日内瓦安全部门治理中心-西巴尔干地区的网络安全能力建设和捐助者协调（英文）-2021.5-17正式版.doc

Geneva Centrefor Security SectorGovernanceCybersecurity Capacity Building and Donor Coordination in the Western BalkansFabio Barbero, EUISSNils Berglund, EUISS1About DCAFDCAF Geneva Centre for Security Sector Governance is dedicated to improving the se-curity of states and their people within a framework of democratic governance, the rule of law, respect for human rights, and gender equality. Since its founding in 2000, DCAF has contributed to making peace and development more sustainable by assisting partner states, and international actors supporting these states, to improve the governance of their security sector through inclusive and participatory reforms. It creates innovative knowledge prod-ucts, promotes norms and good practices, provides legal and policy advice and supports capacity-building of both state and non-state security sector stakeholders.DCAFs Foundation Council is comprised of representatives of about 60 member states and the Canton of Geneva. Active in over 80 countries, DCAF is internationally recognized as one of the worlds leading centres of excellence for security sector governance (SSG) and security sector reform (SSR). DCAF is guided by the principles of neutrality, impartiality, lo-cal ownership, inclusive participation, and gender equality. For more information visit www. dcaf.ch and follow us on Twitter DCAF_Geneva.DCAF - Geneva Centre for Security Sector GovernanceMaison de la Paix Chemin Eugène-Rigot 2ECH-1202 Geneva, SwitzerlandTel: +41 22 730 94 00infodcaf.chwww.dcaf.chTwitter DCAF_Geneva2Cybersecurity Capacity Building and Donor Coordination in the Western BalkansContentsEXECUTIVE SUMMARY3INTRODUCTION3PARALLEL CAPACITY UNIVERSES IN THE WESTERN BALKANS6THE EUROPEAN UNION6THE UNITED KINGDOM8THE UNITED STATES9THE OSCE10THE WORLD BANK10THE UNITED NATIONS11ENHANCING COORDINATION THROUGH CAPACITY BUILDING PRACTICES12LOOKING AHEAD143EXECUTIVE SUMMARYContinued interest and investment in cybersecurity capacity building in the region clearly indicates that the Western Balkans remains a strategically important region for a number of international actors. Systematic, coordination-by-design methodologies and best practices among donors that utilise whole-of-society and multi-stakeholder approaches can improve the legitimacy, ownership and sustainability of outcomes in the context of persistent chal-lenges to human capacity, political will, and resource scarcity. Furthermore, to better define the roles of different capacity building actors, help identify opportunities for strategic part-nerships, and clarify donor-recipient relationships, donors should seek to strengthen the links between policy objectives and strategies for capacity building interventions. As the interwoven threats and opportunities of cybersecurity and digital development grow more complex, and geopolitical tensions rise, both donors and recipients should look towards a more holistic understanding of capacity building in the Western Balkans that also enables meaningful international engagement on the peace and security of cyberspace.INTRODUCTIONCyberspace is a theatre where states cooperate and compete over their interests and val-ues across all domains: security, diplomacy, criminal justice and development. Digital trans-formation with ubiquitous access to the internet at its core has become one of the key drivers for economic growth and societal changes. It is not surprising, therefore, that cyber-security and resilience have become an important target for domestic reforms and an as-pect for strengthening international cooperation. However, not all states have the resources and expertise required to pursue those objectives in a structured and sustainable manner.As the Cybersecurity Capacity Maturity Model (CMM) Review Reports for the Western Bal-kans countries show1, cyber maturity in the region ranges from start-up to formative levels, scoring differently depending on countries and across dimensions (Fig.1). Despite remark-able exceptions, several states still lack official cybersecurity documents detailing how to establish coordination between key cybersecurity governmental and non-governmental ac-tors or lack an overarching national cybersecurity strategy. Several emergency response teams exist in the region, however the degree of government-led coordination at the na-tional level varies from country to country, together with CERTs affiliation to international consortiums such as FIRST2. Relevant difference exists with regards to the existence of formal categorisation of critical infrastructure and related legislation. National cybercrime legislation exists in most countries in the region, but challenges in the effective prosecution of cyber