During the latest expert meeting on CABAR.asia analytical platform, the experts from four countries of the region (except Turkmenistan) discussed cybersecurity issues in Central Asian countries and measures the governments and civil society take to ensure it.
In Central Asia, the digitalisation process is ongoing both at the state level and in people’s lives. E-document management, digitalisation of public services, online shopping, and e-wallets have already become a part of the everyday urbanised life of the region’s residents and this process continues.
However, its downside is the personal data breach, unauthorised charges, the use of other people’s data in various operations, and other similar risks. Cybercrimes, cyber espionage, and cyber wars are the reality that has already reached the Central Asian region.
Are the countries of the region legally and technically prepared for all the potential risks from the digitalisation process? These and other questions were discussed by the experts: Al-Aidar Amirseit, a cybersecurity analyst at TSARKA Company from Kazakhstan; Artem Goryainov, Deputy Director for Information Technologies of the Public Foundation “Civil Initiative on Internet Policy” from Kyrgyzstan; Asomiddin Atoev, a regional expert in the field of information technologies and cybersecurity, regional coordinator of the SecDev Foundation in Eurasia CyberSTAR project to build the capacity of civil society in the field of digital security; Shukhrat Sattarov, a researcher on information/cybersecurity and international information security, a specialist in the field of countering information threats and cyberterrorism from Uzbekistan.
Of the Central Asian countries, Kazakhstan ranked the highest on the 2020 Global Cybersecurity Index by the International Telecommunication Union – 38th out of 192 countries. Uzbekistan ranked 78th, Kyrgyzstan – 100th, and Tajikistan was 146th according to this Index.
All Central Asian countries have adopted many legislative documents, strategies, and concepts in the field of digital and cybersecurity and are striving to increase their potential realising that the risks and threats in this field will multiply. However, the governments should consider many more aspects to strengthen cyber shields and protect not only their state interests but also the people’s personal data, the experts noted.
In particular, Kazakhstan has already taken many measures to protect its cyberspace from external threats and pays great attention to specialist training, according to Al-Aidar Amirseit, TSARKA Company analyst.
“At the legislative level, we are currently developing the second interpretation of the National Concept “Cyber Shield 2.0”, which includes more practical areas for ensuring security. In addition, we are currently reviewing the personal data protection policy together with the Astana International Financial Centre and the national audit environment to make government agencies and the private sector more secure and more responsible for the personal data storage and processing, as well as their use for artificial intelligence and machine learning,” said the analyst from Kazakhstan.
He also said that now, the Ministry of Digital Development, Innovation, and Aerospace Industry intensifies the work on specialists’ training. By the end of this year, the Ministry intends to produce special vouchers that will be issued to programming schools in the country for the training and retraining of specialists to improve their skills in responding to cyber incidents and to make them more prepared and competent.
In addition, the share of scholarships for the “Information Security” specialty increases in the country annually. In this regard, the private companies’ efforts are important – they select students from universities for internships in their information security centres so the students can gain some experience and develop their skills.
Deputy Director for Information Technologies of the Public Foundation “Civil Initiative on Internet Policy” of Kyrgyzstan Artem Goryainov drew attention to the difference between legal initiatives and norms and their practical implementation to protect cyberspace in the countries of the region.
There are many great initiatives in Kyrgyzstan. A cybersecurity strategy was adopted, which was developed taking into account the interests of all parties; a coordinating council was organised under the Security Council, which included specialists from government agencies, the economic environment, the private sector, etc.
“However, something went wrong as always. Now, cybersecurity is completely under the jurisdiction of the State Committee for National Security. However, you understand that our security committees, due to their mandate, are closed structures. … In reality, cybersecurity implies openness. Whatever they say about it, it implies openness, it implies sharing information. Our National Security Committees, due to their mandate, cannot do this,” believes the expert from Kyrgyzstan.
