DCAF Young Faces 2014 – Cybersecurity Winter School for the Western Balkans
ALBANIA’S VISION TOWARDS CYBER SECURITY
AUTHOR: Eranda BEGAJ*
Executive Summary
The purpose of this policy brief is to offer a detailed description of the current legal and
institutional framework of cyber security in Albania. The policy brief will start with a short overview
of Albania’s standing in the European Union (EU) processes and the development of electronic
communication. The brief will analyse the steps that need to be undertaken by the Albanian
government, aiming to fulfil EU standards and best practices in the area of cyber security. The
Albanian Parliament approved the Council of Europe Convention on Cybercrime on April 25, 2002.
In light of this, another aspect of this paper will examine the implementation of the Council of
Europe Convention in Albania and the need for coordination of all activities of state and non-state
actors relating to combating cybercrime.
This policy brief consists of three parts. The first part will provide an overview of Albania’s
development of telecommunications, internet and informatisation of society. The second part
offers a snapshot of the Albanian government’s efforts to implement fully the obligations that
derive from the Council of Europe Convention on Cybercrime.
The last part of the paper includes some recommendations on how the Albanian cyber
security area should be developed. The recommendations focus mainly on legislative aspects
and are based on the comparison of existing policy in the Council of Europe (CoE) and the EU on
the one side and the Albanian legal framework on the other side. Nonetheless, it is very crucial
that Albanian authorities also develop administrative actions.

BACKGROUND

Recalling that Albania is a candidate country[1] for EU accession, it must fulfil obligations
that derive from the integration process and will continue even after membership in the EU.
The EU is a dynamic organization under constant institutional and legal reform. Therefore,
Albania must pursue this dynamic process of integration, which requires political, economic
and legal stability as well as internal reforms, and adapt proper administrative structures.
In this context, aligning the Albanian legislation and setting up a proper institutional
framework in the area of cyber security is one of the main obligations that our government
needs to undertake in the EU integration processes.

[1] http://ec.europa.eu/enlargement/countries/detailed-country-information/albania/index_en.htm

However, speaking about cyber security,
we need to consider not only the
obligations that derive from the EU
integration process, but also the internal
need of our society; a need that is
coming from the rapid advancement of
technology in Albania and worldwide.
Our society is demanding safer and more
reliable services when using ICT tools.
Moreover, the increased use of ICT and
the internet is changing the whole society
by creating new means of connectivity,
communication, cooperation and
economic development through access
to cyberspace. This has contributed to the
continuous dependence of our society on
the use of these technologies.
Access to cyber space, along with its
positive effects, also increases the
potential risk of damage or misuse of data
and computer systems. As a result of
growing cyber threats, ensuring data
integrity, confidentiality and secure access
to cyberspace has become one of the
greatest challenges facing our society
today and is therefore an urgent national
security issue.

Albania is among the countries where the development of telecommunications, internet and
informatisation of society has advanced very quickly. The usage of information and
communication technology has increased significantly in recent years and, according to data
published by AEPC[2], there were 3.7 million active users of mobile services at the end of
2013. Penetration of mobile phones based on active SIM cards reached 130%. Access to
broadband Internet has experienced significant growth; fixed broadband connections increased
by 14% during 2013 and there has been similar growth in mobile broadband connections (card
and USB modem).

The increased usage of communication constitutes an added value to economic and social
development of the country. At the same time, however, it exposes state and non-state actors
to cyber risks. Cyber-attacks have the potential to severely damage the exchange of
information in public institutions, telecommunications and the financial and banking system,
causing disruption of vital services.

[2] Electronic Communication and Postal Authority: www.akep.al

ANALYSIS
The issue of cyber security is a new area for all countries; thus, relevant legal regulations
are recent everywhere. In 2010, the UK government inserted in its National Security Strategy
the concept of cyber-attack. In the same period, the United States adopted its strategy on
National Security[3]. In 2011, Canada launched its Cyber Security Strategy, as did the UK in
the same period[4].

