On the headline number, Kyrgyzstan’s cybersecurity has measurably improved. The country’s score on the ITU Global Cybersecurity Index (GCI) rose from 49.64 in 2020 to 65.59 in 2024. The index measures five things — legislative frameworks, technical capabilities, organisational capacity, capacity-building, and cooperation — and Kyrgyzstan has, by any reasonable read of those five, advanced. The legislation exists. The institutions exist. The points are deserved.
The GCI is, by design, a measure of institutional cyber readiness. It does not score the operating posture — the actual cyber threat the country faces from the network, the technical capacity present at operator and ministry level, the resilience of the underlying transit architecture, or the supply-chain dependencies sitting under the equipment stack. The score went up while the posture stayed largely where it was. Both sentences are true at the same time, and the rest of this piece is about how to read them together.
What the score reflects: the institutional layer
Several concrete pieces of cyber-institutional architecture have been put in place over the last cycle:
- The Law on Electronic Governance, with criminal provisions for cybercrime;
- A national CERT (Computer Emergency Response Team) — the standing body for incident coordination;
- A Coordination Center for Cybersecurity, housed inside the State National Security Service (GKNB);
- Ongoing alignment of digital legislation with the Digital Codex adopted in 2023.
These are the components a country needs in order to score well on the GCI’s organisational and legislative axes. They are also, on their own, the part of the cyber stack closest to the policy document and furthest from the operating console. The DECA field assessment lands on four areas where the institutional layer has not yet translated into operational capability: cyber threat analysis capacity, protection of essential services, transit-provider diversity, and cyber hygiene awareness across both the civil service and the general user base. Each of those is something an index built around frameworks does not see.
The threat landscape, in named incidents
The clearest evidence that the operating posture and the index are different surfaces is the run of cyber incidents documented against Kyrgyz targets over the last decade. None of these are reconstructed; each has been publicly attributed.
| Period | Incident | Target / Attribution |
|---|---|---|
| 2014–2021 | Multi-year spear-phishing campaign | Kyrgyz political entities; PRC-linked group |
| 2017 | Cyber-espionage phishing campaign | Kyrgyz politicians and government officials; Russia-linked |
| 2016–2018 | Suspected use of NSO Group Pegasus surveillance software | Targets in Kyrgyzstan; reportedly originating from Uzbekistan |
| October 2020 | Government-linked malware campaign disclosed by U.S. Cyber Command and CISA | Entities in Kyrgyzstan; PRC-linked |
| August 2022 | Cyberattacks against multiple Kyrgyz banks | Banking sector; attributed to a Ukrainian group in the context of the war in Ukraine |
Two patterns are visible across the list. First, the threat actor mix is geographically broad: PRC-linked, Russia-linked, regional, and, incidentally, shaped by adjacent conflicts. Second, the targets span political administration, government communications, journalists, and the financial sector. This is the threat surface a working national CERT, an operationally capable Coordination Center, and a mature operator-level SOC posture would each be exercised against. The DECA field assessment’s reading is that the exercise is not yet at the level the threat surface demands.
The intercept and surveillance stack, as infrastructure
Read as technical infrastructure rather than as a civil-rights story, two stacks deserve specific naming because they shape the country’s cyber attack surface, vendor dependency, and resilience posture.
SORM — the Sistema Operativno-Rozysknykh Meropriyatiy, originally developed for Russian lawful-intercept use — is installed across all Kyrgyz telecom operators. From a network-architecture point of view, what matters is the technical envelope:
- Voice and data-traffic metadata interception across operator networks;
- Subscriber data retention for at least three years;
- Real-time remote access by authorised state bodies;
- 15 categories of internet-subscriber metadata defined by the SORM Instruction (user IDs, session data, connection type, traffic volume, IP address, and adjacent fields);
- Operators self-fund installation and maintenance.
For cyber-defence purposes, the relevant point is that the SORM stack is a piece of foreign-origin infrastructure embedded inside every operator’s network, with retention obligations that materially expand the size and lifespan of high-value data sets. From a vendor-risk and supply-chain perspective, that is a meaningful structural exposure to track.
The Safe City programme is the cyber-physical analogue. As of February 2023, it had deployed:
- Around 2,177 surveillance cameras nationally;
- Of which 519 carry facial-recognition capability;
- With expansion plans of up to 10,000 cameras in Bishkek alone.
The deployment was contracted to Russian and Chinese suppliers, including CEICEC, which sits on the U.S. sanctions list. From a cybersecurity reading: Safe City is a large, networked, internet-connected sensor estate built and maintained by external vendors, holding biometric data, with no public framework for retention, access, or audit. The operational risks are familiar from any large CCTV-plus-AI deployment (credential leakage, footage exfiltration, model bias, and supply-chain compromise), but in this case they sit on top of vendor concentration that the country’s wider ICT supply chain already carries.
Vendor concentration and supply-chain exposure
Underneath both stacks sits a more general supply-chain pattern. Kyrgyz mobile operators and most fixed-line ISPs depend on equipment from Huawei and ZTE; both have been involved in the country’s earlier 5G trial work. The pattern is not unusual regionally, but for a national cyber posture it is a defining feature: the equipment estate the country defends is largely sourced from a small number of vendors, and the trust assumptions baked into that estate are vendor assumptions, not domestically verifiable ones. Cyber risk in Kyrgyzstan is, in a meaningful sense, a supply-chain question more than an attack-surface one.
The resilience question: transit, single points, and continuity
One of the clearest network-resilience risks identified in the DECA field interviews is the periodic move toward routing all of the country’s international internet transit through a single state-controlled chokepoint at Kyrgyztelecom. From a cyber-resilience point of view, this is the cleanest possible expression of a single-point-of-failure problem. A model of that kind would simultaneously:
- Reduce the number of independent transit operators (Elcat, Fiberlinks, and others) — eliminating the redundancy that currently absorbs partial outages;
- Concentrate the country’s international traffic into one technical envelope, which is also one technical attack surface;
- Bring the country closer to the architectural pattern in place in Tajikistan, where the consolidation has produced both higher costs and lower resilience.
For an honest cybersecurity read of Kyrgyzstan, transit-architecture decisions matter at least as much as endpoint-defence ones. The most consequential cyber-resilience decision the country can make in the next cycle is whether to keep the transit market plural or to consolidate it.
What the score does not yet capture
Read against the threat list, the embedded intercept and surveillance infrastructure, the supply-chain concentration, and the open transit question, the GCI score is what it is — a fair description of the institutional layer of the country’s cyber readiness. It is not, on its own, a description of the operating posture.
The score measures whether the country has built the institutional shell of a cybersecurity system. The posture is whether anything inside the shell is operationally exercised against the threats actually arriving on the network.
The next two pieces in this series move from the cyber layer to the services that ride on top of it — first the e-government stack, where the trust model determined here ends up tested in production, and then the digital economy, where the same questions land at the level of the household and the firm.
The Cybersecurity section of the assessment for the Kyrgyz Republic was prepared by Aziz Soltobaev as part of the DECA assessment. The view in this piece draws on direct operational experience at the country’s transit and exchange layer, including as co-founder of KG-IX and co-builder of SNS-IX in Uzbekistan.
