Members of the national parliament were told that the case is in the investigation phase and the ministry is not involved in the assessment and analysis of the incident, as Bosnia and Herzegovina is the only country in the region in which there is no computer emergency response team (CERT) for public institutions.

A CERT is an essential component of cyber protection, but Bosnia and Herzegovina has not set one up yet, despite repeated urgings calls by the European Union and some of the country’s other international allies.

“These days, not having a CERT is like not having a ministry of foreign affairs,” Arben Murtezic, director of the Centre for the Education of Judges and Prosecutors of the Federation of Bosnia and Herzegovina, has said.

A CERT team’s principal task would be to set up communication channels for collecting all details about potential cyberattacks and other risks that face internet users in Bosnia and Herzegovina.

Bosnia and Herzegovina also lacks a strategic and legal framework for cyber-security. However, after the publication in April 2023 of the Report on Cyber-Threats by the Cyber-Security Excellence Centre, CSEC and BIRN Bosnia and Herzegovina, as well as an audit report pointing to the unpreparedness of state institutions to tackle the threat of cyberattacks, the first steps have now been taken towards the establishment of a CERT team.

Minister of Communications and Transport Edin Forto told BIRN Bosnia and Herzegovina that a CERT was not set up earlier because of “the politics of spite” – a reference to the inter-ethnic political wrangling that has often hindered governance in the country – and a seven-year-long failure to reach an agreement about which ministry should control the cybersecurity unit.

“We could have spent yet another term of office outsmarting and outvoting [each other], but I consider it more important to have a CERT team than where to position it. We unblocked that process and finally began to build capacity for a CERT for Bosnia and Herzegovina’s institutions,” he said.

Forto said that the drafting of a law on cybersecurity is one of his priorities, noting that this requires the full consensus of the Council of Ministers and both the country’s political entities. He noted that a Broadband Internet Access Strategy and Electronic Communications Sector Development Policy have been agreed on, while the drafting of a law on e-communications, services and electronic signatures is underway.

“We are losing time and flailing in the wind without prevention and protection system and a quick response to cyberattacks. Awareness of the significance of this topic will demonstrate whether we have matured, as a society, to put the priorities of the public and the economy ahead of political manoeuvring,” Forto said.

CERT team needs adequate resources

At its 11th session in May 2023, the Council of Ministers gave consent to amendments to the Rulebook on Internal Organisation of the Security Ministry, creating the framework for a CERT team to operate.

“The new rulebook sets up a new organisational unit, the Computer Incident Response Team for the Institutions of Bosnia and Herzegovina, with a total of five systematized work positions, whose terms of reference were drafted in accordance with the recommendations and best practices of ENISA [the European Union Agency for Cybersecurity],” the Security Ministry told BIRN Bosnia and Herzegovina.

The ministry said that efforts have been stepped up following 2022’s cyberattacks on state institutions, which left staff members with no access to email and other digital services for several weeks, as BIRN Bosnia and Herzegovina reported.

However, the establishment of the new CERT still requires several more political decisions, because the ministry has only just started recruiting staff, and lacks the funds to appoint enough people to complete the team.

Meanwhile, the Security Ministry has begun drafting a plan for the operational and institutional establishment of the CERT and fulfilment of its objectives, which has yet to be referred to the Council of Ministers.

“In light of the above, the CERT for the institutions of Bosnia and Herzegovina will become operational once the necessary resources have been provided,” the Security Ministry said.

It added that it is also planning for the CERT team to join international associations, organisations and networks with the aim of exchanging information in the field, which has not yet been regulated by legislation in Bosnia and Herzegovina.

Legislation needed to ensure cybersecurity

Experts told BIRN Bosnia and Herzegovina that one of the major constraints on the development of cybersecurity in the country is the lack of any state strategy in the field that could serve as a basis for legal documents that would provide the public with adequate cybersecurity.

Predrag Puharic, the head of CSEC and the leading information system specialist at the Faculty of Criminalistics, Criminology and Security Studies at Sarajevo University, said that the adoption of the Rulebook on Systematisation for CERT is commendable, but only one in a series of necessary steps.

“In order for the team to have more focused roles and tasks, it is necessary to define a national cybersecurity strategy and speed up the creation of the rest of the legal framework, which will partially spring from the strategy itself,” Puharic explained.

At the state parliament in May this year, four conclusions by members of the House of Representatives of the Parliamentary Assembly of Bosnia and Herzegovina were adopted – the primary goal being the implementation of the conclusions from a review of the cybersecurity situation at Bosnia and Herzegovina’s state institutions. The institutions themselves have not responded to the review yet.

In its conclusions, the House of Representatives told the Council of Ministers to undertake additional measures to update the implementation period, but also to improve information security management policy at state institutions. It also told the Ministry of Communications and Transport and Security Ministry to submit for parliamentary consideration draft laws on IT security and critical infrastructure within the following 90 days.

Aida Barucija, one of the members of parliament who submitted the conclusions to the House of Representatives, said she has still not received answers from any institutions, although the deadlines set out in the conclusions have expired.

Barucija explained that this was not just the case with these conclusions, but with others too, and said that their implementation can only be monitored by means of audit reports.

“You know that even we had no access to computers and our emails, and neither did the entire parliament. There was a sign on our computers saying ‘Don’t turn on’, so we had no access to email,” she said.

“No one was allowed to turn their computer on because, as I heard, one female civil servant accidentally opened something she should not have opened, resulting in a security attack on a state-level institution. That means they were not up to the job,” she added.

In addition to conclusions referring to individual institutions, Barucija also submitted specific questions to the security minister, but has not received an answer yet.

Despite the delays in Bosnia and Herzegovina’s cybersecurity development progress, Puharic said there is a chance that the country will be able to harmonise its solutions with the latest European directives, recommendations and models for best practice.

“There is surely no magic solution or clear-cut answer to what the best solution is, but the mere adoption of documents without any sincere commitment will clearly not result in a successful struggle [against cybersecurity threats] and a satisfactory level of security,” Puharic said.

Domestic and international experts will discuss the shortcomings of the cybersecurity sector in Bosnia and Herzegovina and solutions to the country’s problems at the Bosnia and Herzegovina Internet Governance Forum in October.