Montenegro’s Proposed New Cybersecurity Structure Raises Concerns

Montenegro’s draft IT security law – a response to a massive cyber-attack on state institutions – raises questions about overlapping jurisdictions, practicality and the risk of political influence, experts say.

Information security expert Branko Dzakula also called for clarification of the respective roles of the CIRT and the planned Cybersecurity Agency.

“The CIRT should be focused on protecting only state infrastructure, while the Agency could have a broader role in protecting the wider cyberspace, including the private sector,” Dzakula told BIRN. “Such a division could increase efficiency, strengthen coordination between these institutions and avoid conflicts of jurisdiction or duplication of tasks.”

He also questioned whether the law could be implemented in practice.

“Montenegro’s cyber security index significantly lags behind the European Union average and there are traditional problems with financial, technical, and human resources,” Dzakula said. “It’s debatable whether the public and private sectors can adequately implement the new requirements in practice.”

Draft law ‘aligned’ with 2022 EU directive

The 2024 Global Cybersecurity Index, published by the UN’s International Telecommunication Union, ranks Montenegro’s information security level as ‘establishing’, the third tier of five.

That puts it on a par with the likes of Bulgaria, North Macedonia and Ukraine but behind the ‘advancing’ countries such as Croatia, Albania, Israel and Switzerland. Fellow ex-Yugoslav republics Serbia and Slovenia are in the highest tier – ‘role-modelling’ – alongside Britain, Germany, France and others.

Montenegro’s vulnerability was exposed in August 2022, when government servers were hit with ransomware, malware that encrypts the victim’s data and critical files and demands payment in exchange for the decryption key.

The attack took offline a number of ministries, the Property Administration, the Revenue and Customs Administration and courts.

A hacker group called Cuba-Ransomware claimed responsibility but authorities have never officially identified the perpetrator. A report by experts from the US Federal Bureau of Investigation, FBI, was submitted to Montenegrin police in January 2023 but it has yet to be published.

Since 2012, when it was established, the CIRT has operated under the Directorate for the Protection of Secret Data, whose head is nominated by the defence minister, and is responsible for all cyber security incidents in Montenegrin cyberspace.

Under the draft law, the CIRT will come under the Ministry of Public Administration and protect only the state administration’s information system from cyber threats.

Dusan Polovic, head of the state Directorate for Infrastructure, Information Security, Digitalisation and e-Services, told BIRN that the draft law is aligned as much as possible with the EU’s NIS2 Directive, adopted in November 2022 to raise the overall level of cybersecurity in the bloc, which Montenegro is seeking to join.

Montenegro needs to adopt the law, he said, to meet the demands of Chapter 10 accession negotiations with the EU concerning Information Society and Media.

“The focus of this law is on transposing as much as possible the NIS2 EU Directive that defines this area, taking into account Montenegro’s obligations in the accession process,” Polovic said. “This law also falls under Chapter 10, which Montenegro aims to close as soon as possible.”

Risk of undue political influence

Montenegrin Directorate for Infrastructure, Information Security, Digitalisation and e-Services chief Dusan Polovic (R). Photo: Government of Montenegro

Montenegro’s 2022-26 National Cybersecurity Strategy calls for a Cybersecurity Agency as an umbrella body responsible for state cybersecurity, within which the CIRT would operate.

The draft law is not completely aligned with the Strategy, Polovic said, in that it places the CIRT under the Ministry of Public Administration, operating separately from the Cybersecurity Agency. Polovic said this was “absolutely necessary”, “rational” and “efficient”.

According to the draft, the head of the Cybersecurity Agency will be appointed by the agency’s Council, which will have a president and four members appointed by the government.

The Ministry of Public Administration will propose the president of the Council, while the University of Montenegro, the Chamber of Commerce, the Montenegrin Academy of Sciences and Arts, and the Agency will each nominate one member for approval by the government.

Dzakula warned that the process risked stuffing the agency with political appointees, given that all four institutions are considered close to the authorities and are dependent on public coffers for their funding.

“Given the crucial role the agency will play in protecting state infrastructure and the broader cyberspace, it is imperative that its composition is based on expertise, experience, and impartiality, not on political criteria,” Dzakula said.

He called for a “transparent and rigorous selection process” to ensure the appointment of experts “with proven cybersecurity experience”.

“Politically motivated appointments could undermine the credibility and efficiency of the agency,” he added.

Last year, during a public debate on the draft, IT experts and organisations called for the agency’s Council to include at least one member from the cybersecurity expert community but the ministry rejected this.

Polovic insisted the Cybersecurity Agency would have a “professional and well-paid staff” free of political influence.

Concerns over supervisory powers

Montenegrin information security expert Branko Dzakula. Photo courtesy of Branko Dzakula

Dzakula also raised concerns about data privacy under the new law, which, he said, gives Cybersecurity Agency supervisors broad powers when assessing the IT security of an inspected body; that body is obliged to give them access to its IT equipment and to any data they request. Some experts are concerned that the draft has not been aligned with the Personal Data Protection Law, which stipulates that personal data cannot be processed to a greater extent than necessary for a given purpose.

“It is crucial to balance strengthening cybersecurity and preserving privacy rights,” Dzakula said. “It is necessary to ensure that supervisory powers are clearly defined to avoid potential abuse or excessive oversight.”

The Agency for Personal Data Protection and Free Access to Information told BIRN that it had not received the draft law for review and that it had not been officially contacted by the Ministry of Public Administration.

Polovic said: “Implementing information security standards prescribed by the law and expert supervision are very important. The obligation of two-way cooperation between inspectors and supervisors is clearly defined.”

According to a Ministry of Finance estimate, implementing the new law will cost 2.62 million euros.

Dzakula questioned the outlay, “in a country like Montenegro”, where human and financial resources are limited.

Forming new bodies like CIRT “could lead to unnecessary resource wastage,” he said.

“It would be more rational for the Cybersecurity Agency to integrate a special department dedicated to protecting state institutions, thereby achieving better coordination and resource savings.”
