Over the past decade, Australia has been a frontrunner in terms of digital transformation; the country ranked 11^th globally on the 2020 Global Connectivity Index and 2^nd in the Indo-Pacific. Australia’s better-than-expected economic performance in 2021 was largely owed to increased government efforts at promoting the digitalisation of businesses and government services, with significant investment being poured into the ICT sector under the Digital Economy Strategy and the Regional Connectivity Program. Meanwhile, however, self-reported losses from cybercrime amounted to more than $33 billion during the 2020-2021 financial year (E), while roughly a quarter of cyber incidents reported during the same period involved Australia’s critical infrastructure or essential services (E). In the cyber diplomacy realm, Australia has traditionally been a prominent member of the ‘like-minded’ group, promoting a vision of a free, open, and secure cyberspace that is very much in line with EU values and efforts.

Internet penetration in Montenegro stands at 83%, while analysis indicates that internet usage increased by 10,000 users (+2%) from 2021 to 2022. [x] As an EU candidate country, Montenegro has strived to align itself with the EU’s cyber priorities and recent strategic documents like the 2018-2021 Cybersecurity Strategy and its 2013-2017 predecessor represent a firm indication of this ambition. In the past five years, however, the Montenegrin government and media outlets have increasingly seen themselves sitting at the bullseye of numerous malicious cyberattacks, suggesting “synchronised action” on the part of several state and non-state actors. [x] A 2022 digital maturity assessment commissioned by the European Bank for Reconstruction and Development and conducted by e-Governance Academy found Montenegro to have only a “basic” level of digital maturity in seven dimensions, including “financing digitalisation, level of digital skill, and access to services”. The same assessment found that the “right conditions” had been generated for the purposes of digitalisation, but implementation fell short. These conditions included “political will and support, the legal framework, digital infrastructure and interoperability, digital identity/signature and security”. Montenegrin policymakers now perceive an increased need to transform their stated strategic goals into concrete action.

In October 2021, North Macedonia became one of the first countries among the Western Balkans partners to issue a digital ID to its citizens [x]; the deployment of the digital identity project is only indicative of the country’s turn towards digitalisation and e-government. With a total population of about 2.08 million, Internet penetration in North Macedonia stands at 84%, while data shows that there are about 2.25 million cellular mobile connections. [x] The rapid drive towards digitalisation, but also its accompanying risks and vulnerabilities, are accounted for by the 2022 Cybersecurity Strategy, the country’s first comprehensive cybersecurity strategy. The document largely reflects the country’s European ambitions and is explicitly based on the “principles of the Cybersecurity Strategy of the European Union and the NATO Cyber Defence Pledge”.

Australia believes that “the foundation for responsible state behaviour in cyberspace is our mutual commitment to existing international law” and that, as per the 2021 report of the Open-Ended Working Group (OEWG), international law is “essential to maintaining peace and stability and promoting an open, secure, […] stable, accessible and peaceful ICT environment.” In particular, Australia has affirmed that the UN Charter applies in its entirety to state actions in cyberspace, including the prohibition on the use of force, the peaceful settlement of disputes, the right to self-defence in response to an armed attack, the law of state responsibility during peacetime, and the doctrine of countermeasures in response to internationally wrongful acts. International legal obligations also include the respect for human rights and fundamental freedoms (especially the right to privacy and freedom of expression), as well as the application of international humanitarian law (IHL) to cyber operations in armed conflict. On the application of IHL, Australia echoes the position taken by the ICRC that “recognition of the application of IHL neither encourages militarisation, nor legitimises resort to conflict in any domain”.

Recalling its EU candidate status, the first substantive session of the 2021-2025 UN Group of Governmental exports (UNGGE) saw Montenegro aligning itself with the EU’s statement that the existing corpus of international law, notably the UN Charter, international humanitarian law, and international human rights law, apply in cyberspace in its entirety. In particular, this includes the principle of state sovereignty, sovereign equality, the settlement of disputes by peaceful means, the provision of the use of force non-intervention in the internal affairs of other states, and the respect for human rights and fundamental freedoms as principles of international law that are applicable to states use of ICTs in cyberspace. [x] Montenegro has also consistently aligned itself with the EU position in a number of key resolutions at the United Nations, including resolutions A/73/27 and A/74/29.

At the first substantive session of the 2021-2025 UNGGE, recalling its candidate status, North Macedonia aligned itself with the EU’s statement that the existing corpus of international law, notably the UN Charter, international humanitarian law, and international human rights law, apply in cyberspace in its entirety. In particular, this includes the principle of state sovereignty, sovereign equality, the settlement of disputes by peaceful means, the provision of the use of force non-intervention in the internal affairs of other states, and the respect for human rights and fundamental freedoms as principles of international law that are applicable to states use of ICTs in cyberspace. [x] North Macedonia has also consistently aligned itself with the EU position in a number of key resolutions at the United Nations, including resolutions A/73/27 and A/74/29.

