A Series of Unfortunate Events: A Take on Albania’s Lack of a Cyber Responsiveness

July 26, 2022

Day 456 of the unfortunate events of Albania’s entanglement with technological advancement. (Read as: Since the patron’s list was published.)

Understandably, as a recently digitized country, there are some difficulties operating in cyberspace. From the publication of the infamous patron list that reflected the presumed political affiliations of almost 1 million citizens, to people knowing what their neighbour is earning to someone learning the owner of the car that keeps taking their parking spot near the workplace – simply by searching in an Excel sheet, Albanian people have sighed “Why us” for some time already.

As an old Albanian saying goes, “If we cannot cry, we’re prone to laugh”, and the community has received the news that the government’s infrastructure has been hacked with a sense of humor. To untangle this web of allegations and suspicions about who did what, let’s go back to day zero: e-Albania was down.

 

Who turned off the Wi-Fi?

 

On June 18, 2022, Albania’s super techy IT team detected an attempted cyberattack from “outside the country”. It was perceived to be synchronized, sophisticated and complex. For this reason, AKSHI (Agjencia Kombëtare e Shoqërisë së Informacionit e Shqipërisë) followed its response protocols, which were to isolate the infrastructure and the government systems in order to protect the data stored in them. As a result, citizens have been unable to access public services and other online governmental websites, and people are urged to be understanding of the government and its effort to save the system and the data.

The conundrum is that only recently, Prime Minister Edi Rama introduced the initiative to digitalize the government infrastructure in Albania. The purpose was positive, as a means of combating corruption, but the execution, as expected, was flawed. With the initiative only three months in place, the country was paralysed by a cyberattack and people could not access the systems to continue with their everyday lives for more than three days. Besides that, the digitization of services affected marginalized groups and made them vulnerable to exploitation by other parties (public businesses or independent professionals) who have turned citizen mediation into a business vs. e-Albania.

In the end, no risk assessment of how this would impact the rights and access of certain groups, such as the elderly, people with disabilities, or people who lack digital literacy or access to the internet, was made public before the removal of the ADISA counters was decided, whether regarding access to public governmental services or the provision of a secure platform for the personal information of Albanian citizens. Above all, was the situation not severe enough to announce a state of cyber crisis?

Nevertheless, despite the government’s efforts to put the blame on the advanced technology of the cyberattacks, and to hide behind the justification that other countries have faced the same fate as us (typical response as an Albanian) – the fact that the Albanian government had not thought out a contingency plan for its digital initiative is perceived negatively.

Since there is yet to be a public declaration on what happened, and now that the government is back online (with some services still not accessible), let us draw a couple of hypotheses as to what might have happened, analyzing three scenarios:

  1. Malware in the system
  2. Botnets and DDoS, and
  3. A lack of secure infrastructure.

Possible scenarios for what might have happened

 

Scenario 1: Malware in the system

 

Malware is defined as:

“A computer program that is covertly placed onto a computer with the intent to compromise the privacy, accuracy, or reliability of the computer’s data, applications, or OS”.

It is perceived as the dominant cybersecurity threat, facilitated through ransomware and extortion campaigns. This scenario is based on the unconfirmed report by the news outlet Top-Channel that hackers had encrypted the folders as a response to Albania’s policy of hosting the Iranian opposition, and that they demanded 30 million euros in bitcoin as ransom. Prime Minister Rama dismissed this news as fake; nonetheless, for the sake of the argument, let’s consider this scenario in more depth.

A prominent example of a ransomware attack was the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system. The malware took advantage of vulnerabilities in Windows systems, removed user access by encrypting files, and demanded payment to grant access back. Employees’ computer stations were locked, their files were encrypted, and a timer-driven ransom demand was displayed on the screens of Windows users. This scenario is less plausible than the others, as a feature of this type of attack is the need to publicize it and let it be known that it is indeed a ransomware attack.

 

Scenario 2: Botnets and DDoS

 

Another hypothesis on the table as to what happened involves the use of botnets and DDoS. Botnets are:

“Special Trojan viruses to breach the security of several users’ computers, take control of each computer, and organize all the infected machines into a network of “bots” that the criminal can remotely manage.”

