Factors that need to be taken into Account when Developing a New National Cyber Security Strategy
By Andria Gotsiridze, Cyber Security Consultant, Founder of Cyber Security Studies & Education Center
The world context and the Russian factor
At the end of the second decade of the 21st century, cyber security is becoming more and more important as a part of state security. Political, military, social and criminal processes have mostly migrated to cyberspace. The cyber domain, the fifth area of confrontation, is constantly used for reaching political, economic or military goals. Developed offensive cyber capabilities enables many states, especially Russia, to successfully use cyberspace during wars, conflicts or peacetime, to obtain geopolitical superiority.
The usage of the cyber elements in inter-state relations and conflicts has experienced a significant transformation in a short period of time. If the cyber-attacks in the first decade of the century were designed to achieve mostly informational-technical effects (it is well known that in the case of a weakly protected infrastructure, even low-tech DDoS and Defacement attacks could result in disproportionately high damage), already from the middle of the second decade, such attacks have mainly made way for cyber operations performed for informational-psychological influence.
For Georgia, Russia’s destructive cyber operations remain to be the substantial threat – aimed at informational-technical, as well as informational-psychological effects, they are rather dangerous for our country. Cyberspace has turned into an important theatre for Russian propaganda content and Russian informational confrontation in general, which is yet another testament to the risks flowing from cyber operations designed to achieve information-psychological results. Russia’s usage of cyber operations to manipulate election results, democratic processes and attack state order has become systematic.
Compared to the cyber-attacks of 2008, the level of cyber threats towards Georgia has grown, which is due to several factors. Russia has not only altered its aggressive cyber policy, but has also significantly increased its offensive cyber- potential and extended the fields of usage of cyber operations, for both the attacks aimed at having technical effect, as well as for psychological influence operations conducted in cyberspace. The information-psychological effect of such cyber operations is to alter perception in Kremlin’s favor and reduce pro-Western sentiments, typically causing the pro-Russian elites to strengthen, which is an important precondition for conventional actions. Hereby it should also be pointed out that compared to 2008, Georgia’s dependence on information and communication technologies in much higher now, which, in case of a cyber-attack, increases the scale of the expected damage.
From January 1, 2018, after the abolition of the State Security and Crisis Management Council, for over a year, there is no coordinating structure in the cyber security architecture of Georgia that would ensure coordinated work of state cyber actors, as well as cooperation with private actors and joint work on strategic documents.
The absence of a coordinating structure is probably one of the reasons why Georgia, unfortunately, met 2019 without a National Cyber Security Strategy; the previous strategy was functional by 2018 and the work for creating a new one started in 2019, is still at an initial stage and will likely last several months.
Despite the fact that the previous two versions of the National Cyber Security Strategy had good assessments from the international community and cyber experts, which was reflected in appropriate ratings, the flaws and failures of the existing conceptual document creates serious problems in terms of ensuring cyber security.
Challenges and Recommendations
- According to the current Georgian legislation, critical infrastructure covers only a part of state networks and does not extend over the business fields critically important for the state. And this despite the fact that it is generally recognized that in a democratic state, the majority of critically important services are located in the private sector. The list of critical infrastructure must be fundamentally reviewed: critical infrastructure must be mainly represented by the private sector, given the fact that in the case of hybrid threats, it is more important for the state security, that the proper working of objects in the private sector (for example the banking sector, healthcare, food industry, energy networks and so on) , then the internet access of any public school
- The current legislation considers the system of the Ministry of Defense of Georgia to be the only critical infrastructure in the defense field, ignoring the objects in the private sector, the functioning of which is vitally important for the field of defense (for example: food industry, military industry, private actors within the logistical chain). The best practices include discussing the threat to the defense capacities of the country based on the scale of attack on the critical infrastructure objects of the country. The division of the existing critical infrastructure into defense field and the rest of public sector must itself be reviewed, as it is difficult to sharply divide the failure of which subject of the private sector could influence the defense capacities of the country.
- Today’s legal framework does not take into account worldwide cyber threats and Russian factor. Through the existing legislation regarding procurement, it is possible to buy ICT equipment, services, hard- and software designated for state institutions or critical infrastructure, from Russian companies or Russian branches of other foreign corporations. The same legislation also makes it possible for business organizations of the occupant country to implement internetization processes and other large projects connected to information technologies and also provide mobile communication services to the state structures. Technically, it is beyond doubt that a mobile network operator has all the means to control its clients’ calls, messaging, spy on their movement, identify location and, upon necessity, use the mobile device itself for intelligence or other undermining purposes. In the case of the usage of mobile data, personal or public life of any client becomes accessible. The strategy must create a conceptual basis for the integration of cyber elements into the state procurement processes on a legislative level: a prohibition must be instituted on buying Russian made or Russian imported information technologies or services. Such a precedent was created by the special services of the United States, where after the famous Kaspersky Scandal, the state structures were given 90 days to uninstall this software.
- In terms of a market economy, information data often ends up in the hands of contractors and in Georgian reality, protecting them is completely dependent on the good will of the company. Businesses, by their nature, are oriented on getting maximum profits with minimum expenditure; hence, they avoid additional expenses for security. This issue requires immediate regulation as nobody knows what amount and type of non-classified, yet sensitive information of the state structures is accumulated in defenseless private networks. Large sets of personal information of public servants and military servicemen transferred to the insurance companies are a good enough example of this. It is necessary to strictly define standards for protecting data that will be obligatory for the contractors to meet in order to participate in state acquisitions. In addition, the state must help private companies, contractors, to process important information in an acceptable level of cyber security.
- Another topic is the proper perception of cyber security problems by top managers in the state and private sectors. The level of perception that allows for the use of non-licensed software or Russian anti-virus programs and e-mail providers by state structures remains an unfortunate reality. For comparison, let us remember that due to cyber risks (data collection, tracking), appropriate Lithuanian state structure recommended the public servants to not use the services of Yandex-Taxi.
- It is necessary for the cyber defense organizations to orient themselves on neutralizing the informational-psychological effect of destructive cyber operations. The expected field of operation can be defined in the following way: identification of threats, researching the sources of threats, informing target groups about possible danger and destructive actors. In the modern cyberspace, counter-measures focused on protecting the network alone are no longer productive, as Russia is not only actively processing technical channels of information, but also modifies its cognitive ingredients;
- It is an axiom that cyber security is a common responsibility and that the state must ensure the inclusion of private sector and wide masses of population in protecting cyberspace. It is necessary for the new strategy to activate effective platforms of public and private employees, also formulating mechanisms necessary for their usage through cyber reserve or the inclusion of volunteers and civil activists.
Hence, taking the threats in Georgian cyberspace and the aggressive nature as well as potential results of Russian destructive cyber operations into account, it is necessary in terms of the new national strategy, to move to a higher conceptual standard of cyber security and integrate cyber security requirements into various fields of state life.