The Western Balkans, like many regions across the world, is navigating the disruptive effects of COVID-19 on their economies, while also digitalizing numerous critical sectors. Critical infrastructure (CI) is defined as “the physical and cyber systems and assets that are so vital to [a country] that their incapacity or destruction would have a debilitating impact on physical or economic security or public health or safety.” Recent threats emanating from malicious individual and nation-state actors remind us that cybersecurity considerations are vital to mitigate potentially widespread and devastating effects. In fact, the need to focus on network and system securities is only accelerated with the unique nature of digital challenges brought on by the COVID-19 pandemic in the region.
Understanding the Risk
Without appropriate cyber measures to secure CI assets (transportation, energy, healthcare, water transmission, etc.) across the region, these economies face large-scale implications with potential financial loss, mass failures, and even loss of life. This article explores efforts by the European Union and the U.S. Government (USG) to identify infrastructure investment gaps and support these entities in the region. These initiatives create opportunities to integrate cybersecurity resilience protocols with the digitalization of new infrastructure development. In particular, these efforts must address vulnerabilities caused by the convergence of enterprise information technology (IT) and operational technology (OT) networks. While IT networks house critical company data and connect computers and related devices across departments, OT networks support industrial control systems, within the manufacturing, utilities, and defense sectors, as well as key building infrastructure and facility systems such as lights, heating, and cooling. In the past, OT systems were mechanical or unnetworked, but as ‘smart’ systems proliferate with the Internet of Things (IoT)-connected sensors, IT and OT systems are increasingly interconnected.
As IT and OT converge, CI entities (owners, operators, and oversight bodies) face new vulnerabilities and threats to their assets. In 2017, the WannaCry ransomware attack infected computers in 150 countries and disrupted 80 percent of PetroChina gas stations. Perhaps a more devastating event the same year was the Notpetya malware attack, deemed by the White House as “the most destructive and costly cyberattack in history,” costing companies such as FedEx and Merck alone at least $400 million and $670 million, respectively to rebound, though its overall cost is unofficially estimated in the billions. While the attack has been attributed by the White House to the Russian military’s efforts to destabilize Ukraine, the effects spread much further, affecting various IT systems and approximately 25 percent of all oil-and-gas companies worldwide. The challenges with proliferation and convergence of IT networks with OT systems are further compounded by OT systems that run existing CI often with aging software and obsolete hardware, making them difficult to patch and highly vulnerable.
Picture from Pxfuel.
Infrastructure Development and New Opportunities in the Western Balkans
Fortunately, the European Union and USG have increased activity in the Western Balkans in the context of infrastructure development and digitalization. On October 6, the European Commission adopted an Economic and Investment Plan to utilize €9 billion of grant funding from the Instrument for Pre-Accession (IPA III) for the period 2021 to 2027, with CI at the heart of its 10 flagship initiatives. Moreover, the new Western Balkans Guarantee Facility can potentially mobilize up to €20 billion of investments in the next decade. The USG has also increased activity in the region, particularly in the latter half of 2020. On September 4, the White House facilitated the signing of the Economic Normalization Agreement between Serbia and Kosovo. Since then, several instrumental agencies such as the new U.S. International Development Finance Corporation (DFC, formerly OPIC) and U.S. Export-Import Bank (EXIM) have been mobilized to support the two countries and the wider region. As a statement of intent as to the prioritization of the region for DFC, on September 22 the agency opened its first permanent overseas office in Belgrade—a significant development given the implications of the 2018 BUILD Act, empowering the DFC with more than $60 billion in equity investments. Other agencies, such as the U.S. Agency for International Development, continue to pave way for regional stability with capacity building programs. In May, the agency awarded its first bilateral cybersecurity project to DAI and its consortium, a flagship initiative to reduce cybersecurity vulnerabilities in Ukraine’s CI sectors. These combined efforts by European Union and U.S. institutions are crucial in not only shoring up investment gaps in areas such as CI, but also in mandating rule of law and good governance.
Efforts to secure and modernize critical infrastructure in the Western Balkans continue with new and ongoing internationally backed projects in the region:
The U.S. Department of Energy is exploring the feasibility to share the Gazivode/Ujmani Lake between Serbia and Kosovo for a reliable water and energy supply.
The European Union, along with U.S. agencies such as DFC and EXIM, have committed to supporting the “Peace Highway,” linking Pristina in Kosovo to Niš in Serbia.
The European Commission and local entities are continuing to make substantial progress with the major “Corridor Vc” motorway and rail corridor initiative linking central European capitals through Sarajevo in Bosnia and Herzegovina to the Croatian port of Ploče on the Adriatic coast.
In renewable energy, the 210-megawatt Scavica Hydro Power Plant in Albania on the Black Drin is expected to begin work next year following procurement, after feasibility support by the European Union and European Bank of Reconstruction and Development.
Finally, national broadband is being rolled out across the Western Balkans to reach rural areas, with proposals to support trustworthy data centers that align to European Union rules and values, alongside the ongoing Balkans Digital Highway led by the World Bank.
As these projects take shape and advance to benefit the region, it becomes crucial to synergize these efforts by recognizing cybersecurity resilience as essential from the onset and not as an afterthought. For instance, regional entities with new projects can work with a greater level of care with original equipment manufacturers to integrate security controls to holistically protect OT environments. Moreover, the projects can be incentivized and supported to take advantage of innovative technologies by trusted companies from the European Union and United States, providing secure and trustworthy cloud services, machine learning, building information modeling, sophisticated project controls, new IoT, augmented reality, and blockchain capabilities.
Picture from Pikrepo.
However, the European Union and United States are not the only major powers active with capital and institutional support in Western Balkans. China sees the region as an important pillar in its foreign policy. In 2017, Chinese technology giant Huawei signed a contract with Belgrade to provide “Safe City” surveillance equipment to Serbian cities, consisting of 1,000 high-definition cameras in the city, alongside establishing the Huawei Innovation Center for Digital Transformation. Other investments by Chinese state-owned enterprises and institutions include the new Bar-Boljare highway in Montenegro, connecting Belgrade with the port city of Bar, financed by China’s Exim Bank and being constructed by the China Road and Bridge Corporation.
In light of this, the United States has taken initiative in this space to enable economies in the Western Balkans to address certain technology imbalances. With the onset of 5G spectrum being auctioned and technology deployed in the next several years, the Serbia-Kosovo Economic Normalization Agreement includes a provision for the countries to “prohibit the use of 5G equipment supplied by untrusted vendors in their communication networks. Where such agreement is already present, both parties commit to removal and other mediation efforts in a timely fashion.” While “untrusted vendors” aren’t specifically defined, this provision is undeniably targeting to position the future technology landscape of the region toward the West.
The next three to five years will therefore be pivotal for developing strong cybersecurity measures across people, processes, and platforms employed in the Western Balkans. As digital transformation accelerates, supporting this region with coordinated and targeted efforts to develop the capacity for open, secure, and interoperable digital tools will be vital.