More than three years after the cyber attack on IT infrastructure, "one of the most severe in history", as it is described, the Government of Montenegro has adopted the National Plan for Response to Cyber Threats, Serious Cyber Threats, Incidents and Cyber Crisis.
The plan, as stated in the document, recognizes that the national threat framework must be viewed strategically, not incidentally, and “lays the foundation for understanding, responding to, and recovering from incidents in line with international best practices.”
"Through clearly defined roles of institutions, principles of cooperation and strategic objectives, the Plan contributes to strengthening national stability and security, with a transparent and coherent approach that is aligned with European standards," it states.
The public version, which is available on the Government's website (gov.me), provides an overview of the strategic framework, while operational procedures, protocols, forms and scenarios are of an internal nature and their distribution is limited.
"This model is in line with the practice of EU member states and other international partners, which separate strategic and operational elements to protect institutional security," the document states.
In addition to describing various cyber threats, the National Plan stipulates an obligation for authorities and other entities to assess the impact of a cyber threat or incident on the continuity and quality of service provision, as well as on the confidentiality and integrity of information and systems.
After that, they are required to determine the category of the event.
The CIRT of the state administration and the Cybersecurity Agency are directly responsible for determining the level of negative impact of a cyber threat, a serious cyber threat, and an incident on the continuity of service provision.
The government only appointed the president and members of the Agency Council at the beginning of December.
It is also envisaged that in resolving medium-level or high-level incidents and cyber crises, the Agency and the CIRT of the state administration may use expert assistance from domestic and international institutions and organizations, as well as exchange information with these institutions and organizations.
Cooperation with the private sector, as stated, must be based on the principle "that operational leadership and final decision-making in resolving the crisis remains exclusively within the domain of the state administration's CIRT and the Cybersecurity Agency."
"Private partners act exclusively as a support and advisory force. PPP contracts must explicitly regulate issues of confidentiality and security of data, especially state data, to which private experts access during the rehabilitation," it states, adding that it is necessary to introduce mandatory joint exercises.
Exercises are conducted at the national level, and participation in regional and international exercises is also planned, including activities organized by ENISA, NATO, FIRST and partner countries.
During various threats, incidents and crises, as stated, special attention is paid to combating false narratives and information manipulation. The Plan states that the National Security Agency, the Ministry of Internal Affairs and the Ministry of Defense are specifically responsible for this critical aspect of crisis communication, acting in coordination with the Government and the National Security Council of Montenegro.
"The National Plan contributes to the modernization of the overall security system of the state, strengthening the capacities of institutions and improving inter-institutional cooperation," the document states.
It is particularly significant, it adds, that the Plan "encourages the development of a cybersecurity culture throughout society."
“Digital security is not the responsibility of institutions alone - it requires the engagement of individuals, businesses, academia and the civil sector. By raising awareness, improving knowledge and promoting responsible behavior in the digital space, Montenegro is creating conditions for long-term resilience to cyber risks”…
They write about the attack, not about the attackers.
The Plan, among other things, recalls that in mid-August 2022, Montenegro "suffered one of the most severe cyber attacks in its history", and states that this attack resulted in the infection of hundreds of administrative computers with malicious software:
“Which led to a widespread outage of numerous government websites and services. Among the affected systems were vital segments of public administration, including the infrastructure of the Government, Parliament, Electric Power Industry, Customs and eGovernment. The attack was detected on August 19, after which the group managed to encrypt the government network, demanding a ransom to unblock the system.”
It is also added that the global trend is targeting vital state services by temporarily or permanently deleting or stealing data and services, and that Montenegro was no exception.
"Thus, in 2022, the national critical infrastructure was the subject of one of the most sophisticated ransomware attacks, which resulted in serious disruptions in communication within the entire state sector, and many key services were unavailable for a certain period of time. The recovery process was lengthy and required the engagement and expertise of services from friendly countries, highlighting the international aspect and complexity of the challenge," the document states.
In January 2023, the Police Department announced that it had received a report from the FBI about cyberattacks on government servers in 2022, based on a large amount of data collected through the Ministry of Public Administration's network and monitoring the movement of information between different systems. The report was never made public, and the MPA previously said that it was to remain internal, a recommendation from the FBI.
To this day, it is not known who carried out the cyberattack on the Government in 2022.
Gjokaj: Not enough money for cybersecurity
The Ministry of Public Administration (MPA) is not satisfied with the amount of funds allocated in the budget for this department, because the Proposal for 2026 lacks the financial resources necessary for the development of information infrastructure, cybersecurity, as well as for the Digital Transformation Program.
"Which may result in failure to meet certain obligations from the European Commission's Reform Agenda."
This is the remark of Naim Gjokaj, State Secretary at the MPA. He pointed out that the Ministry's budget for 2026 was planned in accordance with real needs, the Ministry's contracted obligations for development projects and the continuation of the implementation of activities initiated in 2025. In this regard, he stated that the Budget Proposal is smaller compared to the current one, as well as for the previous year 2024. On this occasion, he stated that the Ministry of Public Administration is not satisfied with the allocated amount of funds.
Bonus video:
