By Besmir Semanaj
Cybersecurity cannot be built on secrecy, institutional arrogance, and fear of criticism. In a democratic state, transparency is not only an obligation, but also a guarantee of public trust and effective protection.
Public Reaction on the AKSK Statement on the Cyber Incident in Tirana Municipality
Tirana, June 20, 2025
The statement distributed by the National Cyber Security Authority (AKSK) on the cyber incident that affected the infrastructure of the Municipality of Tirana raises serious concerns regarding the lack of transparency, the mixing of technical and investigative powers, and the attempt to limit public information and independent criticism.
Repeated incident in a context of non-accountability
This incident is not an isolated case. Albania has been the target of numerous cyberattacks in the last three years, including:
• The 2022 attack on government infrastructure, for which the Albanian government directly accused a foreign state;
• The attack on the State Police TIMS system in 2023, which temporarily paralyzed the border system and international operations;
• Numerous cases of interruptions and suspicious intrusions into municipal systems, government portals, and public service databases.
In none of these cases have the authorities provided full technical reports, independent audits or transparent public notices on:
• The cause of the attack;
• Damages caused;
• Lessons learned;
• Measures taken to prevent recurrence.
This institutional irresponsibility has raised ongoing concerns among the expert community, digital rights organizations, the media, and Albania's international partners.
⸻
Lack of transparency in the AKSK statement
The statement for the Municipality of Tirana follows the same pattern as the above cases: it contains only general phrases such as “incident”, “measure”, “coordination”, but does not provide:
• Type of attack (ransomware? unauthorized access? data destruction?);
• The identity of the affected systems;
• Whether personal or sensitive data has been affected;
• Whether the attack is under control, active or ongoing.
Such a statement serves neither as a warning, nor as digital education, nor as support for understanding their vulnerability to citizens. Moreover, the lack of transparency prevents even the expert community from helping or objectively analyzing the situation.
⸻
Conflicts of interest and lack of independence in the investigation
AKSK announces that the incident is being handled in cooperation with the State Police and AKSH. This is a repeated problematic practice:
• The State Police is not equipped for technical analysis of malware or digital forensics at the critical infrastructure level – its role should be limited to the investigative phase, not the technical one.
• AKSH is an infrastructure provider for many of the affected institutions – its presence as an “analyzing” party is a clear conflict of interest.
In a state with democratic standards, handling incidents of this nature would require an independent technical audit, the publication of an official report, and the engagement of external expertise.
⸻
Attempts at indirect control and censorship
Most worrying is the closing of the AKSK statement with the phrase:
"For any official information, citizens and the media are invited to refer only to the official channels of AKSK."
This is an attempt to silence the media and independent experts, who, unlike state bodies, have an essential role in public oversight, citizen information, and critical analysis.
The state has no right to monopolize information about incidents affecting citizens and their data. Such an approach violates freedom of expression, access to information, and sets a dangerous authoritarian precedent for covering up systemic problems in the digital public sector.
⸻
Immediate demands for the government and responsible institutions
I call on central and local institutions, the Parliament and independent bodies to demand:
1. Immediate publication of a preliminary technical report with basic information about the incident;
2. Engaging independent expertise to audit the security measures of the Municipality of Tirana and other affected entities;
3. Establishing an external board for transparency and accountability towards cyber incidents with public impact;
4. Drafting and implementing a protocol for public notification in cases of incidents, in accordance with Law No. 18/2018 and GDPR.
