Building cyber resilience without borders: how socially-based CERT is pioneering
When most countries discuss cybersecurity, they frame it around national strategies, government-backed Computer Emergency Response Teams (CERTs), and regulatory frameworks. But Bosnia and Herzegovina stands apart for a sobering reason: it remains the only country in the world without a national CERT or a comprehensive cybersecurity law.
Despite this absence, Bosnia is not standing still. A small, socially-driven initiative—the Cybersecurity Excellence Centre (CSEC)—has emerged as a lifeline for critical infrastructure, NGOs, and even some government agencies. By leveraging open-source technologies, academic partnerships, and community trust, CSEC demonstrates how resilience can be built from the ground up, even when top-down support is missing.
Cybersecurity in Bosnia: a nation without a net
Bosnia’s digital infrastructure is far from primitive. Health records, banking data, and payment systems like Google Pay are widely used. What is missing is accountability: no authority is mandated to secure these assets or ensure minimum service levels. This leaves organizations exposed, particularly in sensitive sectors like domestic violence shelters, where data breaches have had fatal consequences abroad.
In response, CSEC positioned itself as an independent CERT-like body, free from political entanglements but anchored in academia and civil society. This structure allows it to fill a gap that the government has yet to address.
Innovation on a shoestring
Operating with a team of fewer than ten people, CSEC has nonetheless delivered groundbreaking tools for Bosnia’s cyber landscape. These include:
- CVE and vulnerability trackers open to the public.
- Membership in the Shadow Server Foundation, enabling Bosnia to monitor its entire IP space.
- DecoyNet, a nationwide honeypot network built on open-source software and deployed on low-cost devices like Raspberry Pi.
Though modest in scale, these initiatives provide unprecedented visibility into Bosnia’s threat landscape and align local findings with global attack trends.
From reactive to predictive: the AI ambition
Currently, CSEC operates reactively—responding to incidents after data is often already compromised. The next frontier is predictive defense. With limited manpower, the center aims to apply AI for:
- Early anomaly detection across Bosnia’s networks.
- Automated incident classification to handle overwhelming case volumes.
- Assisted forecasting to make sense of the enormous datasets gathered from global partners.
But the challenges are immense. Bosnia lacks both official data sources and a pool of trained AI experts. CSEC must generate its own datasets via honeypots and collaborations, while also navigating the ethical and practical challenges of AI adoption—ensuring transparency, avoiding “black box” dependencies on vendors, and treating AI as augmentation, not replacement for people.
Regional and global partnerships
Recognizing its limits, CSEC has plugged into larger ecosystems. It collaborates with universities in Sarajevo and Brno, participates in EU initiatives, and advocates for regional sandboxes where AI models can be trained on Western Balkans-specific data. These partnerships have already borne fruit: CSEC’s AI-supported threat dashboards helped spark Bosnia’s first parliamentary initiative toward a national Cybersecurity Agency.
Lessons for emerging-country CERTs
Bosnia’s case offers several insights for other nations or regions lacking centralized cybersecurity structures:
- Civil society can step in where governments fail, especially for vulnerable groups.
- Open-source tools and community trust can compensate for scarce funding.
- Predictive security is a mindset: it requires not just tools, but collaboration, ethics, and local context.
- AI should serve humans, not substitute them, particularly in small teams where expertise and accountability matter most
