Cybersecurity Reform in Georgia: Existing Challenges, International Practice and Recommendations

Policy Document | 23 September 2020

The growing importance of cybersecurity in the modern world security architecture makes it necessary to pay more attention to strengthening cybersecurity in Georgia. Georgia is a country that has repeatedly become the subject of cyberespionage and full-scale cyber-attacks. According to statistical data from the Ministry of Internal Affairs, the number of cybercrimes is increasing daily. Consequently, without an effective cybersecurity system, the stability and development of the country remains at risk. Given the fact that Georgia’s existence and development have to contend with the tense geopolitical situation in the region, where non-state actors are becoming more active and cyberspace is used with increasing frequency for political purposes, Georgia may be at high risk of cyber-attacks.

 

Ignoring or inadequately assessing cyber threats will result in vulnerable economic structures, insufficiently protected critical infrastructure, and weakened overall capabilities, primarily in self-defense. Therefore, ensuring a high level of cybersecurity is vital.

 

This study shows that the measures taken by Georgia and the current cyber policy are insufficient to ensure cybersecurity and respond to modern challenges. The country does not have strictly separated functions and responsibilities between state agencies; the mechanisms for coordination, cooperation, and information exchange have not been fully refined; a comprehensive list of critical infrastructure has not been developed; and the whole cyber system is not supported by proper legislative norms.

 

The study also demonstrates that a well-organized cyberspace architecture, properly distributed responsibilities, and mechanisms of accountability and coordination are key prerequisites for the effective and secure functioning of cyberspace.

 

Overcoming cyber threats, along with many other factors, depends on political will and proper management. Proper management, in turn, implies the proper redistribution of responsibilities and the refinement of coordination mechanisms. When a country is in a state of constant conflict and the risk of a massive cyber-attack is high, state resources should be mobilized to refine and strengthen the existing organizational system, especially given the fact that the current organizational system is designed with the direct involvement of strategic partners using best international practices. The current reality shows that the problem is in prioritizing cybersecurity as an important component of national security, rather than organizational rearrangement. Creating an effectively protected cyberspace requires a complex approach to the problem. To eliminate shortcomings, it is first and foremost essential to identify existing gaps and take appropriate measures to eliminate them.

 

Policy Recommendations

 

The legislative changes initiated by the Member of the Parliament of Georgia, Irakli Sesiashvili, completely change the cyber architecture of the country and regulate critical infrastructure management issues in a new manner. Based on research of international practice, we will highlight issues that need to be considered and addressed to ensure a more secure cyberspace.

 

Compliance between the National Cyber Security Strategy and Legislation

 

With the active involvement of international partners and all stakeholders, a draft of the National Cyber Security Strategy has been developed that responds to the challenges facing the country in this field. It is of utmost importance that this strategy be approved. Therefore, any new legislative initiative, including the Draft Law on Information Security, should be in line with the National Cyber Security Strategy.

 

Cyber Security Management Model

 

The National Security Council is currently responsible for the development and implementation of the country’s cyber security policy, management of cyber crises, and coordination of appropriate agencies. However, it is necessary to set up a specialized unit staffed with cyber security specialists to coordinate matters of cyber security.

 

At the same time, if the Digital Governance Agency is appropriately equipped with hardware, software and personnel, the Agency will be able to ensure the security of the country’s critical infrastructure in coordination with the State Security Service, Cyber Security Bureau, and the National Security Council.

 

Therefore, it is important to maintain the existing model of ensuring cybersecurity and to assign the function of overseeing the country’s critical infrastructure to the Digital Governance Agency. By assigning this function to the OTA instead, the Agency is being given additional leverage of public control, which may increase the risk of restriction and/or violation of personal rights and freedoms on the Internet.

 

Classification and Reporting of Cyber Incidents

 

It is necessary to classify cyber incidents based on their probability and possible damage in addition to developing cyber incident reporting procedures.

 

It is important to establish a platform for the secure exchange of information between supervisory agencies and critical infrastructure entities, through which sensitive information will pass, in order to prevent and respond to cyber-attacks in a coordinated manner.

 

Identification of Critical Infrastructure

 

It is of vital importance to define the criteria for identifying critical infrastructure on a sectoral basis. This will allow us to protect specific areas more effectively. When identifying critical infrastructure, the following criteria must be taken into consideration:

 

- The importance and role of the organization (governmental or private) in implementing and maintaining social and/or economic activities;

- Degree of dependence on network and information systems;

- In the event of an information security incident, the level of damage caused by the organization’s disruption of service delivery.

 

When identifying critical infrastructure, it is important to consider the requirements of the NIS Directive, such as the probability of critical service failure and the extent of potential damage. Critical infrastructure regulations should not apply to small businesses and organizations, whose failure or alleged damage does not endanger national interests and the proper functioning of the country.

 

The Role of the National Security Council and Crisis Management

 

The National Security Council Charter states that one of the main areas of the Council’s work is analysis of national security policies, including information security policy, identification and assessment of threats, and planning and coordination of policies. The Council also ensures proper coordination between state agencies in times of crisis.

 

The Georgian draft law on Information Security must include an article emphasizing the role and functions of the Council as the coordinator of the country’s cyber actors. In this way, the Council will be able to carry out its functions, which will be an important supporting factor for the implementation of coordinated and synchronized actions during crises.

 

Protection of Personal Data

 

As a result of information security incidents, personal data is compromised. Accordingly, cybersecurity policy enforcement agencies should cooperate with the Office of the State Inspector’s Service to prevent breaches of personal data. The Draft Law on Information Security must include a provision related to the protection of personal data.

 

Prioritizing the Cybersecurity Field and Allocating Appropriate Financial Resources

 

It is important to make cybersecurity a priority for the state and to spend more financial and intellectual resources on its development.

 

Providing Public Control Mechanisms

 

Given the high public interest, it is no less important to have public control mechanisms over the agencies involved in ensuring cybersecurity. This may be implemented through the following activities: 

 

- Government agencies should implement their activities based on open government principles.

- Ensure the involvement of all stakeholders, including the non-governmental sector, in the development of cybersecurity policies and legislative changes.

- Implement consistent reporting on activities that have been carried out.

- Use the resources of the private and non-governmental sectors in trainings and cyber exercises.

- Organize regular meetings and exchange information on new initiatives.

- Involve non-governmental and private sectors in various educational and awareness-raising activities.

 

Implementing the recommendations outlined above and continued development of its cyber capabilities will make Georgia adequately protected against cyber threats.

 
