DCAF Young Faces 2016 – “Strategic cybersecurity policy development in Southeast Europe”

Cybersecurity in Albania: a Multistakeholder Approach

AUTHOR: Desara Dushi*

Article · January 2017 (uploaded to ResearchGate by Desara Dushi, Epoka University, on 22 March 2017): https://www.researchgate.net/publication/315495692

Executive Summary

Cybersecurity in Albania is a new field which has brought new challenges and threats through digitalization and connectivity. Currently, approximately 60% of the Albanian population are internet users.[1] The new Agenda on Digitalization of public services, together with the positive impact in the EU integration process, brings new challenges which cannot be faced by the government alone. Cybersecurity is a field that involves many stakeholders, and responding effectively to cyber threats requires cooperation among them.

The aim of this brief is to describe the current multistakeholder involvement in the cybersecurity of Albania and to promote the idea that better answers are reached when a range of experts can discuss and cooperate with each other for common goals, even if different interests are at stake. It will start with a short overview of the legal basis on which multistakeholder cooperation in the country can be achieved. The policy brief will continue with an analysis of the current involvement of different stakeholders in the development of cybersecurity in Albania, especially their involvement in the drafting of the new draft strategy on cybersecurity. The brief will conclude with recommendations highlighting the need for well-balanced coordination among activities of state and non-state actors in cybersecurity measures and for the increased involvement of all stakeholders in the development of cybersecurity and better protection from cyber threats.

OVERVIEW OF CURRENT POLICY

Cyberspace is a very dynamic area and requires adequate control in order to prevent its negative effects, which can cause serious cybersecurity damage to both governments and individuals. Like every country, Albania is susceptible to cybercrime and attacks against cybersecurity, thus it should take action to prevent cybercrime and maintain a secure and safe cyberspace. Since cyberspace is a dynamic environment with new challenges and threats coming up at every moment, Albania’s cybersecurity policy must be equally dynamic and flexible enough to effectively respond to any kind of cyber threat.

The concept of cybersecurity and cyber threat response in Albania is very recent. However, we are witnessing a very rapid increase of information and communication technologies (ICTs) in the country, especially in the last two years, where the number of ICT users by broadband 3G/4G access from 2014 to 2016 has increased by 32.6%, currently reaching 64.7% of the population.[1] The increase in users and usage also points to the higher risks that the Albanian population faces in cases of weak cybersecurity policies, risks that include but are not limited to: data theft (credit cards, passwords or other personal data), identity theft, botnet attacks, Distributed Denial of Service (DDoS) attacks, copyright infringement, online grooming and even production and distribution of child pornography. According to police reports, in 2014 alone 180 criminal acts classified as cybercrimes were detected in the country, out of which 53 were in the ICT field and 127 committed through computer systems.[2]

In November 2014 the Ministry of Defense (MoD) adopted its Strategy for Cyber Defense. One of its main objectives is the creation of partnership with the IT business sector for guaranteeing security and stability of the infrastructure, computer systems, products and services. Besides IT businesses, the MoD pays attention to the collaboration with other public institutions on cyber defense, with academia on research and innovation in the field, and with the private sector on training and fundraising.[3] Another important document adopted the same year, the Strategy of National Security 2014-2020, pays specific attention to fostering cyber security and protection against cybercrime. This strategy highlights that cyber threats in the country are increasing and thus urges the drafting and implementation of policies against cybercrime, especially for the protection of networks of classified information in the army and civil area.[4]

In December 2015 the government adopted the Document on Cyber Security Policy 2015-2017, which aims to coordinate the duties and responsibilities of all actors involved in the maintenance of a secure cyberspace. Among the basic principles of cybersecurity listed in this document are also the collective responsibility among all users of cyberspace, including not only government institutions but also the private sector and citizens; collaboration and coordination among all stakeholders (interinstitutional collaboration, public-private collaboration and even collaboration with academia is included); and international cooperation.

Strengthening of partnerships with different responsible stakeholders is one of the strategic objectives of this Document.[5] The Document then describes in more detail the fields of collaboration with different stakeholders, such as: strengthening the collaboration with Internet Service Providers as regards the treatment of cyber incidents and measures for blocking the access to websites with illegal content; collaboration with civil society regarding the online safety of children; collaboration with academia on the opening of specialized study programmes about cybersecurity; and collaboration with the banking sector which, according to this document, should be present in any legal or technical initiative taken in the field of cyber security. The Document puts the responsibility on the government to create the conditions and to encourage the private sector, NGOs and Critical Information Infrastructure (CII) operators to engage in the processes of legislation improvement, CII identification, strengthening of human resources, meetings with representatives of public and private institutions, project creations and public discussions about legislation, creation of public-private partnerships and involvement in the monitoring of the results of the Document.[6]

