Embed Size (px)
Citation preview
Global Cyber Security Capacity Centre
University of Oxford
18/6/2015
Cybersecurity Capacity Assessmentof the Republic of Kosovo
2 | P a g e
Document Administration
The author of this draft Dr. Maria Bada submits a draft to the academic board of the GlobalCyber Security Capacity Centre, composed of Professors and experts from the Oxford MartinSchool, the Department of Computer Science of the University of Oxford, Said Business School,and the Oxford Internet Institute. Upon internal review, this report is submitted to the WorldBank Group for their internal review process. Following completion of World Bank Group’sreview, the report is submitted to the host team (Ministry of Economic Development of theRepublic of Kosovo) for their review. Once all edits have been agreed upon by all parties, andfollowing government approval, the report is to be made available to the public and submittedto stakeholders who took part in the consultation.
Until this review process is complete, this document is not to be circulated outside of theaforementioned parties.
Version Date4.0 18.06.15
3 | P a g e
ContentsIntroduction...................................................................................................................................... 6
Assessment of Cybersecurity Maturity ............................................................................................. 8
Graphic I: Assessment Results....................................................................................................... 8
Table I: Assessment Results .......................................................................................................... 9
Dimension 1: Cybersecurity Policy and Strategy.................................................................................14
D1-1: Documented or Official National Cybersecurity Strategy .....................................................14
D1-2: Incident Response ..................................................................................................................15
D1-3: Critical National Infrastructure (CNI) Protection ...................................................................16
D1-4: Crisis Management .................................................................................................................17
D1-5: Cyber Defence Consideration.................................................................................................18
D1-6: Digital Redundancy.................................................................................................................18
Dimension 2: Cyber Culture and Society .............................................................................................20
D2-1: Cybersecurity Mind-set ..........................................................................................................20
D2-2: Cybersecurity Awareness .......................................................................................................20
D2-3: Confidence and Trust on the Internet ...................................................................................21
D2-4: Privacy Online .........................................................................................................................22
Dimension 3: Cybersecurity Education, Training and Skills ................................................................23
D3-1: National Availability of Cyber Education and Training .........................................................23
D3-2: National Development of Cyber Security Education .............................................................23
D3-3: Training and Educational Initiatives within the Public and Private Sector ..........................24
D3-4: Corporate Governance, Knowledge and Standards ..............................................................25
Dimension 4: Legal and Regulatory Frameworks ................................................................................27
D4-1: Cybersecurity Legal Frameworks ..........................................................................................27
D4-2: Legal Investigation..................................................................................................................28
D4-3: Responsible Reporting...........................................................................................................29
Dimension 5: Standards, organisations, and technologies .................................................................31
D5-1: Adherence to Standards.........................................................................................................31
D5-2: Cybersecurity Coordinating Organisations ............................................................................31
D5-3: National Infrastructure Resilience .........................................................................................32
D5-4: Cybersecurity Marketplace ....................................................................................................33
Recommendations ...............................................................................................................................34
Dimension 1 ......................................................................................................................................34
4 | P a g e
Dimension 2 ......................................................................................................................................35
Dimension 3 ......................................................................................................................................36
Dimension 4 ......................................................................................................................................37
Dimension 5 ......................................................................................................................................37
Conclusion ............................................................................................................................................38
5 | P a g e
Abbreviation List
ARKEP Regulatory Authority of Electronic and Postal Communications
SMEs Small and medium-sized enterprises
CISCO Computer Information System Company Organisation
CNI Critical National Infrastructure
CPD continuing professional development
EC TAIEX Technical Assistance and Information Exchange instrument of the EuropeanCommission
FP7 Seventh Framework Programme
GIZ Deutsche Gesellschaft für Internationale Zusammenarbeit
GoK Government of Kosovo
ISO International Organisation for Standardisation
KEK Kosovo Energy Corporation
KIPA Kosovo Institute of Public Administration
KJI Kosovo Judicial Institute
KPA Kosovo Property Agency
MED Ministry of Economic Development
NAPDP National Agency for Protection of Personal Data Protection
NRC The National Research Council
KPIs Key performance indicators
PTK Post and Telecom of Kosovo
STIKK Kosovo Association of Information and Communication Technology
UNCTAD United Nations Conference on Trade and Development
6 | P a g e
Cybersecurity Capacity Assessment of the Republic of Kosovo
IntroductionThrough a Collaboration Agreement with The World Bank, The Global Cyber Security CapacityCentre has facilitated a self-assessment of cybersecurity capacity in the Republic of Kosovo(Kosovo). The objective of the self-assessment is to enable Kosovo to determine the areas ofcapacity the country might strategically invest in to become more cyber secure.
During February 9th-11th 2015, stakeholders from the following sectors participated in a three-day consultation to evaluate cybersecurity capacity in Kosovo:
Ministries: Ministry of Economic Development, Ministry of Internal Affairs – KosovoPolice, Ministry of Internal Affairs – Agency of Civil Registration, Ministry of PublicAdministration – Agency for Information Society, Ministry of Trade and Industry,Ministry of Finance – Tax Administration of Kosovo, Ministry of Finance – KosovoCustoms, Ministry of Justice, Ministry of Education, Science, and Technology(hereinafter - Ministry of Education), Ministry for the Kosovo Security Forces,Regulatory Authority of Electronic And Postal Communications.
Academia Internet governance representatives Internet Society chapters Criminal justice Intelligence community Legislators National security representatives CERT1 teams Major commercial sectors and SMEs Finance sector Telecommunications companies
The consultations were premised on the Centre’s Cybersecurity Capacity Maturity Modelwhich is composed of five distinct areas of Cybersecurity Capacity, a) Cybersecurity policy andstrategy; b) Cyber culture and society; c) Cybersecurity education, training and skills; d) Legaland regulatory frameworks; e) Standards, organisations, and technologies.
There are multiple factors in each dimension, which describe what it means to possesscybersecurity capacity. In each factor, there are indicators, which describe the five levels ofmaturity, whereby the lowest stage implies a rather ad-hoc level of capacity and the highest
1 The name Computer Emergency Response Team is the historic designation for the first team (CERT/CC) atCarnegie Mellon University (CMU). CERT is now a registered service mark of Carnegie Mellon University that islicensed to other teams around the world. Throughout the report this term will be used.
7 | P a g e
stage both a strategic approach and an ability to dynamically adapt or change againstenvironmental considerations. These are the following:
• Start-up: At this level either no cybersecurity maturity exists, or it is very embryonic innature. It could also include initial discussions about cyber capacity building, but noconcrete actions have been taken. It also includes a lack of observed evidence in thisparticular indicator.
Formative: Some features of the indicators have begun to grow and be formulated,but may be ad-hoc, disorganized, poorly defined - or simply "new". However, evidenceof this activity can be clearly demonstrated.
• Established: The elements of the sub-factor are in place, and working. There is not,however, well-thought-out consideration of the relative allocation of resources. Littletrade-off decision-making has been made concerning the ‘’relative’’ investment in thevarious elements of the sub-factor. But the indicator is functional and defined.
• Strategic: Choices have been made about which parts of the indicator are important,and which are less important for the particular organization or nation. Everything can’tbe as important as everything else due to finite resources, therefore certain choicesmust be made. The strategic level reflects the fact that these choices have been made.They should have been made contingent on the nation or organization's particularcircumstances.
• Dynamic: At the Dynamic level, there are clear mechanisms in place to alter strategydepending on the prevailing circumstances: for example, the technology of the threatenvironment, global conflict, a significant change in one area of concern (e.g.Cybercrime or privacy). Dynamic organizations have developed methods for changingstrategies in stride, in a "sense-and-respond" way. Rapid decision-making, reallocationof resources, and constant attention to the changing environment are feature of thislevel.
Following the self-assessment in Kosovo, results are being displayed in the present report,including recommendations on the next steps to be taken into consideration by theGovernment of Kosovo (hereinafter – GoK).
8 | P a g e
Assessment of Cybersecurity MaturityIn this section we provide an overall presentation of the cybersecurity capacity in Kosovo.First, the graphic below (Graphic I), presents the maturity estimates in each dimension. Thestages of maturity for each factor extend out from the middle as an individual bar, and eachdimension is a fifth of the graphic.
As seen in this graphic, for most factors cybersecurity capacity in Kosovo lies between anInitial and Formative stage of maturity, while for factor D2-4 (Privacy Online), maturity seemsto be at a higher (Established) stage.
Graphic I: Assessment Results
The table below (Table I) presents a summary of the results on the stage of maturity for eachfactor, including a brief description of these results. In support of these, links of existingpolicies, strategies, laws and other additional information are provided.