criminals and in the alignment of laws with regional legal instruments such as the Council of Europes Convention on Cybercrime remain. Different levels of awareness ex-ist around the protection of personal information and the security of personal data, with a growing but still insufficient cybersecurity culture among citizens, which varies greatly depending on internet penetration, the uptake of e-commerce and e-government in the na-tional economy, and the availability of cybersecurity education in national curricula.12CMM reviews have been conducted for all WB countries. All except Montenegro published their CMM reviews, which are accessible here: https:/gcscc.ox.ac.uk/cmm-reviewsThe graphic below was compiled by the authors based on publicly available CMM reviews: Each of the CMM stages of cyber maturity, i.e. start-up, formative, established, strategic, and dynamic was assigned a score from 1 (start-up) to 5 (dynamic). A score for each dimension was calculated based on the average score of each factor within said dimension.At time of writing, only Serbia and Montenegro are members of Forum of Incident Response and Security Teams (FIRST). https:/www.first.org/members/map4Cybersecurity Capacity Building and Donor Coordination in the Western BalkansThe need to close the gap between those most and least advanced as well as to continue advancing the global levels of cyber readiness against the background of evolving cyber threats and digital risks is what has attracted everybodys attention to the existing mecha-nisms such as technical cooperation and capacity building/development.Cyber capacity building (CCB) can be broadly defined as the development and reinforce-ment of processes, competences, resources and agreements aimed at strengthening na-tional capabilities, at developing collective capabilities and at facilitating international co-operation and partnerships in order to respond effectively to the cyber-related challenges of the digital age. These CCB activities can contribute to preventing cyber-related risks, to protecting citizens, infrastructures and processes, to the pursuit of criminal acts in cyber-space and to the response to malicious cyber events.3Amid an evolving threat landscape and an upsurge in investment, the Western Balkans have seen a proliferation in cyber CCB activities carried out by both national and interna-tional actors. Despite the existing gaps, progress in the understanding of the importance of building adequate capacities has increased in the region, allowing Western Balkans nations to become players and partners as opposed to mere recipients.Given the increasing number of stakeholders involved in the field globally, the 2018 Council Conclusions on EU External Cyber Capacity Building Guidelines4 recognised that such a proliferation, “creates opportunities for synergies and burden- sharing but also poses chal-lenges in terms of coordination and coherence.” As such, it called upon the EU and its Member States “to continuously engage with key international and regional partners and34Pawlak P. (2018) (ed.), “Operational Guidance for the EUs International Cooperation on Cyber Capacity Building”. Available at: https:/www.iss.europa.eu/content/operational-guidance-eu%E2%80%99s-interna-tional-cooperation-cyber-capacity-building. See also the Delhi Communiqué on a GFCE Global Agenda for Cyber Capacity Building (2017) at: https:/thegfce.org/wp-content/uploads/2020/04/DelhiCommunique.pdf Council of the European Union (2018), EU External Cyber Capacity Building Guidelines, Council Conclu-sions (26 June 2018). Available at: https:/data.consilium.europa.eu/doc/document/ST-10496-2018-INIT/ en/pdf5organisations as well as with civil society, academia and the private sector in this field with the aim of avoiding duplication of effort given the limited resources.”The COVID-19 pandemic has brought new challenges to CCB activities in the region. As policymakers face the health crises and its social and economic impacts, more competing priorities limit the financial, human and time capacities that can be devoted to cyber capac-ity building. For donors and implementors, shifting political priorities may make the recep-tion of CCB activities more challenging, while the broadening of the surface attack due to COVID-19 - comprising for example hospitals and the health supply chain - brings forward new areas for capacity building. On the other hand, the pandemic makes coordination even more important as it allows for more efficient allocation of resources. Yet, in the absence of venues for physical meetings and venues for networking, coordination between donors and implementors has been disrupted to a great extent.In this context, our discussion paper explores how cyber capacity building