Cybersecurity

Digital transformation helps to improve the quality and efficiency of public administration and optimize financial and human resources. In the context of growing digital interdependence accelerated by the COVID-19 pandemic and the complexity of the threat landscape, there is an increasing need to ensure the security of the technological infrastructure of state institutions and the protection of citizens' personal data.

According to the World Economic Forum (WEF) estimates in 2020, the total number of detected malicious programs and ransomware increased by 358% and 435% accordingly.

The WEF experts admit that 95% of cybersecurity issues are related to the human factor.

At the same time, the global shortage of cybersecurity specialists is 3.5 million people.

According to the results of the Check Point Research analysis, in 2021, the number of cyberattacks on corporate networks per week increased by 50% (compared to 2020).

The international average was 925 cyberattacks per week per organization. The most significant increase in the number of cyberattacks was recorded in the European region.

Weekly Attacks per Organization by Region (2020 vs 2021)

in 2020

in 2021

Africa

0

APAC

0

Latin Americas

0

Europe

0

North America

0

Source: Check Point Research Report

Attitude of EU citizens to cybersecurity issues

Think they can protect themselves from cyberthreats52%

Believe that the risk of becoming a victim of cybercrime is growing76%

Believe that their personal data are compromised46%

Source: Special Eurobarometer 499 Survey, January 2020

The main targets of cyberattacks

According to the^[1] European Union Agency for Cybersecurity (ENISA), the main targets of cyberattacks in 2021 were: state administrative institutions (198 incidents), digital service providers (152 incidents), medical institutions (143 incidents), the financial and banking sector (97 incidents), and the transport sector (54 incidents). The most common types of cyberattacks include ransomware, cryptojacking^[2], data breaches, malware, disinformation, non-malicious threats, threats against availability and integrity, and supply-chain attacks.

According to the "Cost of a data breach 2021" IBM report, new digital threats emerge fast, which makes it hard for organizations to prevent them.^[3] The transition to remote mode in the context of the COVID-19 pandemic was carried out to the detriment of organizations interests in information security. In 2021, the average financial damage caused by a data breach amounted to $4.2 million. This is a record for the last 17 years.

^[1]Results: April 2020 to July 2021

^[2]Cryptojacking is the unauthorized use of devices to generate cryptocurrency.

^[3]The study is based on the analysis of leakage data from more than 500 companies happened from May 2020 to March 2021. In total, the organization analyzed about 100 thousand violations.

Approaches to assessing the effectiveness of cybersecurity policy

ITU recommendations on improving the level of digital security of States

The ITU notes an increase in the cybersecurity level of States worldwide. According to the indicators of the Global Cybersecurity Index^[1](GCI), by the end of 2020, 127 countries had adopted national information security strategies, and 142 had conducted information campaigns on cybersecurity issues. The leaders are the U.S. (100 points), Estonia (99.48), the UK and Saudi Arabia (99.54 points equally); South Korea, Singapore, and Spain (98.52 points equally); and Russia, the UAE, and Malaysia (98.06 points equally).

Legal Actions

167 countries have cybersecurity legislation in place
133 countries have data protection laws
97 countries have developed legal mechanisms to protect critical infrastructure

Technical measures

131 countries have National Information Security Centres
101 countries have mechanisms in place to protect children from the dissemination of illegal information on the Internet

Organisational measures

127 countries have developed national cybersecurity strategies
National cybersecurity strategies are updated in 98 countries
60% of the above 98 countries audit the performance of cybersecurity strategies

Development of professional capacity

142 countries have conducted cybersecurity awareness campaigns
94 countries have launched cybersecurity research programs

International cooperation

90 countries have bilateral cybersecurity agreements
112 countries participate in multilateral cybersecurity initiatives
In 2020–2021, 140 countries participated in international events, such as conferences on cybersecurity and educational seminars.

Source: ITU Global Cybersecurity Index Report

Despite the progress made, there are still areas that need further improvement: modernization of critical infrastructure protecting measures in accordance with new cyber threats, strengthening the legal regulation of work with personal data, and increasing the overall level of digital literacy.

