DCAF Young Faces 2014 – Cybersecurity Winter School for the Western Balkans
A COMPREHENSIVE CYBER AWARENESS CAMPAIGN – A ‘PREQUEL’ TO
STRONG AND LASTING CYBERSECURITY PPP IN SERBIA
AUTHOR: Adel Abusara*
Executive Summary
This policy brief deals with the lack of established institutional and legal frameworks to successfully
tackle emerging cybersecurity problems in Serbia, which have been brought on by
unprecedented revolutions in communications and technology. Ad-hoc solutions, scattered
within different state institutions and private companies operating in the country or in the region,
prevent any comprehensive approach to the increasing number of challenges in the cyber
realm. Having in mind the various problems related to the possibility of an overarching partnership
between state institutions (the Government) and the private sector (popularly called public-private partnership - PPP), this policy brief suggests a ‘light-weight’ first step: initiating a
comprehensive national cyber awareness campaign that would include both national institutions
and interested private companies. A successful campaign would increase the level of trust and
create stronger ties between all of the parties involved, thus facilitating further steps which are
necessary for the establishment of a national cybersecurity protection system and legislation
supporting it.
BACKGROUND AND ANALYSIS
Serbia does not yet have any piece of
legislation specifically related to the
emerging threats in the realm of
cybersecurity. However, the adopted
Development Strategy for Information
Society in the Republic of Serbia by 2020
has six priorities for development.1 There
are no clear signs that any steps towards
implementing the strategy have been
taken as of yet.
Also, there are no institutions or computer
emergency response teams (CERTs)
dealing with cybersecurity at the level of
the Serbian government. The efforts are
fragmented and ‘compartmentalized’ in
different Ministries (namely the Ministry of
Interior and Ministry of Defence).
Furthermore, there are no public-private
partnerships (PPPs) tackling this issue
(although, law enforcement institutions do
have good cooperation with some
telecommunication providers). 2
1 http://www.itu.int/en/ITU-D/Cybersecurity/Documents/Country_Profiles/Serbia.pdf (webpage accessed 03/02/2015)
2 Chief Police Inspector Branislav Vasiljevic, Ministry of Interior of the Republic of Serbia, lecture at the Young Faces Network Cybersecurity Winter School for the Western Balkans, Petnica, 03/12/2014
The number of internet users, however, is
rapidly increasing, especially in urban
areas.3 Consequently, the number of
attacks, be it against official web pages
of various institutions/cultural organisations
or related to stealing citizens’ sensitive
information, is increasing and gaining
more and more media attention.
At the same time, it is obvious that neither
the media, nor the citizens and state
institutions have the capacities to
comprehend and rightly perceive the
dangers for the country’s and citizens’
security and economy.4 An internet
security community exists, but its message
and potential to educate and/or
influence public opinion is still limited to
social networks or blogs, while almost
completely absent from the mainstream
media.
Overall, there is the need to adopt proper
legislation and set up an institutional
system at the level of the Serbian
Government.
Besides Bosnia and
Herzegovina and Macedonia, Serbia is
the only country in the Balkans without a
proper legal and institutional framework
to tackle the issue of cybersecurity.
As no country can secure itself and its
citizens properly in the cyber realm
without the help (and, in this case
especially, without the funds) of the
private sector, strong PPPs need to be set
up in advance of, or in parallel with,
adopting necessary laws and bylaws and
creating institutions.
3 Eurostat, http://ec.europa.eu/eurostat/documents/3930297/6406919/KS-GM-13-001-EN-N.pdf/c0610a68-22ce-4c1e-9374-8cd85ac98a7e , page 131.
4 An accurate estimation of economic losses of suffering the most common, DDoS attack on the country level can be found on: Vladimir J. Radunovic, “DDoS – Available Weapon of Mass Destruction”, Diplo Foundation, 2013.
POLICY OPTIONS
• Maintain the status quo: This would entail waiting for the country to adopt the Law on Information Security (there are no signs of it happening soon), while at the same time working on alternatives, such as assisting mostly academic institutions to start working on various smaller issues that are part of this all-encompassing topic at the lower level (RNIDS – Serbian National Internet Domain Registry, AMRES – Academic Network of Serbia, applying for and implementing various EU-funded projects most likely within its newest Horizon program for education institutions) and leaving the private sector to advocate for and/or teach the public on cybersecurity related issues of their particular concern. This would lead to a further ‘balkanization’ of the topic: constant overlapping, bad utilization of funds and limited reach of most of the efforts/outcomes.
• Push the state to create institutions and adopt legislation: This would entail creating a national CERT and forcing the Ministry of Interior, Ministry of Defence and Ministry of Justice to strengthen or create proper departments (e.g. their own CERTs). The downside of this solution is that national institutions have proven to be rather slow and inefficient (drafting the Law on Information Security is an excellent example of the pace of the progress). In addition to the anticipated sluggishness of the process, a realistic and fairly common scenario all over the Balkans could mean that institutions are created and laws adopted, but without proper implementation.