In addition to all other digitalisation initiatives, including the creation of a state cloud for state information systems, the country is developing a digital code that will include the regulation of the digital space and a cybersecurity component. A law on cybersecurity is being developed; it will include the norms for the protection of critical information infrastructure, said Goryainov.
“Unfortunately, little can be said about their work. Once again, I want to highlight that the main task of the server is to exchange information, including threats, warning and analysis of threats, and so on. However, since the structure is quite closed, there is not much information about this,” he said.
The expert from Kyrgyzstan noted the positive initiatives of the government and said that 14 or 13 years after the creation and adoption of the Law on Personal Information, the Agency for Protection of Personal Data was established and worked well in the country.
According to another cybersecurity index by the Estonian e-Governance Academy, Tajikistan ranks 143rd. Among other Central Asian countries, including Afghanistan, Tajikistan ranks 6th or 5th – after Afghanistan and ahead of only Turkmenistan, said Asomiddin Atoev, a regional expert in the field of information technologies and cybersecurity.
In Tajikistan, this issue is regulated by the Concept of the Information Security of the Republic of Tajikistan, the Concept of State Information Policy, and a number of other departmental laws related to countering cybercrime and violent extremism online and offline.
At the practical level, the private sector, the banking sector, and the telecommunications sector have good potential. Each company has its own servers.
Unfortunately, at the national level, there are no such servers for either the state or the nongovernmental sectors. There are units in law enforcement and security agencies that cooperate and counter cybercrime as part of the countering extremism and terrorism strategy, Atoev noted.
“According to the Concept of the Information Security of the Republic of Tajikistan, information security is the protection of national interests in the information space, including the Internet. The national interests include the interests of the individuals, society, and the state. I really like to present this formula in this form: the interests of an individual multiplied by the interests of society, multiplied by the interests of the state. In this form, the formula shows the importance of the definition the Concept gives for everyone’s role in this process. If the interests of one subject are not considered or are affected, they will equal zero for the general national interests. This brings information security to naught,” said the expert from Tajikistan.
Currently, Uzbekistan realises the importance of digital security issues and has already taken quite good measures, said Shukhrat Sattarov, an information security researcher from Uzbekistan.
In 2019, the Law on Personal Data Protection was adopted. It structured the concept of personal data and how and where it should be stored. The amendments tightening the state sanctions policy for the personal data disclosure were made in 2021. Sattarov believes that this has certain pros and cons.
“The fact that this Law provides for the storage of data in information systems, including global social media, on the territory of Uzbekistan, is a normal procedure from the point of view of global practice. However, from the point of view of its execution and implementation at the technical level, this is a rather serious issue. Who and how will store this information on the territory of the country? Who will pay for it? Who has the capacity and resources for this?” the expert wonders.
Sattarov highlighted that the state pays great attention to the development of the digital sector. At the beginning of this year, the Law on Cyber Security was adopted in Uzbekistan. Even though it is more related to the issue of ensuring cybersecurity of the state, it still defines the understanding and concepts of the cybersecurity system itself.
He believes that “it may sound controversial but СOVID has greatly contributed to the development of information services in Uzbekistan. For example, the banking sector has rapidly developed in a year, beginning with deliveries, to a huge number of digital services,” he said.
Meanwhile, all experts noted a very low level of digital literacy among the population in Central Asia. This is caused by the lack or low level of implementation of state programs to develop an awareness of the population in Central Asian countries.
“I would say that the level of digital literacy among the population in Kazakhstan is quite low. As I mentioned earlier, people send copies of their IDs, or some of their passport data via WhatsApp, Telegram, or other messengers, to anyone who asks for it. This creates a very big threat of personal data theft, the registration in some unauthorised wallets, or some kind of fraud,” said Al-Aidar Amirseit.
The experts believe that the countries of the region and nongovernmental organisations should intensify their work on the development of education in the field of digitalisation among the population, pay close attention to personnel training, and strengthen work to protect their own digital space.
Watch the full version of the expert meeting here: