Georgian Cybersecurity Strategy: What Has Been Done So Far

Next Article

საქართველოს კიბერუსაფრთხოების სტრატეგია: განვითარების გზა დღემდე

As a result of modern conflicts, non-traditional methods are increasingly used alongside traditional ones. Cyberspace is one of the most obvious examples of this. Cyber-attacks are one of the biggest security challenges facing the country, as Georgia has already experienced during the 2008 Russian-Georgian war. It has become a catalyst for Georgia to increase its cyber security and to make as many efforts as possible in this regard.

According to Giorgi Iashvili, Executive Director of the Georgian Information Security Association (GISA), our experience in 2008 was most notable in the beginning of serious efforts in the area of cyber security. In an interview with the Diplomat magazine, he spoke of Georgia’s long road in terms of cyber security development: “In 2010, the Data Exchange Agency (now the Digital Governance Agency) was established, a law on information security was passed in 2011-12; in 2013, the National Cyber Security Strategy was developed based on a threat assessment document that used the concept of national security. So, many actions were taken in the five years since 2008, including the creation of a major cyber security body, the development of legislation, and the definition of critical information infrastructure.” - said Iashvili.

The third cyber security strategy, developed in 2021, is more advanced and sophisticated than previous efforts. Georgia’s National Cyber Security Strategy 2021-2024 has as one of its main goals the promotion of cyberculture in the information societies and organizations, as well as the enhancement of the Georgian cyber defense capabilities. In an interview with Diplomat magazine, Luka Mgeladze, Director of Cyber Security Bureau of Georgia, said that the current strategy is more sophisticated compared with past strategies, which is expected owing to the lack of experience in previous years.

Establishing and raising public cyber awareness is one of the primary purposes of the strategy, as is forming public-private partnerships. Mgeladze stressed the importance of defining and regulating critical infrastructure. A number of amendments were made in the Law of Georgia on Information Security, bringing the categorization of critical information system entities up-to-date; the scope of the Law was extended to include private entities as well; in 2021, the Government of Georgia approved the list of subjects of critical information system of the first, second and third categories.

“Recently, cyberspace has begun to pose a challenge for the country. Whereas in 2008 the country was relatively less dependent on information systems, we see today that its dependencies of critical infrastructure and various business structures are growing rapidly. This is a space (digital transformation) that simplifies business processes, but also provides opportunities for the cyberattack, noted Luka Mgeladze in conversation with Diplomat magazine.

It should be noted that an existing cybersecurity strategy is a step forward if we consider the features that make it better than previous approaches (degree of detail, more focus on public private partnership, etc.). Implementation of the strategy, however, presents many challenges.

Iashvili identified two main problems that impede the implementation of relevant activities: a shortage of human resources in the responsible agencies, who are supposed to carry out these activities. The second issue concerns the budget, the financial resources. “The strategy doesn’t specify much about monitoring, and it is not clear whether it will be implemented or to what extent this or that activity will take place.” Iashvili further stressed the importance of active work in this direction, and he cited a project by the British government launched a few months ago that specifically envisages the implementation of the strategy, and supports state in this regard, saying that such actions create increased optimism.

Iashvili and Mgeladze emphasized the importance of Georgia’s participation in the international arena. According to Luka Mgeladze, the country will take part in one of the largest NATO cyber training exercises in the near future. At the same time, Georgia is a representative of the Regional Cyber Defense Center, which is based in Lithuania.

Luka Mgeladze stressed that integration with the international community was essential. “Without sharing information, it is very difficult to deal with this space in isolation, as it is challenging to comprehend where and how the attack takes place, because it is much easier to cover up.” Mgeladze said.

As Iashvili mentioned, Ukraine has been active in this direction: It applied for membership in the NATO Cyber and Defense Center last year, and it has already joined as a contributing member this year. The country, although not a member of NATO, is a full member of NATO’s main cyber defense institution and successfully makes use of the opportunities available to it. Considering the experience Ukraine has to its credit, the country has refined the area of cyber security well; “the Russian-Ukrainian war shows how well Ukraine has been able to respond to threats in cyberspace since the very beginning, “there has been a lot of mobilization by the state,” said Giorgi Iashvili.

In the present day, when the process of weaponization of information is obvious, it is necessary for Georgia’s security to take cyberspace’s threats seriously. The significance of these threats was made even clearer when NATO designated cyberspace as the fifth domain. This implies that, along with air, sea, land, and space, cyberspace is a real, significantly more meaningful arena for confrontation today. Consequently, as cyber-awareness grows, an increased perception of the threat posed by cyber-attacks will develop, and the readiness to live in a world in which all wars are synchronized with the cyber element will also increase. This is especially relevant today because it is exactly what we are experiencing now.