On Thursday, some members of Seimas had their emails flooded with thousands of emails. IT specialists have warned politicians that hostile individuals have bypassed the special security filters. Apparently, this was not a cyber-attack from which special state institution sensors protect against, lrt.lt writes. But do the sensors protect and only protect from cyber-attacks or do they after all gather sensitive information even if this is not suitably regulated?
"There are rumours that completely private information surfaces in public even though none, bar the individual should be able to know it," MP Arvydas Anušauskas says. Such rumours have been present at all times and there have always been worries that individuals, particularly politicians, journalists, businessmen and others working with specific information could be spied upon.
The shadow of potential excess data gathering and storage now falls on institutions responsible for cyber security.
Sensors allow seeing more than just cyber attacks
A sensor has been placed in the humming LRT server room. The sensor copies data from the LRT network, which is sent to the National Cyber Security Centre (NKSC). Such sensors are, according to the LRT investigation department, placed in thirty networks of the most important state institutions and companies.
The sensors are data flow monitoring implements, they act as a breach warning system, which is intended to identify cyber-attacks. The level of cyber threats has risen sharply in Lithuania since 2014, it is one of the largest challenges to Western democracies.
As IT specialist Marius Pareščius explained to the LRT Investigation Department, the sensors are "often intended to record history. This is a history of what happened and when. An example – there was an attack up to a certain server and when the attack occurred, it ceased functioning. They then investigate the reasons, why it no longer works, who attacked and when."
According to M. Pareščius, there are such sensors, which also review the whole data flow, which passed through certain networks, all in order to identify potential cyber-attacks before they even occur.
An explanation of cyber security in Lithuania through sensors is as follows. Technically, information, which is assembled from state institutions and companies, lands in the NKSC server and there, according to LRT Investigation department sources, is held for at least a week. This means that much personal data is stored in the server – potentially VOIP conversations, if not also email content, then lists of addressees, all other information, which can be gleaned from IP addresses or at least what enters and exits the network. Data passing through the sensors is analysed by National Cyber Security Centre specialists.
This being a matter of national security, access to data in the NKSC server is also available to the Second Investigation Department under the Ministry of National Defence, which deals in military intelligence.
"Users browse through websites, the content, which is seen by them and what they do, perhaps reading something, perhaps writing, email correspondence, phone calls, Messenger chats or VOIP. If it is not sufficiently encrypted, the sensors will see it as data and afterwards they can either analyse or store the data," M. Pareščius said.
According to the IT specialist, this software and hardware solution can also see content. The purpose of the sensors is to protect from cyber-attacks, however IT experts say that they form premises to not only gather content of personal nature, but also to perform detailed analysis of it.
Who "deserves" sensors and how to "hide" from it
According the LRT Investigation Department information, sensors are not placed in all state institutions and companies' networks.
To return to the prior explanation. It highlights state control, however according to the LRT Investigation Department, the LRT, despite being a news media institution does have a sensor, while at the same time, the National Audit Office of Lithuania does not have a sensor installed in its networks. Furthermore, certain state companies, whose names are known to the LRT Investigation Department, prior to placing the sensors, adjusted their virtual networks so that key importance information would be accessible, but separated from the company's network data flows, decreasing the sensor's "field of view".
Former Minister of National Defence Juozas Olekas says that the sensors are primarily intended for ensuring security and if an institution does not have it in place, it is less secure.
How many institutions and companies are safe or remain unsafe is not public information because the list of companies and institutions, where a sensor may be placed, is classified. However, the criteria defined by the government is public. And these criteria and very broad. From threat to human life to threat to state sovereignty, from object disruptions threatening a number of residents to impact on other EU member states.
However, the government-defined criteria do not answer the question of why the LRT is this much more important than the National Audit Office, with one receiving one of the first sensors, while the other still does not have it. And why can institutions and companies decide themselves, how much access to grant the sensor?
Or could it also be that the sensors do not perform the role of protection from cyber-attacks, given that some institutions are consciously only transferring a part of their data flows through them?
The LRT Investigation Department was also left wondering, if the networks were adjusted prior to placing the sensors so that the sensor would not scan everything, does it mean that there were concerns that data would not be stored in the NKSC server, which is of particular importance to the companies and institutions? Such as correspondence between company or institution management.
In other terms, there is wariness of potential spying even at the cost of security.
Many means to secure, but little control
J. Olekas says that these questions can be posed, but he can answer them by stating that everything is regulated in detail. According to the politician, "The law allows listening to such conversations and correspondence only when it is sanctioned by the court. Overall, the law states clearly that the sensors are used solely to ensure security and not to analyse data flows or the content of the object they are placed in."
Politicians seek to reassure, however lawyer Daiva Dumčiuvienė states that there certainly is basis for doubts on the illegal storage and abuse of data. Is the cyber security law, which regulates the activities of the National Cyber Security Centre enough to leave us reassured that the information, which is gathered from state companies and institutions through the sensors, will not land in public one day?
"I do not believe it is enough," D. Dumčiuvienė says.
According to the lawyer, it Is not enough because the law itself states that the Cyber Security Centre can provide data for intelligence and counter-intelligence purposes, as well as for purposes of national security.
"This, no doubt, is much broader than data used for cyber security purposes. In this case, the law is not systematic, to my understanding," she states.