[3] Tallinn manual
[4] Tallinn manual

In Albania, cyber security developments are at an earlier stage, but there are initiatives to
define and insert some standards in this light. The first measure in this regard was
introduced in 2002, when the Albanian parliament ratified the Council of Europe Convention on
Cybercrime.[5] Due to the ratification of the CoE Convention, there was an immediate need for
Albanian authorities to reflect the obligations derived from this initiative in the national
legal framework.

[5] Law no. 8888, dated 25.4.2002 “On the ratification of crime convention in the cybernetic
area”

In this light, the Albanian authorities worked on the issue and prepared detailed proposals
for necessary changes to Albanian law, in order to be in compliance with the Convention and
ensure the proper implementation of the legal provisions.

As the Convention on Cybercrime provides tools for cooperation and harmonization in criminal
matters, related to the concept of extradition of persons, amendments to the Albanian
criminal code were the initial need. The duty was to have a criminal code harmonised with the
Convention on Cybercrime. Therefore, the intervention was related to the penal code and the
procedural code.

After a detailed analysis of the current legislation, the Albanian authorities amended the
Criminal Code dealing with cybercrime, thus reflecting the obligations stemming from the
ratification of the Convention on Cybercrime. The following laws that reflect this change are
in force today:

• Law no. 10023, dated 27.11.2008, “On some amendments and changes on Law no. 7895, dated
  27.1.1995, ‘Penal Code of Republic of Albania’”, amended
• Law no. 10054, dated 29.12.2008, “On some amendments and changes on Law no. 7905, dated
  21.3.1995, ‘Penal Procedure Code of Republic of Albania’”, amended

Currently, the Albanian legislation[6] foresees provisions for the following criminal
offences:

• Computer dissemination of materials in favor of genocide or crimes against humanity;
• Intimidation with racist and xenophobic motives through computer systems;
• The distribution of racist or xenophobic material through computer systems;
• Computer-related fraud;
• Computer-related forgery;
• Unauthorized computer entry;
• Illegal interception of computer data;
• Interference with computer data;
• Interference in computer systems.

[6] Law no.9859, dated 01.21.2008 “On some additions and amendments to Law no 7895, dated
27.1.1995 "Code of the Republic of Albania", as amended.

The above legal provisions defined cybercrime criminal offenses as specified in the CoE
Convention. However, there is no provision related to the infringement of copyright and
related rights as required by the CoE convention. The Albanian Authorities are currently
proposing some initiatives in this regard.

Moreover, the establishment of the National Agency for Computer Security (ALCIRT) on
14 September 2011, with the Decision of the Council of Ministers (DCM) no. 766, was another
important step towards consolidating the institutional framework.

The mission[7] of the Albanian ALCIRT is to identify, anticipate and take measures to protect
against threats/cyber-attacks, in accordance with the legislation in force. This clearly
defines the need for proper legislation in the area of cyber security. Consequently, there is
a major gap in the correct implementation of DCM no. 766, because the legal framework in this
area is not yet in place.

[7] http://www.cirt.gov.al/alcirt

In Albania there is no strategy or policy document; there is still a lack of clear vision and
specific objectives for the Albanian government in controlling cyberspace. However, as stated
in the European Commission Progress Report 2014, “as regards the fight against cybercrime, a
working group tasked with drafting a policy document on cybercrime has been set up”.[8] The
working group established for drafting this policy document has already launched the first
version of this important document with all actors involved. It foresees, inter alia,
measures for the development of this sector, such as:

• Complete the legal framework in the field of cyber security;
• Increase awareness of cyber security;
• Increase the level of knowledge, skills and capacities of expertise in cyber security;
• Identify the Critical Information Infrastructure Protection in Albania;
• Increase security infrastructure networks/state systems;
• Implement minimum safety requirements;
• Strengthen the partnership with other responsible actors nationally and internationally.

[8] Albanian Progress Report 2014 issued by the EU Commission:
http://ec.europa.eu/enlargement/pdf/key_documents/2014/20141008-albania-progress-report_en.pdf

On the other hand, the Progress Report 2014 states that “Police and prosecution officials
need to receive specialised training. The number of prosecutions for cybercrime increased,
but is still low”. The Report recalls a very important aspect that the Albanian government
should bear in mind; it needs to have all the measures to react properly. Strengthening the
administrative capacity is a key element for success in combating and preventing cybercrime.

