Roadmap to higher security - new Law on Information Security

In the last year, attacks on the most important state IT infrastructure have been very frequent, starting with hacker attacks on the Republic Geodetic Institute last year and ending with this year's attack on the Business Registers Agency. Let us remind you that these institutions store data that guarantee the right of ownership of movable and immovable property, data on businesses. Hence, in order to more effectively protect the data of state bodies, citizens and businesses from cyber attacks and timely response to incidents, Serbia should soon get a new institution - the Office for Information Security. It is one of the key novelties of the amended Law on Information Security, which is expected to be adopted during the autumn, after passing through the parliamentary procedure.

- The new law aims to encourage and enable a systematic solution to information security issues in Serbia and contribute to overcoming the challenges we faced up to now, such as an insufficient number of adequately trained people for inspection supervision, incomplete compliance with European regulations and a lack of capacity to detect and respond to incidents in a timely manner. In addition, past practice has shown the necessity of forming a national platform for rapid detection of attacks, incidents, coordinated and timely detection of vulnerabilities in information and communication systems (ICT) - said Jelena Mićić, adviser at NALED.

Back in 2018, the Office for IT and eGovernment and NALED tested the IT security of citizens' data on the premises. The analysis carried out as part of that project showed that out of 63 local governments in Serbia, almost half do not have appropriate regulations on procedures for information security, and it is precisely through the amendment of the Law on Information Security that it will be possible to invest greater capacities in the protection of networks, systems and data and on at the local level.

- Among the most frequently reported incidents during the previous year, port scanning, then an attempt to reveal credentials, ie username and password, as well as an attempt to exploit system vulnerabilities stand out. It is clear that the dangers lurking in the online world are increasingly present and that a comprehensive approach is needed, which can be achieved by adopting a new law - stated Mićić.

The first significant step in the protection and increase of data security in Serbia was the establishment of the Unified Information and Communication Network of Electronic Administration, which enables the secure exchange of data between state authorities, and then the construction of the State Data Center for secure data storage.

The improved legal framework brings with it a number of innovative solutions, such as the establishment of the Office for Information Security. It is a separate organization that will integrate the competences of the National Center for the Prevention of Security Risks in ICT Systems (National CERT) which exists within the Regulatory Agency for Electronic Communications and Postal Services (RATEL) and the competences of the Center for the Security of Information and Communication Systems of Authorities (CERT of the Republic authorities) held by the Office for IT and Electronic Administration. The newly established Office should carry out certification of ICT systems, products and services, professional development of persons working in information security affairs, cooperation at the national level with all relevant institutions.

Another improvement of the previous law concerns the strengthening of the capacities of the National CERT, primarily technological, human and organizational, which would enable the transition from an informative and advisory to a more operational role. In close cooperation with ICT systems of special importance, at their request, CERT will be able to proactively determine system vulnerabilities, and perform non-intrusive network scanning or form a vulnerability database of all risks and threats.

- Such a practice provides a comprehensive insight into the shortcomings of hardware, software, and telecommunication devices used for processing and transmitting information, before they become a potential target of malicious attackers - Mićić pointed out.

Among the other novelties of the Law, it is important to mention the introduction of new concepts and definitions, the revised approach to sharing information about incidents and threats, as well as the issue of supervision over the implementation of provisions.

- Although the existing legal framework has significantly improved the area of information security and detected challenges and threats that need to be resolved, some areas remain open and are a reason for future discussion - concluded our interlocutor.

Given that one of the reasons for the amendment of the Law was harmonization with the current European regulations, i.e. the EU Network and Information Security Directive (NIS2) and the EU Information Security Act, the essence of the new Law is to enable an adequate response to risks and threats related to the use of ICT in carrying out daily activities, providing services and circulating data and to be open to new technological developments in accordance with European Union regulations.

NALED provided direct support for changes to the Law by participating in the working group within the project "Serbia at your fingertips - Digital transformation for development" implemented by the United Nations Development Program (UNDP).