Australia has been actively involved in both norm-building processes that have been occurring under the auspices of the UN, namely the UN Open-Ended Working Group (GGE) and the OEWG. The country’s 2021 International Cyber and Critical Tech Engagement Strategy notes that the 11 voluntary, non-binding norms on responsible state behaviour agreed under the 2015 UN GGE consensus reports serve to “promote predictability, stability, and security” in cyberspace and should be seen as the “point of departure” for any constructive norm-building discussion. Australian diplomats have consistently reiterated the complementarity between international law and norms of responsible state behaviour, stating that “norms are not a panacea” and that they should not be understood as a standalone “normative framework”, since they do not replace existing state obligations under international law. For this reason, Australia stands against the establishment of binding norms or agreements. The country is not prima facie opposed to discussing other states’ proposals for the development of new norms, but Australia’s own “proactive priority” is reaching agreement of guidance on the implementation of the existing norms. In the current environment, Australia believes that “we will have the biggest impact on international peace and stability if we translate norms ‘on paper’ into norms ‘in practice’”. While not discounting the value of “norms agreed among friends”, it has also highlighted that the framework will only be effective when it is any proposals for new norms would first need to be negotiated, agreed upon, and endorsed by universal consensus.

At the first substantive session of the 2021-2025 UNGGE, Montenegro aligned itself with the EU’s position that the “previous UNGGE and OEWG reports, including corresponding UNGA resolutions adopted by consensus” form the unequivocal basis for “any further discussions on the position, role, and implementation of the voluntary non-binding norms, rules and principles of state behaviour in cyberspace (norms)” [x].

At the first substantive session of the 2021-2025 UNGGE, North Macedonia aligned itself with the EU’s position that the previous UNGGE and OEWG reports, including corresponding UNGA resolutions adopted by consensus, form the unequivocal basis for “any further discussions on the position, role, and implementation of the voluntary non-binding norms, rules and principles of state behaviour in cyberspace (norms)” [x]. North Macedonia was also the only EU candidate country to have co-sponsored the 2020 Programme of Action (PoA), which explored the possibility of ending the dual-track discussions (UNGGE/OEWG) in favour of a permanent UN forum.

In recent years, Australia has emerged as a regional leader in conversations surrounding cyber resilience in the Indo-Pacific as well as globally. The new 2021 International Cyber and Critical Tech Strategy constitutes one of the most comprehensive documents of its kind, with “secure, resilient, and trusted technology” representing a crucial objective. Key initiatives include enhanced protections for critical infrastructure
and systems of national significance, as well as greater support for businesses
and individuals to develop their cybersecurity resilience. In the past three years, Australian cyber diplomats have brokered a series of bilateral partnerships in the form of cyber Memoranda of Understanding (MOUs); currently there are agreements with India (2020), Indonesia (2018), Papua New Guinea (2018), Singapore (2020), and Thailand (2019), all of which include capacity-building and information-sharing elements. On a regional level, the country is chairing the Asia-Pacific CERT community and the Asia-Pacific cybersecurity operations network. Australians have also significantly extended their regional outreach through their flagship capacity-building initiative, the Cyber and Critical Technology Cooperation Program. Meanwhile, Australia participates in several multipartite initiatives with a strong cyber component such as the Structured Quadrilateral Security Dialogue (the eponymous Quad) along with India, Japan, and the US, and the tripartite AUKUS coalition along with the US and the UK. In international fora, Australia has been a vocal champion of increased international collaboration in cyber capacity building (CCB), welcoming references to further cooperation within the 2021 OEWG report but cautioning against limiting such cooperation to the protection of national, translational and supranational infrastructure. Australia has also argued that CCB should be mainstreamed into the larger development agenda of the UN, specifically the Sustainable Development Goals.

