The Albanian government’s responsive cyber-risk management level: Good, bad, inexistent?
In Albania, an old proverb goes: “The greatest wonder lasts only 3 days”. In that spirit, a common feeling is that the crisis that gripped the Albanian people for the last couple of months has vanished into the abyss. For context, in June 2022, the Albanian government was forced to shut down its digital services and government websites after it was hit by a “massive cyber-attack”. This came two months after the Albanian government decided to go all-digital for the majority of public services.
If this were the first cyber incident relating to the government in Albania, we might have taken a softer stance on its efforts to function well in the digital realm. However, in the last couple of years alone, the data of some 910,000 Albanians on the Patrons’ list, personal and salary data for 637,138 Albanian citizens, and private information on car licence plates and phone numbers for 650,000 Albanians were leaked and became part of the public domain. These are significant numbers considering Albania has a population of 2.8 million, and there is a database somewhere that contains the personal data of more than half of it. Considering the “bad luck” and the unfortunate entanglement of the government with technology, the Albanian government’s transition to digital might be considered by many a big, thoughtless leap.
This piece will try to untangle the situation that made Prime Minister Edi Rama give the green light for the digitalization of the country’s core services, the response to the cyberattack, and the aftermath.
The architecture of the digital government
The post-communism stance in Albania on public services has remained the same for the last three decades: inefficient services that took a long time to receive, and for which you had to call a number of people, feeling as if you were being granted access to secret state information and not your birth certificate. Following the dismay of Albanian citizens, the Prime Minister thought that the best solution would be to remove all possible contact between public administration employees and citizens and businesses.
If the channel cannot be corrupted, then corruption itself ought not to exist in Albania? This must have been what the prime minister and his cabinet thought when pursuing this avant-garde (for Albania) idea of becoming a digitalized government.
The Digital Agenda Strategy provided the basis for the e-Governance, e-tax, e-procurement, e-customs, e-patens, e-fines services, and other e-services to be developed. This was reflected in the creation of the portal www.e-albania.al, the only point of contact for governmental services. Through the e-Albania portal, the average Albanian citizen can request and receive information and services on 1200 services that are offered by the public administration. This translates to 95% of the public services, compared to 1% of the services that were offered online in 2014. Since 2020, citizens and businesses can receive public services only online. Citizens and businesses apply through the e-Albania platform, and government employees collect all the relevant documents for the services. This interaction goes through the government network GovNet. In principle, as PM Edi Rama said, now “the state goes to the citizen, and no longer the citizen to the state”; digitalization is not bad or evil per se. What is most troublesome is the lack of checks and balances, which infringes our right to know what is happening in the e-Government.
Going through the strategies and what we can perceive as a decade’s worth of work on planning, budgeting, and implementing the digitalization of the country, we cannot simply conclude that there was no opportunity for the government to have been prepared for the cyberattacks in July. The question is: what happened?
A short-lived success: e-Albania error 404 message
On June 18, 2022, the National Agency for the Information Society (NAIS) declared that there had been a synchronized, sophisticated, and complex attempt from “outside the country” to interfere with the digital framework of the government. As cyberattacks cannot be perceived as a new phenomenon per se, NAIS put in place the response protocols to isolate the infrastructure and protect the data and personal information. This approach blocked citizens from accessing e-Albania and other websites in the government network (GovNet), resulting in paralysis of the state.
The National Cybersecurity Strategy 2020-2025 acknowledged that the government lacked the necessary tools to obtain cyber intelligence for law enforcement activities and the human resources with adequate skills and qualifications to address cybersecurity challenges. Despite its aim to “guarantee cybersecurity at a national level through the protection of information infrastructure”, the reality proved otherwise. As the cyberattacks caught the government amidst celebrations on e-Government, the government tried to shelter from the public demand for accountability behind a few arguments:
- e-Albania does not store data.
