National Cybersecurity Center of Lithuania's Report for 2019: a personal view
This past week the National Cybersecurity Center (national CERT of Lithuania) issued its report on Lithuania's cybersecurity for 2019. Very important work has been accomplished in building Lithuania's cybersecurity capacity. Sadly, in terms of the incidents and threats covered, it is mostly an "Office IT" cybersecurity oriented document. Information system protection language dominates. The words "information" and "information systems" are used 150 times in this report. It is mentioned in the foreword of the report that there is cooperation with a student group "Kurk Lietuva" (create Lithuania) in preparing a guide on cybersecurity for small and medium enterprises.
What one would like to see is a more balanced approach to the wide variety of threats to critical infrastructure. This report lacks an understanding of the importance of industrial control systems, which are mostly about protecting a physical process rather than protecting information. Most importantly, these control systems are not found in the "office" where the accounting, billing and management sit. In the definition section these critical control systems are only mentioned under the definition for "Communication and Information Systems" (pramoninių procesų valdymo sistema ir jų valdymo). The Law on Cybersecurity has a separate definition, but in this report it is jammed and diluted into the definition of CIS. This puts into serious question whether the National Cybersecurity Center or its parent institution, the Ministry of National Defence, knows what they are talking about when they speak about CIP.
To be fair, the cyber attack that took place against the water utility in Kaunas is mentioned as something important (page 28). However, it is not clear what follow-up is planned to deal with what is truly a very late wake-up call for addressing intentional and unintentional cyber threats to the control systems that play a vital role in supporting modern economic life, national security and the well-being of society.
The report's foreword concludes (page 7) with the hope that the reader will take note of the importance of their own cybersecurity and that of their neighbors. One can only hope that the policy makers who influenced the writing of this report will also do the same, especially in thinking more about the protection of critical physical processes and the control systems used to make them safe and reliable.
As in the fable of "The 3 Little Pigs", only one of the pigs evaluated what needed to be protected, from what threats, and how to address them correctly.
My best wishes for preparing a more comprehensive and relevant (to the threats and to the targets) report next year.
Report link: https://www.nksc.lt/doc/Nacionalinio_kibernetinio_saugumo_bukles_ataskaita_2019.pdf