日內(nèi)瓦安全部門治理中心-網(wǎng)絡(luò)安全政策制定和能力建設(shè)-加強(qiáng)西巴爾干地區(qū)的區(qū)域合作（英文）-2021.5-24正式版

GenevaCentre

forSecuritySector

Governance

CybersecurityPolicyDevelopmentandCapacityBuilding–

IncreasingregionalcooperationintheWesternBalkans

Dra?enMaravi?

1

AboutDCAF

DCAF–GenevaCentreforSecuritySectorGovernanceisdedicatedtoimprovingthese-curityofstatesandtheirpeoplewithinaframeworkofdemocraticgovernance,theruleoflaw,respectforhumanrights,andgenderequality.Sinceitsfoundingin2000,DCAFhascontributedtomakingpeaceanddevelopmentmoresustainablebyassistingpartnerstates,andinternationalactorssupportingthesestates,toimprovethegovernanceoftheirsecuritysectorthroughinclusiveandparticipatoryreforms.Itcreatesinnovativeknowledgeprod-ucts,promotesnormsandgoodpractices,provideslegalandpolicyadviceandsupportscapacity-buildingofbothstateandnon-statesecuritysectorstakeholders.

DCAF’sFoundationCounciliscomprisedofrepresentativesofabout60memberstatesandtheCantonofGeneva.Activeinover80countries,DCAFisinternationallyrecognizedasoneoftheworld’sleadingcentresofexcellenceforsecuritysectorgovernance(SSG)andsecuritysectorreform(SSR).DCAFisguidedbytheprinciplesofneutrality,impartiality,lo-calownership,inclusiveparticipation,andgenderequality.Formoreinformationvisitwww.dcaf.chandfollowusonTwitter@DCAF_Geneva.

DCAF-GenevaCentreforSecuritySectorGovernance

MaisondelaPaixCheminEugène-Rigot2E

CH-1202Geneva,Switzerland

Tel:+41227309400

info@dcaf.ch

www.dcaf.ch

Twitter@DCAF_Geneva

2 CybersecurityPolicyDevelopmentandCapacityBuildingintheWesternBalkans

Contents

EXECUTIVESUMMARY 4

INTRODUCTION 5

COUNTRYOVERVIEW 9

Albania 9

BosniaandHerzegovina 10

Kosovo* 11

Montenegro 12

NorthMacedonia 13

Serbia 13

REGIONALOVERVIEW 15

WAYFORWARD 18

ThisdesignationiswithoutprejudicetopositionsonstatusandisinlinewithUNSCR1244(1999)andtheICJOpinionontheKosovodeclarationofindependence.

3

EXECUTIVESUMMARY

TheDeclarationof2020ZagrebSummitbetweentheEuropeanUnion(EU)andWesternBalkanleadernotesthatso-calledhybridactivitiesoriginatingfromthird-stateactors,in-cludingdisinformationaroundCOVID-19,havebecomeincreasinglyprevalentintheWest-ernBalkans.Suchincidentsexposethevulnerabilityofsocietiesandinfrastructuretocy-berattacks,cybercrimeandhybridthreats.TheDeclarationcallsforincreasedcooperationtoaddressdisinformationandotherhybridactivities.

TheDigitalandGreenAgendafortheWesternBalkans,theRegionalCooperationCouncil(RCC),theRegionalSchoolofPublicAdministration(ReSPA)andotherregionalinitiativesprovideageneralframeworkforenhancedcooperation.ManyinternationalactorshavesupportedcybersecurityintheWesternBalkansovertheyears.Countriesoftheregionarealsoawareofthebenefitsofregionalcooperation.Closerregionalcollaborationwillthere-forebebeneficialforresiliencebuilding,enhancingcybersecurityandstrategiccommuni-cation.Thecybersecurityworkforceshortageandskillsgaparealsosignificantconcernsfortheeconomicdevelopmentandnationalsecurity,especiallygiventherapiddigitizationofglobalandregionaleconomies.Besides,slowprogressinpublicadministrationreformsishinderingprogressincybersecuritydevelopment.