Unfortunately, the Albanian administration suffers from a lack of stability due to political
changes[9], which put the continuity of reforms in the area of cyber security in real danger.
Continuous public administration restructuring, lack of adequate staff, lack of expertise and
professionalism remain the main factors that hamper further development in this sector.
However, Albania had a good basis to develop the necessary human capital for reform in the
cyber security area. Public administration is the main driver for developing cyber security
in Albania and an efficient and professional administration definitely will give a new
impetus to this area. Therefore, special attention by the Albanian government should be given
in this light.

[9] In 2013, with the new government in force, around 380 civil servants in central
institutions were dismissed, resigned or put on waiting lists and around 100 were downgraded
out of a total of 1 392 current civil servants. There were also an estimated 5 200 dismissals
and resignations in subordinate institutions and agencies.

RECOMMENDATIONS
Through this last part of the paper, I would like to give some recommendations on how the
Albanian cyber security area should be further developed. These recommendations focus mainly
on legislative and institutional aspects and are based on the comparison of existing policy
in the Council of Europe and the EU on the one side and the Albanian legal framework on the
other side.

However, it is very crucial that Albanian authorities develop administrative actions. For
example, the authorities should form an ad-hoc response group, consisting of representatives
of the government and experts, to respond to any possible attack or crisis.

The policy document on cyber security in Albania is broadly in line with the EU strategy for
cyber security; both strategic documents foresee investigating and combating cybercrime.
However, the EU strategy focuses its effort on fostering research and development,
investments and innovation, while the Albanian policy document does not foresee any provision
in this regard.

The EU strategy includes definitions such as cyber resilience, cybercrime and cyber defense.
The Albanian policy document is missing a definition of cyber resilience. It is crucial that
this area be part of the actions of the responsible Albanian CIRT. Moreover, the capability
of Albanian authorities to deal with cyber incidents remains unclear; this is something we
still need to properly address. It is very important to establish a well-functioning legal
and institutional framework in Albania. In this light, the development of cyber-defence
policies should be kept in mind as an action that the Albanian Government needs to address
very soon.

Another immediate step towards consolidating the protection of Albanian cyber space is the
establishment of a Cyber Security Council. As incidents happening in this area, such as cyber
espionage or state-sponsored attacks, seem to be very complicated or have national security
implications, there is an immediate need for strong collaboration between all national actors
and, most importantly, international ones. At the national level, the Albanian government
should be aware of the importance and potential of the private sector in ensuring security.

Fostering international cooperation and coordination is essential for guaranteeing cyber
security. Therefore, a strong partnership between all actors is needed in order to meet the
challenges posed in this field. Recalling that Albania is a NATO member country and an EU
candidate country, Albania actively participates in cyber security initiatives and programs
worldwide.

Nonetheless, in my opinion, regional communication and cooperation in the Western Balkan
countries would be a very good initiative to respond to possible large-scale cyber-attacks.

Improving cyber literacy, starting an
awareness and education campaign, is
another area where the Albanian
authorities must make considerable efforts. The
digital culture is not very advanced;
Albanian authorities need to invest in
order to create awareness among public
institutions and society in general on
offline and online dynamics.
CONCLUSIONS
To conclude, I would like to recall the very
complex nature of the cyber sector, and
the Albanian authorities’ need to protect
and exercise their sovereignty over cyber
space. As a first step, a proper legal
framework and adequate capacity to
cope with this very complex area are
needed.

Aiming to facilitate the understanding of the above-mentioned recommendations regarding the
process of establishing an effective cyber security framework in Albania, I would like to
present below an action plan for mitigating cyber security threats in Albania.

