Lithuania spends millions of euro on cyber security every year – supposedly guarding from Russian threats. While it is claimed that rising threats are being watched for, words do not always match actions, lrt.lt writes.
LRT investigation department journalist Mindaugas Aušra uncovered that for example, the Bank of Lithuania obtained a Russian software management system just this year and the contract is to last until 2021. Officials see no issue with this and repeat that, "We know the threats – the situation is under control." This was the topic of LRT's Dienos Tema with Indrė Makaraitytė with Minister of National Defence Raimundas Karoblis and political analyst Marius Laurinavičius.
When the LRT journalist inquired the vice minister of national defence over the situation being under control, the vice minister pointed to this being a matter of market offerings and this specific offer having been the most affordable. When asked, to what extent the state is actually in control if it is left to the market, R. Karoblis noted that first and foremost it is the purchasing institution's remit to maintain its own cyber security when making such procurements. "Those, who have Russian equipment, it is primarily their responsibility. We are looking into Bank of Lithuania procurement, most certainly," he states, adding that certainly Russian made software is liable to pose a threat.
He points out that he is not personally familiar with every single institution's procurements, but explains that the Ministry of National Defence has presented a proposal to amend public procurement procedures so as to eliminate software that could be deemed unreliable, primarily in terms of geographic sourcing. This proposal has not come into power as of yet, however and for now, it remains up to the purchasing institution.
When queried, why there are no such safeguards in place already, R. Karoblis states that the question is under consultation with the European Commission, which states that this does not match EU directives. Secondly, the minister points out that the software has been noted for its vulnerability in a cyber-attack on Ukraine and prior iterations of it have been used in Lithuanian companies since 2003, which, according to him, proportionately reduces the risks.
"We have a problem in Lithuania: we have yet to grasp that we are experiencing a war situation against Russia. Everything starts from this. At least the current government truly has not grasped it because it is not dealing in, for example, the creation of an anti-hybrid warfare strategy. It is not prioritising the questions you are posing. They are not priorities for this government. There is no talk about what should be discussed. Just look at what Germany did, for example, before the elections, when it truly wanted to oppose Russian tampering with the elections. Every other week, the head of one or other security service, A. Merkel or someone else would stand and would say how they prepared, what they are doing – these are preventative actions. What we are hearing in at least the public sphere is that we should, for example, defend from Russia," M. Laurinavičius states.
The claim made, however, is that everything is in order. The analyst quips that it is more than in order, "For example, the chairman of the ruling party has business with an individual, who financed the Russian "troll factory" and this is all in order, no one minds it."
The Lithuanian Police Department has also chosen to use the same software suite as the Bank of Lithuania, but the minister reassures that the system has been cut off from outside access and indicators have been established. It cannot be replaced immediately, however because it deals with various core operations, such as accounting, which means that an alternative has to be chosen first. "The question is of proportionality. When the new software will be implemented and how to manage the intermediary period we have now. Technical measures are being taken, it is constantly monitored that there would not be any intrusions with viruses and other matters, thus these are temporary problems. Another matter is that none other, but the National Cyber Security Centre is cooperating with Lietuvos Geležinkeliai, how to replace Russian software," he states.
The same software suite was used in Ukraine and following cyber-attacks linked to it, usage was immediately halted. M. Laurinavičius points out that the difference with Lithuania is namely that Ukraine understands that it is in a state of war with Russia, while Lithuania refuses to recognise it. "We refuse to recognise it and it is not the only matter. Yandex's arrival. What, for example, changed in terms of Yandex? How much progress have we made? Let's say, we need to change legislation. In fact, we cannot half such matters by a single order from someone.
It's the same regarding public procurements, regarding all things. We do not have the combined view of it and we specifically don't have it because we refuse to recognise we are in a war situation with Russia. Otherwise we would take steps," M. Laurinavičius states, albeit noting that even if a minister can propose legislation, they cannot change them. While he has made his proposals, the rest is not up to him. Instead, the analyst points to Prime Minister Saulius Skvernelis and the ruling parties' leaders as being in position to enact changes.
R. Karoblis notes that S. Skvernelis is both supportive and does not hamper cyber security efforts, however the minister stresses that the issues present are not ones that can be solved overnight. "The problem was identified a year ago, the issue with the railways was identified even earlier. Auditing has been done, all gaps and measures have been reviewed. There are at least temporary measures for the software to last until truly safe alternatives are put in place. There is greater attention on risk management, to avoid intervention. Trust us, we have the technical equipment and capacities where you can do it in specific cases when you know the subjects," he says.
When asked whether this is a threat in the looming presidential and other two elections, M. Laurinavičius states, "There is a threat overall because I would describe these matters more as an attempt on critical infrastructure – we have been talking about it at the world level as a major threat. It is more in this regard rather than interference in elections."