Author: Mr. Saša Šćekić, IT expert and former Vice President of the AmCham Digital Transformation Committee

This year, a wave of ransomware and DDoS cyberattacks caused unavailability of public services and data loss across the Western Balkans. Serbia’s Republic Geodetic Institute – which manages the real estate data of citizens, companies and the state – was down for several weeks. In case of Albania, it was the attack on the e-Albania public administration services and the border police system. In addition to the unavailability of digital services, there was also a loss of data, as the email communication of the prime minister, the minister of defense and the minister of the interior was posted on the Internet.  North Macedonia’s government and banks were attacked at the beginning of the year, and recently the website of the Ministry of Education and Science was also hacked. Kosovo’s public institutions were cut off from the Internet due to a hacker attack.

Montenegro has been facing what is probably the worst attack on its critical IT infrastructure so far – as large number of digital services became unavailable and business processes were slowed down to a halt. While domain gov.me is now being recovered – the fact is that it was down for almost a month along with all Government portals, as well as portals of state institutions, eUprava – the central point for digital public services – the portal of the national scheme for electronic identification, the service of the tax administration… The customs clearance procedure for imported goods was slowed down causing higher costs for businesses. Public procurements were stopped. Electronic fiscalization as well (although partially recovered in the meantime). Parents still cannot submit applications for child allowance, the start of the implementation of the professional training program has been postponed, license plates for cars are delayed, etc. Parts of the critical infrastructure went offline, and even state electricity company (EPCG) switched to manual operations.

The attack is so complex that Montenegro requested the help of its partners. USA sent the FBI CAT team (Cyber ​​Action Team), while France sent experts from the National Security Agency. They provided onsite support to local teams in forensics, incident response and remediation. A few days ago, the team from Great Britain took their place – with the objective of helping Montenegro to strengthen its cyber-attack resilience.

Lessons learned from Incident Detection and Response

What happened, how much damage there is and what vulnerabilities and potential deficiencies led to such serious consequences? At this moment, answers to these questions are not available and probably will not be for some time – as they could very well enable new attacks. However – based on information that has been published – we can draw certain conclusions about the state’s readiness to respond to cyber-attacks of this magnitude.

The team from France has detected an attack that has been going on since January of this year – but so far it did not confirm correlation with recent incident. Nevertheless, the question arises: how is it that there has been an attack on the state’s IT infrastructure, that has not been detected for so long?

It is also important to consider the time it took to respond to the incident, limit the attack and reduce the damage. It took at least 2 days in this case – as incident was registered on August 20^th, while the response was made on August 22^nd, when the affected infrastructure was taken offline.

Recovery of key digital services is ongoing for a month now. It may be that the recovery team is facing issues due to which the recovery takes this long. On the other side, we do need to raise a question why the recovery of these services did not take place within 2 to 24 hours, as prescribed by the Strategy of Data Security in case of disasters, defined for the needs of state and administrative bodies of Montenegro. Basically, why services where not recovered and business continuity ensured by switching to Disaster Recover Site (DRS) in Bijelo Polje. It is possible that the IT systems at DRS have been compromised as well – considering that it is connected to the primary Data Center through the network that was the target of the attack.

It’s quite clear that there is an urgent need to review technical and process controls – as well as the availability and expertise of teams that are needed in order to detect, respond to and recover from this kind of complex incidents, as soon as possible.

During the incident, governmental institutions under the gov.me domain opened private email addresses and used them to exchange emails with potentially confidential data. Putting aside the good intentions to get the job done, this situation leads to a conclusion that there was a lack of coordination and that the excess of access rights in the system enabled use of private email addresses – introducing additional risk for data loss. In general, this points out to the lack of information security awareness.

Finally, we should consider the communication element of incident response process. Consultation with experts could have helped in avoiding the confusion about who carried out the attack. They probably wouldn’t be too quick to point fingers, considering how unlikely it is to determine the true source of an attack – as actual IP addresses could be hidden behind Tor network, VPN encrypted communication in combination with multi-hop servers and an army of botnet computers that have been “conquered” around the world, from where the attacks are carried out. Communication with citizens and businesses is quite important – what is happening, which services are impacted, when recovery is expected, what they can do in the meantime… Managed approach to this could have helped in avoiding confusion and contradictions in the reporting. This kind of complex incident situations require a coordinated and planned communication: who, what, to whom, when and how to communicate.

Investing in people

These attacks are not isolated and have been happening even to significantly more developed economies. For example, according to the Bitkom Research, German companies lost 203 billion euros due to cybercrime in 2021 alone.

In the past period Montenegro has made significant advances related to cyber security regulatory framework. Next to several laws and regulations, with the support of the professional community, comprehensive strategic documents have been agreed to guide digital transformation and information security developments.

Now it urgently needs to implement these strategies – and build up technical, process and human capacities for Defense in Depth. This includes segmentation and access control at the network, server and data level, solutions for intrusion detection and prevention, data loss prevention, solutions for collecting and correlating security events, a culture of regular testing and remediation of vulnerabilities – from regular automated scanning to penetration testing, an efficient recovery plan in in case of disaster, etc.

But, above all, this means ensuring strong first line of the defense – the people. It is needed to have both awareness of threats on the one hand and expertise in the field of information security on the other. Awareness is a matter of organization and some investment in continuous training of citizens and employees of state institutions. The issue of expertise is a much more complex one – and requires our political elite to have the vision to support long-term investment in the development of such experts.

The state should certainly support the University of Montenegro, which has indicated willingness to contribute to the development of cyber security capacities and the fight against high-tech crime by establishing numerous programs and education of IT personnel. Security teams from the private sector, especially from highly regulated industries such as telecommunications and banking, could provide significant support in this education. Likewise, the IT sector and associations like ICT Cortex, which has already offered support.

It is extremely important to devise a strategy of retaining established experts and keeping them engaged in the protection of state infrastructure. In addition to continuous training and certification, the state should also budget a financial motivation necessary to keep these experts in the country and in the civil service.

Former CEO of CISCO, John Chambers, once stated: “There are only two types of organizations: those that have been hacked and those that don’t know it yet! “. Montenegro now without a doubt knows that it has been hacked – and that it has a clear and important task of building the necessary capacity for effective cyber defense – by cooperating with institutions, the private sector and its foreign partners.