• Create a public-private partnership initiative for a cybersecurity awareness raising campaign: This comprehensive and all-encompassing awareness raising campaign would have to be organised on the national level, and target citizens, small and medium-sized enterprises (SMEs) and large companies. Gathering around a large scale campaign with a number of different activities would serve to bridge the mental gap for cooperation on sensitive security issues between national institutions and the private sector; it would be the natural first step towards creating a sustainable and overarching PPP aiming to assist the Government in a number of cybersecurity issues in its later phases. This would be a clear win-win situation for all the partners. It is also a more cost efficient way for creating a PPP and working on cybersecurity issues. In addition, it would create the nexus of organisations, institutions and individuals ready to shape future cybersecurity issues in Serbia and possibly in the region. Finally, there are excellent examples from which to derive inspiration, that could be adjusted to the local needs and mentality.
ANALYSIS OF KEY BENEFITS OF A CYBERSECURITY AWARENESS RAISING CAMPAIGN AS THE
FIRST STEP TOWARDS LONG-LASTING PPP
The benefits of PPPs in the cybersecurity realm are multiple. Particularly, states around the world are (usually painfully) aware that they no longer have the means to act on their own when addressing cybersecurity challenges.5 For this reason, the countries most advanced in dealing with cyber issues have either created powerful partnerships with a multitude of private sector companies to promote different issues, or somehow ‘forced’ private companies to cooperate. Others, despite understanding the necessity, are often unable to bridge this mental ‘gap’, in order to create meaningful and lasting relationships. (Some) states find it hard to let go of the monopoly over any security issue, while (some) private companies cannot grasp various business opportunities arising from this sort of partnership and burden sharing. The latter are also afraid of losing ‘the edge’ in fierce market battles if they share any information either with the state institutions or with other competitors on the market.6
For the reasons stated above, to start a PPP in this not-so-sensitive area of awareness raising would present an easy first step and lay an excellent foundation for more profound and overarching cooperation in the possible ‘all-encompassing’ PPP at the national level in Serbia. A national cyber awareness campaign would maximize the currently particularized efforts of different public and private institutions (see footnote 7). This educational campaign would serve to help the increasing number of digital citizens in Serbia stay more secure online. Individuals and companies “would be able to learn and become more aware of risks in cyberspace, and be empowered to make choices that contribute to […] overall security”.7 Its webpage would serve as a “one-stop shop” for all issues related to risks in cyber realm.
The partnership would also become an umbrella for various smaller campaigns focused on particular cybersecurity risks that would become parts of the central, continuous campaign. Finally, the PPP could at the very beginning use the campaign to initiate different capacity building projects aiming at increasing cybersecurity of different categories of citizens (e.g. increasing digital literacy in the rural areas, subsidizing SMEs focused on cybersecurity, building capacities of CSOs dealing with internet technologies to advocate for various cybersecurity issues etc.).
A PPP created in this way might, in a next phase (once all the stakeholders agree on the need to broaden its scope of work), serve as the consultative body of the Government in setting up the legal and institutional framework related to various cybersecurity issues. Its expert body (see below) could explore and present different existing models for dealing with cybersecurity, it could also aid in drafting the laws, bringing the world’s leading experts in this field to assist in fine-tuning the system (once the most appropriate one is chosen), etc.
5 More on this in Buckland, Winkler: “Public Private Cooperation: Challenges and Opportunities in Security Governance”, DCAF Horizon 2015 Working Paper No. 2, p.9
6 The case of India, a country which invests significant efforts and funds in strengthening its cybersecurity capabilities is an excellent example: http://www.idsa.in/idsacomments/TakingStockofthePublicPrivate%20_csamuel_311214.html
7 “Stop.Think.Connect” campaign: http://www.stopthinkconnect.org/aboutus/overview/ (webpage accessed 13/03/2015)
Ultimately, this overarching partnership should be the leading standing forum of experts and politicians related to the whole range of cybersecurity issues. However, broadening the PPP’s scope of work could happen only if the level of trust among its participants is increased and the best possible way for this to happen is a joint national cyber awareness campaign as a beneficial trust-building exercise.
In addition, an awareness raising campaign as a first step is a clear win-win situation for all actors involved. On the one side, state institutions constantly lack funds8 for this sort of engagement, while this would not be a problem for leading organizations in interested sectors (such as Microsoft, Eset or even Comtrade, to name just some of the potential partners).