9 | P a g e
Table I: Assessment ResultsDimension Capacity Factor Stage of
MaturityBrief Description Links
Dimension 1Cyber SecurityPolicy and Strategy
D1-1 NationalCybersecurityStrategy
Start-up No national cybersecurity strategyexists, but some cybersecurityissues are covered by ElectronicCommunication Sector Policy –Digital Agenda for Kosovo 2013-2020 (hereinafter – Digital Agendafor Kosovo) and sublegal acts
ElectronicCommunication SectorPolicy – Digital Agenda2013-2020http://mzhe.rks-gov.net/repository/docs/Electronic_Communication_Sector_Policy_2013-2020.pdf
D1-2 IncidentResponse
Start-up A governmental CERT exists but nonational level incident responsecapacity exists. A national CERT,KOS-CERT is now being developed.According to the Digital Agenda forKosovo, a national CERT has to beestablished and fully functional nolater than in 2016
ElectronicCommunication SectorPolicy – Digital Agenda2013-2020http://mzhe.rks-gov.net/repository/docs/Electronic_Communication_Sector_Policy_2013-2020.pdf
D1-3 CriticalNationalInfrastructure
Start-Up No formal list of critical nationalinfrastructure (CNI) assets has beendeveloped by the government
Law on ElectronicCommunications No.04/L-109 regulates socialrelations pertaining toelectroniccommunicationsnetworks and serviceshttp://mzhe.rks-gov.net/repository/docs/Ligji_i_KE_i_Publikuar_%28Anglisht%29.pdf
D1-4 CrisisManagement
Start-up Cybersecurity exercises at thenational level have not beenconducted, only planned within theKosovo Police
D1-5 Cyber DefenseConsideration
Start-up A Strategy for Security of theRepublic of Kosovo and The ActionPlan of Strategy for Security of theRepublic of Kosovo exist and areapproved by the Government(Strategy - Decision No.01/129 ofdate: 15.06.2010 and Action Plan -DecisionNo.02/24 of date:20.07.2011).
According to The Plan of StrategicDocuments for 2015 thedevelopment of a new securitystrategy (3rd row) and the DefenceStrategy (41st row) is planned. Nocyber-defence policy or strategyexists; no coordination in responseto malicious attacks on military
http://www.kryeministri-ks.net/repository/docs/Analysis_of_Strategic_Security_Sector_Review_of_RKS_060314.pdf
http://www.kryeministri-ks.net/?page=1,250
http://www.kryeministri-ks.net/repository/docs/Plani_Vjetor_i_Dokumenteve_Strategjike_2015.pdf
10 | P a g e
information systems and defencenetwork infrastructure has beenestablished
D1-6 DigitalRedundancy
Formative Emergency-response assets aremapped and identified, includingdetails on their location and theirdesignated operators, but this listhas not been formalised
Dimension 2Cyber Culture andSociety
D2-1 CybersecurityMind-Set
Formative There is increasing awareness ofcyber risks in the public and privatesector, but society-at-large ischaracterised by a general feelingof fear of cyber threats
D2-2 CybersecurityAwareness
Formative An awareness campaignprogramme has been developed ata national level by the NationalAgency for Personal DataProtection (NAPDP), the ’Privacyand Digital Age AwarenessProgramme’
Privacy and Digital AgeAwareness Programmehttp://www.pda-ks.com/?page=1,5
D2-3 Confidence andtrust on the Internet
Formative Trust in online services has beenidentified as a concern, with thebanking sector promoting trust inonline services. E-Governmentservices are under development,provision of e-services is limitedand e-commerce has not been fullydeveloped
D2-4 Privacy Online Established There is adherence to the EUDeclaration of Human Rights andthe Strasbourg Convention. TheLaw on Data Privacy, which is nowunder development, is compliantwith EU Law and the BudapestConvention
Law on Protection ofPersonal Data (03/L-172)http://www.kuvendikosoves.org/common/docs/ligjet/2010-172-eng.pdf
The Annual Report(2013) of the DataProtection and PrivacyNational Agencyhttp://www.amdp-rks.org/web/repository/docs/Final_ENG_ASHMDHP_Raporti_Vjetor_i_Pun_s_2013.pdf
Dimension 3CybersecurityEducation, Trainingand Skills
D3-1 NationalAvailability of CyberEducation andTraining
Formative There are educational offerings ininformation-security education andtraining as well as courses oncybersecurity. The University ofPristina is the only institution in thecountry providing PhD studies; ithas courses on cybersecurity.Cybersecurity training is usuallyprovided by Law Enforcement or byvarious private organisations
D3-2 Nationaldevelopment of
Formative The Ministry of Education hasplaced ICT and security issues as
National Backgroundreport on ICT research
11 | P a g e
cybersecurityeducation
part of the curricula for all levels ofeducation, and the NationalResearch Council (NRC) has placedcommunication and technology asa priority research area. This isreflected in the efforts to buildprogrammes in cybersecurity
for Kosovohttp://wbc-inco.net/attach/KosovoICTReportFINAL_01_12_2009.pdfNational ResearchCouncil (NRC)http://www.masht-gov.net/advCms/documents/NRP_%28Draft%29_English.pdf
D3-3 Training andeducationalinitiatives withinpublic and privatesector
Formative The Kosovo Institute for PublicAdministration develops andimplements training policiesdeveloped by the Ministry of PublicAdministration.
The Ministry of EconomicDevelopment encourages thedevelopment of informationtechnology training systems. SeeAppendix 18-XXIV.
http://www.kryeministri-ks.net/repository/docs/Rregullorja_02-2011-e_miratuar_nga_Qeveria-finale.pdf
D3-4 CorporateGovernance,Knowledge andStandards
Start-up Boards and executives withinprivate and state-ownedcompanies have some minimalawareness of cybersecurity issues;however ICT and finance industryboards are more informed
Dimension 4Legal andRegulatoryFrameworks
D4-1 CybersecurityLegal Frameworks
Formative There is no standalonecybersecurity law. But in the future(subject to EU legislativedevelopments in cyber security),there may be sub-legislationdeveloped.
Kosovo Assembly has adopted theLaw on Protection of Personal Data(03/L-172) and the agencyresponsible for its implementationis the National Agency for PersonalData Protection;
The Substantive Law of Kosovocovers the prevention and combatof cybercrime;
The Law on Information SocietyServices No. 04/L-094 aims toenable the legal use of electronicdocumentation, and to facilitatethe implementation of e-commerce, e-signature and e-payments;
Law on Protection ofPersonal Data (03/L-172)http://www.kuvendikosoves.org/common/docs/ligjet/2010-172-eng.pdfLaw on Prevention andFight against CyberCrime Law No.03/L–166http://www.kuvendikosoves.org/common/docs/ligjet/2010-166-eng.pdfThe Law on InformationSociety Services No.04/L-094http://mzhe.rks-gov.net/repository/docs/LIgji_i_SH_SH_I_(Anglisht).pdfThe Law on ElectronicCommunications No.04/L-109http://www.art-
12 | P a g e
Law on Electronic CommunicationsNo. 04/L-109, Article 85 imposesobligations on telecom operatorsamong others (i) when requestedto provide information aboutassessment of the security and/orintegrity of the public electroniccommunications services andnetworks, including documentedsecurity policies; (ii) to takeappropriate technical andorganizational measures toappropriately manage the risksposed to security of networks andservices; (iii) notify ARKEP inaccordance with the regulation setby it of a breach of security or lossof integrity that has had asignificant impact on the operationof networks or services; and (iv)provides ARKEP with competenceto issue binding instructions aimedat increasing network integrity andsecurity, e.g. to perform securityaudit carried out by the qualifiedindependent body.
ks.org/repository/docs/Electronic%20communication.pdf
D4-2 Legalinvestigation
Formative The Cyber Crime InvestigationCentre within the police force hasthe technical capacity and trainingto investigate computer-relatedcrimes but this has not beentransferred to prosecution orjudicial services
The Kosovo JudicialCouncil’s (KJC) StrategicPlan for the period 2007– 2012http://www.kgjk-ks.org/repository/docs/Kosovo-ICT-strategy_389023.pdf
D4-3 ResponsibleReporting
Start-up No mechanism has beenestablished for responsiblereporting, on receiving anddisseminating information onvulnerabilities.
Dimension 5Standards,organisations, andtechnologies
D5-1 Adherence tostandards
Formative The private sector implementsinternal ISO standards. Also GoK isusing Microsoft Platform as astandard in developing software.
