This year has made it clear to us that a comprehensive, strategic and practical approach to defence of critical IT infrastructure is necessary.

Saša Šćekić

The scope of the cyber attack that recently “knocked down” most of the public administration services in Montenegro is so large that the Government had to ask for the help of partners – a team of FBI cyber experts was sent from the USA, while France sent over experts from the National Security Agency.

According to the latest information from the media, the attack was carried out by the international criminal group Cuba ransomware and lasted for a long time. Information about causes, damage and deficiencies in processes, technology and human resources cannot be released at the moment, so as to prevent new attacks. We can only draw conclusions about the state’s readiness to respond to incidents of this type, which we can expect more of in the future.

The timeline of detection, response and recovery from an incident is critical to damage mitigation. It is unknown when the attacks started but, according to public information, they were first detected on August 20 and it took two days to disconnect the infrastructure from the network (and electricity) and limit the attack. Most of the infrastructure has not been restored to operational condition for almost a month. At the moment we don’t know the issues the recovery team is facing, which may cause this recovery to take longer – however, the question arises as to why the recovery did not take place within 2 to 24 hours, as prescribed by the state disaster recovery strategy.

During the incident some departments opened private e-mail addresses and exchanged e-mails with potentially confidential data through them – until it was prohibited. Setting aside the good intention of keeping services running, we can conclude that there was a lack of coordination, that excess privileges in the system enabled access to and creation of private e-mail addresses (which is a risk for data leakage), and that there was a lack of awareness of information security overall.

Communication about the incident – which was taken on by politicians – was confused and at times contradictory. Another country was accused of the attack, then criminal groups; guesses were made about the method of attack, damages, ransoms… In these complex situations, there must be coordinated communication – that is, a plan: who, what, to whom, when and how to communicate.

When these incidents are behind us, we will have to ask the question – what next and how?

Countries are constantly under attack. This also applies to much more developed economies, such as Germany, where companies lost 203 billion euros due to cybercrime in 2021 alone (Bitkom study). This year made it clear to us that the Western Balkans are not exempt and that a comprehensive, strategic and practical approach to the defence of key infrastructure is necessary. The obvious approach is to build defence in depth around the state’s IT infrastructure and data, with network segmentation and access control, an effective disaster recovery plan, a culture of testing and remediating vulnerabilities, etc.

Above all, however, protection is needed on the first line of defence, made up of people – through threat awareness on the one hand, and expertise in the field of information security on the other. Awareness is a matter of good organization and a little investment in continuous training, while the issue of expertise is much more complex and requires the vision of the political elite for long-term investment in the development of such personnel in the country.

The University of Montenegro has announced that it is open to supporting the development of cyber security capacities and the fight against high-tech crime, through education of staff, creation of study programs, as well as availability of university experts. The state should support the University in these efforts – through financing the education of professors and bringing in foreign experts. Security teams from the private sector, especially from highly regulated industries such as telecommunications and banking, could provide significant support in education.

Equally important is a strategy for retaining newly trained experts. In addition to continuous training and certification, it should be ensured that they are adequately paid. It is not realistic to expect that experts will remain working in state institutions if they can earn ten times more in the private sector or abroad.

 

Saša Šćekić is an IT expert with professional experience in the field of digital transformation and information security