Withclearpoliticalsupportandsharedownership,itwouldbepossibletocreatemorevitalregionalcollaboration,facilitatedbyacustomizedjointframeworkintheformofaregionalhub.WesternBalkaneconomiescouldhavearegionalframeworkforcooperationcommit-tedtosupportingandstrengtheningcybersecuritystrategies,policies,andcompetenceatalllevelsofpublicadministration,fromnon-expertstohighlyskilledprofessionals.Besides,thisregionalframeworkcouldsupporteconomiesoftheregioninraisingcitizens’aware-nessofcybersecurityandpotentialcyberthreatsandspeedupaligningcountries’align-mentwiththeEUacquis.

Economiesoftheregioncouldtaskthepotentialregionalcybersecurityhubtooperateacrossareaswhicharewithintheusualpracticesofnationalcybersecurityauthorities,andwithafocuson:

Providingthoughtleadershipandstrategicdevelopmentdirectionandanalysisinthecyber-securityspace.

Raisingcybersecurityawarenessatalllevelsofgovernment.

Sharinginformation,expertise,andknowledge;and

Establishingandpromotingbestpracticesbasedoncommonchallenges.

Finally,jointactivitiesinthisareacouldpotentiallycountonmoreconsiderabledonorsup-portiftheWesternBalkaneconomiesthemselvescontributeandcreategreatersustainabil-ityofregionalcooperationactivities.

4 CybersecurityPolicyDevelopmentandCapacityBuildingintheWesternBalkans

INTRODUCTION

TheCOVID-19pandemicisaglobalshockthathasnotsparedtheWesternBalkans(WB).Thefinalextentofitsfootprintintermsoflossofhumanlivesanddamagetotheeconomyisstilldifficulttoassess.However,earlyestimatesforeseeadropofbetween4%and6%ofgrossdomesticproductintheregion.DuringtheCOVID-19crisis,inclusiveregionalcoop-erationhasprovenessential.1AttheZagrebSummiton6May2020,theEuropeanUnion(EU)andWesternBalkanleadersagreedthatdeepeningregionaleconomicintegrationhastobeaprominentpartoftheWesternBalkansrecoveryefforts.2Suchacommonregion-almarketmustbeinclusive,basedonEUrulesandbuiltontheregionaleconomicareamulti-annualactionplan’sachievements.

TheZagrebSummitDeclarationnotedthathybridactivitiesoriginatingfromthird-stateac-tors,includingdisinformationaroundCOVID-19,havebecomeincreasinglyprevalentintheWesternBalkans(andTurkey).Suchincidentsexposethevulnerabilityofsocietiesandinfrastructuretocyberattacks,cybercrimeandhybridthreats.AsstatedintheZagrebDec-laration,theEUwillincreaseitscooperationwithWesternBalkaneconomiestoaddressdisinformationandotherhybridactivities.Closercollaborationisthereforemuchneededinresiliencebuilding,cybersecurityandstrategiccommunication.Thecybersecuritywork-forceshortageandskillsgapisasignificantconcernforeconomicdevelopmentandnation-alsecurity,especiallyintheglobalandregionaleconomy’srapiddigitization.

Therearedifferentopportunitiesforenhancedregionalcooperation.Thestartingpointforthisdeliberationcouldbetomaintainthestatusquo.OnedimensionistocontinuewiththeusualbilateralexchangeSbetweenthecountriesintheWBregionandthirdcountries.Secondly,existingregionalforumscouldbeusedforjointactivities,mainlyregardingre-searchactivities.Thishasbeenthecasesofarwithinthisfield,particularlybytheRegionalCooperationCouncil.Bilateralandmultilateraldonorscouldcontinuetoprovidesupporttoindividualcountries,butthiscouldleadtoparallelratherthanjointcapacitydevelopment.Also,existingdifferencesbetweenthecountriesandslowpaceofEUintegrationprospectsfortheregionasawhole,couldbereinforcediftheycontinuetodevelopnationalcapaci-tiesforcybersecurityattheirownpace,withoutthe(additional)possibilityofmakinglargerstepstogether.