D5-2 CybersecurityCoordinatingOrganisations
Start-up No command-and-control agencyhas been established but a nationalincident-response organisation isnow under development
D5-3 NationalInfrastructureResilience
Formative National technology infrastructureis managed informally, with nodocumented processes, roles andresponsibilities outlined;Specifically for IPKO, networks andsystems are outsourced mainlyfrom Slovenia
13 | P a g e
D5-4 CybersecurityMarketplace
Start-up There are no cybersecurityproducts or cyber insurancemarketplace in general (but welldeveloped insurance market forbanks provided from a foreigncompany)
14 | P a g e
Dimension 1: Cybersecurity Policy and StrategyNot every government has a national level cybersecurity policy and strategy or responsiblebody, for cybersecurity as a policy area is still evolving. However, importance of designatingan overarching government body for cybersecurity coordination and having a nationalcybersecurity strategy and policy cannot be overemphasized. International experience showsthat those governments better cope and mitigate against cyber incidents and attacks that dohave a designated government body and cybersecurity strategy and policy in place. Thisdimension explores the capacity of the government to design, produce, coordinate andimplement a cybersecurity strategy as well as policies upholding the strategy.
D1-1: Documented or Official National Cybersecurity StrategyCybersecurity policy and strategy are essential to mainstreaming cybersecurity agenda withingovernment because they help prioritize cybersecurity against other important policy areas,determine areas of responsibility and mandate of different cybersecurity government actors,and direct allocation of resources to the emerging and existing cybersecurity issues andpriority areas.
Start-up: There is no documented or official national cybersecurity strategy in Kosovo. TheMinistry of Economic Development (MED) as the Ministry responsible for electroniccommunications, has responsibility and authority (under the Law on ElectronicCommunications, Article 7) to develop the policy and national strategies in the electroniccommunications field. It has undertaken, therefore, an initiative to draft a national ElectronicCommunication Sector Policy in consultation with multiple stakeholders. The ElectronicCommunication Sector Policy – Digital Agenda 2013-20202 includes cybersecurity and thedevelopment of ICT infrastructure as important components (national CERT capability,awareness raising, the development of broadband electronic communication networksthroughout the national territory and promotion of the use of electronic communicationservices). This Policy is in compliance with the objectives set out in the Communication fromthe European Commission of 19th May 2010 to the European Parliament, the Council, theEuropean Economic and Social Committee and the Committee of the Regions "A DigitalAgenda for Europe" (COM (2010) 245 final) and aligned with the Communication from theEuropean Commission of 3rd March 2010 “A strategy for smart, sustainable and inclusivegrowth" (COM (2010) 2020 final). Ministry of Economic Development (MED) in coordinationwith Office of Strategic Planning –OSP (within The Office of Prime Minister), Ministry ofInternal Affairs and Agency of Information Society (within Ministry of Public Administration)are in the process of consulting on how to proceed with the drafting of a nationalcybersecurity strategy.
Public administration entities and ministries have internal security policies that inform theoperations of their internal independent networks. The Agency for Information Society isresponsible for cybersecurity with regard to the government network. The agency isresponsible for any security breach which occur using the states’ network. The Law No. 04/L-
2http://mzhe.rks-gov.net/repository/docs/Electronic_Communication_Sector_Policy_2013-2020.pdf
15 | P a g e
1453 recognised the establishment of the Agency for Information Society as a governmentalexecutive agency within the Ministry of Public Administration. The Agency is the centraladministrative body for development and implementation of Information andCommunication Technology for public institutions of Kosovo.
However, stakeholders express a high level of concern about security of their own networks.Although there is sufficient protection of national technological infrastructure, there is nocomprehensive national cybersecurity strategy that drives and coordinates a centrallymanaged strategic approach to cyber security. There is consensus among variousstakeholders for the establishment of an ICT Ministry which will be responsible also for cybersecurity, but this remains under discussion and has not been developed further.
D1-2: Incident ResponseThis sub-dimension speaks about the capacity of the government to identify and determinecharacteristics of national level incidents, events or threats in a systemic way - preferably,through a central registry. It also assesses the government’s capacity to organize andcoordinate an incident response.US Department of Homeland Security defines4 a cyber incident as the violation of an explicitor implied security policy. It can have many forms such as:
Attempts (either failed or successful) to gain unauthorized access to a system or itsdata;
Unwanted disruption or denial of service; The unauthorized use of a system for processing or storing data; and Changes to system hardware, firmware, or software characteristics without the
owner's knowledge, instruction, or consent.
Start-up: It was generally agreed across all stakeholders that incidents are not categorised orlisted at a national level. There is coordination between government stakeholders and LawEnforcement but coordination remains limited to the governmental network. With regards tothe public electronic communications network, article 85 of the Law on ElectronicCommunications5 obliges operators to notify national authority for electronic and postalcommunications (ARKEP)6 of a breach of security or loss of integrity that has had a significantimpact on the operation of networks or services. ARKEP in turn holds the right tocommunicate information about such breaches publicly. Relevant bylaw establishing theprocedure of notification has not been established at the moment of drafting this report.
There are sublegal acts regarding incident response. The Incident Management Policy (Ref.:KC_DACP_07) aims at ensuring that Kosovo establishes a strategy for managing informationsecurity incidents resulting in a coordinated and orderly response and also at ensuring that
3http://www.kuvendikosoves.org/common/docs/ligjet/Law%20on%20information%20society%20government%20bodies.pdf4 http://www.dhs.gov/how-do-i/report-cyber-incidents5 http://www.art-ks.org/repository/docs/Electronic%20communication.pdf6 http://www.arkep-rks.org/?cid=2,1
16 | P a g e
security incidents are not only managed but also analysed with a view of learning from themand preventing their recurrence.
Within ministries there are teams for incident response: the Ministry for the Kosovo SecurityForce has built their own strategy based on that of NATO; the Ministry of Finance maintainstwo agencies with separate operational teams, and the Ministry of Public Administrationowns a stand-alone system.
Kosovo Customs as part of the Ministry of Finance maintains a Security Information EventManagement System, which is tested periodically. However, a central body has not beendesignated to collect emergency threat information and there is no specific mandate for anational cyber-response agency. Following ENISA guidelines for establishing a CERT, there isa security unit specifically set up to address and protect the systems of the governmentnetwork maintained by the Ministry of Public Administration.
It must be noted that there is incident response capacity in Kosovo, since there is agovernmental CERT, and a national CERT is now being developed under the ARKEP.Administrators of the governmental CERT are responsible for identification of incidents,which result in informing law enforcement. Law enforcement then coordinates activities forcombating cybercrime. As far as coordination is concerned, the responsibility for incidentresponse has been allocated within each public administration entity and ministry, and thereis no clear cooperation yet between public and private sector.
D1-3: Critical National Infrastructure (CNI) ProtectionThis sub-dimension studies the government’s capacity to identify CNI assets and the risksassociated with them, engage in response planning and critical assets protection, facilitatequality interaction with CNI asset owners, and enable comprehensive general riskmanagement practice including CNI risk management.
Start-up:Regarding Critical National Infrastructure (CNI), responses varied between the various publicadministration entities and ministries. At a national level, no list of CNI industries has beendefined, nor a framework for collaboration between CNI has been identified during theconsultations. It should be noted that for Law Enforcement, the Ministry of Justice, and theForensic Agency, as well as the Ministry of Economic Development and Ministry of PublicAdministration, a general list of CNI assets has been created, but without any identified risk-based priorities. In general, telecommunication providers, energy providers, and the CivilRegistration Agency are referred to as “critical service providers”, however the breadth of CNIremains small for broader development reasons: CNI infrastructure is being still developed,and smart technologies have not yet been prevalent in this domain.
CNI is also mostly state-owned, and no reporting requirements for CNI operators are in place.The Electronic Communication Sector Policy – Digital Agenda for Kosovo 2013-2020 requiresthe assessment of services and their maintenance, but it was admitted by the intervieweesthat there is limited interaction between government ministries and owners of critical assetswith regard to cyber security.
17 | P a g e
The Law on Electronic Communications, No. 04/L-1097 regulates social relations pertaining toelectronic communications networks and services, associated facilities and services; use ofelectronic communications resources as well as social relations pertaining to radioequipment; and terminal equipment and electromagnetic compatibility. This regulation isrequired to ensure an equivalent level of protection of rights concerning personal data, andin particular the right to privacy, with respect to the processing of personal data in theelectronic communication sector. The law addresses the issues related to reliability andsecurity of the services provided over public electronic communications networks.
Response planning for an attack on critical assets is under discussion, but no formal plan existsas of yet and no protection processes or procedures have been agreed. Each public/privateorganisation has a business continuity plan. For the governmental network, there are nodetailed procedures or instructions regarding response planning in the event of an attack. Onthe other hand, response planning has been established for the banking sector. Information-protection procedures and processes have been established within banks, supported byadequate technical security solutions.
As far as coordination is concerned, it is under discussions and the National Security Councilbrings together appropriate stakeholders (ARKEP, Ministries), but basically onlytelecommunication companies have some formal reporting procedures established under theLaw on Electronic Communications. Dialogue between the public and private sector followsinformal procedures while lacking parameters for information sharing: such procedures aregenerally on an individual or unstructured basis, or are non-existent.