The biggest commotion was over how much data could be leaked through this cyberattack. As GovNet and e-Albania were hacked, citizens were wary of their personal data falling into the Dark Web. Officials had stated in previous data leaks that e-Albania does not hold personal information and that it only works as a portal that connects the user to the civil registry. However, accepting this would mean disregarding all the theories that state that we leave digital footprints in cyberspace. The trail of data we leave behind when accessing the portal, our login information, and other metadata would be sufficient to harm us if they fell into the wrong hands.
- Other governments were hacked too.
The Significant Cyber Incidents report by CSIS indicates that this statement is true: in 2020 alone, around 70 cyberattacks on government agencies, defence and high-tech companies, or economic crimes with losses of more than a million dollars took place, and the e-Albania hacking was included too.
Particularly against this background of geopolitical and geo-economic tensions, whether in the form of ransomware, phishing, or some other form of attack, the government is a prime target for hackers for one main reason: private government information. Nonetheless, this does not mean that governments must surrender to the invisible enemy; rather, they should have a dedicated national incident response and recovery plan and a national critical infrastructure protection program, and invest in a vibrant cybersecurity ecosystem. This was highlighted as essential in Albania’s recent cyberattack. The lack of a risk management plan was evident in the government’s delayed responses to the shutdown of the government websites and the e-Albania portal, such as re-opening physical points and other contingency plans that should have been thought out prior to the attack.
- “We did the best we could do”.
The probably underfunded IT department of the Albanian government may be excused to a certain degree for failing to respond in a timely manner to the cyber attack. Nonetheless, as cyberattacks are inevitable, the government needs to have a national incident response and recovery plan for future situations like the last one.
A clear plan would properly define the procedures for reporting cyber incidents in Albania, provide for active monitoring of cyber threats, establish channels to gather threat intelligence, make proactive efforts to combat cyber threats, and include a mobilization plan to respond effectively to such situations.
In evaluating and managing digital risk, which refers to all the consequences that come from the digital transformation and prevent its objectives from being realised, the government of Albania needs to focus further on increasing the physical, human resources, and logistic infrastructure of GovNet, raising awareness of cyber attacks, and improving the capacities of the centre on government data.
In the 2022-2026 Agenda, the government assures that they will try to develop the capabilities to limit, control and recover from cyberattacks. They are exploring shifting to cloud technology, as a technology that might be more elastic and secure, keeping in focus the protection of personal data and privacy.
The aftermath of the cyber attacks
If we look back at how the Albanian government handled the three data leaks in the past years, we will encounter a lack of novelty in its methodology. It has been an approach more focused on “who can take the blame on this”, rather than “what we can do so this does not happen again – at least in the near future”. This fails to capture the nature of cybercrime, as an offence with an anonymous author who is hard to trace, and who commits a crime whose elements are hard to prove.
The problem with the “blame” game, particularly for a government that has recently started to depend heavily on technology, is that it does not do us any good. Drawing from this, some governments are holding off on improving their digital infrastructure, as it may expose them to a number of cyber attacks. Others are exploring cloud-based technology, encrypting sensitive information, encouraging the use of two-factor authentication, and training employees on cybersecurity hygiene. As the government has yet to publish a conclusive report on what the predominant cause was, whether it was human error or an unstoppable technology, we need to willingly extend our attention to all the areas critical to defending against cyberattacks.
While we wait for the Albanian judicial system to have adequate time to investigate who did it, what happened, and why, there is no assurance that this will not happen again. Certainly, a proposed solution would not be to ostracize digitalization completely and promote a Stone Age lifestyle. To fear the technology would probably result in more drawbacks than benefits. Nevertheless, the effects of a breach are significant because compromised usernames, personal information, ID numbers and passwords can be used in additional attacks, creating a sizable market for stolen credentials. As a result, this had better be the last incident relating to data that is not followed by a thorough investigation and response to the numerous data breaches in Albania, for the sake of the privacy of Albanian citizens.