy 2022–2026. During 2022 alone, a few cyber attacks have occurred in the Montenegrin government servers which was seen as very alarming, and many critics claimed that the country’s government needs to strengthen the administrative capacities in the sector of cybersecurity as part of the new strategy.
The Progress Report for North Macedonia (2022) notes that the country should prepare an updated version of its current legislation on cybersecurity and to create a system which tackles cybercrime. The National Cybersecurity Strategy for North Macedonia expired in 2022, so the new strategy is reported to be under preparation. On another note, North Macedonia has been placing efforts and promoting safer internet activities by different sectors, which directly contribute towards an increase of awareness regarding cybersecurity in the public, as well as in the private sector.
According to the Progress Report for Albania (2022), the country has aligned further its law on cybersecurity with the EU Directive on the security of networks and information systems. Although there is a comprehensive legal framework in the country, as well as protective mechanisms to combat cybercrime, the country did suffer from many cyberattacks in the recent years.
For a more comprehensive comparison between the WB countries and their cybersecurity performance the following scores are presented according to the Global Cybersecurity Index (GCI) in 2020:
- Serbia 39 rank (89.8 score)
- North Macedonia 38 rank (89.92 score)
- Albania 80 rank (64.32 score)
- Montenegro 87 rank (52.3 score)
Unfortunately there is no available data from GCI in regard to Kosovo.
When it comes to cyber attacks, this risk does not spare any of the WB countries, regardless of their level of cybersecurity performance and protective mechanisms. Recalling the case of Albania in 2022, many of its government servers were under serious cyberattacks, where as a result of those, many personal data of its citizens were leaked therefore posing a direct threat towards protection of personal data. As the government portal of e-services e-Albania was temporarily dysfunctional from these cyberattacks back in July 2022, similar cyberthreats were noted in Kosovo too. In September 2022 many of the public institutions including Post-Telecommunication authority were targets of cyberthreats. This caused the internal database and the e-mails to be temporarily inaccessible for the internal officials of this authority. Likewise, in Montenegro as well as in North Macedonia cyberattacks targeted different state institutions and their respective portals only in 2022: in North Macedonia as one of the targets of such attacks was the Ministry of Education, whereas in Montenegro the government servers were hit by ransomware attacks. If compared, one can say that more cyberattacks have occurred in one particular WB country than the other (taking into consideration the last year only), however the conclusion remains the same for all the WB countries: each of the countries are vulnerable towards cyber threats.
Among each countries’ plans to fight the surge of cyberattacks, significant efforts taken by the WB countries are worth highlighting at this point:
In 2022, Kosovo adopted a new draft-law regarding cybersecurity through which prevention of cybercrimes remains at its center. This draft law has also paved the way for the creation of a State Agency for Cybersecurity. In line with this, a 24/7 contact point at the Kosovo Police is set to be established to handle the cybersecurity threats in the country. This a positive effort in terms of the legal framework, and a full implementation of the draft-law is expected to be achieved shortly. This is considered to provide better cybersecurity for Kosovo. On another note, the Kosovo government is also currently preparing its e-Government Strategy 2027, which also places a focus on the cybersecurity level. Experts from the field are part of the working group for this strategy. The Strategy is expected to be open for consultations and later expected to be approved during 2023.
It was previously mentioned that Serbia has been taking on protective mechanisms to ensure a good level of cybersecurity in the country, as the GCI score shows. By creating the Regulatory Agency for Electronic Communications and Postal Services better coordination regarding the prevention of the information security risks is enabled. Any noticeable risks can be reported through their website, and the agency further informs and advises the ICT management teams in the country.
Reportedly, in North Macedonia, Montenegro, as well as Albania, amid the cyber threats, a higher focus is shared towards the increase of capacities in the national levels in order to prevent and support the cybersecurity level. Currently, an EU funded project is being implemented by the e-Governance Academy (e-GA) targeting the three countries. The aim of the 1.8 million project is to strengthen cybersecurity governance in these countries through the expert advice towards the country’s cybersecurity legislations, as well as raising the professional capacities towards the Computer Security Incident Response Teams to respond to cyber crises.
Considering the current country efforts, and the cybersecurity concerns in the WB, as a final point of this article, the following recommendations shall be taken into consideration for the future (by all relevant stakeholders):
- Adapt more strict steps as part of the legislative reforms regarding cybersecurity in the country level;
- Establish a responsible national agency/body (if not established) to prevent the cyber crises;
- Provide professional trainings to national officials towards cybersecurity management;
- Prioritize cybersecurity as part of the Digital Agenda plans in each of the WB countries;
- Enforce the regulations on data safe-guarding, including the legal requirements and existing dispositions;
- Provide more support, financial and human, towards the regulating authorities for cybercrime.
This educational text was prepared with the financial support of the European Union. The contents of this text are the sole responsibility of the authors and can in no way be taken to reflect the views of the European Union.
The project “Increasing Civic Engagement in the Digital Agenda — ICEDA” is implemented by the Metamorphosis Foundation (North Macedonia), e-Government Academy (Estonia), Levizja Mjaft! (Albania), Partners for Democratic Change (Serbia), NGO 35mm (Montenegro) and ODK — Open Data Kosovo (Kosovo). The project is implemented with financial support from the European Union.