Whilstmaintainingthestatusquo,itwouldbepossibletocreatemorevitalregionalcol-laboration,facilitatedbyacustomizedjointframework.WesternBalkancountriescouldhavearegionalframeworkforcooperationcommittedtosupportingandstrengtheningtheenhancementofcybersecuritystrategies,policies,andcompetenceatalllevelsofpub-licadministration,fromnon-expertstohighlyskilledprofessionals.Besides,thisregionalframeworkcouldhelpraisecitizens’awarenessofcybersecurityandpotentialcyberthreats(e.g.phishingattacks,botnets,financialandbankingfraud,datafraud).Itwouldbepossibletodesignregionalinformationcampaignsandtosupportpotentialnationalones,asdemon-stratedbytheDCAFregionalproject.Suchaframeworkcouldguideacceptablepracticestopromotesaferonlinebehaviour(e.g.cyberhygieneandcyberliteracy)usingbothgoodandbadexamplesfromanycountryintheregion.

Furthermore,aregionaleffortcouldhelptospeedupaligningcountries’actionswiththeEUacquis,andengageinpromotingandanalysingcybersecurityacademicandprofessionaleducationbydividingeffortsandspecializationsamongthenationsinsomeway.Finally,allcountriesintheregionsufferfromsimilarchallenges,suchasashortfallincybersecurity

1

2

2020CommunicationonEUenlargementpolicy,Brussels,6.10.2020COM(2020)660final.ZagrebDeclaration,6May2020.https://www.consilium.europa.eu/media/43776/zagreb-declara-tion-en-06052020.pdf

5

skills,whichcouldjeopardizebothnationalsecurityandeconomicdevelopment.Sincetherearemultipleeffortstoapproachtheregion’seconomicgrowth,suchasthemini-Schengeninitiative,theGreenAgendafortheWesternBalkansandothers,itisreasonabletocon-cludethatthesameapproachcouldworkforcybersecurityaswell.Regionalcooperationisvitaliftheeconomiesintheregionmovemorerapidlytowardsdigitalizationande-com-merce.Thispolicypaperaimstodocumentthekeyfeaturesofexistingregionalcooperationinpublicpolicydevelopmentandcivilservantcapacitybuilding,focusingoninstitutionsinchargeofcybersecuritypolicydevelopmentandincidentresponse,whilstprovidingpolicyadviceforfutureimprovements.

Publicadministrationreform(PAR)isessentialforimprovinggovernanceatalllevels.3Suchreformincludesincreasedtransparencyandaccountability,soundpublicfinancialmanage-ment,andadministrationofamoreprofessionalnature.Theexistingcapacitiesforgovern-mentalcybersecuritypoliciesarestronglyrelatedtothecountries’generalpublicadminis-trationreformdevelopments.ModesteffectsconcerningPAR(inareassuchaspublicpolicydraftingandimplementation,accountability,humanresourcesmanagement,andprofes-sionaldevelopmentofcivilservants),areinfluencingcybersecuritypolicies,capacitiesofleadinstitutions,andcybersecurityincidenthandlers.

TheannualEUassessment4isthatAlbania,NorthMacedonia,Montenegro,andSerbiaareonlymoderatelypreparedregardingpublicadministrationreform.InSerbianofurtherprog-resshasbeenmade,asthenumberofactingseniormanagerpositionsremainsexcessive,ratherthanbeingreduced.Kosovo*hasachievedsomelevelofpreparation,whileBosniaandHerzegovinaisatanearlystage.Therehasbeensomeprogressinimprovingpolicyplanning,butfurthereffortsareneededinallcountriestoensuresubstantialcentralgov-ernmentqualitycontrol.Montenegrohasstrengthenedandrationalizedpolicyplanningandachievedareductioninthenumberofstrategicdocuments.Policies,legislationandpublicinvestmentsarestilloftenpreparedwithoutimpactassessments.5Managerialaccountabil-ityandprofessionalizationofthecivilservicestillneedtobeensuredinmostcountries,andexcessivepoliticizationhastobeaddressed.Transparentandmerit-basedproceduresforrecruitment,promotion,demotionanddismissalneedtobeembeddedinthelegislativeframeworksandconsistentlyimplementedacrosspublicservices.Thestructureofthestateadministrationshouldensureeffectivelinesofaccountability.Mostcountrieshavemadeeffortstoimproveservicestocitizensandbusinesses,especiallyintheareaofe-servicedelivery.6TheEUhasconcludedthatenhancedinter-institutionalcoordinationisneededtofullyimplementpublicadministrationreformsintheWesternBalkans.

