Iranian-backed attacks on Albania highlight need for Cyber Capacity Building

By Rear Adm. (Ret.) Mark Montgomery

Rear Adm. (Ret.) Mark Montgomery is a senior director at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies. He directs CSC 2.0, which works to implement the recommendations of the Cyberspace Solarium Commission, where he previously served as executive director.

EXPERT PERSPECTIVE — Albania, a NATO member state, cut diplomatic ties with Iran earlier this month after blaming Tehran for a cyberattack against Albanian government networks. It is an unprecedented response to a cyberattack that highlights the impact of such attacks and how they could rapidly move NATO into a crisis or contingency.

Cyber deterrence relies on both maintaining offensive cyber capabilities and improving the resilience of cyber networks. This reality reinforces the importance of building the cyber defense capabilities of NATO allies.

Albania says July’s ransomware attack destroyed government data and temporarily disabled digital services. A group calling itself HomeLand Justice, claiming to be Albanian citizens, claimed responsibility for the attack. The group said in a Telegram message that it was upset about the government’s decision to provide refuge to roughly 3,000 members of the Iranian opposition group Mojahedin-e Khalq (MEK), which the United States has designated as a terrorist group.

But in announcing his country’s decision to sever diplomatic ties, Albanian Prime Minister Edi Rama called the cyberattack “state-sponsored aggression,” explaining that investigations aided by Microsoft and the FBI provided “indisputable” evidence that four Iranian government-backed groups were responsible.

The United States and United Kingdom expressed agreement with Albania’s attribution, with Washington pledging to “take further action to hold Iran accountable for actions that threaten the security of a U.S. ally.” NATO also condemned the attack. Following the severing of diplomatic ties, Albania experienced further cyberattacks last week, allegedly from Iran, that disrupted Albanian police and border control networks.


Albania is not the only NATO ally to come under attack from state-backed and criminal hacking groups. An independent Russian hacking group, for example, has declared “war” against 10 countries, including the United States and several of its allies. Earlier this month, the criminal Cuba Ransomware group crippled government systems in Montenegro. Like Albania, Montenegro is receiving remediation and investigative support from Washington and its NATO allies.

NATO takes these attacks seriously, at least in part because if the critical infrastructure or government systems of NATO member states are disrupted, the alliance’s ability to project power in a time of conflict could be weakened. Recognizing this problem, NATO allies pledged in June to “significantly strengthen our cyber defenses through enhanced civil-military cooperation.”

The Biden administration should support this pledge by having the Department of State’s newly formed Bureau of Cyberspace and Digital Policy spearhead a resilience summit with NATO allies. This gathering should have the goal of improving member states’ cyber defenses and coordinating an alliance-wide cyber capacity building effort to strengthen vulnerable NATO allies. The administration should also work with Congress to ensure full resourcing of the numerous State and Defense Department programs that improve the cyber defenses of U.S. partners.

The administration can fund this capacity building support in at least five ways.

First, it can expand State Department funding for the Assistance to Europe and Eurasia program to support cybersecurity programs in Eastern Europe that improve incident response and remediation capabilities. These programs could also train personnel on international cyberspace law and the policy and technical aspects of attribution of cyber incidents.

Second, there are funding opportunities to counter international cybercrime within the State Department’s Bureau of International Narcotics Control and Law Enforcement Affairs (INL). The INL programs build the capacity of partners to counter cybercrime by strengthening their ability to develop and implement national laws, policies, and procedures to hold malign actors accountable.

Third, Washington could utilize the Digital Connectivity and Cybersecurity Partnership. This State Department program supports international capacity building efforts that foster government-industry cooperation on cybersecurity and that build cyber resilience in partner networks.


Fourth, the State Department could expand Foreign Military Financing for cybersecurity capacity building efforts. This funding strengthens the readiness of partner military forces and encourages regional cooperation against nation-state cyber threats such as those demonstrated by Iran as well as Russia, China, and North Korea.

Finally, the Department of Defense could continue to expand funding for “hunt forward operations” by U.S. Cyber Command (CYBERCOM). These operations allow forward-deployed CYBERCOM operators to sit in partner networks and observe and identify malicious activity that threatens partners. The operators can then use these insights to increase the resilience of critical allied networks. As of May 2022, CYBERCOM had conducted 28 such hunt forward operations in 16 countries.

The United States and its NATO allies must support the alliance’s less developed partners in protecting their critical infrastructure from cyberattacks. Attacks like the ones by Iran on Albania are best countered by a combination of cost imposition efforts that hold malicious cyber actors accountable for their actions and proactive measures to strengthen the defense and resilience of NATO systems. Investments in the cyber capacity building efforts highlighted above will go a long way to addressing the defensive requirements.

Michael Sugden, intern with CCTI and a master’s student in security policy studies with a concentration in science and technology from The George Washington University, contributed to this column.
