
Danguolė Morkūnienė, Head of Law Division, State Data Protection Inspectorate
16/04/2015, Conference "ID Thefts – Issues, Legal Regulation, International Context"
The Law on Cyber Security in Lithuania – First Experiences

Aim of the presentation
- Why was the Law on Cyber Security necessary?
- What is the importance of this Law?
- What are the first results?
- Has the excitement faded away in the face of reality?

Cyber security / space
Cyber security – a set of legal, information dissemination, organisational and technical measures to avoid, identify, analyse and react to cyber incidents, as well as to restore the normal functioning of the management systems of electronic communications networks, information systems or industrial processes in case of such incidents.
Cyber space – the environment in which individual computers or other information or communication technology equipment generate and/or transfer electronic information through computers connected by the network of electronic communications or any other ICT equipment.

Cyber incident
Cyber incident – an event or act which:
- leads or may lead to, or can enable, an unauthorised connection to the management system of an IS, electronic communications network or industrial processes;
- disrupts or modifies, including by taking over control of, the management system of an IS, electronic communications network or industrial processes;
- destroys, damages, erases or modifies electronic information;
- denies or limits access to electronic information;
- makes it possible for persons who do not hold such rights to appropriate or otherwise use non-public information.

2014 Activity Report of the Government of the Republic of Lithuania (TAR, 1 April 2015, No. 4887)
Activity priorities of the Government and their implementation directions
V. Strengthening of the EU, Foreign and Defence Policy
5.3. Strengthening of cyber security

Report on National Security and Development in I
Risk factors, threats and risks for national security
1.3. Activities of other states against the Republic of Lithuania
In 2014, the Russian intelligence and security services were the most active in their operations against Lithuania. In addition to classical intelligence methods, electronic intelligence and cyber espionage were used actively.

Report on National Security and Development in II
Cyber attacks
In 2014, the range of cyber incidents was expanding; the technologies, methods and ways to hack into automatic data processing (hereinafter – ADP) systems or networks, or individual computers, were becoming more sophisticated. The goals of cyber attacks remained the same: espionage, disruption of the functioning of ADP systems and networks, the intention to take over their control or to influence them, and the search for vulnerabilities.
The number of cyber incidents will keep growing in the future, and cyber space will be one of the main areas both for espionage and for undermining the national security of Lithuania and the defence power of the country, for impairing other important national objects, as well as the ADP systems, networks and individual computers of the private sector and private individuals.

Report on National Security and Development in III
Vulnerability of Economics and Economy
More frequent cyber attacks against banking information systems pose a risk to the security of the personal data and/or money of bank customers, as banking institutions are not only likely to suffer significant financial damages but may also eventually lose their image as reliable custodians of information and assets. The prevention of this risk is complicated by the fact that such attacks are most often administered from the territories of foreign countries.

Report on National Security and Development in IV
Strengthening of electronic information security (cyber security)
In 2014, the Law on Cyber Security was adopted, which defined the arrangement of the Lithuanian cyber security system, the competence of responsible institutions, the rights and obligations of participants in cyber security, as well as the measures to ensure cyber security. Much emphasis in 2014 was placed on the security of information systems: additional security mechanisms were implemented and the existing threats and protection mechanisms were analysed. In order to ensure the prevention of cyber incidents (identify weaknesses), software was updated and system and network security was audited. In addition, malware and the mechanisms and consequences of attacks were analysed.

Assessment of the Threats to National Security (National Security Department)
With the rapid development of IT, national security is increasingly exposed to the risks of cyber espionage. Ever more sophisticated computer viruses take advantage of cyber security gaps and can invisibly steal large amounts of valuable information from both encrypted and non-encrypted information systems. In cyber espionage operations, Russian services use special spyware. It is integrated into attachments of different formats to e-mails sent to selected addressees; for example, spyware gets built into attachments in PDF format. They also use viruses which get into computers through external data storage devices (USB, CDs).

Objectives of the Law on Cyber Security I
- to regulate the area of cyber security
- to set the legislative framework for personal data processing for the purposes of ensuring cyber security
- to identify the institutions that make and implement cyber security policy, their competence, functions, rights and obligations
- to specify the rights and obligations of controllers and/or managers of the information resources of the state, controllers of the information infrastructure of special significance, providers of public communications networks and/or public electronic communications services, and providers of electronic information hosting

Objectives of the Law on Cyber Security II
- to identify cyber security measures
- to set minimum organisational and technical cyber security requirements for the information resources of the state controlled by public administration bodies (to the extent not covered by the Law on Management of State Information Resources), for the information infrastructure of special significance, for the providers of electronic communications services (to the extent not covered by the Law on Electronic Communications), and for the providers of electronic information hosting services

Damage
- for regions
- for states
- for persons

Cyber Security Policy-Making and Implementation
- The Government
- The Ministry of National Defence
- The Ministry of the Interior
- The Communications Regulatory Authority
- The State Data Protection Inspectorate
- The Police Department
- The National Cyber Security Centre
- The Cyber Security Council
Roles: important when taken all together or each individually?