actors and ini-tiatives in the Western Balkans could be better coordinated, while considering the barriers to reaching cyber maturity in the region. Firstly, we offer a non-exhaustive overview of proj-ects, donors, and implementors active in the Western Balkans, based on desk research and a series of interviews with relevant stakeholders. Secondly, the paper will explore best practices on coordination through the framework of the Operational Guidance for the EUs International Cooperation on Cyber Capacity Building5. Lastly, based on the above, some conclusions and broad recommendations are proposed, with an eye to future CCB invest-ment.PARALLEL CAPACITY UNIVERSES IN THE WESTERN BALKANSCyber capacity building is inexorably linked to ongoing international debates about the peace and stability of cyberspace.6 As a process focused on human resources develop-ment, organisational arrangements and legal and institutional frameworks, CCB activities can generally be understood as promoting an implicit or explicit set of political and social ar-rangements that reflect the values and priorities of a given donor. While such projects build capacity by strengthening infrastructure and skills, they function as diplomatic mechanisms for aligning positions on cyber-related issues.7 Rather than purely technocratic endeavours for socioeconomic development, then, capacity building initiatives implemented by inter-national actors are also a form of political instrument, oriented around the advancement of foreign policy interests. As such, different actors engage in the Western Balkans with par-ticular strategic priorities and policy objectives, that tend to shape the nature of their cyber capacity building interventions.THE EUROPEAN UNIONThe EU cybersecurity strategy published in December 2020 expressly stated that “EU cyber capacity building should continue to focus on the Western Balkans and in the EUs neigh-bourhood . The EU efforts should support the development of legislation and policies of partner countries in line with relevant EU cyber diplomacy policies and standards8”. The doc-5678Pawlak P. (2018) (ed.), “Operational Guidance for the EUs International Cooperation on Cyber Capacity Building”. Available at: https:/www.iss.europa.eu/content/operational-guidance-eu%E2%80%99s-interna-tional-cooperation-cyber-capacity-buildingSee for example A/RES/74/173 in the United Nations General Assembly, adopted in December 2019. Pawlak, P. (2016). Capacity Building in Cyberspace as an Instrument of Foreign Policy. Global Policy, 7(1), 8392. Available at: https:/doi.org/10.1111/1758-5899.12298European Commission (2020), “Joint Communication to the European Parliament and the Council: TheEUs Cybersecurity Strategy for the Digital Decade”. Available here: https:/ec.europa.eu/digital-sin-6Cybersecurity Capacity Building and Donor Coordination in the Western Balkansument calls upon the EU to develop a training programme dedicated to EU staff in charge of the implementation of the unions digital and cyber external capacity building efforts. A clear nexus is also drawn between malicious cyber activities and the integrity and security of democratic systems and societies.9 Moreover, the EUs economic and investment plan for the Western Balkans from October 202010 stressed that the EU should support cyberse-curity capacities with particular regard to infrastructure and the digital transition, “developed based on a needs assessment to be conducted in 2021.”11 As a self-described enabler of that transition, the EU called for the Western Balkans to focus on reform priorities, including “cybersecurity capacity and the fight against cybercrime, especially by implementing the EU toolbox regarding cybersecurity risks to 5G networks.”With the Council of Europe, the European Union has been funding joint regional projects on cooperation against cybercrime under the Instrument of Pre-Accession (IPA) . The Cy-berIPA programme12 (2010 -2013) was utilised to further align legislation to the Budapest Convention, support the set up and specialisation of high-tech crime units in police and prosecution services, and foster a regional network of cooperation. From January 2016, the 48-month project iPROCEEDS13 funded under the IPA II Multi-country Action Programme 2014 focused on strengthening the capacity of authorities to search, seize and confiscate cybercrime proceeds and prevent money laundering on the Internet in Albania, Bosnia and Herzegovina, Montenegro, North Macedonia, Serbia, Turkey and Kosovo*. From January 2020, a second iteration of the project was launched, targeting Albania, Bosnia and Her-zegovina, Montenegro, Serbia, North Macedonia, Turkey and Kosovo* for an additional 42 months. Based on the previous capacity building efforts,