Fragile cybersecurity

Several cyber-attacks and unauthorized interventions in the payment system of the State Treasury questioned the stability and security of the online content of the websites of Kosovo institutions.

Kosovo is among the countries that do not have a law on cybersecurity while security legislation is scattered on several laws and makes some institutions responsible for ensuring security standards in the online presence.

Data shows that in Kosovo 90% of citizens have access to the Internet from their homes, while dozens of services including applications for documents, licenses, and applications for tenders are conducted through online platforms, but in some cases, these platforms have been proven to have security problems.

But the Government servers and those of other institutions of the country have been shown to be vulnerable to attacks and interferences from outside.

The servers crash in cases of excessive traffic and in some cases the interventions have gone so far that the content of the pages has been changed and messages from hackers have been placed on them.

One of the most serious attacks was that of 2018 when after the imposition of tax on Serbian goods, the emails of Kosovo diplomats had been the target of cyber-attacks while investigations according to some information have shown that the interventions came from several countries in the region.

In the Prosecution Offices data there are still no concrete results on who was responsible while the investigation is said to be ongoing.

An extensive investigation was launched after the State Treasury affair, where 2.1 million Euros were transferred from the Treasury on the accounts of a private company.

This case showed high fragility of the public money management system as transactions and misuses were observed only after 9 days.

The investigation showed that the emails and accounts of employees of the Ministry of Infrastructure who were not at work at the time, were used to enable the transfer which was carried out by the Kosovo Treasury offices.

According to the investigative file, a Treasury officer used an email and access credentials of the officer of the Ministry of Infrastructure and using that account made a payment to the company.

The data shows that the transaction has been not noticed for 9 days and during that time the company where the funds were transferred had moved them to over 40 other companies in Kosovo and other countries including Turkey.

The officer was arrested by the Prosecution Office, while the owner of the company to which the funds were transferred is in detention on remand.

The Minister of Finance, Hykmete Bajrami, says that they had no signal that the system could be manipulated.

“There were no cues that something like this could happen. The system has had good investments and we have been told that the whole potential has been concentrated so that no one from outside can have access, but the human factor could not be prevented “, says Bajrami.

She points out that in this case the system was manipulated by inside employees while the money has not yet been retrieved to the country’s budget.

Evidence that the system was thought to be untouchable has collapsed, this led to the establishment of additional mechanisms in the Ministry of Finance to prevent similar transactions and abuses.

The Deputy Minister of Finance, Agim Krasniqi, says that 13 new measures have been imposed by the Director of the Treasury. These measures, according to Krasniqi, are designed to prevent the recurrences of similar situations.

“It has been decided that one person cannot perform all transactions and we have also decided that in cases when we see that officials from other institutions are out of the system we will remove them automatically,” said Krasniqi.

The State Prosecution Office, which is investigating the case did not provide many details about the investigation, except for the fact that some accounts have been blocked and the investigations are ongoing with high intensity.

In addition to interference from human factor, the online systems of Kosovo Government, and systems of other institutions in some cases have had also problems with cyber-attacks from outside.

Data from the Ministry of Internal Affairs and Administration shows that the last attack took place on 3 December 2020, while the institutions that were the target of this attack are not specified.

“Based on the preliminary audit conducted by the Cyber Security Sector in ISA, the hackers targeted the websites of Kosovo institutions. According to this audit, it is not observed that any data has been extracted from the state computer network through this cyber-attack”, it is said on the answer of the Ministry of Interior.

The Information Security Agency is a responsible body for determining the rules of hosting and maintenance of Government websites, but the MIA says that not all institutions have taken measures to comply with such standards.

As a result, certain Government and independent agency websites are exposed to cyber-attacks.

The Agency’s recommendations are not yet legal obligations for all institutions.

Hekuran Doli a cybersecurity expert, points out that the Government of Kosovo has not spared funds to invest in cybersecurity equipment and as a result security is at a satisfactory level.

However, according to him the security of applications hosted within the Government infrastructure is a concern.

“The Government of Kosovo does not have a cybersecurity manual to which foreign contractors who develop applications for the Government of Kosovo should be subjects,” says Doli.

Among the problems, he cites the lack of a security protocol that officials with access permissions to Government websites would work with.

“As a result of the lack of internal cybersecurity protocol, attacks can occur from within, such as the case of the theft of 2.1 million Euro from the Kosovo Treasury. Protection from internal attacks is as important as protection from external attacks, therefore Kosovo institutions still have work to do in this direction,” says Doli.

Similar protocols and mechanisms are currently the responsibility of ISA as the Government aims at increasing the security through the Law on Cyber Security.

The draft law has already been put up for public discussion and it envisages some concrete actions in cybersecurity.

The law provides for compliance with European cybersecurity protocols and standards and provides for the establishment of a Cyber Security Agency within the Ministry of Administration.

The draft law aims to have a security standard for Government websites in Kosovo and a standard for their hosting.

The law stipulates that institutions failing to comply with the standards, will be imposed with fines of up to 10 thousand Euros in case the standards and directives given by the agency are not complied with.

The same law has provided several articles which provide for criminalization and sanctions for persons who carry out cyber interference on the official websites of the country.

The law is currently being drafted and is expected to be approved by the Government and to be submitted to the Kosovo Assembly for final endorsement.

Author: Kreshnik Gashi
The original article was published in Albanian.

This research article was prepared as part of the project “Increasing Citizen Engagement in the Digital Agenda — ICEDA” with the financial support of the European Union. The contents of this research article are the sole responsibility of Open Data Kosovo and the author and in no way can be taken to reflect the views of the European Union.