Moreover, risk management is considered only if there is an ICT component to a specificindustry. Usually telecommunication companies and energy organisations have basiccapabilities to detect, identify, protect, respond and recover from cyber threats, but suchcapabilities are uncoordinated and vary in quality. In the banking sector security measuresand guidelines for CNI cyber best practice have been established and incident-responseprocedures have been defined with insider-threat detection being accounted for. WithinMinistries (e.g. the Ministry of Finance), cyber security is not yet taken into consideration asan operational risk.
D1-4: Crisis ManagementCrisis management planning and evaluation capacity, bolstered by functional protocols andstandards, is critical to implementing cybersecurity policies that are results-oriented andsustainable. Crisis management planning usually entails but is not limited to conduct ofspecialized needs assessments, training exercises, and simulations that produce scalableresults for policy development and strategic decision making. Through qualitative andquantitative techniques, cybersecurity evaluation processes aim to produce structured andmeasurable results that would solicit recommendations for policymakers and otherstakeholders and inform national strategy implementation but also inform budgetaryallocations.
7 http://mzhe.rks-gov.net/repository/docs/Ligji_i_KE_i_Publikuar_%28Anglisht%29.pdf
18 | P a g e
Start-up: In Kosovo, there is some understanding that crisis management is necessary fornational security. There are cyber exercises being planned, but only within the Police, not ata national level. Within the Police, there is a security IT Unit, a strategy regarding data lossand key performance indicators (KPIs) for internal affairs. Although there is some evaluationtaking place after penetration testing at a local level (e.g. banks have an internal regulationon PIN testing), results from exercises do not inform overall crisis management at a nationallevel.
Within GoK, there is a recovery centre and a strategy regarding data loss. There is avulnerability-scanner application to scan systems for vulnerability issues, and based on thisthere is an effort to increase security according to its results. According to the vulnerabilityissues detected, there are measures being taken. But, no exercise has been conducted yet.
For the banking sector, realistic-high level scenarios inform plans to test information flowsand decision-making, and new information is fed into the exercise at key points. There is aswell an internal regulation on PIN-testing once a year.
D1-5: Cyber Defence ConsiderationThis sub-dimension explores whether the government has the capacity to design andimplement a cyber defence strategy and lead its implementation including through adesignated cyber defence organization within executive branch. Among others, it alsoassesses the level of coordination among various public and private sector actors in responseto malicious attacks on military information systems and critical national infrastructure.
Start-up: A national security policy exists and a national defence strategy is under preparationbut no cyber-defence policy or strategy exists. The Ministry for the Kosovo Security Forces isunder the governmental network but also maintains its own Command and Control Centre.While, there are Cyber Defence operation units incorporated into the different branches ofthe armed forces, no central command-and-control structure exists.
The Security Force in Kosovo is in transition and the majority of the employees at all levels ofits units lack training. Kosovo, as a partially recognised state in Southeastern Europe, isrequired to follow European standards. It was commonly agreed that no coordination existsin response to malicious attacks on military information systems and defence networkinfrastructure.
Moreover, some implementation of standards and minimal acceptable practices has beencarried out, but not in a coordinated manner.
D1-6: Digital RedundancyDigital redundancy foresees such a design of a cybersecurity system in which duplication andfailure of any component is safeguarded by the proper backup. This sub-dimension assessesgovernment’s capacity to plan and organize redundancy communication among stakeholders.
19 | P a g e
Formative: In Kosovo, emergency-response asset priorities and standard operatingprocedures are established in the event of a communications disruption in the emergency-response network. Moreover, stakeholders convene to identify gaps and overlaps inemergency-response asset communications and authority links.
Regarding digital redundancy, there is capacity within government and Law Enforcement. Themajority of servers are on one network, where there are digital redundancy measures.Government data servers have routine backups. There is a business continuity plan and arecovery centre, in a location outside of Pristina, for both the Ministry of Finance and theKosovo Customs as part of the Ministry of Finance.
Kosovo Law Enforcement also maintain physical back-up and own a disaster recovery centrein another city outside of Pristina. In the future there will be similar disaster recovery centresfor the Security Forces established. Although emergency response assets are mapped andidentified, including details on their location and their designated operators, this is not carriedout in a formal manner but rather done informally and at a local level. Several United NationsConference on Trade and Development (UNCTAD) documents specify the procedure inoccurrence of an incident, and these have been implemented.
20 | P a g e
Dimension 2: Cyber Culture and SocietyEven the most forward-thinking cybersecurity strategy and policy are of little help ifnongovernment actors do not understand their roles and responsibilities in safeguardingsensitive data and protecting their personal and organizational resources as they interact withthem daily through digital means. This dimension assesses important elements of a cyberculture on an individual and organizational level and their perception by various stakeholders.As well, it determines the level of trust in e-government and e-commerce services andadherence to privacy standards by the entities that engage in provision of these services.
D2-1: Cybersecurity Mind-setThis sub-dimension evaluates the level of recognition and priority attached to cybersecuritymind-set by government, private sector, and society at large. Cybersecurity mind-set isunderstood as a predisposition and, in certain cases, as a consistent behavioural model towardalignment of one’s actions with cybersecurity priorities on an individual level or in anorganizational setting. A cybersecurity mind-set consists of values, attitudes and practices,including habits, of individual users, experts, and other actors in the cybersecurity ecosystem.
Formative: Cybersecurity has been recognized as a priority across GoK, and therefore risksand threats have begun to be identified. At a governmental level, cyber security is a concern,there are some initiatives such as seminars, conferences and courses, organised by NAPDP asawareness initiatives, but these remain uncoordinated. Most strategies or policies contain acyber-element.
After consultation with stakeholders from civil society and academia, it has been identifiedthat large organisations such as banks or IT companies have begun to place priority on acybersecurity mind-set by identifying high-risk practices, and they are characterised by aproactive cybersecurity mind-set as well as a higher degree of awareness of cyber threatsthan small and medium-sized enterprises (SMEs). A survey, conducted by the University ofPristina during 2014, also revealed that private companies are more aware of cyber securitythan organisations in the public sector8.
Civil society is aware of cyber threats and privacy issues but takes no proactive steps toimprove cybersecurity. It has also been noted that there is an important distinction incybersecurity mind-set among different age groups. It is more common for young people totake proactive steps to improve their cyber security. Society-at-large is characterised by ageneral feeling of fear of cyber threats, but this is possibly because there is a lack of awarenessand understanding of the benefits of digital citizenship.
D2-2: Cybersecurity AwarenessFormative: Awareness-raising across society-at-large remains at a low level, with theexception of young people. The Ministry of Education, National Agency for Personal DataProtection, and the Ministry of Local Government Administration developed a TV and radioawareness campaign programme at a national level, the ’Privacy and Digital Age Awareness
8 Rexha, B., Halili, A., Rrmoku, K., Imeraj, D. Impact of secure programming on web application vulnerabilities.Faculty of Electrical and Computer Engineering, University of Prishtina, Kosovo, (Unpublished).
21 | P a g e
Programme’9, aimed at informing the general public on their data protection rights. TheNational Agency for Personal Data Protection (NAPDP) has created a plan for increasing theawareness of citizens, a responsibility derived from the Law on Protection of Personal Data.Through the campaign, the Agency’s aim is to further increase the knowledge ofconstitutionally guaranteed rights for protection of personal data, especially in the context oflocal and international legislation and conventions protecting these rights across key groupsof citizens. The target groups in these cases are all citizens of Kosovo, with a special focus onyouth and especially students, their teachers, state institutions and the private sector. Thecampaign uses various methods to spread its messages, such as printed, broadcast andelectronic media, as well as organization of events. The campaign aims to make citizens awareof their right to complain whenever they consider that their private data are not beingprocessed according to the relevant legislation.
NAPDP has based their practices on research on Internet usage in Kosovo. Research asindicated by NAPDP shows that Kosovo citizens are some of the most frequent users ofInternet10. The group of users with the highest Internet usage are youth aged 16 to 18 yearsold. This group is also the most vulnerable one because, apart from frequent use of IT andInternet services, they represent a target group for data theft and mishandling of private data.Therefore the campaign organised by NAPDP ‘’Privacy in Digital Age’’ aims to inform high-school youth, students, and generally users of Internet on data protection issues.
In cooperation with the Ministry of Education and experts from EU, NAPDP aims at creating amodule for IT teachers called ‘’Safe usage of IT’’. In this context, the campaign will targetspecifically those students who are studying IT related subjects and who aim to become ITprofessionals in the future. The Ministry of Education has already allocated a budget for thisinitiative.
Despite the ongoing implementation of cybersecurity awareness raising, it is not necessarilycovering all of stakeholder groups. Moreover, there is no coordinated measurementframework to evaluate the effectiveness of this campaign.
