Why Mongolia Needs Cybersecurity Literacy?

By Baasankhuu Sumiya

A few days ago, at midnight, I walked 10 kilometers to get home. Public transportation had stopped, but I couldn’t get a taxi because I didn’t have any cash and always use banking applications on my phone. My most reliable smartphone was dead. These days, most Mongolians don’t carry cash because we are heavily on our smartphones.

Just like me, many Mongolians are so proud of going digital but pay a little attention to cybersecurity literacy – many even don’t hear the term. And, we can scale up to our national security – the state is vulnerable to cyberattacks and cybercrimes. Besides the government’s strategic vision of a ‘Digital Nation’ and passing a number of laws, we need to educate our public from the age when they started being exposed to the digital world.

Becoming a Digital Nation

In 2022, Mongolia had announced a vision for Mongolia to become a “Digital Nation.” As part of this vision the Government of Mongolia approved the ICT Sector Medium-Term Development Policy to be implemented in 2022-2027, and established the Ministry of Digital Development and Communications (later renamed to the Ministry of Digital Development, Innovation and Communications) to oversee the policy implementation. With 84% of the 3.47 million population connected to the internet, and 5.13 million devices online, our society now relies heavily on digital platforms[1]. From paying bills to accessing government services via E-Mongolia, a digital one-stop shop for government services. This shift has saved the ordinary citizen a lot of time, money, and paperwork, not to mention the stress and discontent resulting from having to go through long lines and angry crowds at any given public office. Moreover, digital transformation has improved government efficiency by cutting red tapes and streamlining various functional processes.

Digital transformation of Mongolia is progressing rapidly. However, while it has accelerated transactions, saved time and money, it has not been without difficulties. Mongolia faces challenges especially when it comes to cybersecurity. In 2024, there were 1.6 million cyber-attacks and incidents, 13061 cybercrimes, and cost about 25.4 million USD counted in Mongolia. And these are just the cases that we are aware of. Many more cyberattacks and cybercrimes likely go unnoticed.

Establishing a Legal Framework

Then, to address this vulnerability in cybersecurity and the overall digital development the State Great Khural, Mongolia’s legislature, passed the Law on Cybersecurity, which establishes the legal framework for cybersecurity governance, protection, and response in 2021. A year later, in 2022, a round of measures related to cybersecurity were taken including, the approval of the National Cybersecurity Strategy, which outlines key priorities for strengthening the country’s cybersecurity posture, with establishment of the Cybersecurity Council, Cyber Crime Police Department under The National Policy Agency, National Computer Security Incident Response Team (NCSIRT, or National CERT), Public Computer Security Incident Response Team (Public CSIRT/CC), and the Armed Forces Cybersecurity Center (AFCC).

All these efforts to strengthen cybersecurity and fight cybercrime appeared to bear fruits. For instance, In the Global Cybersecurity Index (GCI) 2024, published by the International Telecommunication Union (ITU), Mongolia achieved a score of 56.36, placing it in Tier 3, labeled as “Establishing.” This reflects a significant improvement from the 2020 edition, where Mongolia scored 26.20 and ranked 120th out of 194 countries, which means the country advanced 17 places to 103rd position[2]. But these efforts alone couldn’t prevent all cyberattacks and crimes.

Cyberattacks and Crime on the Rise

The cyberattack and cybercrime statistics continuously increasing, government websites are under constant cyberattack, and there have been several high-profile cases of government website and social media handle hacks. Just to mention a couple of breach examples,

In August 2024, the China-linked RedDelta group targeted Mongolia’s Ministry of Defense, deploying a customized PlugX backdoor through spear-phishing emails using flood-related lures[3].
Between November 2023 and July 2024, Russian state-backed hackers (APT29) compromised Mongolian government websites, including cabinet.gov.mn (official website of Cabinet Secretariat of Government of Mongolia) and mfa.gov.mn (official website of Ministry of Foreign Affairs), to conduct “watering hole” attacks. They used these sites to infect visitors’ devices, exploiting vulnerabilities similar to those used by commercial spyware vendors[4].

These incidents highlight Mongolia’s growing cybersecurity challenges despite its progress in global rankings. One of the core reasons of this persistent vulnerability is the lack of sovereign digital infrastructure. Mongolia is connected to the undersea fiber optic cable network via a single terrestrial fiber optic cable that runs through Mongolia connecting Eurasia to South Asia, making it highly susceptible to disruptions, cyber espionage, and geopolitical leverage. In other words, Mongolia is totally dependent on the single terrestrial fiber optics. Elon Musk’s Starlink internet satellite constellation started service in Mongolia fairly recently, in 2023. But it is prohibitively expensive for the majority.

