REPORT ON CYBERSECURITY MATURITY LEVEL IN ALBANIA CONTENTS DOCUMENT ADMINISTRATION ..................................................................................................................... 3 LIST OF ABBREVIATIONS .............................................................................................................................. 4 EXECUTIVE SUMMARY ....................................................................................................................... 6 INTRODUCTION ................................................................................................................................ 14 DIMENSIONS OF CYBERSECURITY CAPACITY .................................................................................................. 15 STAGES OF CYBERSECURITY CAPACITY MATURITY .......................................................................................... 16 METHODOLOGY - MEASURING MATURITY ................................................................................................... 17 CYBERSECURITY CONTEXT IN ALBANIA ............................................................................................ 20 REVIEW REPORT............................................................................................................................... 22 OVERVIEW ............................................................................................................................................. 22 DIMENSION 1 CYBERSECURITY STRATEGY AND POLICY .................................................................... 23 D 1.1 NATIONAL CYBERSECURITY STRATEGY ................................................................................................ 23 D 1.2 INCIDENT RESPONSE ....................................................................................................................... 25 D 1.3 CRITICAL INFRASTRUCTURE (CI) PROTECTION....................................................................................... 27 D 1.4 CRISIS MANAGEMENT ..................................................................................................................... 29 D 1.5 CYBER DEFENCE ............................................................................................................................. 30 D 1.6 COMMUNICATIONS REDUNDANCY ..................................................................................................... 31 RECOMMENDATIONS ............................................................................................................................... 32 DIMENSION 2 CYBERSECURITY CULTURE AND SOCIETY.................................................................... 37 D 2.1 CYBERSECURITY MIND-SET ............................................................................................................... 37 D 2.2 TRUST AND CONFIDENCE ON THE INTERNET ......................................................................................... 38 D 2.3 USER UNDERSTANDING OF PERSONAL INFORMATION PROTECTION ONLINE ............................................... 40 D 2.4 REPORTING MECHANISMS ............................................................................................................... 40 D 2.5 MEDIA AND SOCIAL MEDIA .............................................................................................................. 41 RECOMMENDATIONS ............................................................................................................................... 42 DIMENSION 3 CYBERSECURITY EDUCATION, TRAINING AND SKILLS ................................................. 45 D 3.1 AWARENESS RAISING ...................................................................................................................... 45 D 3.2 FRAMEWORK FOR EDUCATION .......................................................................................................... 47 D 3.3 FRAMEWORK FOR PROFESSIONAL TRAINING ........................................................................................ 48 RECOMMENDATIONS ............................................................................................................................... 50 DIMENSION 4 LEGAL AND REGULATORY FRAMEWORKS .................................................................. 53 D 4.1 LEGAL FRAMEWORKS ...................................................................................................................... 53 D 4.2 CRIMINAL JUSTICE SYSTEM ............................................................................................................... 57 D 4.3 FORMAL AND INFORMAL COOPERATION FRAMEWORKS TO COMBAT CYBERCRIME ...................................... 59 RECOMMENDATIONS ............................................................................................................................... 60 DIMENSION 5 STANDARDS, ORGANISATIONS AND TECHNOLOGIES ................................................. 64 1 | Cybersecurity Capacity Review of Albania, 2018 D 5.1 ADHERENCE TO STANDARDS ............................................................................................................. 64 D 5.2 INTERNET INFRASTRUCTURE RESILIENCE .............................................................................................. 67 D 5.3 SOFTWARE QUALITY ....................................................................................................................... 68 D 5.4 TECHNICAL SECURITY CONTROLS ....................................................................................................... 68 D 5.5 CRYPTOGRAPHIC CONTROL............................................................................................................... 69 D 5.6 CYBERSECURITY MARKETPLACE ......................................................................................................... 70 D 5.7 RESPONSIBLE DISCLOSURE ............................................................................................................... 71 RECOMMENDATIONS ............................................................................................................................... 71 ADDITIONAL REFLECTIONS ........................................................................................................................ 75 2 | Cybersecurity Capacity Review of Albania, 2018 DOCUMENT ADMINISTRATION Lead researchers: Dr Maria Bada, Mr. Faisal Hameed Reviewed by: Professor William Dutton, Professor Michael Goldsmith, Dr Jamie Saunders, Professor Basie Von Solms and Professor Federico Varese Approved by: Professor Michael Goldsmith Version Date Notes 1 9/10/2018 First Draft 2 31/10/2018 Submitted to WB 3 2/11/2018 Second draft addressing comments from WB 4 15/01/2019 Second draft addressing comments from Albania 3 | Cybersecurity Capacity Review of Albania, 2018 LIST OF ABBREVIATIONS AF Air Force AKEP Authority of Electronic and Postal Communications AKCESK The National Authority for Electronic Certification and Cyber Security AKCE National Authority for Electronic Certification AKSHI National Agency for Information Society ALCIRT National Cyber Security Agency (The national Computer Incident Response Team for Albania), now part of AKCESK AMF Financial Supervisory Authority (financial market regulator) ANSP Albania Air Navigation Service Provider or Albcontrol BSH Bank of Albania CBMs Confidence Building Measures CEO Chief Executive Officer CI Critical Infrastructure CMM Cybersecurity Capacity Maturity Model CNI Critical National Infrastructure CPC Criminal Procedure Code CRCA The Children's Human Rights Centre of Albania CSIRT Computer Security Incident Response Team CSDP Common Security and Defence Policy DDoS Distributed Denial of Service DR&BCP Disaster Recovery & Business Continuity Planning DRC Disaster Recovery Centre DSIK Department of Classified Information Security ENISA European Union Agency for Network and Information Security ESDC European Security and Defence College EU European Union EUROJUST The European Union's Judicial Cooperation Unit GDPR General Data Protection Regulation GCSCC Global Cyber Security Capacity Centre HIDS Host Intrusion Detection Systems 4 | Cybersecurity Capacity Review of Albania, 2018 ICSE International Cyber Shield Exercise ICT Information and Communication Technologies IIIs Important Information Infrastructures IGF Internet Governance Forum ISSIS Cross-cutting Strategy for the Information Society ISO International Organization for Standardisation ISP Internet Service Provider ITU International Telecommunication Union LOTL European List of Trusted Lists MITIK Ministry for Innovation in Information and Communication Technology MoD Ministry of Defence MOU Memorandum of Understanding NAEC The National Authority for Electronic Certification NAIS The National Agency for Information Society NGOs Non-governmental organizations NATO North Atlantic Treaty Organisation NCIRC NATO Cyber Incident Response Centre NCS National Cybersecurity Strategy NIDS Network Introduction Detection Systems NIS Directive The EU Network and Information Systems Security (NIS) Directive OSCE Organisation for Security and Cooperation in Europe OST Transmission System Operator (of Albania) PhD Philosophiae Doctor (doctor of philosophy) PKI Public Key Infrastructure SMEs Small and Medium Enterprises SSL Secure Sockets Layer TAIEX Technical Assistance and Information Exchange instrument of the European Commission TLS Transport Layer Security UNODC United Nations Office on Drugs and Crime VPNs Virtual Private Networks 5 | Cybersecurity