D2-3: Confidence and Trust on the InternetThis sub-dimension assesses the level of stakeholders’ trust in the use of online services, ingeneral, and e-government and e-commerce services, in particular.
Formative: Trust in use of online services is identified as a concern. A few infrastructureoperators and the banking sector consider measures to promote a higher level of trust inonline services, however these have not yet been established.
E-government services are currently under development. The Ministry of Finance hasdeveloped online tax-form submission services, but no actual financial transactions take placeonline as of yet. These services do not necessarily recognise the need for the application ofsecurity measures to promote trust in e-services. Moreover, the private sector, specifically
9 http://www.pda-ks.com/?page=1,510 http://internetisigurte.org/home/wp-content/uploads/2013/09/Internet_Safety_Report_English.pdf
22 | P a g e
the banking sector, recognises the need for the application of security measures to promotecitizens’ trust in e-services. As a result, banks use a notification of a completed banking servicetransaction, which enhances the feeling of trust for their customers.
Some of the e-government services currently provided are government payments and budgetmanagement system, electronic register of property taxation, and a system for vehicleregistration and drivers’ licenses. Moreover, citizens and businesses use the online electronicbill payment program ‘’pay at the Bank’’ for services provided by the Post and Telecom ofKosovo (PTK), Kosovo Energy Corporation (KEK), Kosovo Property Agency (KPA), the KosovoCustoms, and other billing organisations.
Mainly due to a limited number of e-government services provided online, no securitybreaches have been reported to date in Kosovo. With the expansion of e-governmentservices, maintaining cybersecurity and promoting trust in their use will become moreessential. Provision of e-services is currently limited and e-commerce is not fully developed.The need for security in e-services has been recognised by stakeholders and users and it wasadmitted that foreign websites are usually more trusted than the domestic ones.
D2-4: Privacy OnlineThis sub-dimension assesses the level of salience of privacy issues on the government agendathrough enactment of relevant practices, laws, and regulations, and the level of engagementand advocacy around them by civil society. It also evaluates how national legislative normsadhere to regionally and internationally recognised standards for human rights.
Established: In support of UN Universal Declaration of Human Rights, the EuropeanConvention for the Protection of Fundamental Human Rights and Freedoms, the Convention108 of 1981 on Personal Data Protection and Privacy during automatic processing of personaldata and (of) Directive 95/46 of 1995, the right to protection of personal data and privacy isconsidered to be a fundamental human right, which is essential for the functioning of ademocratic society. In Kosovo, this right is additionally protected by the Constitution and theLaw on Protection of Personal Data.
The government adheres to the EU Declaration of Human Rights and the StrasbourgConvention. Concerning the Law No.03/L-172 on the Protection of Personal data there areregular workshops organised with participation of all relevant stakeholders. Moreover, theLaw on Data Privacy, which is now under development, follows relevant EU Law. All relevantactors from civil society are actively driving changes in practice, law, and regulation thatimpinge on freedom of expression privacy issues.
Privacy in the workplace is recognised as an important component of cybersecurity and isbeginning to be institutionalised in local employee programs, while employers maintainprivacy policies that provide a minimum level of privacy for employees. Furthermore, there isa good understanding of data protection in the workplace both in public and private sectorand employees are aware that their personal data is protected. Within public entities, the lawand standards on privacy are followed more strictly than in the case of private entities.
23 | P a g e
Dimension 3: Cybersecurity Education, Training and SkillsThis dimension assesses the availability and quality of cybersecurity education, training, andskills in Kosovo for various groups of government stakeholders, private sector, and populationas a whole. In particular, it evaluates existing educational offerings and national developmentof cybersecurity education; training and educational initiatives within public and privatesector; and corporate governance, knowledge, and standards.
D3-1: National Availability of Cyber Education and TrainingThis sub-dimension speaks to the importance of availability of high quality cybersecurityeducation and training options, their integration and synergies, in order to ensure adequateand sustainable supply of cybersecurity skills for the needs of public and private sectors. Ittakes stock of existing educational offerings in schools and universities and training offeringswithin private sector and beyond it in the field of information security and cyber security andprovides a superficial evaluation of their structure and components.
Formative: There is an evident marketplace for information security education and trainingin Kosovo. There are educational offerings in information security. Courses on cybersecurity,(such as IT security, data security, information assurance and security, cryptography, technicalissues, legal, ethical and social issues in ICT, forensics, e-commerce, etc.) are offered byuniversities within a number of bachelor and master degrees.
The University of Pristina provides teaching syllabi in the area of Internet and broadbandtechnologies and is the only institution in the country providing PhD studies in the fields ofsecure mobile programming and cryptography. Also, the newly-established public Universityof Prizren offers academic programs in the field of ICT within its Faculty of Computer Sciencein two departments: Information and Telecommunication Technology, and Software Design.Besides, the American University in Kosovo, AAB-Riinvest College, Iliria College, and UBTCollege have also started offering study programs in the field of ICT.
Training in information security does take place, but is rather ad-hoc and uncoordinated.Training is usually provided by Law Enforcement and by various private organisations withinthe American University of Kosovo, such as The Computer Information System CompanyOrganisation (CISCO), the International Organisation for Standardisation (ISO), CACTTUSSh.a., and STIKK-Kosovo Association of Information and Communication Technology. Also, itis common practice for big private organisations to train their employees in other countries,such as the UK, Germany or the USA.
D3-2: National Development of Cyber Security EducationThis sub-dimension explores what kind of incentive structure exists for the nationaldevelopment of cybersecurity education: for example, whether any education strategy fordeveloping cybersecurity skills exists; whether cyber security as a discipline is given priority ineducational curricula; whether adequate budget allocation is present.
24 | P a g e
Formative: There are incentives for training and education, while state budget for training,research and development have been allocated. The Ministry of Education has placed ICT andsecurity issues as part of the curricula for all levels of education, and there is budgetaryallocation for this effort. The National Research Council (NRC)11 has placed communicationand technology as a priority, and this is a reflected in the efforts to build programmes incybersecurity.
In 2004, the Ministry of Education adopted a Strategy for Development of Higher Educationin Kosovo 2005-2015. The main objectives determined in this strategy are advancingmanagement and coordination in higher education, advancing capacity for research andscientific work, and development of a complete and functional infrastructure in highereducation.
Kosovo followed the European practice of fostering research in ICT, which was one of thehighest-priority themes of the EU’s Seventh Framework Programme (FP7) for Research andTechnological Development. Kosovo is entitled to participate in FP7 with the InternationalCooperation Partner Country status.
Research is among the main objectives of the higher education strategy. The researchobjectives include building of a common network infrastructure, a data-store centre, and aservices repository for government; developing e-learning software, hardware and a legalpolicy infrastructure; securing resilient infrastructures; empowering the e-governmentportals with support for e-business to attract participation of business and customers; and toadopt standards of software engineering in the ICT industry and others.
In 2008, the Ministry of Education of Republic of Kosovo and the Federal Ministry of Scienceand Research of Austria signed a Memorandum of Understanding for Kosovo-AustriaInstitutional Partnership12 in the field of Higher Education and Research including research incybersecurity issues. The Partnership included the development of interfaces to research andinnovation and interaction between universities and the local economy.
D3-3: Training and Educational Initiatives within the Public and Private SectorCyber security is a highly technical specialized field, and therefore strategic development anddeployment of skillsets and tools to support them is central to maintaining organizationssecure and mainstreaming cybersecurity culture within organizational structures. Apart fromthe question of strategic staffing, this sub-dimension assesses the scope of horizontal andvertical cybersecurity knowledge transfer within organizations and how it translates tocontinuous skills development.
Formative: Cybersecurity training programmes are executed in Kosovo but in an ad-hocmanner. Few trained IT personnel within public sector and private are designated to supportcybersecurity issues as they occur. Although appropriate skillsets may exist within theworkforce, experts with such skills are not easy to allocate.
11http://www.masht-gov.net/advCms/documents/NRP_%28Draft%29_English.pdf12 http://wbc-inco.net/attach/KosovoICTReportFINAL_01_12_2009.pdf
25 | P a g e
The Ministry of Economic Development encourages the development of informationtechnology training systems (Appendix 18-XXIV)13. The Ministry of Public Administration hasestablished an Executive Agency in order to support Kosovo Public Administration throughstaff training on Information Technology. Kosovo Institute for Public Administration (KIPA)develops and implements these training policies developed by the Ministry of PublicAdministration.
