Balkans states might be prepared on paper, but in practice they are struggling to confront the growing threat from cyber-attacks. Bosnia doesn’t have a state-level strategy.
It wasn’t voting irregularities or the counting of postal ballots that delayed the results of last year’s parliamentary election in North Macedonia, but an audacious denial-of-service, DDoS, attack on the website of the country’s election commission.
Eight months on, however, the perpetrator or perpetrators behind the most serious cyber attack in the history of North Macedonia have still to be identified, let alone brought to justice.
While it’s not unusual for hackers to evade justice, last year’s Election Day attack is far from the only case in North Macedonia still waiting to be solved.
“Although some steps have been taken in the meantime to improve the situation, it’s still not enough,” Eurothink, a Skopje-based think-tank that focuses on foreign and security policy, told BIRN in a statement.
“The low rate of solved cyber-crime cases is another indicator of the low level of readiness to solve cyber-attacks, even in cases of relatively ‘less sophisticated’ and ‘domestic’ cyber threats.”
Across the Balkans, states like North Macedonia have put down on paper plans to tackle the threat from cyber terrorism, but the rate of attacks in recent years – coupled with the fact many remain unresolved – point to serious deficiencies in practice, experts say. Alarmingly, Bosnia and Hercegovina does not even have a comprehensive, state-level cyber security strategy.
“I am convinced that all countries [in the region] are vulnerable,” said Ergest Nako, an Albanian technology and ecosystems expert. “If an attack is sophisticated, they will hardly be able to protect themselves.”
In the case of Albania, Nako told BIRN, “the majority of targets lack the proper means to discover and react to cyber-attacks.”
“With the growing number of companies and state bodies developing digital services, we will witness an increasing number of attacks in the future.”
Ransomware a ‘growing threat’ to Balkan states
The COVID-19 pandemic has underscored the threat from cyber-attacks and the impact on lives.
According to the 2021 Threat Report from security software supplier Blackberry, hospitals and healthcare providers were of “primary interest” to cyber criminals waging ransomware attacks while there were attacks too on organisations developing vaccines against the novel coronavirus and those involved in their transportation.
Skopje-based cyber security engineer Milan Popov said ransomware – a type of malware that encrypts the user’s files and demands a ransom in order access – is a growing danger to Balkan states too.
“Bearing in mind the state of cyber security in the Western Balkans, I would say that this is also a growing threat for these countries as well,” Popov told BIRN. “While there haven’t been any massive ransomware attacks in the region, there have been individual cases where people have downloaded this type of malware on their computers, and ransoms were demanded by the various attackers.”
A year ago, hackers targeted the public administration of the northern Serbian city of Novi Sad, blocking a data system and demanding some 400,000 euros to stop.
“We’re not paying the ransom,” Novi Sad Milos Vucevic said at the time. “I don’t even know how to pay it, how to justify the cost in the budget. It is not realistic to pay that. Nobody can blackmail Novi Sad,” he told Serbia’s public broadcaster.
A local company announced the following that it had “eliminated the consequences” of the attack.
In Serbia, cyber security is regulated by the Law on Information Security and the 2017 Strategy for the Development of Information Security, but Danilo Krivokapic of digital rights organisation Share Foundation said that implementation of the legal framework remained a problem.
“The question is – to what extent our state bodies, which are covered by this legal norm, are ready to implement such measures?” Krivokapic told BIRN. “They must adopt [their own] security act; they need to undertake measures to protect the information system.”
Political battles waged in cyber space
North Macedonia was the target of a string of cyber attacks last year, some attributed to a spillover of political disputes into cyber space.
In May 2020, a Greek hacker group called ‘Powerful Greek Army’ hacked dozens of e-mail addresses and passwords of employees in North Macedonia’s finance and economy ministry and the municipality of the eastern town of Strumica.
The two countries have been at odds for decades over issues of history and identity, and while a political agreement was reached in 2018 tensions remain. Similar issues dog relations between North Macedonia and its eastern neighbour Bulgaria, too.
“Cyber-attacks can happen when a country has a political conflict, such as the current one with Bulgaria or previous one with Greece, but they are very rare,” said Suad Seferi, a cyber security analyst and head of the Informational Technologies Sector at the International Balkan University in Skopje.
“However, whenever an international conflict happens, cyber-attacks on the country’s institutions follow.”
Bosnia without state-level strategy
In Bosnia, the state-level Security Ministry was tasked in 2017 with adopting a cyber security strategy but, four years on, has yet to do so.
“Although some strategies at various levels in Bosnia are partially dealing with the cyber security issue, Bosnia remains the only South Eastern European country without a comprehensive cyber security strategy at the state level,” the Sarajevo office of the Organisation for Security and Cooperation in Europe, OSCE, told BIRN.
It also lacks an operational network Computer Emergency Response Teams (CERTs) with sufficient coverage across the country, the mission said.
The Security Ministry says it has been unable to adopt a comprehensive strategy because of the non-conformity of bylaws, but that the issue will be included in the country’s 2021-2025 Strategy for Preventing and Countering Terrorism.
So far, only the guidelines of a cyber security strategy have been adopted, with the help of the OSCE.
Predrag Puharic, Chief Information Security Officer at the Faculty for Criminalistics, Criminology and Security Studies in Sarajevo, said the delay meant Bosnia was wide open to cyber attacks, the danger of which he said would only grow.
“I think that Bosnia and Herzegovina has not set up the adequate mechanisms for prevention and reaction to even remotely serious attacks against state institutions or the citizens themselves,” Puharic told BIRN.
The country’s defence ministry has its own cyber security strategy, but told BIRN it would easier “if there were a cyber-security strategy at the state level and certain security measures, such as CERT”.
‘Entire systems jeopardised’
Strengthening cybersecurity capacities was a requirement of Montenegro when it was in the process of joining NATO in 2019, prompting the creation of the Security Operations Centre, SOC.
According to the country’s defence ministry, protection systems have detected and prevented over 7,600 ‘non-targeted’ malware threats – not targeted at any particular organisation – and more than 50 attempted ‘phishing’ attacks over the past two years.
“In the previous five years several highly sophisticated cyber threats were registered,” the ministry told BIRN. “Those threats came from well-organised and sponsored hacker groups.”
Previous reports have identified a scarcity of cyber experts in the country as an obstacle to an effective defence. Adis Balota, a professor at the Faculty of Information Technologies in Podgorica, commended the strategies developed by the state, but said cyber terrorism remained a real threat regardless.
“Cyber-attacks of various profiles have demonstrated that they can jeopardise the functioning of entire systems,” Balota said. “The question is whether terrorists can do the same because they are using cyberspace to recruit, spread propaganda and organise their activities.”