On the other side, as already stated above, this is an ideal business opportunity for the private sector. Through advocating for responsible behaviour on the internet, companies could easily reach the widest possible audience and build their customer base through, for example, promoting the usage of legal software.9
As with any collaboration, it is easier and more cost efficient to work together and combine efforts. This is particularly visible in the case of a cyber awareness raising campaign. For instance, the lack of PPPs clearly leads to an unnecessary duplication of efforts.10
The campaign would lead to collaboration between companies that work throughout the region and the Serbian government. Having this in mind, should this pilot idea prove successful, it could spill over to the region and lead to cooperation among a number of regional governments that are not always prone to work together. This could lead to the creation of a nexus of organisations, institutions and individuals with the same core goal: creating an overarching PPP in cybersecurity.
Finally, but not the least important, there are excellent examples of successful ongoing campaigns from which to derive inspiration; most notable are the Stop.Think.Connect11 campaign by the National Cyber Security Alliance (US) and the GetSafeOnline12 campaign (UK). Both were initiated by state institutions (Department for Homeland Security on President Obama’s initiative in the US and HM Government in the UK) and embraced by leading organizations in banking, retail, internet, security and other sectors. These campaigns could be seen as models for creating a national (and afterwards possibly regional) cyber awareness raising campaign, or could even be replicated.13
8 For instance, the campaign led by the Ministry of Trade, Tourism and Telecommunications “Click safe”, http://kliknibezbedno.rs/sr/naslovna.1.1.html is a fairly good one, but was badly advertised (probably due to lack of funding), so as to reach the target audience, which makes it a failure to some extent (webpage accessed 02/02/2015)
9 Microsoft considers the decline in usage of pirate software the greatest benefit of industry-government partnerships in many countries, for example in Russia: http://news.microsoft.com/download/archived/presskits/antipiracy/docs/piracy10.pdf (accessed 02/02/2015)
10 For instance, Microsoft has announced launching a regional cyber awareness campaign on 28 January this year, thus duplicating already existing governmental efforts. However, the campaign starts with promo video in English, which does not lead to the conclusion that the campaign will be tailor-made for the region. See: http://www.personalmag.rs/software/microsoftkampanja-podizanja-svesti-o-internet-privatnostii-bezbednosti-podataka/ (accessed 02/02/2015)
11 http://www.stopthinkconnect.org/
12 https://www.getsafeonline.org/about-us/
13 Stop.Think.Connect campaign became global in 2012 with as many as 30 partners all over the world. See: http://www.stopthinkconnect.org/getinvolved/international-program/ (webpage referenced 02/02/2015)
POLICY RECOMMENDATIONS AND STEPS TO BE TAKEN
1. The initiative for the creation of a PPP in successful cases (US and UK) came from the state. However, it is difficult to believe that the Serbian Government, or any of the interested line Ministries, could spark dialogue on this topic. Therefore, in Serbia the initiative should come from one or several partner companies from the private sector. One or several well-embedded companies (e.g. Microsoft) should initiate a coalition that would approach the Government with a proposal to start a dialogue on a joint national cyber awareness campaign project, as explained above.
2. A decision on how to organize a PPP would require careful consideration, even if it is a sort of ‘proto’-PPP as envisaged in this case. Prior to commencing with planning the campaign, decisions regarding the organizational setting, rules of procedure, and most importantly, finances need to be made. Although this should be left to interested parties to deal with, at the beginning one could assume that the lion’s share should be on the side of private companies, with the Government’s full support. This discrepancy could be adjusted later. As for the organization, although there are a number of ways to enable a smooth and proper functioning of the PPP, the US model of a National Cyber Security Alliance (with a joint Secretariat and another two bodies, an Advisory Board and a Board of Directors) is recommended. The Board of Directors, tasked with providing strategic guidance, would encompass CEOs of private companies and national-level political actors (Ministers, Assistant Ministers or State Secretaries). The Advisory Board, responsible for transforming the strategy into clear recommendations, would be comprised of operational-level officers from both sides. Finally, the Secretariat would consist of professional project managers, fundraisers and campaign/media experts.
3. A decision to expand the activities should be taken only after the cyber awareness raising campaign has some measurable results, not before. Having in mind that the Serbian society is still in transition, some steps should not be rushed. Joint action on such a scale (considering that a cyber awareness raising campaign at the national level is a goal in itself) must be successful, in order to build trust with all the partners. Then, and only then, will it be possible to make cultural and behavioural change and expand cooperation to so-called ‘sensitive’ areas, such as information sharing. In order to reach this, part of the ‘package’ for the inception phase of the cyber awareness raising campaign should be establishing tools for measuring activities and, more importantly, outcomes.
* Mr. Adel Abusara was a Senior Project Assistant in the Democratization Department of the OSCE Mission
to Serbia when taking part in the DCAF Young Faces Network 2014 cycle. All opinions and evaluations
contained in the paper are those of the author and cannot be attributed to DCAF or any institution to
which he is affiliated. The factual background for the paper might have been overtaken by events since
early 2015.
http://www.dcaf.ch/Region/Southeast-Europe/DCAF-Southeast-Europe-Regional-Young-Faces-Network