Valstybės Kontrolė

National Audit Office of the Republic of Lithuania (VK)
Increasing risk of cybercrime - Background

"In accordance with the Convention on Cybercrime, this type of crime includes offences against the confidentiality, integrity and availability of computer data and systems, and other offences in cyberspace: Internet fraud, offences related to the sexual exploitation of children, violations of copyright and related rights, acts of a racist and xenophobic nature. In the conclusions of the EU Council of 2015 on the renewed EU Internal Security Strategy for the period 2015-2020 it is declared that the fight against cybercrime is one of three key security priorities. Based on the European Cybersecurity Strategy, the National report on Serious and Organised Crime Threat Assessment 2019 by the Europol’s European Cybercrime Centre (EC3) and the World Economic Forum's Global Risks Report 2020, it is predicted that the scope and potential harm of cybercrimes will only increase in the future, and rapid changes in information and communication technologies (e.g. cloud computing) can lead to new challenges as well. Criminal offences in this area are to be observed as a growing serious threat to public security. A study conducted in 2018 by the US computer security software company "McAfee" together with the Centre for Strategic and International Studies shows that global business expenditure due to cybercrime amounted to almost EUR 700 billion, which accounted for 0.8 per cent of global GDP."

Lack of common criteria

"The Police do not manage all information about cyber incidents that may be criminal offences, as not all cybersecurity entities (19 out of 143 surveyed by auditors) report cyber incidents that are potentially criminal offences in cyberspace to the Police. The State Data Protection Inspectorate never provided such information to the Police in 2015-2019 and the National Cyber Security Centre instructs cybersecurity entities to address the Police individually. The Police and the National Cyber Security Centre do not exchange the available data about online events and incidents. This situation is caused by weaknesses in the management of cyber incidents. There are no criteria (a general taxonomy) to identify which cyber incidents are potentially cybercrimes. There is also no clear regulation on what cybersecurity entities are required to inform - the Police or the National Cyber Security Centre about cyber incidents possibly having elements of a criminal offence. A lack of methodological leadership, advice and training to enhance cybersecurity entities' ability to identify and respond to criminal offences: 64 per cent of surveyed cybersecurity entities do not know how to assess the loss or damage of a crime, 51 per cent - how to collect and save electronic evidence properly and 27 per cent - how to respond to a possible cybercrime. In addition, it has not been possible to manage cyber incidents, which are potential cybercrime, on a one-stop-shop principle basis."

Recommendation 3 According to the agreed taxonomy of cyber incidents and criminal offences in the cyberspace, to improve the existing mechanism of cyber incident management which would ensure that cybersecurity entities submit all cyber incidents that are potentially cybercrimes for further investigation at a one-stop-shop principle (2 key audit result).

Incomplete profile

"Cybercrime profile covers crimes against the security of electronic data and information systems and crimes related to child sexual exploitation online, however, it does not cover other criminal offences committed in cyberspace referred to in the Convention on Cybercrime: Internet fraud, crimes related to copyright and related rights violations, the crimes of a racist and xenophobic nature. Police registers do not collect, systematise and analyse all information about crimes in this field, and therefore do not analyse the actual scope and trends of cybercrime threats. The lack of complete information on these crimes can have a negative impact on strategic decisions and the appropriate response to changes in this area."

Recommendation 5 To review and improve the operational model of cybercrime specialised units in order to identify all systemic crimes at the national level, concentrate sufficient specialised investigative and expert capabilities and increase the scope of criminal intelligence activities.

Missing monitoring and analysis

"The Lithuanian Criminal Police Bureau does not actively monitor and analyse cyber incidents, which are potentially criminal offences and does not allocate sufficient human resources to these activities (one official works with cyber incidents and during the period 2015-2019 he conducted 9 cyber incident investigations). Without managing all the information about cyber incidents that may be cybercrimes, the Police may not respond in time to the criminal offences committed in cyberspace and fail to assess the extent of these threats."

Preventive measures not coordinated

"Preventive activities for cybercrime are carried out by the Police and other institutions: the National Cyber Security Centre under the Ministry of National Defence, the Communications Regulatory Authority, the State Data Protection Inspectorate, the State Consumer Rights Protection Authority, the Office of the Inspector of Journalist Ethics, the Ministry of Culture, the Information Society Development Committee, the Government Office. During the period 2015-2019, the Police bodies alone implemented approximately 1.5 thousand various preventive measures, mainly focused on educational activities during events and providing information on the Internet. However, the participating institutions operate within their area of competence and according to their priorities, do not coordinate preventive measures with each other, do not carry out an impact assessment of preventive activities in cybercrime, and an inter-institutional system for planning, coordinating and measuring the impact of preventive activities at the national level is not established. For these reasons, similar preventive measures are being implemented (e.g., educational activities on the subject of Internet fraud were carried out by 5 institutions) which do not produce the necessary result. According to the Eurobarometer survey, in 2019, compared to 2018, Lithuania shows a 16 per cent increase (from 28 per cent to 44 per cent, respectively) in residents who believe that they are not able to protect themselves from cybercrime."

Recommendation 1 In order to ensure that the implementation of cybercrime prevention activities has a greater impact on the ability of the country residents to recognise these threats, to establish inter-institutional planning, coordination and impact measurement of prevention activities in the field of cybercrime.

Prosecutors need the domain training

"Insufficiently organised training for specialised officials and prosecutors. There is no cybercrime training programme for specialised officials and training is carried out only according to their needs, which do not cover the courses recommended in IOCTA reports. We found that between 2015 and 2019, 30 per cent of specialised officers attended any training. Irregular joint training for prosecutors and officials is also organised. 70 per cent of specialised prosecutors and officials interviewed by auditors indicated that training in this area was insufficient."

Recommendation 7 To improve the specialisation regime of prosecutors so that all pre-trial investigations of cybercrime specialised officials are supervised by specialised prosecutors in this area.

The items above were selected and named by the e-Government Subgroup of the EUROSAI IT Working Group on the basis of publicly available report of the author Supreme Audit Institutions (SAI). In the same way, the Subgroup prepared the analytical assumptions and headings. All readers are encouraged to consult the original texts by the author SAIs (linked).