The new Cybersecurity Strategy 2022-2026 aims to improve effective mechanism for responding to cyber incidents and response to cybercrime. The new strategy recognises the establishment of a new body Cyber Security Agency which will be umbrella institution when it comes to cyber security. The CIRT team will be transferred to the new Agency. The 2018-2021 Cybersecurity Strategy explicitly establishes a “reliance” on European and Euro-Atlantic conceptualisations of cybersecurity and resilience. The Strategy points to the EU’s 2016 NIS Directive as the primary source of inspiration, notably in its requirements for the adoption of a national cybersecurity strategy, the definition of relevant authorities, and the creation of a Computer Incident Response Team (CIRT). Indeed, since 2012, the Montenegrin CIRT represents “a central point for coordinating prevention and protection against computer security incidents on the Internet and other IT security risk for the area of Montenegro”. The Strategy also features a dedicated section on cyber defence, highlighting the country’s alignment with NATO targets (E 6202 N). In expanding cyber defence capabilities, the document notes that “special attention will be paid to harmonisation with regard to the standardisation of concepts, methods, policies, and procedures in line with the accepted European and international standards”. It also pledges the country to a set of goals: (1) definition and protection of critical information infrastructure; (2) strengthening the resilience of information systems to incidents; and (3) performing analysis of threats to IT infrastructure. Montenegro completed a bilateral ICT cooperation agreement with Thailand in 2013, while it is also a member of the CAMP initiative, the platform where members “prepare themselves with collective actions to keep cyberspace safe” through training, joint exercises, and dialogues.

The 2018-2022 Cybersecurity Strategy dedicates a full section to cyber resilience and the protection of ICT infrastructure. The stated objectives include expanding the capabilities of the national CERT (MKD-CIRT), identifying types of critical infrastructure, developing national procedures for cyber crisis management, developing incident reporting and monitoring mechanisms, and establishing a single and comprehensive legal framework for cyber resilience. In 2021, upon joining NATO, North Macedonia signed a Memorandum of Understanding aiming at enhancing cyber defence cooperation between NATO and the country’s defence authorities; the MoU particularly focuses on information-sharing, exchanging best practices, and increasing resilience. [x]

The 2021 International Cyber and Critical Tech Engagement Strategy recognises that Australia, and the Indo-Pacific region more widely, faces a “worsening” cybercrime landscape characterized by “expanding threats, low barriers to entry, and increasingly resourceful actors”. Australia acceded to the Council of Europe’s Budapest Convention in 2013 and has since been vocal about the Convention’s status as the “most comprehensive and effective basis upon which to pursue a common international approach”. The country voted against the Russia-sponsored UN resolution on the establishment of a new cybercrime treaty; however, upon the passage of the resolution and the subsequent creation of a dedicated Ad Hoc Committee, Australia has been active in advocating for a “transparent, inclusive, and consensus-based process with multi-stakeholder participation”. More specifically, it has stated that the new Convention should “draw heavily” from existing international instruments such as the UN Convention against Transnational Organized Crime (UNTOC), the UN Convention against Corruption (UNCAC), and especially the Budapest Convention, so as to avoid undermining these regimes and ensure the protection of human rights. Australia has additionally placed great emphasis on the need for international cooperation, with the 2021 Strategy noting that “information sharing, discussion and capacity building are vital to any meaningful response to the threat posed by cybercrime”. The country has launched numerous regional cooperation and capacity-building initiatives, partnering with Pacific Island countries (Tonga, Fiji, Samoa, Vanuatu, Solomon Islands, Niue, Tuvalu) to advance cybercrime law reform and ensure alignment with Budapest provisions.

Montenegro is a party to the Council of Europe-sponsored Budapest Convention, ratifying it in 2010. In February 2013, Montenegro signed the regional Declaration on Strategic Priorities against Cybercrime, which “identified strategic priorities” that largely reflect the spirit and content of the Budapest provisions. [x] The 2018-2021 Strategy lists several developments that have contributed towards strengthening the capabilities of law enforcement authorities in dealing with cybercrime: these include the establishment of a dedicated High-Tech Crime Group within the Ministry of Interior, while the National Security Agency is making “significant efforts aimed at creating normative and operational mechanisms for fighting against cybercrime and espionage”. [x]

Many thanks to Ms Ana Minevski for her valuable comments.

North Macedonia has ratified the Budapest Convention and its Additional Protocol [x]. Nevertheless, full harmonisation of the Macedonian legal regime with Budapest provisions is still a primary issue. In terms of institutional setup, analysis has pointed out that North Macedonia is lagging behind compared to other countries in the Western Balkans [x]. That said, the 2018-2022 Cybersecurity Strategy identifies several priorities regarding the “prevention, research, and adequate response” to cybercrime. These include: harmonising the national with international policies; developing a single, comprehensive legal framework for cybercrime; modernising authorities in charge of cybercrime; establishing formal procedures of information exchange; participating actively in the creation of international cybercrime regulations and standards, as well as their implementation on a national level; and providing continuous education and training for law enforcement entities in the field of cybersecurity, cybercrime, and electronic evidence. The country’s law enforcement authorities regularly cooperate with Europol, following the conclusion of a strategic agreement in 2007 and an operational agreement in 2011. [x]