Montenegro must pay more for the kind of ICT talent it needs to defend against the growing threat from cyber criminals.
In early May, a text message arrived on the phones of a number of people in Montenegro saying that a parcel had arrived, delivered by the Serbian postal service Posta Srbije, and telling them to click on a link for instructions on how to receive it.
The link opened a webpage where the user was asked to enter their bank card details, but it had nothing to do with Posta Srbije. The text was in fact the latest in a string of phishing attacks targeting individuals in Montenegro, attacks that authorities say are becoming increasingly common.
According to Montenegro’s Cyber Incident Response Team, CIRT, 684 such incidents were reported last year, up from 672 in 2021. In 2011, there was just one registered cyber-attack. Of the 684 last year, malware constituted the most common type of attack.
Experts see raising awareness among members of the public as vital to minimising the impact of such scams, but, said Adis Balota, a professor at the Faculty of Information Technologies in Podgorica, “alone this will not solve the cyber security problem”.
In August last year, a major cyber assault on Montenegrin state institutions paralysed parts of the public sector and underscored the tiny NATO country’s vulnerability to cybercrime.
Almost a year on, experts like Balota say Montenegro must invest much more in its defences and in recruiting the IT security expertise that the public sector currently lacks.
“Unfortunately, from the negative examples of the past year, it can be concluded that the state information systems are currently the most threatened,” Balota told BIRN.
“I’m of the opinion that in order to solve this problem, the government of Montenegro should make a strategic departure from the current way of developing, implementing and maintaining information systems in state bodies.”
Montenegro’s Cyber Incident Response Team, CIRT, data on cyber attacks since 2011. Infographic: BIRN/Igor Vujcic.
Experts needed
The August 2022 attack infected dozens of computers in 10 state institutions and knocked offline a host of public services.
Within days, the National Security Agency pointed the finger of blame at Russia, which Montenegro has long accused of trying to thwart its Western integration ambitions, but offered no evidence; then a cabinet minister said it was in fact the work of Cuba Ransomware, a cybercrime extortion group.
Months later, the National Security Council announced that, “given the specific nature and complexity” of the attack, it had been unable to determine exactly who was behind it, despite the assistance of the FBI in the United States and the French National Cybersecurity Agency, ANSSI.
Powerful as it was, the attack was only the most high-profile of many.
Late last year, even the police were forced to warn the public not to respond to emails purportedly from the then director of the Police Administration, Zoran Brdjanin, or open their attachments, saying they “may contain malicious content”.
A week later, police said they had registered a similar scam via emails claiming to be sent by the head of the criminal police in the Podgorica Security Department, Zoran Basanovic.
The ultimate goal, police said, was “fraud and obtaining financial benefit”.
Over the past few years, Montenegro has also seen a rise in fake prize games on social media, generated via fake websites and asking users to submit photos of their ID cards or follow instructions sent by email.
Balota cautioned that, while Montenegro has cyber security strategies on paper, their implementation is another matter.
The biggest problem, he told BIRN, is the failure to recruit and retain highly-specialised experts in the field of Information and Communications Technology, ICT.
“Such experts cannot be motivated with the salaries of civil servants and state employees,” Balota said. “The motivation of serious and educated personnel to work in state bodies is an extremely important goal.”
If a clear recruitment strategy were in place, “the financial resources for basic functioning could be provided, either from the state budget or from international projects,” he said. “In relation to other parts of the state budget, the amount of money that would be necessary is negligible.”
Instead, “there is a lack of vision, professional staff, specialist training, accompanying finances, and, in the end or at the outset, political will.”
Major cyber threats in Montenegro since 2016. Timeline: BIRN/Igor Vujcic.
Attacks will get ‘more aggressive’
The first big cyber-attack on Montenegrin state bodies occurred in 2016, on the day of parliamentary elections. Then, just as last year, authorities rushed to blame Russia for the Denial-of-Service, DDoS, attacks, with Moscow at the time angered by the prospect of Montenegro’s imminent accession to NATO.
Four days later, another attack targeted parliament’s servers. The following year, 2017, the government reported a new wave of attacks on its portal and sub-portals of state bodies. Blame was laid at the feet of Fancy Bear, a notorious Russian cyber espionage group.
Balota said the government should create a “centralised body or institution at the state level, which would coordinate and manage all IT projects at the level of state bodies and administration bodies”.
This, he said, “would certainly contribute to the rational use of all available resources, to monitor trends and allow the benefits of all implemented solutions to be measured”.
Training will be key, he said.
“Each subsequent attack will be even more aggressive and have greater consequences,” said Balota.