Nationalauthoritiesfocusingoncybersecurityshouldbasetheirworkonstrategiesandactionplansdevelopedinaninclusiveprocessthatbenefitsfrominputfromacademia,thebusinesssectorandcivilsocietyorganizations.Theyshouldhavesignificanthumanresources,bothintermsofnumbersofpersonnelandcompetences,andrelyonasolidretentionpolicytoenablelong-termdevelopmentstobeputinplace.Publicadministrationshavealwaysbeeninformation-processingorganizations.Ingeneral,publicadministrationbodiesmusthaveIT-relatedbusinessprocessesthataresecurebydesignandahighlevelofrelatedknowledgeforallmembersofthepublicadministration.Clearaccountabilityandreportinglinesforstaffareessential,andforallseniormanagersdealingwithsensitivepublicinformationandpersonaldata.Publicorganizationsaredealingwithahighvolumeofsensitivedataandmanyhavevulnerablecyberdefences,whichinsomecasesposesariskforregionalgovernmentorganizationsandthepublicsectoringeneral.

3

4

5

6

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52019DC0260

2020CommunicationonEUenlargementpolicy,Brussels,6.10.2020COM(2020)660FINAL.https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52019DC0260https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52019DC0260

6 CybersecurityPolicyDevelopmentandCapacityBuildingintheWesternBalkans

Furthermore,digitalizationofpublicadministrationservicesisavitalpriorityforWesternBalkancountries.Themoregovernmentorganizationsembracetechnology,themoreex-posedtheyaretothreatsincyberspace.Nowadays,digitalgovernmentagendasworld-wideseektokeepabreastofdigitalnetworkinganddigitalchangesinasocietybasedoninformationtechnology.Ever-increasingdigitalizationleadstofundamentalchangesinthebusinessprocessesofpublicadministrationsastheytrytooffercustomer-friendlyservicestocitizensandbusinesses.

Consideringthis,governmentsneedtoimplementnewsafeguardsintheformofcontinu-ousinformationsecurityandlegallycompliantdataprotection.Cybersecuritymeasuresarecontinuallyimproving.Justascriminalsaredevelopingunknownattackvectors,firewalls,encryptionandothersecuritymeasuresarebecomingmorerobust.Itwouldbeamistake,though,tothinkofthisasaprimarilytechnology-relatedissue.Thegreatestweaknessofpublicorganizationswillalwaysbethehumanfactor.Thebiggestthreatwillusuallycomefromwithin–eitherfromamaliciousactionorafundamentalhumanerror.

Attacksarestillmostlyduetosomeonemakingamistake–eitherrevealinginformationthroughanemailorclickingonasuspiciouslink.7Therefore,themostcrucialtoolforpro-tectinginternalsystemsistoensurethatstaffareadequatelytrained.Thiscanbeinitiatedbydevelopingacomprehensivetrainingprogrammeforeveryonefromtop-levelmanage-menttothemostjuniorofficeassistants.Theymustrealizetheimportanceoffollowingsecurityprotocols.