In 2014, the Albanian government adopted an inter-sectorial strategy called “Albanian Digital Agenda 2015-2020”, which established as part of the basic principles for the development of the digital agenda the public-private collaboration and partnership and inter-sectorial, local-central, regional and international collaboration.[7] On 9 November 2016 the European Commission launched the Albania 2016 Progress Report on EU enlargement policy, with a chapter related to information society and media. According to this report, Albania is making continuous efforts towards the implementation of the 2015-2020 digital agenda and the national plan for broadband development.[8] A new law on electronic identification and trust services was adopted in October. Amendments to the law on e-commerce suggest further alignment with the acquis. The number of e-government services provided through the e-Albania.al portal increased, as well as the number of users and electronic payments carried out.[9] The administrative capacity of the National Agency for Information Society was strengthened with 20 employees.[10]

The government of Albania has also just started a new initiative trying to engage civil society living abroad in the cybersecurity development of the country by creating a network of Albanians living abroad who are engaged in cybersecurity in all sectors. As such, on 19 November 2016 the Ministry for Innovation and Public Administration organized the first Summit of the Albanian Diaspora, with the intention of creating a network of successful Albanian citizens living abroad, in order to increase their involvement in the country’s development. One of the main topics discussed at the summit was innovation in the direction of e-commerce and digital economy, which require a strong network and online security development.

In December 2016, the second National Security Forum was held in Tirana, where the National Agency for Cyber Security (ALCIRT) presented the draft Law on Cyber Security, which was drafted in cooperation with the Ministry for Innovation and Public Administration (MIPA). This draft law provides for the creation of a National Authority for Cyber Security (NACS) as the central authority for monitoring and implementing this law and other regulations related to the law. NACS will replace ALCIRT and will be the central national contact point of the country when it comes to cyber security, serving directly under the Prime Minister. This authority is responsible for coordinating the public-private collaborations between operators of CII, operators of Important Information Infrastructure and other public or private stakeholders engaged in cyber security, and for the creation of awareness and educational activities in the field of cyber security.[11] The draft law, which is currently being reviewed by the Parliament, describes organizational and technical measures that each institution should respect in order to ensure cyber security, ranging from the management of risks, the persons who have access to information and verifying the identity of users to the physical security of the equipment and the use of cryptography.[12]

WHY THE MULTISTAKEHOLDER APPROACH?

A multistakeholder approach is used in many areas as an accepted international norm. It results in high effectiveness on issues where:

- Decisions impact a wide range of people and interests;
- There are overlapping rights and responsibilities;
- Different forms of expertise are needed;
- Decisions directly impact implementation.[13]

The Internet, as a very dynamic medium, fulfills all the above criteria. It is used by a very wide range of people and affects all of its users and their different interests. Different stakeholders have rights and responsibilities which often overlap with each other. Digital security is not simply a technical issue, but also an economic and social issue; all stakeholders are responsible for managing digital security risks. Internet governance includes a wide range of actors, all of which influence effective decision-making and implementation according to their respective roles and the context.

ANALYSIS OF MULTISTAKEHOLDER INVOLVEMENT

The key to strong cybersecurity is having integrated security solutions with a threefold approach: detection, removal, and prevention.[14] It is also important to follow good security practices and policies at every level.[15] Security is all about being aware and open to twists in the tale, and tackling them with the right foresight and quick after-action.[16] Investing in security solutions now is a must.

One of the main fields of investment that the Albanian government should focus on is increasing cooperation between different stakeholders, both public and private, comprising law enforcement, policy makers, the private sector (internet industry), academia and researchers. Such cooperation should be based on a solid legal framework that sets precise and balanced limits on the powers of each stakeholder, especially of law enforcement to access data held by private sector entities on the basis of the Convention on Cybercrime, which Albania ratified in 2002, as well as applicable standards of human rights and the rule of law. A key factor to make multistakeholder cooperation work efficiently is the dialogue between the government, industry and all the other stakeholders in order to keep a balanced approach between the need for strong cybersecurity and protection against cybercrime and the protection of the private life of individuals.

This is noticeable when examining the best practices of other countries, where all the most successful initiatives in achieving a satisfactory level of cyber security involve several stakeholders working together. It is worth mentioning here the Dutch Cyber Security Council, which has a strong public-private partnership due to its composition, which includes members from government, industry, and the scientific community. It monitors the National Cyber Security Strategy and gives advice to the government and society.[17]

The new draft Law on Cyber Security in Albania, mentioned in the above section, provides for the creation of a central authority for cyber security but it does not mention any criteria about its composition. This authority could be a very good opportunity for the development of a multistakeholder approach if its members were representatives not only of the government but also of the private sector, academia, NGOs, IT business, banking, law enforcement, and even think-tanks, each of them having an equal voice.

Such an approach of creating a council of representatives from all stakeholders is very effective because it makes possible a continuous dialogue among stakeholders through regular meetings, keeping all stakeholders updated with new threats and developments. Besides, it also makes possible the tackling of issues from various angles, thus increasing the productivity of the results. For reaching the highest results, a balanced composition of such a council is mandatory; each stakeholder should be represented and should have a voice.

