Compare
Compare
Internet penetration in Montenegro stands at 83%, while analysis indicates that internet usage increased by 10,000 users (+2%) from 2021 to 2022. [x] As an EU candidate country, Montenegro has strived to align itself with the EU’s cyber priorities and recent strategic documents like the 2018-2021 Cybersecurity Strategy and its 2013-2017 predecessor represent a firm indication of this ambition. In the past five years, however, the Montenegrin government and media outlets have increasingly seen themselves sitting at the bullseye of numerous malicious cyberattacks, suggesting “synchronised action” on the part of several state and non-state actors. [x] A 2022 digital maturity assessment commissioned by the European Bank for Reconstruction and Development and conducted by e-Governance Academy found Montenegro to have only a “basic” level of digital maturity in seven dimensions, including “financing digitalisation, level of digital skill, and access to services”. The same assessment found that the “right conditions” had been generated for the purposes of digitalisation, but implementation fell short. These conditions included “political will and support, the legal framework, digital infrastructure and interoperability, digital identity/signature and security”. Montenegrin policymakers now perceive an increased need to transform their stated strategic goals into concrete action.
The United States has historically been a strong partner in cyber diplomacy for the EU based on common values (human rights, rule of law), goals (open, stable and secure cyberspace) and interpretation of international law. Cyber diplomacy with the US has also been operationalised in the form of information-sharing and cooperation to tackle cybercrime, cooperation on cyber defence via NATO and cyber capacity building in third countries. Despite differences over certain foreign policy issues, the EU and the US remain close allies in cyberspace.
According to the International Telecommunications Union (ITU), as of 2021, Peru had an internet penetration rate of around 71.1 %. However other indexes place this number in the mid 60’s. Although many improvements were made in the past few years, Peru still possesses low network coverage, especially in rural areas and a relatively low network performance.
The government of Peru has been implementing initiatives to increase connectivity in rural areas, including a national broadband plan and a program to deploy free Wi-Fi hotspots in public spaces, with a year-on-year increase of almost 100 %.
Peru ranked 86 out of 182 countries surveyed in the ITU’s Global Cybersecurity Index in 2020.
The government of Peru has been implementing initiatives to increase connectivity in rural areas, including a national broadband plan and a program to deploy free Wi-Fi hotspots in public spaces, with a year-on-year increase of almost 100 %.
Peru ranked 86 out of 182 countries surveyed in the ITU’s Global Cybersecurity Index in 2020.
Recalling its EU candidate status, the first substantive session of the 2021-2025 UN Group of Governmental exports (UNGGE) saw Montenegro aligning itself with the EU’s statement that the existing corpus of international law, notably the UN Charter, international humanitarian law, and international human rights law, apply in cyberspace in its entirety. In particular, this includes the principle of state sovereignty, sovereign equality, the settlement of disputes by peaceful means, the provision of the use of force non-intervention in the internal affairs of other states, and the respect for human rights and fundamental freedoms as principles of international law that are applicable to states use of ICTs in cyberspace. [x] Montenegro has also consistently aligned itself with the EU position in a number of key resolutions at the United Nations, including resolutions A/73/27 and A/74/29.
The US believes that international law is applicable in cyberspace. As part of the ‘like-minded’ coalition, the US recognises a need to acknowledge the full breadth of relevant international law, including international humanitarian law (IHL), human rights law, customary international law on the responsibilities of states for internationally wrongful acts. The general applicability of IHL in cyberspace is not to be misconstrued as a tacit endorsement of aggression in the cyber domain; instead, it only serves to remind states of the responsibility to respect and protect civilians in the event of armed conflict.
In the context of multilateral fora, US diplomats have specifically emphasised the applicability of the right to self-defence under Art. 51 of the UN Charter, noting that a State may lawfully take cyber-based or non-cyber-based countermeasures in response to internationally wrongful cyber activities attributable to another State, but only subject to the requirements of the doctrine under international law and the principles of necessity and proportionality. Peru is one of the Latin American countries to have signed and ratified the Council of Europe’s Convention 108+.
The country has also participated in the United Nations Open-ended Working Group (OEWG) on Developments in the Field of Information and Telecommunications in the Context of International Security. As a matter of fact, after the third substantive session of the OEWG, Peru issued a statement supporting the primacy of the UN Charter and the application of international law in the use of ICTs and in cyberspace, as well as the future establishment of legally binding obligations.
On the other hand, Peru along with Chile and the United States of America, has a divergent view on the notion of cyber attack and the applicability of international law. Peru states that in order for a cyber operation to be considered an attack, it results in direct death, injury or physical harm.
In the context of multilateral fora, US diplomats have specifically emphasised the applicability of the right to self-defence under Art. 51 of the UN Charter, noting that a State may lawfully take cyber-based or non-cyber-based countermeasures in response to internationally wrongful cyber activities attributable to another State, but only subject to the requirements of the doctrine under international law and the principles of necessity and proportionality. Peru is one of the Latin American countries to have signed and ratified the Council of Europe’s Convention 108+.
