Azerbaijan beefing up defence strategy against cybercrime Review by Caliber.Az

Geopolitical tensions in Eastern Europe, which played the role of a trigger for a new round of network wars, as well as growing global cyber threats of a criminal nature pose serious risks to the corporate, public, and financial sectors of many countries around the globe. Azerbaijan is also exposed to these risks. Azerbaijan is consistently strengthening its fight against cybercrime and implementing reforms aimed at comprehensive protection of the country's digital space.

Taking into account the increased risks, the "Strategy of Information Security and Cyber Security in Azerbaijan for 2023-2027" has been developed. The document was approved on August 28 by the order of Azerbaijani President Ilham Aliyev.

Increased hybrid network warfare worldwide in the last year and a half, as well as new risks for the corporate and financial sectors, are pushing Azerbaijan to take additional measures to protect its cyberspace. According to the region's leading antivirus system Kaspersky, in 2022 alone, Azerbaijan blocked about one million phishing site clicks, with about 60 per cent of all attacks targeting home users and 40 per cent targeting corporate users.

There was an increase in cyber attacks in the form of online fraud, mainly in social networks and messengers, in order to obtain payment data and other personal information. The bulk of identified cyber incidents is related to phishing attacks, social engineering, the creation of clone sites of private and state structures, mass media, banks, and other organisations, as well as attempts to hack into mail and other resources of the corporate sector.

In recent years, the State Service for Special Communication and Information Security (SSSCIS) and other relevant structures in Azerbaijan have been working consistently to protect the servers and web resources of the most important state and public organisations, defence, and industrial systems.

The success of this work is evidenced by the fact that in the cyber security index prepared by the International Telecommunication Union in 2020, Azerbaijan rose 15 points among 169 countries, ranking 40th. In this report, Israel ranked 36th, Switzerland 42nd, and Georgia 55th.

Nevertheless, time is passing and the current cyber security situation, which is subject to external negative factors, requires Azerbaijan to take qualitatively new steps to protect its own network space. The need for this has especially increased amid the innovations in the digitalisation of financial markets being introduced in the modern world. Azerbaijan is moving along this path as well.

Azerbaijan's banking sector is consistently expanding the scope of non-cash payments, and fintech solutions are also being introduced in the payment system in order to expand the range and availability of financial services provided through Internet resources.

It is obvious that the ongoing efforts in our country to digitalise the banking and payment market require equally consistent steps to mitigate information and cyber security risks in financial institutions. A significant step in this direction was taken in April 2022, when the "Rules for Information Security Management in Banks" came into force, defining the minimum requirements for information security of Azerbaijani banks.

The next measure in this direction was the approval by the Central Bank of Azerbaijan in May this year of a new "Strategy of cybersecurity in financial markets for 2023-2026". The document is aimed at creating a sustainable cybersecurity environment in financial markets, provides for effective steps in five priority areas, as well as the relevant modernisation of the regulatory framework in the financial sector.

No less important efforts have been made in the area of cyber defence of Internet providers rendering cyber security services to critical information infrastructure entities. In particular, in July, the AR Cabinet of Ministers approved the relevant "Rules on Ensuring Security of Critical Information Infrastructure in Azerbaijan", addressing the requirements for founders and staff qualifications, technical and software equipment, availability of experience in the field of information technologies and information security, etc.

The logical continuation of all recent efforts was the development of a conceptual document designed to ensure the effective synergy of all efforts undertaken in the country to protect network resources and combat cybercrime. The "Strategy of Information Security and Cyber Security in Azerbaijan for 2023-2027" approved by the order of the head of state became such a main document.

The document defined the basic directions of activity and time-specific steps aimed at creating a strong network barrier. In particular, the creation of the Commission for Coordination of Information Security is envisaged, while the Cabinet of Ministers is responsible for controlling the implementation of the strategy.

Thus, in 2024, proposals for the creation of specialised information security structures in state agencies and their staffing should be prepared, and a year later a public-private partnership platform should be created to assess network risks and identify ways to solve these problems.

Among other things, a register of information security risks will be formed in the country, and the Cabinet of Ministers, together with specialists from the State Information Security Service, the Ministry of Digital Development and Transport, and the State Security Service, will develop and maintain it in 2023-2024.

In the next two years, international best practices will be studied and implemented to ensure the monitoring of information security activities, and criteria and indicators will be defined for detecting and measuring incidents and critical cases in accordance with the specifics of the local network ecosystem.

Within the same two-year period, an electronic information system "Cybercrime" will be formed in Azerbaijan, and a plan will be developed to create an organisational framework, risk assessment, and management to ensure the security of critical information infrastructure, and mechanisms for its management in emergency situations, in war conditions. Minimum cybersecurity requirements for the national digital air space will also be developed and implemented.

In order to develop domestic production in the field of information protection, the Strategy provides measures to prepare national resources in the field of cryptographic protection, as well as improve the protection of personal data, create consulting platforms for information and cyber security, and introduce tax incentives for market participants involved in the development of technologies in the field of network security.

During 2023-2025, the security requirements for the creation, implementation, and utilisation of "smart" systems - unmanned aerial vehicles (UAVs), and robots - are to be ensured, and by 2027, comprehensive solutions to scientific, technological, and legal issues in this area are to be developed.

All of these measures are extremely important, and their implementation provides for the application of internationally recognised standards and best practices to effectively prevent cyber threats. At the same time, along with the implementation of the Strategy, opportunities for training highly qualified personnel in the field of cyber security will be maximised over the next five years. Together, this will help create effective mechanisms that can become a reliable barrier to domestic network resources from international cybercrime threats.