Obviously, collaboration between different stakeholders is not an easy task, especially considering their different interests and operating methodologies. Not only should this kind of council have a clear position in the cyber security dialogue and policy development of the country, but the same should apply to each stakeholder. Their responsibilities and duties should be precise and clear, in order to avoid overlap and conflict among the stakeholders.

The first and most important task of this dialogue among stakeholders in Albania would be the creation of a list of Critical Information Infrastructure for the country, followed by the drafting of a cybersecurity strategy, which is still non-existent, thus creating many difficulties and obstacles for the tackling of cybercrime and the development of cyber security. Recently, the Albanian government has been focusing on the development of e-government but is lacking in the development of cyber security measures and awareness, putting the country in a very critical situation and making it an easy target for cyber threats. Getting IT business and academia engaged in the development of e-government would result in a more secure infrastructure and the ability to mitigate possible future risks by creating protective mechanisms.

In Albania, there is a general lack of trust among different stakeholders, making the cooperation even more difficult. For this reason, I think that the best method of cooperation would be through formal, regular and transparent meetings. This would allow all stakeholders to be included, thereby building confidence among them, which is crucial for reaching compromises on information sharing in cyber security issues.

CONCLUSION

The experience accumulated by several successful initiatives described above demonstrates that, in order to be effective, any cybersecurity initiative depends on collaboration among different stakeholders, and it cannot be achieved only by a single organization or structure. A multistakeholder approach in regulating national cybersecurity is crucial for Albania. It is fundamental for creating a stable, secure and transparent management of such a critical environment as the Internet.

Albania is still in its early stage of cyber security initiatives and action should be taken rapidly. While laws are reasonably good and compliant with EU standards, implementation is very weak, resulting in very weak cybersecurity awareness and protection. The Albanian government, in addition to traditional security and defense strategies, needs to improve its awareness of the multistakeholder nature of the Internet and the vital importance of cooperation to address security threats.

Transparency and inclusiveness are essential elements for effective collaborative decision-making. Those significantly affected by a decision should have the chance to be involved in making it. For this reason, all stakeholders should have a shared understanding of the importance of transparency and collective responsibility in the quality of outputs for the cyber security of the country. Clear shared goals among experts of different fields, defined objectives and outlined core principles help build consensus, ease the monitoring process and produce more effective results.

Acknowledgement: Research presented in this paper by the author is conducted as part of PhD research at Mykolas Romeris University, within the Erasmus Mundus Joint International Doctoral (Ph.D.) Programme in Law, Science and Technology.

* Ms. Desara Dushi was a PhD Candidate at the Erasmus Mundus Joint International Doctoral Degree in Law, Science and Technology (LAST-JD) Programme, coordinated by University of Bologna and supervised by University of Luxembourg, when taking part in the DCAF Young Faces Network 2016 cycle. Research presented in this paper is conducted as a PhD researcher at Mykolas Romeris University, within the Erasmus Mundus Joint International Doctoral (Ph.D.) Degree Programme in Law, Science and Technology. All opinions and evaluations contained in the paper are those of the author and cannot be attributed to DCAF or any institution to which she is affiliated. The factual background for the paper might have been overtaken by events since late 2016.

http://www.dcaf.ch/Region/Southeast-Europe/DCAF-Southeast-Europe-Regional-Young-FacesNetwork

[1] Statistics taken from the Agency for Electronic and Postal Communications: http://akep.al/statistika
[2] Dokumenti i Politikave per Sigurine Kibernetike 2015-2017 (Document on Cyber Security Policy 2015-2017)
[3] See: Cyber Defence Strategy, Ministry of Defence
[4] See: Strategy on National Security 2014-2020, available at: http://www.mbrojtja.gov.al/qksm/strategji_sigurise_25mars_2014.pdf
[5] See: Dokumenti i Politikave per Sigurine Kibernetike 2015-2017
[6] Ibid.
[7] See: Albanian Digital Agenda 2015-2020, available at: http://akshi.gov.al/images/Strategjia_Axhenda_Dixhitale_e_Shqiperise_2015-2020.pdf
[8] European Commission, Albania 2016 Report: http://ec.europa.eu/enlargement/pdf/key_documents/2016/20161109_report_albania.pdf
[9] Ibid.
[10] Ibid.
[11] See: Draft law “On Cyber Security”, Art. 16, available at: http://www.inovacioni.gov.al/al/legjislacioni/konsultim-publik/konsultim-publik-per-projektligjin-persigurine-kibernetike
[12] Ibid. Art. 6
[13] Internet Society (2015) Internet Governance: Why the multistakeholder approach works?
[14] R. Kulkarni (2016) Network and Online Security: Emerging Threats and Solutions, available at: http://www.readitquik.com/articles/networking2/network-and-online-security-emerging-threatsand-solutions/
[15] Ibid.
[16] Ibid.
[17] See: https://www.cybersecurityraad.nl/indexenglish.aspx