The country has also participated in the United Nations Open-ended Working Group (OEWG) on Developments in the Field of Information and Telecommunications in the Context of International Security. As a matter of fact, after the third substantive session of the OEWG, Peru issued a statement supporting the primacy of the UN Charter and the application of international law in the use of ICTs and in cyberspace, as well as the future establishment of legally binding obligations.
On the other hand, Peru along with Chile and the United States of America, has a divergent view on the notion of cyber attack and the applicability of international law. Peru states that in order for a cyber operation to be considered an attack, it results in direct death, injury or physical harm.
At the first substantive session of the 2021-2025 UNGGE, Montenegro aligned itself with the EU’s position that the “previous UNGGE and OEWG reports, including corresponding UNGA resolutions adopted by consensus” form the unequivocal basis for “any further discussions on the position, role, and implementation of the voluntary non-binding norms, rules and principles of state behaviour in cyberspace (norms)” [x].
As stated in the 2018 National Security Strategy, the United States views voluntary, non-binding norms of state behaviour during peacetime as essential components of a framework of responsible State behaviour in cyberspace. The US has participated in all iterations of the UN Group of Governmental Experts (UNGGE) as well as the latest Open-Ended Working Group.
In these multilateral fora, US diplomats have typically opposed attempts at shifting to a legally binding status for norms of responsible state behaviour, arguing that such discussions are “premature” and do not represent the best way to address the immediate threats given the fast pace of technological developments.
The starting basis for any further discussions on the part of the US rests on the current buildup of consensus surrounding the norms identified in the 2015 and 2021 GGE reports. Efforts should be concentrated on the implementation of existing consensus norms, not the creation of entirely new normative concepts (i.e. in relation to harmful hidden functions and specific critical infrastructure sectors). Peru stresses the need to make a distinction between 'cyber attacks' (which involve 'damage being caused to a militarily relevant target, which may be totally or partially destroyed, even captured or neutralised') and an 'abrupt disruption of communications in cyberspace', i.e. cyber operations that cause inconvenience, even extreme inconvenience, but not direct injury or death, or destruction of property. Accordingly, Peru emphasises the determination of the legality of cyber operations in the context of the use of force by taking into account whether they may result in death or injury to persons or property.
Peru has noted the difficulty of attribution in cyberspace. Coinciding with other American states, Peru has focused on the state's duty to ensure that its territory is not used by non-state actors to launch attacks. In this regard, Peru states that the inertia of a state towards a non-state actor that could unleash a cyber-attack on another state and that it was in a position to control could make its behaviour attributable to the state.
In any case, Peru highlights the validity of various human rights in cyberspace, including 'the right to privacy and intimacy, freedom of information, freedom of expression, free and equal access to information, bridging the digital divide, intellectual property rights, free flow of information, the right to secrecy of communications'.
In these multilateral fora, US diplomats have typically opposed attempts at shifting to a legally binding status for norms of responsible state behaviour, arguing that such discussions are “premature” and do not represent the best way to address the immediate threats given the fast pace of technological developments.
The starting basis for any further discussions on the part of the US rests on the current buildup of consensus surrounding the norms identified in the 2015 and 2021 GGE reports. Efforts should be concentrated on the implementation of existing consensus norms, not the creation of entirely new normative concepts (i.e. in relation to harmful hidden functions and specific critical infrastructure sectors). Peru stresses the need to make a distinction between 'cyber attacks' (which involve 'damage being caused to a militarily relevant target, which may be totally or partially destroyed, even captured or neutralised') and an 'abrupt disruption of communications in cyberspace', i.e. cyber operations that cause inconvenience, even extreme inconvenience, but not direct injury or death, or destruction of property. Accordingly, Peru emphasises the determination of the legality of cyber operations in the context of the use of force by taking into account whether they may result in death or injury to persons or property.
Peru has noted the difficulty of attribution in cyberspace. Coinciding with other American states, Peru has focused on the state's duty to ensure that its territory is not used by non-state actors to launch attacks. In this regard, Peru states that the inertia of a state towards a non-state actor that could unleash a cyber-attack on another state and that it was in a position to control could make its behaviour attributable to the state.
In any case, Peru highlights the validity of various human rights in cyberspace, including 'the right to privacy and intimacy, freedom of information, freedom of expression, free and equal access to information, bridging the digital divide, intellectual property rights, free flow of information, the right to secrecy of communications'.