"The law primarily lacks this and I hope that it will be amended, considering the April 27, 2016 directive over personal data protection and personal data management when investigating criminal activities, also when ensuring public security from threats (obviously, the cyber activities law is intended to protect the public from threats), thus this directive would be integrated into the law with all human rights, which are important to each one of us," D. Dumčiuvienė comments.
Jurists note that the law itself states regarding NKSC functions that "Measures implemented through National Cyber Security Centre funding are employed to exclusively ensure cyber security," and this means that these measures can be used for a variety of things. However, there is no control mechanism.
Thus, it is not specified or the public is not informed, how the NKSC handles the content it stores in its servers. Is the content erased, how is it erased, who reviews it, do data copies not land in other hands, does no one analyse content accessed through the sensors without court sanction, for example data such as electronic correspondence or at least information entering and leaving the network. Are the copies made not stored somewhere other than the NKSC?
Such questions and doubts also arise because a special government ruling on what documents are needed for managing stored content only was made on April 2016. However, according to LRT Investigation Department sources, the first sensors were begun to be installed already in 2014. The LRT sensor was also installed prior to the ruling being made.
Former Minister of National Defence J. Olekas, who has written a number of pieces of legislation on cyber security, says that there was no time to wait – cyber-attacks occurred one after the other. Apparently the goal was to, "Protect information infrastructure. We had a number of attacks on these objects, including here in Seimas. And the goal is for the NKSC to be able to have information and be able to prevent such attacks."
Questions posed by the LRT Investigation Department were not posed in the Seimas National Security and Defence Committee (NSGK) and for the last half year, the committee delved into the ongoing parliamentary investigation on influence on politicians. A. Anušauskas states, "In 2017 there were a number of such deliberations, however when the parliamentary investigation began, this was in late 2017, we finished it in half a year, thus in this half year, I have to say that the parliamentary control instrument was not used at all."
The head of the National Cyber Security Centre Rytis Rainys answered a phone call from the LRT Investigation Department, however he stated that he needs to prepare answers to the questions and a permit to speak to the news media. National Defence Vice Minister Edvinas Kerza, who had to grant such a permission and is responsible for cyber security policy, agreed to talk on Monday, however on Wednesday, through the Ministry of National Defence Public Relations Department, requested questions in writing and informed via SMS message that he does not have time to answer questions even by phone.
Only the discussion topic, not specific questions to E. Kerza were sent to the Ministry of National Defence Strategic Communications and Public Relations Department. The department provided a comment formulated to the topic on November 1.
The ministry's comment is featured below, however questions on whether the sensors, supposedly performing protection from cyber-attacks functions, are only performing that or if they are also used for gathering sensitive data, remain open.
Ministry of National Defence Strategic Communications and Public Relations Department November 1 comment on interview topics requested from MND officials.
In performing state information system and critical information infrastructure cyber protection, the National Cyber Security Centre may employ and control various technical cyber security measures. Their installation is established by the cyber security law. The regulation for the installation of such measures is regulated by the technical cyber security measure installation and management in state information resources and critical information infrastructure regulation description, signed by the minister of national defence.
Information about cyber incidents received from technical cyber security measures is processed in the Cyber Security Information Network (hereon – KSIT), whose controller is the National Cyber Security Centre. KSIT has established regulations, secure information management rules, data protection regulations and user administration procedures, which strictly regulate what data is received and processed, how it is managed and who has access to it.
The technical measures employed by the National Cyber Security Centre are used to record cyber incidents in state information resource and critical information infrastructure networks, as well as evaluate the cyber security situation.
The threat recognition system is created so that only metadata (data about data, for example file types, creation dates and such) is used to identify threats. We would like to highlight that file content is not necessary for threat identification, thus this data is not recorded, reviewed or stored.
The technical cyber security measures in state information resource or critical information infrastructure networks are installed only with the network operators' consent. On observing a cyber-threat case, the National Cyber Security Centre informs the state information resource or critical information infrastructure network operators in accordance to legislation.
We would like to highlight that the cyber security law clearly regulates that data processed by the KSIT can only be employed for purposes of ensuring cyber security. Data is stored in National Cyber Security servers for a year.
A report published on European state activities in ensuring state cyber security shows that Lithuania has made major advances in this regard and is currently in second place: https://ncsi.ega.ee/ncsi-index/
Below we present more detailed information about legislation mentioned in the text earlier:
Based on the cyber security law article 6, clause 9, the Ministry of National Defence approves the technical cyber security measure installation plan, specifies procedures for their installation and management in state information resources and critical information infrastructure. The procedures can be found here: https://www.e-tar.lt/portal/lt/legalAct/7faa0300f3c611e4927fda1d051299fb
Based on the cyber security law article 8, section 2, clause 8, the National Cyber Security Centre installs and manages technical cyber security measures in state information resources and critical information infrastructure based on the technical cyber security measure installation plan coordinated with subjects operating and (or) managing state information resources and critical information infrastructure. Measures installed through the funds of the National Cyber Security Centre are used exclusively for ensuring cyber security.
Critical information infrastructure operators create conditions for the National Cyber Security Centre to install and manage technical cyber security measures in critical information infrastructure and apply technical measures in seeking to evaluate critical information infrastructure resistance to cyber incidents based on the cyber security law article 12, section 1, clause 4.
Article 15 of the cyber security law outlines information protection and specifies that the cyber security policy implementation institutions only have the right to exchange information, including confidential information, provided by cyber security subjects to the extent that it is necessary for these institutions to perform their functions based on their competences and must ensure the protection of received information.