Training is usually provided by Law Enforcement and accredited training is provided by variousprivate and educational organisations, such as The Computer Information System CompanyOrganisation (CISCO) (within the American University of Kosovo), CACTTUS Sh.a., and STIKK-Kosovo Association of Information and Communication Technology, according to ISO 27000series of standards that have been specifically reserved by the International Organization forStandardization (ISO) for information security matters. Private ICT companies are betterorganised in terms of cybersecurity training and education initiatives and overall they followrisk-management policies. Yet, the majority of them still lack specific cybersecurity training,and there is no organised knowledge-transfer to their peers in companies.
At the University of Pristina, a Centre of Cyber Information Security (Research &Development) is currently being established. The Centre will engage in research activities oncyber information security.
D3-4: Corporate Governance, Knowledge and StandardsAny organisation represents a dynamic environment, where needs should be continuouslyassessed and addressed for the realization of an organization’s mission and strategic goals.This sub-dimension specifically looks into how private and state-owned companies’, asrepresented by the highest executive level of senior management (C-level management),understand cyber security and react to changes related to the cybersecurity status quo.
Start-up: Awareness of cyber security at the C-level management remains limited. Boards andexecutives within private and state-owned companies have some awareness of cybersecurityissues but this has been appraised as minimal. Although board level members are usually nottrained in cyber security, organisations are a dynamic environment, where needs arecontinuously assessed and addressed. As a result, even if board members might not recognisethe need for a possible certification, they will be informed through internal communicationsand may take specific steps to meet this need.
The National Agency for Personal Data Protection (NAPDP), in cooperation with Ministry ofPublic Administration and the Kosovo Institute of Public Administration, has organizedtraining for officials on personal data protection. The purpose of this activity was to provideofficials with knowledge about the Law on Protection of Personal Data, its implementation,and the duties and responsibilities of NAPDP, as well as the relation of these officials withNAPDP.
13 http://www.kryeministri-ks.net/repository/docs/Rregullorja_02-2011-e_miratuar_nga_Qeveria-finale.pdf
26 | P a g e
In the private sector, board members usually have an understanding of the risks associatedwith cyber security. However, in the case of state-owned companies, board members areusually not trained in cyber security and they are not therefore aware of how cybersecurityissues might affect their organisations, nor which direct threats they might face.
27 | P a g e
Dimension 4: Legal and Regulatory FrameworksInternational experience attests to the crucial role legal and regulatory frameworks play inmainstreaming cyber security across sectors while presenting prevention, mitigation, anddispute mechanisms to individuals and organizations affected by cyber threats. Thisdimension looks into the government’s capacity to design and enact national legislation andaccompanying by-laws directly and indirectly relating to cybersecurity, with a particularemphasis placed on the topics of ICT security, privacy and data protection issues, cybercrime,and on the stakeholder groups represented by law enforcement, prosecution services, andcourts.
D4-1: Cybersecurity Legal FrameworksThis sub-dimension assesses availability and comprehensiveness of ICT security and privacyand data protection legislation, its relation to human rights legislation, as well as country’sstatus in relation to regional and international treaties directly or indirectly related to cybersecurity.
Formative: The Law on Electronic Communications, developed by the Ministry of EconomicDevelopment, includes references to ICT as well as more specific provisions addressingsecurity and integrity of public electronic communication network and services, and is alignedwith sectorial EU legislation. There is currently no stand-alone cybersecurity Law. But policymakers and the Ministry of Economic Development are considering of introducing in thefuture a proposed ICT legislation related to cyber security, depending on the changes in EUICT legislation.
The Law on Electronic Communications foresees number of bylaws to be developed thatshould establish implementation procedures of the rights and obligations envisaged by thelaw. Such as, for instance, provision of the information about the major security breaches,performance of security audits. Those bylaws are pending to be developed. There aredifferent pieces of legislation that speak to cybercrime (the Law on ElectronicCommunications, the Law on the Information Society Services chapter 14, the Law onCopyright and Related Rights, the Law on Protection of Personal Data, the Law on Preventionand Fight Against Cybercrime).
Comprehensive data protection legislation and regulatory procedures have beenimplemented, where domestic law provides for the individual’s right to privacy, specifyingnotice, purpose, consent, security, disclosure, access and accountability of personalinformation. In 2010, Kosovo Assembly adopted the Law on Protection of Personal Data (03/L-172)14 and the agency responsible for its implementation is the National Agency for PersonalData Protection (NAPDP). The Law defines the rights, responsibilities, principles and measuresconcerning the protection of personal data.
NAPDP reports directly to the Assembly of Kosovo and, as an independent institution, haslegal responsibility for overseeing the implementation of the rules and regulations on
14 http://www.kuvendikosoves.org/common/docs/ligjet/2010-172-eng.pdf
28 | P a g e
protection of personal data. Advising public and private bodies, deciding on complaintssubmitted, conducting inspections and audits, as well as providing support and promotion ofthe fundamental rights in the field of personal data protection, are the main functions of theAgency. In this way, NAPDP wants to ensure that the right of each individual to privacy isrespected and protected during personal data processing. International cooperation inrelation to protection of personal data is an important part of the permanent mission of theAgency, given the priority of the Government of Kosovo towards EU integration.
Data Protection Officers are established in each public administration entity and in privateinstitutions, dealing with privacy issues. The Annual Report15 (2013) of NAPDP includes all thedetails on the activities of the Agency in the area of personal data protection, the transfer ofpersonal data as well as the assignment of data protection officers.
The Substantive Law on Cyber Crime of Kosovo covers the prevention and mitigation ofcybercrime. The Law on Prevention and Fight against Cyber Crime No.03/L–16616, which wasdeveloped with assistance from the Council of Europe, aims to prevent and combatcybercrime with concrete measures to prevent, discover and sanction violations throughcomputer systems by providing observance of the human rights and safeguard of personalinformation. Article 16 of the Law refers to child pornography through computer systems,Article 9 refers to penal acts against confidentiality, integrity and availability of the computersystems, while Article 14 refers to computer-related penal acts.
Cybercrime is part of the Criminal Code in Kosovo. In addition to the above mentionedCriminal Law, partial legislation exists in Procedural Cybercrime Code. The International LawEnforcement Cooperation Unit (ILECU) is the coordinating body for investigation intocybercrimes.
D4-2: Legal InvestigationThis sub-dimension studies the capacity of executive branch of government to prevent,combat, and investigate cyber incidents, attacks, and crimes, and of judiciary branch toprosecute cybercrime and electronic evidence cases. It also looks into the dynamic of formaland informal collaboration between different branches of government and betweengovernment and court system.
Formative: Some investigative capacity exists to investigate computer-related crimes, inaccordance with domestic law, however it is minimal and lacks human resources. Inparticular, the Cyber Crime Investigation Unit within the Kosovo Police has the technicalcapacity and training to investigate computer-related crimes.
Prosecutors are not trained adequately, although the Council of Europe has provided sometraining on cybercrime matters. With the support of CyberCrime@IPA, two trainers fromKosovo Judicial Institute have attended a basic training for judges and prosecutors and an
15 http://www.amdp-rks.org/web/repository/docs/Final_ENG_ASHMDHP_Raporti_Vjetor_i_Pun_s_2013.pdf16 http://www.kuvendikosoves.org/common/docs/ligjet/2010-166-eng.pdf
29 | P a g e
advanced training course in October 2012. They are able now to deliver training to otherjudges and prosecutors. One representative from Kosovo was funded to participate in theMaster of Sciences (MSc) programme in Forensic Computing and Cybercrime Investigationoffered by UCD. But, the majority of Judges do not have specialized training on cybercrimecases, electronic evidence or computer-related crimes, in general. Moreover, there is noformal mechanism for collaboration between judges concerning cybercrime cases.
There is support for continuing professional development (CPD) of the judiciary. Institutionaldevelopment inputs are provided by the Kosovo Institute of Public Administration (KIPA), theleading institute for training members of the public service, and the Kosovo Judicial Institute(KJI), a training institute for judges and public prosecutors. The Deutsche Gesellschaft fürInternationale Zusammenarbeit (GIZ) GmbH also assists KIPA and KJI in developing newtraining modules and in training trainers to use modern teaching methods.
The Kosovo Judicial Council’s (KJC) Strategic Plan17 for the period of 2007–2012 markedintroduction of ICT in the Kosovo Judiciary as one of critical preconditions for fulfilment ofKJC’s duties and responsibilities. In order to proceed in an organized and systematic way withits ICT efforts in the future, KJC requested technical assistance from the Technical Assistanceand Information Exchange instrument of the European Commission (EC TAIEX) and theGovernment of Norway in preparation of the ICT Strategy for the period 2012–201718.Through implementation of the ICT Strategy, KJC will work towards the following specificobjectives: transformation of Kosovo courts into e-courts, which will use a central databaseenvironment; adequate ICT infrastructure and exchange of data and documents in e-forminside Kosovo judicial system, as well as with all other relevant ICT systems in Kosovo andabroad; availability of online services for citizens through creation of a judicial web portal;creation of KJC in-house human resources, who will possess knowledge and skills necessaryfor execution of this ICT strategy, as well as providing court staff with adequate training andhardware equipment for everyday and undisrupted usage of KJC’s applications, e-mail andInternet. One of the main goals of “ICT strategy for judicial system” is to optimize secure ITservices and recourses and establish cyber defence capabilities for Kosovo Judicial Council(KCL) web services.