Cyber incidents
- Targeted attacks
- Distortion of contents
- Malware
- DDoS attacks
- Sabotage
- Spying...

Legislation Framework / Results
More than 20 implementing laws had been planned for the implementation of the Law on Cyber Security. Not all implementing legal acts (resolutions / orders) have been adopted; for example, the Resolution of the Government of the Republic of Lithuania "On the Approval of the List of the Information Infrastructure Objects of Special Significance" is still outstanding.

Results achieved by the institutions
- The Police Department
- The Communications Regulatory Authority
- The State Data Protection Inspectorate
- The National Cyber Security Centre
- The Cyber Security Council

Results - the CRA I
Comparison of the incidents dealt with by CERT-LT during Q and Q
Columns: Incident type | Number of incidents (Q ) | Number of incidents (Q ) | Change, %
Rows: Malware; IS hacking; DDoS; Fake electronic data; Compromised integrity; Loopholes in device security; Manipulating electronic data; Other

Results - the CRA II
The National Computer Emergency Response Team CERT-LT investigated more than incidents in response to the reports received from Lithuanian providers of electronic communications services, foreign CERT services and Lithuanian internet users. Compared to 2013, when 25.3 thous. incidents were reported, the number of cyber incidents in Lithuania has grown by 43 per cent ( incidents). The trend remains the same in 2015.

Results / State Data Protection Inspectorate
- No reports about cyber incidents related to personal data security violations.
- No inspections have been carried out; hence, there are no findings as to violations of personal data processing in cyber space.
- Order of the Director of the State Data Protection Inspectorate No. 1T-11(1.12.E) "On the approval of the description of procedure for communicating information about cyber incidents related to personal data security violations and the measures to manage such incidents to the State Data Protection Inspectorate" (TAR 25/02/2015, No )

Results / Police I
Order of the Commissioner General of the Lithuanian Police No. 5-V-101 "On the approval of the description of procedure for submitting the information necessary to prevent and investigate cyber incidents with potential elements of criminal offences, for fulfilling instructions of the police and investigating cyber incidents" (TAR 03/05/2015, No )

Results / Police II
No data available on:
- how many reports have been received about cyber incidents with potential elements of criminal offences;
- how many orders have been given to restrict temporarily (not longer than 48 hours without authorisation of the court, and longer with authorisation of the court) the provision of public communications networks and/or electronic information hosting services to the customer;
- how many orders have been given to store the information related to the services provided by them that makes it possible to find out the subscriber's identity and other details;
- how many orders have been given to communicate the data on the service user's traffic;
- how many times the contents of the information transferred have been controlled (on the basis of a reasoned court ruling).

Cyber security / Identity thefts
Can we ensure the national security of the state without ensuring the safety of cyber space?
Can we ensure the prevention of identity thefts by ensuring cyber security?

Identity thefts in Lithuania / in the world
- The scope is unknown, either in Lithuania or globally.
- Victims of identity thefts always suffer negative consequences.
- Identity thefts are committed not only by means of modern technologies but also in daily life.

Cyber security is closely linked to the right to privacy. What is more important?

Criticism I
Police powers:
- instructions to providers of public communication networks and/or public electronic communication services and providers of electronic information hosting services to restrict temporarily (not longer than 48 hours without authorisation of the court, and longer with authorisation of the local court of the place where the service is provided) the provision of public communications networks and/or electronic information hosting services to the customer, when the customer or his/her/its ICT equipment is involved in criminal activities;
- and/or instructions to providers of public communication networks and/or public electronic communication services to apply measures to eliminate the preconditions for violations of law in cyber space and for criminal offences.

Criticism II
- the right to issue reasoned instructions to providers of public communication networks and/or public electronic communication services and providers of electronic information hosting services to retain the information related to the services they provide, so as to make it possible to identify the type of communications service used, the technical measures applied and the time of usage, the subscriber's identity, postal and geographical location address, telephone and other access number, information about accounts and payments made on the basis of a service contract or agreement, and any other information at the place where the communications equipment has been installed under a service contract or agreement, and to receive such information;
- as well as to obtain, under the procedure provided for by legal acts upon a reasoned order of the court, the customer's traffic data and to control the contents of the information communicated.

Cyber Security
- 90 % of companies are attacked several times or attacks are repeated permanently.
- DDoS attacks: anybody can be a victim, participant, perpetrator.
- Trends: the number of attacks is decreasing but they are becoming more complex, lasting for approximately 1.5 hours.
- Usually DDoS attacks are up to 300 Gbit/s, but in 2014 there were even attacks of up to 400 Gbit/s.
- Most attacks are directed at servers and networks.
- The worldwide trend: the number of already known attacks is decreasing, while the number of unique attacks is growing (growth of around 20 % per year).


We assume liability for cyber security, which also means liability for the prevention of ID thefts.

Thank you for the attention!