The new Cybersecurity Strategy 2022-2026 aims to improve effective mechanism for responding to cyber incidents and response to cybercrime. The new strategy recognises the establishment of a new body Cyber Security Agency which will be umbrella institution when it comes to cyber security. The CIRT team will be transferred to the new Agency. The 2018-2021 Cybersecurity Strategy explicitly establishes a “reliance” on European and Euro-Atlantic conceptualisations of cybersecurity and resilience. The Strategy points to the EU’s 2016 NIS Directive as the primary source of inspiration, notably in its requirements for the adoption of a national cybersecurity strategy, the definition of relevant authorities, and the creation of a Computer Incident Response Team (CIRT). Indeed, since 2012, the Montenegrin CIRT represents “a central point for coordinating prevention and protection against computer security incidents on the Internet and other IT security risk for the area of Montenegro”. The Strategy also features a dedicated section on cyber defence, highlighting the country’s alignment with NATO targets (E 6202 N). In expanding cyber defence capabilities, the document notes that “special attention will be paid to harmonisation with regard to the standardisation of concepts, methods, policies, and procedures in line with the accepted European and international standards”. It also pledges the country to a set of goals: (1) definition and protection of critical information infrastructure; (2) strengthening the resilience of information systems to incidents; and (3) performing analysis of threats to IT infrastructure. Montenegro completed a bilateral ICT cooperation agreement with Thailand in 2013, while it is also a member of the CAMP initiative, the platform where members “prepare themselves with collective actions to keep cyberspace safe” through training, joint exercises, and dialogues.
The March 2021 Interim National Security Strategic Guidance states that “[the US] will make cybersecurity a top priority, strengthening our capability, readiness, and resilience in cyberspace.” Following the recommendations of the 2020 Solarium Commission, the US government has adopted the concept of ‘layered resilience’ and is gradually rolling out a comprehensive arsenal of resilience measures across a variety of domains.
The US has been active in engaging in strategically-minded capacity building with partners; US capacity building in Africa with organisations such as the African Union and SADC, for instance, have been largely motivated by Washington’s wish to promote an open, secure, and democratic model for Internet governance across the African continent.
In relation to cyber defence, there have been several joint operations and military exercises, both bilaterally (e.g. between the US Cyber Command and the Montenegrin military) and under the auspices of NATO. Recent regional engagement efforts such as the dialogues in the context of the tripartite AUKUS coalition and the Structured Quadrilateral Security Dialogue (the eponymous Quad) also heavily feature references to collaborative cyber-capacity building. In multilateral fora, the US has also welcomed the inclusion of confidence-building measures in the GGE reports and noted that, in order for CBMs to be useful, they need to be implemented at minimum on a bilateral basis and preferably on a multilateral and eventually an international basis. The Personal Data Protection Law N° 29733 (PDPL) was enacted in June 2011. In March 2013, the Supreme Decree N° 003-2013-JUS-Regulation of the PDLP (Regulation) was published in order to develop, clarify and expand on the requirements of the PDPL and set forth specific rules, terms and provisions regarding data protection.
Together, the PDLP and its Regulation are the primary data protection laws in Peru.
As of 2021, Peru approved the Bill that creates the National Authority for Transparency, Access to Public Information and Protection of Personal Data.
Peru possesses a Digital Trust Framework, as a means to establish certain obligations for public or private entities acting as digital service providers. These include reporting when a digital security incident involving personal data occurs, as well as implementing technical, organisational, and legal security measures to guarantee the confidentiality of information transmitted through its communications services.
Over the last decades, the Peruvian state has made efforts to promote digital transformation, both within its institutions and in the services it offers to citizens and has outlined a Digital Agenda in 2021 for Digital Transformation.
The US has been active in engaging in strategically-minded capacity building with partners; US capacity building in Africa with organisations such as the African Union and SADC, for instance, have been largely motivated by Washington’s wish to promote an open, secure, and democratic model for Internet governance across the African continent.
In relation to cyber defence, there have been several joint operations and military exercises, both bilaterally (e.g. between the US Cyber Command and the Montenegrin military) and under the auspices of NATO. Recent regional engagement efforts such as the dialogues in the context of the tripartite AUKUS coalition and the Structured Quadrilateral Security Dialogue (the eponymous Quad) also heavily feature references to collaborative cyber-capacity building. In multilateral fora, the US has also welcomed the inclusion of confidence-building measures in the GGE reports and noted that, in order for CBMs to be useful, they need to be implemented at minimum on a bilateral basis and preferably on a multilateral and eventually an international basis. The Personal Data Protection Law N° 29733 (PDPL) was enacted in June 2011. In March 2013, the Supreme Decree N° 003-2013-JUS-Regulation of the PDLP (Regulation) was published in order to develop, clarify and expand on the requirements of the PDPL and set forth specific rules, terms and provisions regarding data protection.
Together, the PDLP and its Regulation are the primary data protection laws in Peru.
As of 2021, Peru approved the Bill that creates the National Authority for Transparency, Access to Public Information and Protection of Personal Data.