The ITU guidelines to improve the cybersecurity level of States are the following: regular monitoring of how effectively the cybersecurity strategy is being implemented, improving the resource base of national information security centers, the need to intensify international cooperation, and sharing best practices to counter cyberthreats.

^[1]The Global Cybersecurity Index (GCI) was first published by the International Telecommunication Union (ITU) in 2015 and is updated every two years. The objective of the project is to assess the information security system of 193 ITU Member States in 5 focal areas: legal measures, technical measures, organizational measures, professional development, and international cooperation.

Cybersecurity – Case Studies

SAI: Austrian Court of Audit

Title: Coordination of Cyber-Security

Date: April 22, 2022

Link: Proceed

In 2021, the SAI audited the effectiveness of cybersecurity systems in a number of Austrian federal agencies (Federal Chancellery, Ministry of the Interior, Ministry of Defence, and Ministry of Foreign Affairs). The SAI focused on the assessment of the cybersecurity regulatory framework and strategic and operational management. The SAI identified a number of weaknesses, such as the lack of cybersecurity incident operational management plans and an inadequate risk management system. The SAI stressed the need to improve the information security strategy of agencies and recommended they establish a standing cyberspace response team as well as an emergency response center.

Auditor General Office of Denmark

Case
Description

SAI: Auditor General Office of Denmark

Title: Five government authorities’ compliance with 20 technical minimum information security requirements

Date: January 15, 2022

Link: Proceed

As a result of an audit conducted by the Auditor General Office of Denmark in 2021, the auditors concluded that the Ministry of Finance, the Ministry of Justice, the Ministry of Health, the Ministry of Climate, Energy and Housing, and the Ministry of Food, Agriculture and Fisheries had failed to comply with the 20 technical minimum information security requirements that were to be met by 1 January 2020.

Contact Committee of the Supreme Audit Institutions of the European Union

Case
Description

SAI: Contact Committee of the Supreme Audit Institutions of the European Union

Title: Audit Compendium: Cybersecurity in the EU and its member states

Date: December 7, 2020

Link: Proceed

On December 7, 2020, the Contact Committee of the EU Supreme Audit Institutions published the "Audit Compendium. Cybersecurity in the EU and its Member States." Based on the results of research conducted by the supreme audit institutions of the EU member states, the collection is devoted to the issue of how resilient EU critical information systems and digital infrastructure are to information attacks. It provides background information on the problem of cybersecurity, EU strategic initiatives, and the legal framework; it identifies the main challenges and risks faced by EU citizens and Member States as a result of the digital data misuse. The study was based on the results of 12 audits conducted by the audit institutions of EU member states and the European Court of Auditors on issues related to cybersecurity. The audit results made it possible to identify the vulnerability of digital infrastructure and personal data storage systems (Estonia, France, and Sweden), the lack of resources and the effectiveness of the information security system management (Ireland, Latvia, and Finland), non-compliance with the security standards set by European regulations (Poland and Portugal).

European Court of Audits

SAI: European Court of Auditors

Title: Special report: Cybersecurity of EU institutions, bodies and agencies: Level of preparedness overall not commensurate with the threats

Date: March 29, 2022

Link: Proceed

Due to numerous cases of hacker attacks on the EU information systems, the European Court of Auditors, from January 2018 to October 2021, audited ^{^[1]} the effectiveness of the EU institutions information security policy. Special attention was paid to the activities of the European Union Agency for Cybersecurity (ENISA) and the EU Computer Emergency Response Team^{^[2]} (CERT-EU). According to the European Court of Auditors, the resilience level of EU information systems differs from one institution to another and generally does not correspond to the current scale of cyberthreats. In particular, only 58% of EU institutions have an agreed information security strategy at their management level. The reasons behind the unpreparedness of EU institutions for cyber threats are the following:

A system for assessing information systems stability or inconsistency is absent;
Outdated corporate cybersecurity practices;
Lack of systemic training of employees on information security issues, as well as lack of advanced training programs for specialists of the relevant departments;
Inadequate information security management system of institutions and selective risk assessment;
Uneven funding of programs to increase the level of cybersecurity in the EU institutions;

External audit of information security systems is absent in a number of departments.