In addition, there are only about 20-25 Datacenters in Mongolia. Among them only 1/5 have met essential standards like ISO/IEC 27001, Uptime Institute’s Tier II or more. To make matters worse Mongolia suffers from an energy supply and an insufficient human capital in the ICT sector and even fewer professionals in cybersecurity and cybercrime to adequately service the 2.9 million internet users. The sufficient amount of ICT professional for Mongolia is over 27,000 and there only about 12,000 people. On average there are 2000-2100 graduates major in IT specific major. Of them only 10% specialize in cybersecurity or system security[5]. The situation is exacerbated by brain drain, where talented individuals are lured by promises of better life abroad.

Absence of the Cyber Literacy

Leaving the worst to last, Mongolians hold terrible cyber literacy rates. In 2024, UNDP conducted “Cybersecurity awareness research in Mongolia”[6]. It covered a thousand well educated young and mid-age population.

The key findings were, 51% of those people use unauthorized or cracked software, 60% were unaware of ransomware, despite one-third encountering it personally, two-third lack knowledge about Personally Identifiable Information (PII), nearly half reuse passwords across applications, websites, 47% use private information in passwords. Despite 70% using mobile internet, mobile security awareness was critically low (almost no awareness), 71% never heard of phishing or have no knowledge, many of them do not update software, application they use and don’t know the importance of patch management, data backups. Finally, almost two-third lack knowledge of cybersecurity reporting channels, indicating insufficient awareness of initiatives.

Mongolia is trying to keep walks on global trends of digitalization but our cybersecurity is weighed down by a plethora of challenges, which necessitates massive intervention to unburden. Mongolia has made strides, but cybersecurity threats know no borders.

Educating Citizens – A Way Forward

As we continue to digitalize, we must seek global cooperation to strengthen our defenses. First and foremost, we must invest in improving cyber literacy across our entire society. Without proper cybersecurity literacy, our national security—and even our sovereignty—remain vulnerable. If I had paid a little attention to my over-dependence on the technology, I could’ve carried some cash and had a convenient ride back home. If many Mongolians become aware of cybercrimes and cyberattacks, we could withstand against any cyber threats – thus make our cybersecurity stronger than now.

Acknowledgement: Author would like to thank Dr.Mendee Jargalsaikhan, Director of ISS and Buyandelger Davaajantsan, Research fellow at ISS, for their valuable peer review and the copy-editing.

[1] Simon Kemp, “Digital 2024:Mongolia,” DatarePortal, February 23, 2024, https://datareportal.com/reports/digital-2024-mongolia

[2] “Global Cybersecurity Index 2024”, The International Telecommunication Union (ITU), 2024, https://www.itu.int/epublications/publication/global-cybersecurity-index-2024

[3]Ravie Lakshmanan,” RedDelta Deploys PlugX Malware to Target Mongolia and Taiwan in Espionage Campaigns”, The Hacker News, January 10, 2025, https://thehackernews.com/2025/01/reddelta-deploys-plugx-malware-to.html

[4] Clement Lecigne, “State-backed attackers and commercial surveillance vendors repeatedly use the same exploits”, Google Threat Analysis Group, August 29, 2024, https://blog.google/threat-analysis-group/state-backed-attackers-and-commercial-surveillance-vendors-repeatedly-use-the-same-exploits/

[5] “Харилцаа холбоо, мэдээллийн технологийн салбарын хүний нөөцийн эрэлт, нийлүүлэлтийн судалгаа”, Цахим хөгжил, харилцаа холбооны яам, 2021 он, (Human resource demand, supply research report in IT sector), Ministry of digital development and communication, 2021.

[6] “Cybersecurity Awareness Research in Mongolia Research Report”, UNDP, October 2024.

It’s Time to Establish an OSCE Policy Center in Mongolia

Mongolia’s One Billion Trees Campaign: A Bold Step Against Climate Change and Desertification

The Impact of the Russian Mobilization on Mongolia

The Historic Friendship Between Mongolia and Vietnam

Diplomatic world

The Ulaanbaatar Dialogue: A Time to Talk About Climate Change

Statistics

Similar Posts

Statistics