Necessary urgent investments in cyber capacities of police and prosecution organizations

Centre for Civic Education (CCE) expresses concern about the underdeveloped awareness of the importance of capacity building to fight cybercrime within the prosecutorial and police organization, and in the conditions of the pronounced vulnerability of the Montenegrin system to cyberattacks. The CCE urges decision-makers to put this issue on the agenda so that the entire system can more efficiently deal with this increasingly common form of crime.

In accordance with the Free Access to Information Law, the CCE requested information from the Police Administration and the Supreme State Prosecutor’s Office about the human resources that are deployed to deal with cybercrime, the reports submitted that include these criminal or misdemeanour acts, and their epilogue. The CCE received answers from the Ministry of Internal Affairs, as the competent authority, the Higher State Prosecutor’s Office in Podgorica, as well as the basic state prosecutor’s offices in Podgorica, Nikšić, Bar, Berane, Kolašin, Rožaje, Herceg Novi, Plav and Pljevlja.

Based on the obtained data, the CCE notes that the organizational, technical, and personnel capacities in the field of cyber security in these institutions are at an alarmingly low level. Specifically, within the Police Administration, in the Criminal Intelligence Department, there is a systematized Unit for Combating High Tech Crime, which consists of only five officers at the state level. There are no specialized prosecutors responsible for this area in the Prosecutor’s Office, as these matters fall within the general jurisdiction of prosecutors.

Only since 1 January 2023, these five police officers have handled a total of 160 reported cases from individuals/legal entities. Out of that number, 139 were qualified by the competent prosecutor as criminal offences subject to official prosecution, while 21 cases were not qualified as criminal offences. The review process is still ongoing for 49 of these reported cases.

The Higher State Prosecutor’s Office in Podgorica filed the most criminal charges against 20 persons, which resulted in 17 convictions and 3 acquittals. Despite a significant number of cases, in various stages, this Prosecutor’s Office also does not have a competent prosecutor for cyber security issues. These cases were much less represented in the basic prosecutor’s offices. Also, in several cases, the formed cases were handed over to the judicial authorities of Great Britain, Spain and France, while some state prosecutors dismissed those criminal charges, assessing that there was no reasonable doubt that this criminal act had been committed.

For some time now, Montenegro has been a popular target for cyber attacks, and we witnessed a culmination of this when the infrastructure of the Government, as well as the judiciary and some other institutions, were severely affected in August 2022. The functioning of these institutions was hindered for months afterwards, and the consequences are still present today. The Montenegrin public has never learned who was responsible for these attacks and what the outcome of the investigations was, nor the actual extent of the damage or the measures taken to prevent such incidents in the future.

CCE reminds that the problems in the field of cybersecurity have been recognized in the Cybersecurity Strategy for the period until 2026, which states that Montenegro lacks adequate mechanisms for detecting cyber threats, as well as those for a timely response and recovery from cyber attacks. It is illustrative that, according to the Strategy, only 1% of employed public officials have received training on cybersecurity, which indicates a lack of awareness on this issue and limitations in human, technical, and related resources in this field.

It is worth noting that the EU launched the Digital Agenda for the Western Balkans in 2018, and a recent assessment of the progress of the 2022 Agenda revealed that the entire region is struggling to effectively address cybercrime, and digital literacy remains low among the general population as well as in the state administration.

In that context, the positive announcements regarding the establishment and operation of the Cybersecurity Agency, as well as the urgent investments in this field and the work on the Information Security Law, are encouraging. However, it is evident that this issue is still in need of attention from decision-makers and that tangible results are yet to be produced in this area.

CCE calls for decision-makers to promptly prioritize the issue of cybersecurity and to dedicate themselves to the systematic development of cyber capacities throughout the entire state administration, particularly within the State Prosecutors’ Offices and the Police Directorate, which should have specialized human resources. These institutions are crucial for detecting and prosecuting perpetrators of cybercrimes, which can have not only a repressive but also a preventive dimension.

Milica Zindović, Programme Associate