Page 105 - Cyber Terrorism and Extremism as Threat to Critical Infrastructure Protection

METODI HADJI-JANEV:  HYPER THREATS TO CRITICAL INFRASTRUCTURES IN THE REGION OF SOUTH-EASTERN EUROPE:
                        A WAKE-UP CALL FOR SOUTH-EASTERN EUROPEAN LEADERSHIP

            “success does not go to the country that develops a new technology first, but rather, to the one
            that better integrates it and more swiftly adapts its way of fighting” (Mattis, 2018).

            The changes and strategic updates need to be realistic and based on the SEE contemporary
            security assessments and perception under the Euro-Atlantic framework. The SEE countries
            no longer have the luxury of simply implementing security concepts that work for the EU
            or NATO Allies; without a proper adaptation that reflects the cultural perspectives or other
            region-based dynamics, these concepts will not give the expected results. Of course, general
            trends need to be reconsidered and put into the SEE security context.

            SEE governments need to reconsider prevention. Reducing risk and mitigating cascade effects
            in the new, unpredictable and complex security environment requires that critical infrastructure
            organizations take a more holistic view of the critical infrastructure ecosystem. A
            cultural shift under a whole-of-society mode of application is necessary. Not just security
            personnel but all the administration and related private-sector employees in the CIP and CIIP
            system need a whole new level of awareness of the contemporary hyper-based threats. Embracing
            a holistic zero-trust approach that prioritizes prevention strategies over reactive detection
            methods and avoiding an “it is not going to happen to me” culture is urgent. Therefore,
            existing detection or consequence management policies and procedures need to be reconsidered
            in the context of prevention.

            The SEE leadership needs to rethink resilience in the age of AI applications and systems. A
            US Department of Homeland Security study concluded that one of the major risks to CIP in
            the age of AI is potential mass unemployment (The US Homeland Security, 2017). Led by
            efficiency, many private sector companies in the chain of CIP and CIIP in SEE will eventually
            implement AI systems. At the same time, the threat vectors landscape is drastically changing,
            which urges the SEE leadership to reconsider not just employment policies but also contingencies
            in the security protocols for effective CIP and CIIP with AI systems. Therefore, an
            open dialogue in advance and a regulatory platform that will reduce new potential vulnerability
            gaps and data privacy concerns under the SEE governments’ leadership is necessary.

            Mitigate risks with training and awareness. The human factor is the number one security risk
            to SEE CI and CII. At the same time, SCADA (Supervisory Control and Data Acquisition)-run
            systems and the whole cybersecurity policy and industry related to CI and CII in SEE are
            predominantly led by IT experts. While this group of SEE society remains a valuable factor
            in CIP and CIIP, they lack security (not safety) training and geopolitical awareness. A brief
            overview of the educational and training institutions in SEE would lead one to conclude that,
            except for some programmes and curriculums, there is a general separation between defence
            and security, policy, legislation and economic and IT-based educational programmes and curriculums.
            Furthermore, the same separation exists in the private sector. Corporate management
            rarely has a holistic approach to corporate security, and the requirements are just profit-oriented.
            National security considerations are either sporadically considered if there is a legal
            requirement, or not considered at all. While many of these companies address supply chain
            risks by certifying the cybersecurity practices of their partners, basic security awareness and
            training often lag behind other industries (Czarny, 2020). Hence, the SEE governments need
            to reconsider this and initiate a multidisciplinary training approach, as well as stimulate
            multidisciplinary professionalization of administration and private sector employees.