TheWesternBalkangovernmentsshoulddeveloprobustframeworksforcybersecurity,inlinewithEUstandards,includingadoptingstrategiesandactionplans.SincetheEUprescribesframeworkswhicharecontinuouslybeingdeveloped(forexample,theEUan-nouncedanewcybersecuritystrategy8inDecember2020),countrieswouldbenefitfromfollowingthesedevelopmentsand‘movingtargets’setbytheEU.Theroleoflineminis-triesistoensureafunctionallegalframeworkinlinewithEUlegislationandcybersecuritystrategies.Still,thereisusuallyadelayintheharmonizationprocess,duetotheheavynormativeagenda,politicalprocesses,frequentcallsforearlyelections,andotherchal-lenges,includingthelackofcivilservicemembersskilledincybersecurity.Besides,lineministriesshouldensureanadequatelevelofhumanresourcesforthecompetentauthor-itiestoensureeffectivecybersecurity,suchascomputersecurityincidentresponseteams(CSIRTs).AsdefinedbytheDirectiveonsecurityofnetworkandinformationsystems,thenationalcompetentauthorities,whichmaydifferfromthelineministryinchargeofpublicadministration,shouldensurepropercyberresilienceandcapacitytodealefficientlywiththreatsandattacks.Sincepublicadministrationreformrequiresastrongfocusonmultipledivergentissues(forexample,capacitybuildingvsdownsizingwithinthecivilservice),thiscouldproveademandingtaskfornationaladministrationsstrugglingtoenablebetterhor-izontalcooperationandawhole-of-governanceapproachtoreforms.Reinforcedregionalcooperationcouldproveusefultokeepthemomentumofcapacitybuildingincybersecurity,ifsomecountriesatagivenmomentfocusmoretowardsdownsizingtheiradministrationordecreasingwagesinordertomaintainfiscalstability.Thecompetentauthoritiescouldprovidemoreefficientregionalcooperation,andwiththeEU,whensupportedbyaneworenhancedregionalframeworkforcollaborationwiththelineministries.

ThefunctionofallCSIRTsinthesixWesternBalkancountriesisverysimilar,whichisun-surprising.TheyhaveallbeenstructuredprimarilyinlinewithEuropeanUnionAgencyforCybersecurityguidelines.9Therefore,itseemsthataregionalapproachmakessensebe-

7

8

9

https://www.itsecurityawareness.ie/public-administrationhttps://ec.europa.eu/commission/presscorner/detail/en/IP_20_2391https://www.enisa.europa.eu/

7

causeleadinginstitutionswithsimilarfunctionsandsetupsalreadyexist.Asingleregionaleffortcouldprovidemomentumandqualityassuranceincybersecuritypoliciesandpractic-esinsuchanenvironment.

8 CybersecurityPolicyDevelopmentandCapacityBuildingintheWesternBalkans

COUNTRYOVERVIEW

Albania

Albania10ismoderatelypreparedinthereformofitspublicadministration.Still,itcontinuestomakeeffortsinseveralrelatedareas.Albaniahasachievedprogressinenforcingtheguidelinesonregulatoryimpactassessmentsacrosslineministries,developingthelegisla-tivepackagerelatedtopolicyplanning,increasingthenumberofe-services,andimprovingtransparencyindatacollectionandhumanresourcesmanagementbetweenthecentralandlocallevels.Managerialaccountabilityisnotyetprotectedinthelegislationandinadmin-istrativepractice.Decisionmakingintheinstitutionsiscentralizedand,inpractice,amin-imalnumberofdecisionsaredelegated.Verticalaccountabilityisveryweakbetweenpoli-cy-makingandpolicy-implementingentities.Governancearrangementsensuringstrategicplanswithdefinedobjectives,performanceindicators,andprecisemonitoringandreportinglinesbetweenparentministriesandsubordinatedagencies,arestilllacking.

TheEUspecifiesintheprogressreportfor2020thatAlbaniashould11establishamoreef-fectivelaw-enforcementresponsefocusingonthedetection,traceabilityandprosecutionofcybercriminalsandaddressthegrowingphenomenonofchildpornographyonline.

