For the CMM review in Georgia, the GCSCC collaborated with its latest implementation partner, the Lithuanian technology consulting firm NRD Cyber Security (NRD-CS). The deployment of the CMM marks another step towards closer collaboration between the GCSCC and NRD-CS following the company’s contribution to CMM reviews in Lithuania and Bangladesh in 2017 and 2018. At the invitation of the Data Exchange Agency of Georgia (DEA), researchers of the GCSCC and NRD-CS travelled to Georgia in November 2018.

Key observations from the review:

  • Georgia began implementing its first national cybersecurity strategy in 2012. This strategy was reviewed in 2016 and a third iteration is currently underway.
  • Georgia approaches cybersecurity as a whole-of-nation challenge that cannot be outsourced to any single independent agency. However, not all relevant stakeholders have been involved in efforts to improve the country’s cybersecurity posture to the same extent: while the national cybersecurity strategy recognises the education sector as one of its pillars, resource constraints limit progress in translating this strategic priority into practice.
  • Organisations throughout Georgia have achieved considerable advances in operational capacity, with technical coordination on cybersecurity matters surpassing cooperation on many other security issues, largely thanks to strong personal networks.
  • Georgia faces challenges replicating these efforts at scale due to a lack of affordable training programmes and educational opportunities. A first master’s degree programme dedicated to cybersecurity will open in 2019. In the meantime, Georgia has launched the pilot phase for establishing a cyber reserve, which looks to harness the expertise of cybersecurity professionals working in the private sector for national security purposes without engaging in a competition for scarce cybersecurity talent.
  • Early on, Georgia identified threats emanating from foreign influence operations, and exercises simulating the effects of informational warfare and testing responses have been organised. National scenario-based crisis management exercises, held annually, have also featured cyber-related injects.
  • Georgia’s government CERT and the Ministry of Defence’s Cybersecurity Bureau act as coordinating authorities for the two respective groups of critical information system subjects (CISS), civilian and military. The law requires all CISS to designate information security managers and cybersecurity specialists, who are eligible to receive free certificate training from DEA, which also offers free penetration testing services to public organisations.

Important for Georgia’s CERT
Under the Law on Information Security, promulgated in 2012, the first two sets of entities, civilian and military, have been identified as CISS.