The action plan presents the measures that need to be undertaken in the order of highest
priority. The measures proposed focus on the elements of the institutional and legal
framework that need to be established or further developed. Moreover, aiming for smooth
implementation of the proposed action plan, a clear division of institutional
responsibilities is foreseen.

| Measures proposed | Responsible Institutions |
|---|---|
| Form an ad-hoc response group | Government (ALCIRT[10], NAIS[11], Line Ministries CIO) and external experts |
| Form a Cyber Security Council (leading the orientation of cybersecurity framework) | Relevant government officials headed by the PM or deputy PM |
| Assign a CISO (Chief Information Security Officer) for each ministry to be the focal point for contact with the Council and with the CERT | Line Ministries |
| Strengthen Albanian CIRT capacity (an information sharing and analysis center, coordination with international Computer Emergency Response Teams and national cooperation between the private and public sector, conducting of rigorous cyber drills) | CoM[12], Ministry of Innovation and Public Administration, ALCIRT, ASPA[13] |
| Establish a Computer Incident Response Team (CIRT) in the National Agency for Information Society. The CIRT will handle the protection of the state information systems necessary for the provision of vital services. | CoM, NAIS |
| Start an awareness and education campaign | Relevant private sector companies, Internet Companies and government |
| Adopt a National Strategy of Cyber Security and National Strategy of Protection of Critical Infrastructure and action plans (An inventory of critical infrastructure needs to be compiled) | CoM (Minister of Innovation and Public Administration, ALCIRT) |
| Establish the legal framework on information security | CoM, Line Ministries, Parliament with the contribution of ALCIRT |
| Adopt technical and organizational standards and security policy | Line Ministries, CI, private sector (ISPs, telecom operators) |
| Organize capacity building for government cyber security trainers | CoM, consultants |
| Oblige CI companies to form their own cyber security operation center | CoM, Internet Companies |
| Oblige CI companies to conduct regular security audits | CoM, Internet Companies |

[10] National Agency for Computer Security
[11] National Agency for Information Society
[12] Council of Ministers
[13] Albanian School for Public Administration

BIBLIOGRAPHY
EU Digital Agenda
http://ec.europa.eu/digital-agenda/ (accessed 20.03.2015)

“Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace”,
February, 2013
http://eeas.europa.eu/policies/eu-cyber-security/cybsec_comm_en.pdf (accessed 20.03.2015)

“Proposal for a Directive of the European Parliament and of the Council concerning measures
to ensure a high common level of network and information security across the Union”,
February, 2013
http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52013PC0048&from=EN (accessed 20.03.2015)

United States Department of Justice, Computer Crime & Intellectual Property Section
http://www.justice.gov/criminal/cybercrime/ (accessed 20.03.2015)

Policy document for cyber security in the Republic of Albania
http://www.cirt.gov.al/dokumenta/ligje/dokumenti_politikave_draft_version.pdf (accessed 20.03.2015)

“EC Progress Report 2014 for Albania”, October, 2014
http://ec.europa.eu/enlargement/pdf/key_documents/2014/20141008-albania-progress-report_en.pdf (accessed 20.03.2015)

European Union Agency for Network and Information Security
https://www.enisa.europa.eu (accessed 20.03.2015)

Council of Europe Convention on Cybercrime
http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm (accessed 20.03.2015)

Tallinn Manual
https://ccdcoe.org/tallinn-manual.html (accessed 20.03.2015)

Law no. 8888, dated 25.4.2002 “On the ratification of crime convention in the cybernetic
area”

Law no.9859, dated 01.21.2008 “On some additions and amendments to Law no 7895, dated
27.1.1995 "Code of the Republic of Albania", as amended.

Law no. 8888, dated 25.4.2002 for ratification of the "Convention on cybercrime”

* Ms. Eranda Begaj was the Head of the Integration Unit at the Electronic Communication, Postal
and Integration Directorate in the National Agency on Information Society of the Republic of
Albania when taking part in the DCAF Young Faces Network 2014 cycle. All opinions and evaluations
contained in the paper are those of the author and cannot be attributed to DCAF or any institution
to which she is affiliated. The factual background for the paper might have been overtaken by
events since early 2015.
http://www.dcaf.ch/Region/Southeast-Europe/DCAF-Southeast-Europe-Regional-Young-Faces-Network