^[1]The EU Institutions, Bodies, and Agencies (EUIBAs) are the constituent units of the EU apparatus that help to implement its tasks and functions, act on behalf of the EU, and have a certain competence, structure, and authority. Currently, the following institutions are included: the European Parliament, the European Commission, and other institutions.

^[2]The EU Computer Emergency Response Team (CERT-EU) is an independent expert group that regularly monitors the emergence of new threats to information security, especially if these threats affect a wide range of users and companies in the European Union.

The European Court of Auditors has called on EU institutions to coordinate information systems more coherently and to take a consistent approach to the development of cybersecurity strategies. It is recommended that the European Commission introduce mandatory cybersecurity rules, increase funding for the CERT-EU, and promote inter-institution cooperation on this issue.

National Audit Office of Finland

SAI: National Audit Office of Finland

Title: Supplement to the follow-up report: Organizing cyber protection

Date: April 12, 2022

Link: Procceed

In 2022, the SAI of Finland assessed how its recommendations for cybersecurity measures improvement were implemented, following an audit of the Ministry of Finance in 2017. The SAI concluded that the recommendations were partially implemented.

The SAI noted that some operational processes to implement cybersecurity measures need to be improved and provided the auditee with recommendations to improve their performance:

The Ministry of Finance is recommended to take into account cybersecurity issues at all stages of financing and the "life cycle" of government digitalization projects;

It is also proposed to establish between the Ministry and relevant departments a permanent channel of communication and exchange of data on threats and possible illegal actions in the digital environment.

UK National Audit Office

SAI: UK National Audit Office

Title: Cyber and information security: Good practice guide

Date: October 28, 2021

Link: Procceed

In 2022, the SAI of Finland assessed how its recommendations for cybersecurity measures improvement were implemented, following an audit of the Ministry of Finance in 2017. The UK NAO concluded that the recommendations were partially implemented.

The UK NAO has prepared a guidance for audit committees for reviewing cybersecurity services and assessing the risks of using information systems based on current government requirements. The key issues to be considered when auditing such systems and services are:

The organization's overall approach to cybersecurity and risk management;
Resources needed to ensure cybersecurity;
Individual issues, in particular - risk management in the field of information security and data, network security, emergency management, protection against malware, remote work of employees, etc.;

Related areas, in particular - cloud services, research and development of new technologies.

Government Accountability Office of the United States, GAO U.S.

SAI: Government Accountability Office of the United States, GAO U.S.

Title: Federal Response to SolarWinds and Microsoft Exchange Incidents

Date: January 01, 2022

Link: Procceed

In 2022, the SAI of Finland assessed how its recommendations for cybersecurity measures improvement were implemented, following an audit of the Ministry of Finance in 2017. The SAI concluded that the recommendations were partially implemented.

In 2022, GAO analyzed the measures that federal agencies took in response to the hacker attacks on SolarWinds and Microsoft Exchange networks. In January 2019, SolarWinds, a Texas-based software development company whose services are widely used by the U.S. federal government, was hacked. In March 2021, Microsoft reported the use of vulnerabilities to gain illegal access to multiple versions of Microsoft Exchange Server. These hacking attempts were one of the largest hacking attacks ever conducted against the federal government and the U.S. private sector. GAO notes that the U.S. federal agencies reached several conclusions following the hacking attacks:

coordination with private sector companies has helped to make the incident response measures taken more effective;
a centralized platform for dialogue between government bodies and private sector companies created has improved coordination among all stakeholders;
the information sharing between federal agencies has often been slow and time-consuming;

the evidence-gathering process was limited due to differences in data retention practices across agencies.

Cybersecurity

Cybersecurity