D4-3: Responsible ReportingThis sub-dimension explores if the public and private sectors enact a responsible disclosure policyand if there is sufficient capacity on part of both to continuously review and update this policyand synchronise it with recognised international responsible disclosure mechanisms. It alsoanalyses existing capacity of stakeholders to receive, analyse, and disseminate vulnerabilityinformation gleaned through the responsible disclosure mechanisms.
Start-up: The need for a responsible disclosure policy in public and private sectororganisations is neither acknowledged nor understood, and therefore there is no formaldisclosure framework. Internal and informal disclosure mechanisms for each publicadministration entity do exist, however nothing has been formalised. The Law on the
17 http://www.kgjk-ks.org/repository/docs/Plani_strategjik_ANG_275311.pdf18 http://www.kgjk-ks.org/repository/docs/Kosovo-ICT-strategy_389023.pdf
30 | P a g e
Protection of Personal Data, (No.03/L–172) and the Law on Classification and Verification ofInformation (03/L-178)19 refer specifically to the disclosure of personal data.
There are internal procedures for Regional Municipality Networks interactions and there arereporting requirements within government. Also, in case of a data breach in atelecommunication company, public disclosure is mandated according to the Law onElectronic Communications.
19 http://www.assembly-kosova.org/common/docs/ligjet/2010-178-eng.pdf
31 | P a g e
Dimension 5: Standards, organisations, and technologiesThis dimension brings forward the importance of implementation of cybersecurity standardsand minimal acceptable practices; existence of well-functioning and high capacityorganisations coordinating cyber security with formal authority over multiple stakeholders;and existence of a vibrant cybersecurity marketplace of technologies and cyber insuranceservices.
D5-1: Adherence to StandardsThis sub-dimension assesses government’s capacity to design or adapt from other jurisdictionsand implement cybersecurity standards and minimal acceptable practices, especially thoserelated to procurement procedures and software development. These standards and practicesprovide a minimum necessary baseline in the context of which strategic government decisions,especially organizational (resource) and financial (budgetary) ones, should take place.
Formative: Information-security standards have been identified for use. Generally, theprivate sector adheres to international standards such as ISO, and the Government of Kosovois using Microsoft Platform as a standard for software development. It is the initiative of eachpublic administration entity to adhere to standards in order to advance their investments.
Procurement, cyber-security standards, practices and procedures are currently underdevelopment nationally. The private sector already adheres to standards on procurement.Methodologies for software-development processes focused on integrity and resilience arepromoted by government and professional communities. The Kosovo Business RegistrationAgency (KBRA), which falls under the responsibility of the Ministry of Trade and Industry, andKosovo Customs use secure software and implement public key infrastructure (PKI).
Kosovo does not have a systematic method of software development as required by softwareengineering. Small and medium ICT companies (SMEs) have progressed to use CASE tools forcertain phases of software development such as programming, but are not using fast toolsfor other phases such as analysis, design and testing. Moreover, they do not follow well-defined software methods and processes throughout the software cycle. Softwaredevelopment is usually external, but when software is developed locally SSL standards areimplemented.
D5-2: Cybersecurity Coordinating OrganisationsThis sub-dimension assesses government’s capacity to provide a comprehensive nationalsituational awareness and adequate incident response and coordinate both of these functionswith other relevant stakeholders through a formally established authority with strictly definedcybersecurity functions, enhanced automation, and sufficient resources.
Start-up: No Cybersecurity Command and Control Centre exists at a national level. Within theKosovo Police and the Kosovo Security Force there is a Cybercrime Unit, but its capacityremains limited due to a lack of human resources. The Cybercrime Unit works in collaborationwith telecommunication companies in order to address cyber incidents but cooperationbetween the actors remains rather informal.
32 | P a g e
Incident-response capacity is not coordinated and is performed in an ad-hoc manner. It hasto be noted that the National CERT is now under development. According to the Law onElectronic Communications (no. 04/l-109), Article 10 Point 2120 regarding the ARKEP, it isstated that ‘’a computer emergency response center functions with the aim to deal withthreats to public electronic communication systems’’.
Incidents across government are reported to the Agency for Information Society (APA: Agencyof Public Administration) whilst the private sector reports directly to Law Enforcement. TheAgency of the Ministry of Public Administration serves as a governmental CERT, but it is not anational CERT. Moreover, there is no official communication framework and no official work-flow between different departments of government.
D5-3: National Infrastructure ResilienceThis sub-dimension assesses how effectively the government deploys and managesinfrastructure technologies (own government networks and systems) and how it performsmonitoring and evaluation of the costs for infrastructure technologies and their resilience. Inaddition, it looks into existence and exercise of government’s capacity to engage in strategicplanning and maintain sufficient scientific, technical, industrial, and human capabilities.
Formative: Deployment of technology infrastructure and processes is performed in publicand private sectors but not in a strategic manner. There are online government servicesoffered, such as online submission of tax forms within the Ministry of Finance. Also,information and digital content are available online, but implementation and process arelimited.
The Ministry of Public Administration provides network provision, network operation, but itis informally organised. The Internet-service infrastructure is reliable (in the case of IPKO, itfollows Slovenian standards because of a parent company Telekom Slovenije), whereas e-commerce transactions follow more general international standards. National infrastructureregarding cybersecurity is managed informally, with no documented processes, roles andresponsibilities. However, the government makes use of a state-owned network managed bythe Ministry of Public Administration.
There are three major Internet service providers (ISPs) in Kosovo, all with licenses that allowthem to connect directly to the international Internet backbone: IPKO TelecommunicationsLLC, Kujtesa, and the Post and Telecommunications Enterprise of Kosovo (PTK). The maintelecommunication infrastructure provider is PTK, which is considered to be reliable. Thereare several other smaller ISPs that focus on extending Internet access beyond the serviceareas of these three ISPs. All three providers report relatively high Internet usage bybusinesses21. ISPs are continuing to expand and to upgrade their infrastructure but theirpresence is mostly limited to urban areas.
20 http://mzhe.rks-gov.net/repository/docs/Ligji_i_KE_i_Publikuar_%28Anglisht%29.pdf
21 http://pdf.usaid.gov/pdf_docs/PNADK675.pdf
33 | P a g e
D5-4: Cybersecurity MarketplaceThis sub-dimension studies availability of competitive cybersecurity technologies and theirstrategic deployment and maintenance by public and private sectors. It also assesses the statecyber insurance marketplace and its offerings through the study of perception of financial risksby public and private sectors and perceived demand for cybercrime insurance.
Start-up: There are no cybersecurity technologies produced domestically. Specifically, somelocal companies provide services or produce software but they do not produce technologyproducts. It is common practice for software-security firms to develop security mobilesoftware applications, but the development of the software products is outsourced.
The need for a market in cybercrime insurance has not been identified in Kosovo through theassessment of financial risks for the public and private sectors. It has to be acknowledged,though, that cybercrime insurance is established specifically for the banking sector, coveringunauthorised access and loss of data, and products suitable for SMEs are also on offer.Cybercrime insurance is available for the banking sector thanks to a foreign private company’sofferings from Austria22 and is not a development of the public or private sector in Kosovo assuch. It was a common concern, however, that this market is overpriced and as a result thereis limited take-up.
22 Note: The information about existence of such an insurance was obtained during a field mission from localbanking stakeholders however it was not confirmed through the desk research.
34 | P a g e
RecommendationsFollowing the information presented on the assessment of the cybersecurity maturity of theRepublic of Kosovo, the Global Cyber Security Capacity Centre has produced a set ofrecommendations to be considered by the Government of Kosovo.
These recommendations refer to all five dimensions of cyber capacity and aim to provideadvice and steps to be followed for the enhancement of existing cybersecurity capacity inKosovo.
Dimension 1Capacity Gap – develop a national cybersecurity strategy
As stated, there are plans in place to develop a comprehensive national CybersecurityStrategy for Kosovo. Currently, the Ministry of Internal Affairs is responsible for collectingpersonal data for all citizens, so it is important for this Ministry to be involved in the effort ofdeveloping a national cybersecurity strategy.
It is recommended that a government entity with a mandate in ICT sector development (theMinistry of Economic Development) play the leading role in this process. It is as importantthat the development of the strategy be premised on multi-stakeholder consultation withsuch entities as the Agency for Information Society, the Regulatory Authority forTelecommunication (ARKEP), the National Agency for Personal Data Protection (NAPDP), aswell as other Ministries.
