Last month, the Republic of Georgia hosted its first-ever Cyber Security Forum in Tbilisi. The event examined cyber threats to Georgia and policy options to address them. Prime Minister Giorgi Gakharia opened the forum with an acknowledgement that “cyber-related issues, cyber risks, and cyber threats can be very challenging for this country at this critical time,” referring to the issue of election interference at the country’s upcoming parliamentary elections. The Prime Minister stressed the pressing need for “a national-level structure with an appropriate mandate for coordinating the respective sectoral agencies.” Indeed, Georgia has not revised its cybersecurity strategy since 2017, and the active talks of adopting the 2019-2021 strategy have yet to yield tangible results.
During the event, U.S. Ambassador to Georgia, Kelly Degnan, called on Georgia’s leaders to urgently develop a comprehensive national cybersecurity strategy and formulate an implementation action plan. The Ambassador encouraged Georgia to “clearly delineate the roles and responsibilities in the cyber sector […] as this will help Georgia be better prepared to eliminate, to reduce vulnerabilities and to respond quickly and effectively when there are attacks.” Degnan emphasised that cybersecurity protection in the lead up to Georgia’s parliamentary elections scheduled for 31st October is of “the utmost importance.” As is the case with a broader national security strategy, a state’s cybersecurity strategy must be updated regularly in order to reflect changes in the political, technological, and institutional environments and capabilities of every country. Georgia’s cyber strategy has largely remained stagnant over the past three years, yet its neighbour, Russia, has continued to increase its cyber and disinformation attacks, while relations between the two sides have further deteriorated.
No digitised country, including Georgia, can afford to ignore cybersecurity. Malicious cyber actors ranging from determined and well-resourced nation-states to opportunistic and increasingly skilled criminals are constantly probing for vulnerabilities in the critical infrastructure. Power plants and energy infrastructure, banking, communications infrastructure, medical facilities, government services, and many other vital assets key to public and private life are targets. Attacks against them have the potential to cause effects ranging from loss of wealth to catastrophic loss of life. They also threaten territorial integrity and undermine hard-fought gains in democratic accountability. Preventing their occurrence, mitigating their effects and minimising their harm are all key components of a national cyber strategy and the need for its adoption.
Although a revised national cybersecurity strategy is the ultimate goal – and one that Georgia cannot afford to keep on the “back burner” much longer – in the interim, an immediate priority is to clearly articulate and formulate an incident response plan to deal with major cyber events and incidents with the goal of devising a broader national strategy. To this end, below are three proposed priorities for the Georgian leadership, designed to aid the drafting and implementation of the country’s national cybersecurity strategy.
Priority 1: Lay the foundation. Malicious cyber actors will not wait for the Georgian government to produce an elaborate cyber strategy before attacking. We have continued to observe this over the past few months, including the most recent disinformation and trolling efforts in Georgia (among other countries) tied to Russian military intelligence (the GRU) and the infamous Internet Research Agency. That is why establishing a preliminary management structure for dealing with cyber issues, especially a potential cyber incident affecting the Georgian government or critical infrastructure, is essential. To this end, a concise, non-technical “how-to” guide for cyber policy management, as well as an interim cyber incident response plan aimed at empowering Georgian leadership to cut through the “fog of an incident” and react in a smart, deliberate manner to an attack, is of vital importance and urgency. Above all else, however, forming an advisory board of Euro-Atlantic-wide experts, practitioners, policymakers and international leaders in this sector is of vital importance as the first step towards developing an interim cyber incident response plan followed by a comprehensive cybersecurity strategy.
Priority 2: Design the architecture. Building on the policy and management foundation established in the previous phase, the next priority is to develop and craft a set of recommendations for a Georgian Cyber Security Strategy. This step should be taken and developed in concert with local cybersecurity and digital diplomacy professionals, with guidance from experts in the technology and broader security sectors of allied countries (e.g. the United Kingdom, the United States, Estonia, Germany, etc.).
Priority 3: Implementation. Even the most detailed and well-crafted strategies can and will likely fail if their practical implementation is neglected or otherwise overlooked. Drafting recommendations with implementation practicalities taken into account is an important step in this process. However, the task of developing a detailed implementation plan can only be tackled if the Georgian government has weighed the proposed recommendations and decided on—as well as committed to—a course of action.
A perfectly pristine and completely safe and secure cyber domain is no longer a viable option in the ever-evolving and constantly developing cyberspace. However, effective defence can and should be structured ahead of time in anticipation of an attack, be it cyber or information specific. With no visible red lines, Georgia is not only leaving itself vulnerable to malicious actors but also finds itself without a clear response plan when an attack occurs. Whilst no strategy or national policy on cybersecurity will successfully discourage maliciously inclined actors from pursuing their goals, waiting for a cyber bomb to go off before devising a plan of action post-factum is something that no state can afford, and Georgia is no exception.
The logical question is why, if at all, should the wider international community care to help the small Caucasian country surrounded by an enclave of less-than-friendly cyber actors, such as Russia and Iran? The answer is rooted in the nature of the cyber landscape, which has borders, but not necessarily in the way that we think about territorial borders in the strictly geographical sense. Cyberattacks gone awry spill over: the notorious 2017 NotPetya ransomware, for example, not only impacted states and nations beyond its immediate target, Ukraine, but also produced a boomerang effect, harming the country of its origin, Russia.
A cyber strategy has been long overdue for Georgia, and the luxury of time is simply no longer an option. A cyber-strong, resilient and well-equipped Georgia is in the interest not only of the Georgian people but also of the global community writ large. If a consensus within Georgia on whether or how to move forward with a national cybersecurity strategy cannot be reached in a timely manner, a joint European and U.S. voice is needed. Unified Euro-Atlantic action may, in turn, ensure that not only Georgia but the rest of the region and the world do their part in protecting a domain that is impacting the daily lives, safety, and security of every modern citizen, let alone every country’s critical infrastructure and national security.
The opinions articulated above represent the views of the author(s) and do not necessarily reflect the position of the European Leadership Network or any of its members. The ELN’s aim is to encourage debates that will help develop Europe’s capacity to address the pressing foreign, defence, and security policy challenges of our time.
Image: Flickr, Idaho National Laboratory