The Lithuania Cyber Security Strategy was adopted in 2011, with a plan covering the years 2011-2019: The Programme for the development of electronic information security (Cyber security) for 2011-2019.
It is a comprehensive plan that includes an assessment of Lithuania’s cybersecurity capacity and a set of clearly stated goals, which are mapped to an implementation schedule.
The main objectives of the strategy are ensuring:
Obj. 1 - The security of state-owned information resources.
Obj. 2 - An efficient functioning of critical information infrastructure.
Obj. 3 - Cyber security of Lithuanian residents and persons staying in the country.
NATIONAL CYBER SECURITY STRATEGY - NIS Capacities
Year of adoption
The first Law on Cyber Security was approved in December 2014.
Updates and revisions
In September 2016, Lithuania officially launched its National Cyber Security Centre (NKSC) amid increased efforts by Eastern European countries to protect themselves against potential cyber-attacks. Operations started in July 2016. The NKSC was set up through a transformation of the Lithuanian Defence Ministry's Communications and Information Systems Service.
The main goal of the NKSC is to consolidate the efforts of public institutions, spread the ideas of cyber-awareness and provide help in dealing with cyber-incidents on government networks. The establishment of the NKSC was enabled by the recently adopted Cyber Security Law.
In July 2015 a Lithuanian Cyber Security Centre was established with the aim of ensuring centralisation of cyberspace protection at national level.
In April 2015 the government of Lithuania decided to establish a Cyber Security Council, to ensure closer cooperation between the state, business and academic organisations.
Implementation and monitoring
The Ministry of Defence is responsible for shaping cyber security policy as well as monitoring and coordinating its implementation.
The work of the NKSC is supported by an Inter-Departmental Committee on Cyber Security, established and chaired by the DCENR, which regularly reports on progress and on cyber security issues to the Government Task Force on Emergency Planning. The Government Task Force, chaired by the Minister for Defence, maintains cyber security as a standing agenda item, allowing for provision of regular updates and addressing of issues of common interest.
Since 2015 the Ministry of the Interior has been authorised to shape policy in the field of public information resource security and, along with the National Cyber Security Centre, the Communications Regulatory Authority, the State Data Protection Inspectorate and the Police Department, to implement cyber security policy within their respective remits.
Operational capacity building
Lithuania is building its cyber security capacity and management institutions based on a long tradition of information technology and telecommunications.
CERT-LT (Lithuanian: https://www.cert.lt/statistika.html; English: www.cert.lt/en/) is the national electronic communications network and information security incidents investigation service operating as the national Computer Emergency Response Team. It is responsible for coordinating security and incident response measures across all Lithuanian networks. CERT-LT is tasked with managing the reporting of cyber security incidents and provides an online reporting structure to log cyber security incidents.
It is also charged with promoting security in the information society by preventing, observing, and solving information security incidents and disseminating information on threats to information security. CERT-LT provides the capability to deal with network and information security incidents but would require additional resources in the event of a national cyber security crisis.
SVDPT-CERT (Lithuanian: http://www.is.lt/lt/titulinis.html; English: http://www.is.lt/en/svdpt-cert_117.html) is the computer emergency response team of the Secure State Data Communication Network of the State Enterprise "Infostruktura" in Lithuania.
In September 2016 the Lithuanian government officially launched the country's National Cyber-Security Centre (NKSC), http://www.nksc.lt/en/title.html. The NKSC was set up through a transformation of the Lithuanian Defence Ministry's Communications and Information Systems Service with the aim of consolidating the efforts of public institutions, spreading the ideas of cyber-awareness and providing help in dealing with cyber-incidents on government networks.
The programme acknowledges the need for Lithuania to adopt a stronger regulatory framework for the protection of critical infrastructure that includes the implementation of a coordination structure between entities engaged with critical infrastructure, as well as testing and monitoring systems to facilitate the prevention of incidents. No detailed plan is provided in terms of capacity building around critical infrastructures.
The programme addresses electronic information security in general, but also includes goals to improve the legal framework and processes that support information security generally. There is no specific requirement for written information security plans.
The Programme for the Development of Electronic Information Security acknowledges that the legal framework supporting information security is fragmented and does not cover all members of the “information society”.
The programme recommends implementing a stronger legal requirement for incident reporting, as part of a wider strengthening of the legal framework supporting electronic information security.
The Lithuanian Law on Cyber Security defines the organisation of a cyber security system, its management and control. It came into force on 1 January 2015. The Law designates authorities responsible for the development and implementation of cyber security policies and sets out their competences, functions, rights and obligations. The law stipulates that the Ministry of National Defence has to formulate, coordinate and implement the organisation of the state cyber security policy. This includes the establishment of the National Cyber Security Centre, which was launched in September 2016.
Businesses and Public Private Partnerships
There is no defined partnership in the current national cyber security strategy. While there is no industry-led cyber security platform, InfoBalt, the national trade association, includes cyber security in its activities.
There are no specific plans related to sector-specific actions, no priorities identified and no risk assessment foreseen.
Other capacity-building measures: research and education
Lithuania has a comprehensive education plan and implementation schedule as part of its national cyber security strategy, including the establishment of self-help websites.
There is no legislation in place in Lithuania that requires each agency to have a chief information officer (CIO) or chief (information) security officer (CISO/CSO). This may not only hamper the ability to detect and counteract cyber threats but also significantly affect capacity building across the public and private sectors in Lithuania. It is also important to note that the national strategy does not make reporting a cyber incident to the government or EU a requirement (it is only a provision).
The statistical analysis provided by CERT-LT is a good practice that could be replicated by more CSIRTs/CERTs.
Date of last WISER analysis: July 2017
Compliance with the GDPR and NIS Directive: Report a cyber incident
Report a cyber incident to a national CERT/CSIRT
Guidance and Updates
CERT-LT (www.cert.lt/en/) provides regular reports on cyber incidents. These include statistics for the current period (attack statistics; number of infected machines found in "Botnets"; CERT-LT recommendations' efficiency; number of solved incidents per week) as well as quarterly activity reports: https://www.cert.lt/en/statistics.html.
LITNET CERT (cert.litnet.lt/en/) provides some snapshot information on the threat landscape.
Date of last WISER analysis: July 2017