TheAlbanianSchoolofPublicAdministration’s(ASPA)trainingprogrammescontributetotheprofessionaldevelopmentofcivilservants.However,anintegratedtrainingmanage-mentcyclestillneedstobeestablished.TheASPAhasdevelopedtwotrainingcoursesoncomputersecurity,a3-dayintroductorycourseanda2-dayadvancedlearningcourse.Withinthepublicinstitutions,trainingoncybersecurityissuesforITstaffandgeneralstaffisminimal.Itoftendependsontheinstitution’sindividualmanagementpolicy,todeterminewhetheraspecificstaffmembercanattendanavailablecybersecuritytrainingorcertifica-tioncourse.InternationallyaccreditedITsecurityandgovernancetrainingandcertificationcoursesarebeingofferedinAlbania.Asmentionedbythereviewparticipants,thepercep-tionofcybersecurityheldbytheprivatesectorboardsandCEOsrequiressignificantim-provement.AnotherconcernsharedbytheparticipantsisthechallengeofretainingsecurityprofessionalswithinAlbania,astheyoftenleavethecountrytoseekbetteropportunitiesintheEUorinNorthAmerica.12

TheLaw‘OnCyberSecurity’isonlypartlyalignedwiththeEUDirectiveonsecurityofnetworkandinformationsystems(NISDirective).Albaniahasestablishedalistofcriticalinformationinfrastructuresandthenecessaryimplementinglegislation.In2019,theNa-tionalAuthorityforElectronicCertificationandCyberSecurity(AKCESK)draftedanationalcybersecuritystrategythatstillneedstobeadopted.Albania’scommitmenttocybersecurityandcyberresiliencehasnotablyprogressedafteradoptingvariousnationaldigitaltransfor-mationandnationalsecuritystrategies.

ThreecentralauthoritiesareresponsiblefordifferentpartsofincidentresponseinAlbania.TheMinistryofDefence(MoD)isresponsibleforhandlingcyberincidentsrelatedtotheMoDandtheairforce.TheCybercrimeInvestigationUnitoftheAlbanianStatePoliceandtheprosecutor’sofficeaddressescybercrime.However,theAKCESKservesastheofficialnationalcoordinatingbodytoreportandmanagecybersecurityincidentsforkeyinformationinfrastructuresandcriticalinformationinfrastructureoperators.

10

11

12

Basedonthe2020EUProgressReportforAlbania,https://ec.europa.eu/neighbourhood-enlargement/

sites/near/files/albania_report_2020.pdf,andReportonCybersecurityMaturityLevelinAlbania,https://

.al/Publikime/2019/AlbaniaCMMReport.pdf

https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=SWD:2020:354:FIN

/wp-content/uploads/2019/10/AlbaniaCMMReport.pdf

9

TheLawNo.2/2017‘OnCyberSecurity’definesCriticalInformationInfrastructuresaswellasImportantInformationInfrastructuresandtheirresponsibilityforreportingincidents.

Anationalprogrammeforraisingcybersecurityawareness,ledbydesignatedorganizations(fromanysector)whichaddressesawiderangeofdemographics,isyettobeestablished.Inthelastfewyears,AlbaniahasperiodicallycarriedoutawarenessactivitiesforasaferinternetandparticipatedinactivitiesoninternationalSaferInternetDay.AlbaniacelebratesOctoberascybersecurityawarenessmonth.OnesuccessfulinitiativeistheAlbanianCyberAcademy,whoselast(4th)edition,in2020,wassupportedbyDCAF.13Moreover,thereisaweekinMarchthatisdedicatedtochildcybersecurity.Theofficiallyrecognizedcomputerin-cidentresponseteam–AKCESK–isthelegallymandatedagencycreatedbythedecisionoftheCouncilofMinisterstoorganizeawarenesscampaigns,training,andtopublishinfor-mativematerialsfortheprivateandpublicsectors.AKCESK,inconjunctionwiththeMin-istryofEducation,SportandYouth,andthebankingsector,conductedapilotprogrammeforschoolsonraisingawarenessoncyberbullying.Additionally,theCybercrimeUnitworkswithNGOsvisitingschoolsandprovidingtrainingforchildren.Theprivatesectorisstartingtoconsidercybersecurityawareness;however,itisstillatanearlystage.