These distributed systems are put to work, often for hire, to conduct distributed denial of service (DDoS) attacks: servers are targeted with high volumes of legitimate packet requests until the traffic consumes resources like bandwidth or memory and the targeted servers can no longer respond. Services hosted on these servers are knocked offline temporarily, but DDoS attacks are not permanent, and impacts are often resolved once servers are brought back online. Nevertheless, downtime can cause significant economic, safety, or political costs.

 

Scenario 3: AKSHI’s lack of infrastructure

 

If either scenario is true, then the third scenario is true by default. AKSHI (National Agency for Information Society) is the Albanian institution with the mission to develop and administer the state information systems. The e-Albania portal, which serves as a gateway for any interested citizen to access services provided by public institutions in Albania via electronic means, was developed and is administered by AKSHI.

Admittedly, there is a consensus among Albanians that cybersecurity is not an easy challenge for any government, let alone that of a small country without adequate resources. Nevertheless, the question on many minds is how the government undertook the initiative to close all the service offices and digitalize the government, and whether it had done its checks and controls to ensure that this system is impenetrable.

In the National Cybersecurity Strategy 2020-2025, it is accepted that the government lacks the necessary tools to obtain cyber intelligence for law enforcement activities, and the human resources with adequate skills and qualifications to address cybersecurity challenges. Despite their aim to “guarantee cybersecurity at a national level through the protection of information infrastructure”, the reality proved otherwise.

Moreover, the expenditures required for the implementation of the Strategy, namely for the specific objectives of improving the legal framework and aligning it with European Union directives and regulations, strengthening critical and important information infrastructure, and enhancing information infrastructure to combat cybercrime, amount to 46,133,8491 ALL just for 2021-2022. When the time comes to measure the cost of this incident, there needs to be an investigation into whether the tax money has been properly spent (well, judging from the outcome – no comment).

It all boils down to the fact that the effects of a breach are significant because compromised usernames, personal information, ID number and passwords can be used in additional attacks, creating a sizable market for stolen credentials. As a result, this should be the last incident relating to data that is not followed by a thorough investigation and response to the numerous data breaches.

 

Back online – What is the order of business?

 

Since the government pages have become accessible to citizens, we can presume that the red alert has passed. While the period from the first hint of unusual activity on the servers to the final neutralization of the situation was an alarming one that called for urgency in restoring the services, the government and the prosecution will now go on the offensive to find out what happened and who did what.

The reality is that there is little to no data on the cybersecurity threat actors in Albania. Since we do not have any conclusive information, we can consider all the possibilities as to what happened, including human error, natural causes, technical faults, or attacks. Nevertheless, who did it might be difficult to establish.

Altogether, the Criminal Code provides an adequate legal basis to prosecute the perpetrator (if identified). If the incident is concluded to be a denial-of-service attack, the Code stipulates that the creation of serious and unauthorized obstacles to harm the function of a computer system is punishable with imprisonment for three to seven years.

Infection of IT systems with malware (including ransomware, spyware, worms, trojans and viruses) is punishable by imprisonment for six months to three years. For any other activity that adversely affects or threatens the security, confidentiality, integrity or availability of any IT system, infrastructure, communications network, device, or data, the Code provides that damage, deformation, change or unauthorized deletion of computer data, when done in regard to military computer data, national security, public order, civil protection, and healthcare or to any other computer data of public importance, is punishable by imprisonment for three to 10 years.

Interestingly, Law No. 2/2017, “On cybersecurity” provides that failure by an organization to implement cybersecurity measures does not constitute a criminal offence, but it is considered an administrative violation and is punishable by a fine.

The prolonged service disruptions have been felt by the entire population, and an assessment is still needed of the impact they have had on the work and lives of Albanian citizens. Nonetheless, it is doubtful how accountability will unfold, not only for those who committed crimes of national security, but also for those who failed to protect the system.

Fighting cybercrime should be more than resorting to ex ante legal measures. Instead, the government should learn from its countless lessons on security breaches that it needs to take a more holistic approach to securing the paramount element that we need in today’s society – the data.

In these conditions, we should definitely think of getting a new ID number.