Peru possesses a Digital Trust Framework, as a means to establish certain obligations for public or private entities acting as digital service providers. These include reporting when a digital security incident involving personal data occurs, as well as implementing technical, organisational, and legal security measures to guarantee the confidentiality of information transmitted through its communications services.
Over the last decades, the Peruvian state has made efforts to promote digital transformation, both within its institutions and in the services it offers to citizens and has outlined a Digital Agenda in 2021 for Digital Transformation.
Montenegro is a party to the Council of Europe-sponsored Budapest Convention, ratifying it in 2010. In February 2013, Montenegro signed the regional Declaration on Strategic Priorities against Cybercrime, which “identified strategic priorities” that largely reflect the spirit and content of the Budapest provisions. [x] The 2018-2021 Strategy lists several developments that have contributed towards strengthening the capabilities of law enforcement authorities in dealing with cybercrime: these include the establishment of a dedicated High-Tech Crime Group within the Ministry of Interior, while the National Security Agency is making “significant efforts aimed at creating normative and operational mechanisms for fighting against cybercrime and espionage”. [x]
Many thanks to Ms Ana Minevski for her valuable comments.
The US is a signatory and an early proponent of the Budapest Convention. A big part of American cyber diplomatic activity has, in fact, been focused on promoting the Budapest regime as the global model of cybercrime governance. In 2019, the US firmly opposed the Russian-sponsored resolution calling for an alternative legal instrument to the Convention; following the passing of the resolution, however, the US has agreed to participate in the Ad Hoc Committee established under UNGA resolution 74/247 despite the fact that the “surprise text” within the May 2021 resolution was seen as an effort to “circumvent dialogue” and undermine the “balanced, inclusive, consensus-based process” sought by the US.
On a multilateral level, the US is also a party to the UN Convention against Transnational Organised Crime (UNTOC) and the Inter-American Convention on Mutual Legal Assistance of the Organisation of American States (OAS) and is a member of Interpol.
Bilaterally, the US has completed an agreement with the UK under the CLOUD Act that facilitates cross-border data sharing directly between US companies and the British government; the US is trying to expand this type of bilateral engagement, currently negotiating a similar agreement with Australia. Peru’s signature and ratification of the Budapest Convention on Cybercrime, which is the only binding international instrument dealing with cybercrime, was a great step towards advancing a cyber agenda.
In 2019, Peru passed a Cyber Defence Act, with the objectives of defending and protecting sovereignty, national interests, critical national assets and key resources to maintain national capabilities against threats or attacks in and through cyberspace, when these affect national security.Peru has also passed a Cybersecurity Framework for the private sector, with the objective of identifying and protecting information assets, detecting security events, and providing for response and recovery from cybersecurity incidents.
In this context, there are more and more reports of cybercrime in the country. According to data from the Public Prosecutor's Office, in 2021 they received 18,596 reports of cybercrime cases, which represents a percentage increase of 92.9% compared to 2020, with phishing and ransomware being the most common attacks.
Many thanks to Ms Ana Minevski for her valuable comments.
The US is a signatory and an early proponent of the Budapest Convention. A big part of American cyber diplomatic activity has, in fact, been focused on promoting the Budapest regime as the global model of cybercrime governance. In 2019, the US firmly opposed the Russian-sponsored resolution calling for an alternative legal instrument to the Convention; following the passing of the resolution, however, the US has agreed to participate in the Ad Hoc Committee established under UNGA resolution 74/247 despite the fact that the “surprise text” within the May 2021 resolution was seen as an effort to “circumvent dialogue” and undermine the “balanced, inclusive, consensus-based process” sought by the US.
On a multilateral level, the US is also a party to the UN Convention against Transnational Organised Crime (UNTOC) and the Inter-American Convention on Mutual Legal Assistance of the Organisation of American States (OAS) and is a member of Interpol.
Bilaterally, the US has completed an agreement with the UK under the CLOUD Act that facilitates cross-border data sharing directly between US companies and the British government; the US is trying to expand this type of bilateral engagement, currently negotiating a similar agreement with Australia. Peru’s signature and ratification of the Budapest Convention on Cybercrime, which is the only binding international instrument dealing with cybercrime, was a great step towards advancing a cyber agenda.
In 2019, Peru passed a Cyber Defence Act, with the objectives of defending and protecting sovereignty, national interests, critical national assets and key resources to maintain national capabilities against threats or attacks in and through cyberspace, when these affect national security.Peru has also passed a Cybersecurity Framework for the private sector, with the objective of identifying and protecting information assets, detecting security events, and providing for response and recovery from cybersecurity incidents.
In this context, there are more and more reports of cybercrime in the country. According to data from the Public Prosecutor's Office, in 2021 they received 18,596 reports of cybercrime cases, which represents a percentage increase of 92.9% compared to 2020, with phishing and ransomware being the most common attacks.
