In 2022, Kazakhstan will have to assess the effectiveness of both state programmes aimed at mass digitalisation in the country. The expert community has been concerned all this time about the focus on quantity rather than quality. So far, this approach has only contributed to the increasing number of cyber threats and encouraged a low digital culture among citizens.
Critical national issue
Cyber security is a specific activity of state bodies aimed at protecting the virtual space, the resources of an organisation, and the user from digital attacks. These activities have many components ranging from policies and principles to practices and technologies that can be used to ensure safety at all levels.
For ease of measurement, the International Telecommunication Union (ITU) has divided cyber security of states into five spheres:
- Legal measures: laws and regulatory enactments about cyber crimes and cyber security;
- Technical measures: implementation of technical capacities by national and branch agencies;
- Organisational measures: national strategies and organisations responsible for cyber security;
- Capacity development: information and educational campaigns, motivations for cyber awareness development;
- Cooperation: partnership between companies, agencies, countries.
Since 2015, the ITU has assessed the cyber wellness of countries by using this framework in the Global Cybersecurity Index. Although the content of the “baskets” remains unchanged, the method of their assessment has changed significantly over six years. At first, all indicators had equal weight: they were scored 0, 1 or 2 and simply added together. By 2021, the number of questions in the questionnaire filled in by member states had increased almost fivefold. Respondents answered closed questions and provided the necessary data with their answers. Moreover, every indicator now has its own weight depending on its significance, and the scale has been expanded to 100.
Exterior tool for interior assessment
The ITU’s Global Cybersecurity Index is the “main indicator” in cyber security in such strategic programmes as “Cyber shield of Kazakhstan” and “Digital Kazakhstan.”
“Why is it important? Because all sphere looks at this tiny like as the cyber readiness index,” said Olzhas Satiev, president of the “Centre for Analysis and Investigation of Cyber Attacks” [TSARKA], trying to explain the logic behind the index's presence in state programmes.
In 2015, a study of secondary data allowed the researchers to place Kazakhstan 23rd out of 29. Incidentally, 14 more countries turned out to have the same ranking, including Syria, which had been in a civil war for four years in a row. In 2017, the authors of the index dropped the idea of grouping countries with similar indicators, and Kazakhstan was placed 82nd out of 164. In 2019, the republic ranked 40th out of 175. In last year’s report, Kazakhstan ranked 31st among 182.
Sabina Sadieva, deputy director of the Kazakhstan Institute of Strategic Studies of the president, is confident that global indexes do not suit national administration systems. According to her, they play “a kind of a substitute”, when the political leadership has no assessment tool for state regulation measures in the society and economy.
“In this regard, international rankings are a convenient tool. The problem is that the tool substitutes the outcome,” she wrote.
Anna Gusarova, director of the Central Asian Institute of Strategic Studies, member of the Expert Team on Digital Rights, also thinks that “the cyber security index does not show the effectiveness of state programmes implementation.” She emphasised that it does not show the extent of problems present in this sphere in the most remote places of the republic. Moreover, the focus on the index only whips up the increasing pace of the country’s digitalisation.
When a user is at risk
The prevailing role of the state, the excessive focus on technological aspects, and the need to get fast quantitative results (read: places in rankings) – these define the specific nature of digitalisation in Kazakhstan. Such a nonstrategic approach has many hazards, wrote Gusarova and Serik Dzhaksylykov in their study dedicated to personal data protection.
“On the one hand, the question is about vulnerabilities coming from governmental and non-governmental actors,” researchers said.
A vulnerability is a weakness in a computer system that can be exploited to cause system corruption and failure. In recent years, Kazakhstanis have seen for themselves how many such weaknesses exist in their domestic systems.
In 2019, personal data of 11 million Kazakhstanis were leaked from the servers of the Central Election Commission. In 2020, specialists of TSARKA found data leaks from the General Prosecutor’s Office and Healthcare Quality Control System. In the same year, the team of “white hat” hackers checked 91 state web resources for vulnerabilities (see the results below).
- 100%: All state organisations’ domains have issues with protection of HTTP and CSP headers
- 98%: Almost all web resources have insecure port configurations
- 71%: A significant portion of web resources has negative domain reputation
- 66%: More than a half of domains have slow site speed
- 33%: Web resources have high risk of web vulnerability exploitation
- 13%: Web resources have configuration vulnerabilities
- 6%: Web resources have account and password data leaks
In 2021, independent researchers searching for vulnerabilities detected access to the capital’s life-support control system, and also found that, upon receiving PCR test results, the medical data of nearly 7 million citizens could be retrieved from one of the country’s laboratories.
There is a state programme and no culture
“On the other hand, there is no vision of the digitalisation culture, promotion of cyber hygiene and digital literacy among citizens,” the researchers said, naming another gap in the digitalisation model selected by Kazakhstan.
In 2017, the government submitted the “Digital Kazakhstan” programme. It has five directions of digitalisation and none of them speaks of the need to protect personal data and promote digital culture.
In 2021, researcher Aliya Tlegenova decided to find out civil society’s attitude to official measures of personal data protection and obtained quite appropriate results. She sent a survey form to 160 domestic NGOs. Only 24 organisations replied, and only one-third of employees there had attended trainings on information security and cyber hygiene.
“The human factor remains the weakest link in the digital security chain. According to various data, 95 per cent of all cyber incidents occur because of human carelessness,” said Valery Zubanov, commercial director of Kaspersky Lab in Central Asia.
Meanwhile, the target indicators of the “Digital Kazakhstan” programme include a rise in labour productivity and jobs created, the proportion of electronic public services and internet users, the volume of investments in start-ups, and improvement in the Global Competitiveness Index. The “Cyber Shield of Kazakhstan”, among other things, is aimed at increasing the number of retrained IT specialists and the proportion of domestic software used in the public sector. The implementation period of both documents ends in 2022.
Bleak prospects
Meanwhile, Anna Gusarova cannot predict where the digitalisation path selected by Kazakhstan will lead; however, she is sure that the Covid-19 pandemic has convincingly demonstrated the scope of all the problems existing in the industry. Moreover, the expert is not willing to hold the state liable – the paternalism of Kazakhstanis also notably hinders the development of cyber security.
“At this stage, I don’t see any desire on the part of the state, business and civil society to work in this sphere,” the researcher said.
However, she thinks that a “good precedent” can be set in terms of cyber security by combining the efforts and expertise of all stakeholders. The Expert Group on Digital Rights and the BugBounty.kz Initiative can possibly be deemed pioneers in this matter. The former promotes the agenda of respect for human rights in the digital environment, and the latter establishes connections between the IT community, the state and big business in Kazakhstan.
Moreover, the true purpose behind this dialogue should be the search for the proverbial balance between the respect for human liberties and national security efforts in the virtual space. No country in the world has a universal formula of an ideal balance between rights and restrictions in the cyber environment so far. Therefore, the value of constant exchange of opinions in this context does not lose its relevance even fifty years after the advent of the internet.