BosniaandHerzegovina

TheEUprogressreportfor202014findsthatBosniaandHerzegovina(BiH)isstillatanearlystagewithregardtopublicadministrationreform.AccordingtotheEUreport,therehasbeennosubstantialprogressinensuringaprofessionalanddepoliticizedcivilserviceandacoordinatedcountrywidepolicy-makingapproach.Alllevelsofgovernmenthavead-optedthestrategicframeworkonpublicadministrationreformandnowneedtoembracetherelatedactionplan.Apoliticalbodysteeringthecoordinationofsuchareformhasnotyetbeenestablished.15Professionalcivilserviceproceduresmustbebasedonprinciplesofmeritandfreefrompoliticalinterference.Humanresourcesmanagementremainshighlyfragmented.Civilserviceagenciesandtrainingunitsdonotcoordinateappropriately.Ingeneral,governancestructuresneedtobefullyfunctionaltoprovideatoolforimprovementinanyrelatedarea,suchascybersecurity.

Theadministrativecapacitiesandcoordinationofcivilserviceagenciesandintegratedtrainingunitsneedtobestrengthened.Managerialaccountabilityisnotyetembeddedintheorganizationalcultureofthepublicsector.Acrossgovernmentlevels,basicaccountabilitymechanismsbetweenministriesandsubordinatedagenciesarenotinplace,andeffectivemanagementofsubordinatebodiesisnotensured.

TheBiHCivilServiceAgencyadoptedatrainingplanfor2020withtwocoursesoffered:computernetworkssecurityandweb-basedapplications.Trainingforjudgesandprosecu-torsremainsinsufficient.Significantimprovementsinthedurationandqualityofmandatorytrainingareurgentlyneeded.

BosniaandHerzegovinaneedstoestablishacomputersecurityincidentresponseteam(CSIRT)networktofacilitatestrategiccooperationandinformationexchange.16Ingeneral,thecountryneedstofurtheralignitslegislationoncybercrimewiththeEUacquisanden-surethereareadequatetoolsandenoughwell-trainedstafftodetect,traceandprosecutecybercrimes.Wecouldconcludethatwithoutthesefoundationsasaprecondition,itwould

13

14

15

16

.al/publicAnglisht_html/aktivitete/aca4.html

BosniaandHerzegovina2020ProgressReport,https://ec.europa.eu/neighbourhood-enlargement/sites/near/files/bosnia_and_herzegovina_report_2020.pdfhttps://eur-lex.europa.eu/legal-content/EN/ALL/?uri=SWD:2020:350:FIN

GuidelinesforaStrategicCybersecurityFrameworkinBosniaandHerzegovina,Sarajevo,October2019,/files/f/documents/1/a/438383.pdf

10 CybersecurityPolicyDevelopmentandCapacityBuildingintheWesternBalkans

bedifficultforlawenforcementauthoritiestotakepartinawhole-of-governanceapproachtobuildingresilientcybersecurity.

Unfortunately,BiHlacksanofficialandagreedstrategicapproachandframeworkforre-spondingtocybersecuritythreats.Althoughsomestrategiespartlyaddresscybersecurity,BiHremainstheonlycountryinsouth-easternEuropewithoutanational-levelcybersecuritystrategyandCSIRT.

Inadequatecoordination,aninsufficientlyharmonizedapproach,deficientcapacities,andtheabsenceofastrategicvisionremainissuesofconcern.Moreover,existinglegislationisyettobefullyharmonizedwiththerelevantEUacquis,andthereisnooverarchinglawoninformationsecurity.The2017DecisionoftheCouncilofMinistersofBiHonthedesigna-tionofacomputeremergencyresponseteamforBiH’sinstitutionsstillrequiresinstitutionaloperationalization.Also,keynationalprioritiesinthe2017–2022informationsecurityman-agementpolicyfortheBiHinstitutionsareyettobeoperationalized–namely,establishingmechanismstoadequatelyrespondtothecurrentchallengesofthedigitalage.AllthisleavesthepublicandprivatesectorsinBiH,aswellasindividualcitizens,highlyvulnerabletotheevolvingthreatsofcyberspace,includingcyberattacksandterrorismtargetingc