In order to increase security, the government is expected to draw up a list of unreliable information and communication technology equipment and services. This is defined in the specific guidance that is being drafted, according to which the “Black List” of devices will be classified information. Information technology experts say that Kosovo has many outdated systems, which pose a great risk to cyber security.
The Ministry of Internal Affairs (MIA) is in the process of drafting several documents related to increased security to protect against potential cyber attacks.
Among them is the administrative instruction which determines the drafting of the list of information and communication technology equipment and services that are unreliable.
“Untrusted ICT technology refers to information and communication technology (ICT) equipment and services that do not meet established security standards and requirements, thus posing potential cyber security risks. An IT Security Assessment Institution operates under strict guidelines and is accredited by national or international cyber security authorities to guarantee impartiality, security and reliability in the assessment process,” the document reads.
Regarding public institutions, the procurement of certified ICT products and services, depending on the internal assessment, according to the Directive, will be limited only within the perimeter of the network and information systems that provide essential services or digital services. Thus, they will not extend to all networks and information systems that have no role in providing such services. The Agency for Cyber Security (ASK) is the entity responsible for assessing whether ICT Products and Services possess technical specifications and appropriate security features. This institution will identify and compile a list of unreliable technologies, which will be considered classified information.
“Once approved, all listed products and services will be prohibited from use within the country, in the categories of subjects described in article 5, paragraph 1. The list is considered classified information according to article 6 paragraph 1, number 1.4 of Law no. 08/L-175 for the Protection of classified information and the “confidential” classification level has been applied to the list. The list is disclosed only on the basis of the need to become familiar with the categories of subjects described in Article 5, paragraph 1,” the instruction reads.
Article 10 of the document defines the criteria for identifying unreliable information technologies.
“KAS will identify unreliable ICT technologies according to the principles expressed in Annex II and include them in the national list if one or more of the following criteria apply: ICT technology does not meet established safety standards; Evidence of illegal activities, such as data eavesdropping or unauthorized collection of information; History of security breaches or incidents; Knowledge of the invalidity of a previously recognized valid national or foreign certificate; Termination of technical support by the manufacturer or provider; The ICT technology is considered unreliable in the allied countries of the Republic of Kosovo,” the Instruction states.
Information technology experts, while welcoming the adoption of such documents, say they do not address cyber risks.
“The drafting of this Administrative Instruction is a positive step, but my opinion is that this instruction has more to do with political than technical issues. Its purpose should be to prevent the use of equipment that is blacklisted by the United States of America, as is the case with ‘Huawei’ products in telecommunication network equipment. I cannot know for sure if Kosovo currently uses devices that will be banned by this directive, but what I know for sure is that Kosovo has many outdated systems, which pose a great risk to cyber security,” said Kastriot Fetahaj.
According to him, the recent attacks in Albania occurred as a result of the use of outdated services and software. “This highlights the importance of keeping security systems up-to-date and properly managed,” he said.
Fetahaj has mentioned the dangers that threaten Kosovo in the cyber field and adds that the investments so far are not enough.
“Kosovo is at risk just like all other countries in the Balkans and in Europe. The main risks include cyber-attacks by state actors and criminal groups, as well as weaknesses in the digital infrastructure that can be exploited to interfere with public systems. A well-known case is the attack on state institutions through ‘ransomware’ or interruption of services, which has happened before in other states of the region, including Albania. This type of attack remains a potential threat to Kosovo as well, given the existing weaknesses in the cyber infrastructure,” he said. “The government has not made enough investments in cyber security. The operationalization of the Cyber Security Agency has been delayed a lot and this is a sign that the government does not take the risk in cyber security seriously.”
In addition to the document on the list of devices that are considered dangerous, the Ministry of the Interior has issued for public consultation the Administrative Instruction on the procedures and response measures for operators of essential services in the event of a cyber incident, as well as the Instruction on the criteria for reporting cyber incidents related to digital service providers.
According to Fetahaj, Kosovo should apply the best international practices for addressing the risks of cybercrimes, starting from the creation of a clear legal framework that includes all aspects of cyber security.
“Then there is the increase in cooperation with international organizations such as NATO, EUROPOL and ENISA; Functionalization and empowerment of the Cyber Security Agency; Advancement of CERT (Computer Emergency Response Team) for quick and effective response to incidents; Investment in education and awareness; Providing training for public and private institutions in identifying and protecting against cyber attacks; Educating the public to prevent ‘phishing’, ‘ransomware’ and other common attacks,” he said.
Fetahaj also mentioned the importance of exchanging information with neighboring countries and international partners, as well as Kosovo’s participation in regional simulations for responding to cyber incidents. According to Fetahaj, there should also be incentives for private companies to adopt good security practices through subsidies and public-private initiatives.
Kosovo also has a National Strategy for Cyber Security 2023-2027, approved last year. According to this document, the use of information and communication technology has expanded rapidly since 2000, while ICT plays an important role in all aspects of society. According to world internet statistics, internet penetration in Kosovo is 90.4 percent with 1.6 million internet users. According to the government, this trend of Internet distribution and the use of Information Technology devices is comparable to the developed countries of the EU, “even the behavior of Kosovo citizens on the Internet seems to be similar to global trends”.
“Cyberspace can be considered unstable ground. Criminal activities are constantly creating a conflictual context, while state actors must combat criminal activities that threaten governmental or economic sovereignty. In accordance with this, a wide range of attackers, motives and techniques have evolved, which prove to be more and more threatening for Kosovo,” the Strategy states.
The document also promises that Kosovo will strengthen international cooperation in cyber security by supporting initiatives, as well as expanding Kosovo’s dialogue with the EU, NATO and OSCE in this field.