Although there is some coordination between government stakeholders and LawEnforcement, this coordination remains limited to the governmental network. Therefore, itmay be optimum for the country to draft regulations on this matter before the developmentof the national cybersecurity strategy.
Furthermore, there is no plan for a draft standalone ICT law related to cybersecurity. But inthe future cybersecurity-focusing sub-legislation may be developed. The work in this area isexpected to promote adoption of international standards and best practices, such as ISO,since it is now upon the decision of each public administration entity to adhere to standardsin order to advance their investments.
A very critical point in well-established software provision is the availability, reliability andsecurity level of data and services as well as the communication network. Securitytechnologies serve to protect user privacy. All current technologies based on e-servicesdepend heavily on secure data exchange. This aspect is an essential issue to be consideredduring the development of the Cybersecurity Strategy.
As far as coordination is concerned regarding Critical National Infrastructure (CNI),telecommunication companies have formal procedures established. The initiative of a formal
35 | P a g e
coordination between public and private sector and especially between different banks wouldbe expected to provide the necessary parameters for information sharing.
Regarding crisis and risk management, conduct of exercises-simulations at a national level, atleast once a year, would be expected to provide valuable insight and inform the overall crisismanagement.
Recommended Course of Action: Develop a National Cybersecurity Strategy. Assign the Ministry of Economic Development as a government entity
responsible for the development and implementation of the NationalCybersecurity Strategy.
Prioritise drafting of regulations on incidents’ listing and categorizing them ata national level before developing a national cybersecurity strategy
Establish a national programme for promoting standards’ adoption inprocurement or software development.
Conduct crisis and risk management exercises-simulations at a national levelat least once a year.
Strengthen formal coordination regarding Critical National Infrastructure(CNI) and information sharing between public and private sector andespecially between different Banks.
Dimension 2Capacity Gap – maintain and expand the national cybersecurity awareness campaign
The Ministry of Education, the National Agency on Personal Data Protection, and the Ministryof Local Government Administration have developed a cybersecurity awareness campaignprogramme at a national level. It is essential that this programme be not a standalone activity,be maintained to expand its reach to as many different target groups as possible, and belinked to the current planning process on development of a national cybersecurity strategy.
In addition, reinforcement of effective communication between government entities and civilsociety would lead to accomplishment of its maximum success. It is also extremely importantthat the awareness programme be evaluated for its effectiveness, thus leading to its furtherimprovement according to the needs of cybersecurity stakeholders and beneficiaries, and thelessons learned during its implementation to date.
Use of online services requires a certain level of trust from users. Therefore, the efforts topromote the trust in online services, both e-government and e-commerce ones, are highlyrecommended, since only few infrastructure operators and the banking sector implementmeasures to promote trust in online services.
36 | P a g e
Recommended Course of Action: Maintain and expand the existing awareness programme to cover various
target groups and link the programme to the national cybersecurity strategydevelopment.
Enact evaluation measurements to study effectiveness of the awarenessprogramme.
Promote trust in e-government and e-commerce services through regulationensuring personal data privacy and adherence of e-government services tothe highest cybersecurity protection standards.
Dimension 3Capacity Gap – information security training and education need to be engrained through allstages of education
There are educational offerings in information security education and training. More deeplyengrained information security training and education through all stages of education, fromprimary to secondary school, as well as from university to continuing professionaldevelopment level, is expected to not only raise awareness of society at large on cyber threatsand their prevention, but also enhance the ability of cybersecurity stakeholders tostrategically locate experts on cybersecurity issues, and enhance supply of cybersecurity skillsin workforce.
In addition, a national-level register of experts will facilitate their effective move to themarket. It is imperative for the country to be able to identify and allocate expertise whereneeded.
Recommended Courses of Action: Engrain information security training and education through all stages of
education. Allocate additional resources to cybersecurity education and training for
public universities. Develop partnerships for the development of interfaces to research and
innovation and interaction between universities and the local economy. Develop government-sponsored certification programs on cybersecurity. Introduce a regular mandatory cybersecurity training for public sector staff. Create a national-level register of cyber-security experts. Create obligatory cybersecurity modules for students and teachers in a new
Strategy for Development of Higher Education in Kosovo for the periodbeyond 2015.
Conduct cybersecurity trainings for public sector employees and boardmembers of the state-owned enterprises in a regular manner and in asufficient scope responding to emerging and existing cybersecurity issuesencountered by the population of Kosovo.
37 | P a g e
Dimension 4Capacity Gap – strengthen investigation capacity for computer-related crimes and develop aresponsible disclosure policy
Some investigative capacity exists to investigate computer related crimes, in accordance withdomestic law. In order for prosecutors to have the capacity to prosecute computer-relatedcrimes, adequate training should be provided. Also, judges need to receive training oncomputer-related crimes and develop a formal collaboration mechanism to exchangeinformation on computer related cases.
The need for a responsible disclosure policy in public and private sector organisations has tobe enacted and a formal disclosure framework has to be developed.
Recommended Courses of Action: Provide training and education of prosecutors and judges on computer
related crimes. Allocate additional resources to cybersecurity education & training for
prosecutors and judges. Introduce regular mandatory cybersecurity training for prosecutors and
judges. Ensure cybersecurity knowledge transfer from KIPA and KJI to public sector
and maintain cybersecurity cooperation with international donors. Develop a responsible disclosure policy within public sector and facilitate its
adoption in the private sector through targeted outreach.
Dimension 5Capacity Gap – promote the adoption of international standards within the public sector, andestablish cooperation between academia and research & development (R&D) industry tostrengthen the software-engineering competencies of domestic ICT companies
Adherence to international standards such as ISO is common practice for the private sector.The establishment of a programme by the Government of Kosovo for the promotion ofinternational standards and best practices could lead to their adoption not only in the privatebut also public sector. It is suggested that the Agency for Information Society, in collaborationwith the Ministry of Economic Development, consider initiating such a programme whileleveraging public funding. A national ICT strategy should include measures enablingpromotion of adherence to international standards.
A Cybersecurity Command and Control Centre has been established within the Kosovo Police.The Cyber Crime Unit, also within the Kosovo Police, needs to advance its capacity throughenhancement of human resources.
As far as incident-response capacity is concerned, it is essential for the national CERT that isbeing currently under development, to have enough resources and experts with sufficient and
38 | P a g e
accredited training, so that it can perform its functions in a coordinated and sufficientmanner. It is also important to advance preparation of the relevant secondary legislation thatwill allow CERT to be operational from the regulatory framework standpoint.
Kosovo has recently improved its ICT performance. However, further investments arerequired to support R&D in ICT. A cooperation established between academia and research& development (R&D) industry can strengthen the software-engineering competence ofdomestic ICT companies. Updated curricula at universities, including software-engineeringcourses can contribute to building intellectual capacity in the field and promote adherence tostandards in the public sector.
Recommended Courses of Action: Establish a programme to strengthen government’s capacity to adapt or
adopt international standards. A national ICT strategy should include measures enabling promotion of
adherence to international best standards. Establish a national Command and Control Centre23. Coordinate performance of the national CERT, currently under development,
allocating sufficient resources and accredited training to its employees. Invest in ICT research and cooperation between academia, research and
industry to strengthen the software-engineering competencies of domesticICT companies.
ConclusionThe Republic of Kosovo is in the process of developing different aspects of cybersecuritycapacity. Implementation of the national cybersecurity strategy, the preparation for whichshould be launched in 2015, and launch into operation of the national CERT, currently underdevelopment, are expected to set the foundations for an advanced capacity in the future. Therecommendations presented above provide further guidance for increasing capacity in thedifferent dimensions of cybersecurity maturity.
23 The Command and Control Centre is established by the Government. A national Command and Control Centre,receives and correlates information from incident response capability organisations, public/privateorganisations, Layered Service Providers, Critical Information Infrastructure, defence and intelligenceorganisations, and provides advanced situational awareness.
The Global Cyber Security Capacity Centre is funded by theUnited Kingdom Foreign And Commonwealth Office andhosted by the Oxford Martin School, University of OxfordOld Indian Institute, 34 Broad Street, Oxford OX1 3BD,United Kingdom
Tel: +44 (0)1865 287430 • Fax: +44 (0) 1865 287435Email: [email protected]: www.oxfordmartin.ox.ac.uk
![Constitution of the Republic of Kosovo - … of the Republic of...CONSTITUTION OF THE REPUBLIC OF KOSOVO ... [EQUALITY BEFORE THE LAW] ... and entire Europe by creating relations of](https://img.pdfslide.us/doc/110x75/5b2d61b97f8b9ae16e8bbeed/constitution-of-the-republic-of-kosovo-of-the-republic-ofconstitution-of-the.jpg)
