Release peace: the magazine
Analysis & Background Stories on International Affairs
Albania Was Hit by Cyberattacks. What it Can Learn From Estonia.
Written by: Logan Emily Carmichael
Falling Victim to Cyberattacks
On 15th July 2022, anyone looking to access e-Albania.al, the portal for digital government services in Albania, found that it was unavailable. It had fallen victim to cyberattacks. The portal, which had been unveiled only months earlier in May, sought to move many government service provisions online, vaunting more than 1,200 new digitised services. Albania’s digital transformation, accelerated by the COVID-19 pandemic, was also an attempt to mitigate corruption that has plagued the country since the 1990s. What followed signalled completely uncharted territory for Albania, which is a relatively new democracy, still weeding out deception after decades of steadfast authoritarian rule. Albania is now at a crossroads. The country has an immense opportunity to bolster the future cybersecurity of its entire digital transformation project through the decisions that it makes today. To do so, it can learn from Estonia, the small Baltic state of 1.3 million, which has been honing its digital governance structure, including electronic identification, e-services, and even online voting in national elections. Most importantly for Albania, Estonia has had its own experiences with major cyber incidents and has developed some of the world’s most advanced practices to prevent and respond to them.
In Estonia, as in many other countries in the world, responsibility for cybersecurity matters falls between several ministries and departments. These entities have adopted a practice of ‘radical transparency’: being clear and open about the information that they know, in order to maintain the trust of the public. This approach allows the public to maintain confidence in both the digitalised systems and the government itself, decreasing the possibility of getting caught out later and thereby damaging the government’s reputation. In undertaking a transparent response to cyberattacks, the Estonian government uses coordinated messaging and typically selects a specific voice to speak on the cyber incident in question. During the 2017 eID crisis, when Czech researchers discovered a vulnerability in the Estonian electronic identification cards, then-Prime Minister Jüri Ratas provided the main public messaging and spoke during press conferences. In August 2022, after Distributed Denial-of-Service (DDoS) cyberattacks targeted the Estonian government and private sector, the Undersecretary for Digital Transformation, Luukas Ilves, provided the initial messaging, which was disseminated widely through the media and on social networks by other government officials, including the prime minister and president.
The Blame Game
For any government, it is important to craft its messaging carefully and deliberately around the attribution of cyberattacks; that is, determining and stating who was responsible for them. Attribution takes time. Some of the world’s most prominent cyberattacks of recent years have taken many months to attribute because determining who committed the cyberattacks is a painstaking process that does not take place overnight. Initially in Albania, pro-government media blamed Russia for the cyberattacks, while former prime minister and opposition leader Sali Berisha blamed the cyberattack on “the ineptitude of the government rather than Russia.” Berisha criticised the e-Albania portal as too centralised while lacking sufficient “policing against cyber crime.” Though the technological underpinnings of the cyberattacks would later be investigated with highly specialised international assistance, as time has shown, premature attribution to Russia was ultimately untrue. It is highly problematic for pro-government media or government officials to be publicly speculating and sharing misinformation in times of crisis. It has been well-documented that, regionally, the Balkan states have pre-existing issues with mistrust of government. This was a concern voiced widely when Albania rolled out its digital governance platform.
Creating An Effective Institutional Setup
Cybersecurity is not a traditional government portfolio like finance, foreign affairs, or interior, but a relatively new and critical field. In Estonia, the purview for cybersecurity falls between several ministries including foreign affairs, defence, and economic affairs. All of this sits alongside the information authority, the Riigi Infosüsteemi Amet (English: State Information System Board). These institutions understand that their responsibility within the larger cybersecurity landscape is specific and clearly delineated. Historically, this has not always been the case. In 2007, DDoS cyberattacks disrupted the Estonian government, news media, and bank websites over a period of three weeks. These cyberattacks highlighted the need for future institutional support for cybersecurity. The Cyber Defence Unit of the Estonian Defence League was created in the cyberattacks’ aftermath, a new National Cybersecurity Strategy was written to give the government strategic direction on cybersecurity, and changes to the criminal code were implemented to reflect the seriousness of the crime. Taking note from Estonia, in January 2023 Albanian Defence Minister Niko Peleshi said that a military cyber defence unit will become operational in 2023. He said: “the year 2023 will be the year when the military cyber defence unit will have completed 100% of its human capacities.” Albania may also need to look beyond this, reshaping an entire governmental infrastructure in order to properly equip it with the expertise and technology that can deal with the myriad of cybersecurity challenges that almost certainly lie ahead.
Training Experts and the General Public
As Peleshi noted, the Albanian government is seeking to significantly increase the number of cybersecurity experts in its ranks; however, these experts do not appear overnight. To achieve that goal, resources will need to be made available to train a new generation of experts. Yet it may be just as important to provide education on this matter to the general population as the primary users of digital technologies. Following the 2007 DDoS cyberattacks, Estonia similarly realised that it would need increased expertise in cybersecurity amongst government ranks. In the aftermath of the cyberattacks, new educational opportunities were created, including the first cybersecurity Master’s programme in the country.
Looking to the Future of Albania
For the general populace, this training typically meant basic cyber hygiene awareness concerning the use of e-governance platforms and other online provisions. In Estonia, the Tiger Leap of the 1990s, which taught ICT skills in school classrooms, led to a digitally-savvy generation now approaching their 40s. However, this still left a large portion of the population who had aged out of the educational system. The Estonian government targeted this segment of the population via a Digital Lifelong Learning Strategy, aimed at teaching digital skills. These are practices that Albania might adopt, while adapting them to the local intricacies that may be different from Estonia. Estonia harnessed past cyber incidents to bolster its cybersecurity. Looking into a future where more frequent and more severe cyberattacks are likely, Albania may be able to follow the process Estonia has embarked on.