On the Approval of the Conceptual Framework of the Law of the Republic of Lithuania on Security of Electronic Communication Networks and Information


Published: 2006-06-12

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Subscribe Now for only USD$20 per month, or Get a Day Pass for only USD$4.99.
 
 
 
GOVERNMENT OF THE REPUBLIC OF LITHUANIA
 
 
 
RESOLUTION No 1211
 
of 6 December 2006
 
ON THE APPROVAL OF THE CONCEPTUAL FRAMEWORK OF THE LAW OF THE REPUBLIC OF LITHUANIA ON SECURITY OF ELECTRONIC COMMUNICATION NETWORKS AND INFORMATION
 
Vilnius
 
For the purpose of implementing paragraph 157 of the Measures of Implementation of the Programme of the Government of the Republic of Lithuania for 2006-2008, which were approved by Resolution No 1020 of the Government of the Republic of Lithuania of 17 October 2006 (Valstybės žinios (Official Gazette) No 112-4273, 2006), the Government of the Republic of Lithuania h a s  r e s o l v e d:
To approve the Conceptual Framework of the Law on Security of Electronic Communication Networks and Information (as appended).
 
 
Prime Minister                                                                                     Gediminas Kirkilas
 
Minister of Transport and Communications                                       Algirdas Butkevičius
 
APPROVED by
Resolution No 1211 of the
Government of the Republic of Lithuania
of 6 December 2006
 
THE CONCEPTUAL FRAMEWORK OF THE LAW OF THE REPUBLICOF LITHUANIA ON SECURITY OF ELECTRONIC COMMUNICATION NETWORKS AND INFORMATION
 
I.          LEGAL BASIS OF THE PREPARATION OF THE CONCEPTUAL FRAMEWORK
 
1. The Conceptual Framework of the Law of the Republic of Lithuania on Security of Electronic Communication Networks and Information (hereinafter referred to as “this Conceptual Framework”) has been prepared for the purpose of implementing paragraph 157 of the Measures of Implementation of the Programme of the Government of the Republic of Lithuania for 2006-2008, which were approved by Resolution No 1020 of the Government of the Republic of Lithuania of 17 October 2006 (Valstybės žinios (Official Gazette) No 112-4273, 2006).
The strengths, weaknesses, opportunities and threats (SWOT) analysis of the information society development, given in the Strategy for the Development of Information Society of Lithuania approved by Resolution No 625 of the Government of the Republic of Lithuania of 8 June 2005 (Valstybės žinios (Official Gazette) No 73-2649, 2005) talks, among other things, about the outstanding problems of security of information technologies as one of the threats for the development of information society. It has also stressed that while developing new electronic services and application solutions it is necessary to ensure security of information technologies. The abovementioned Resolution defines information society development priorities. One of them is knowledge economy, the implementation of which pursues certain objectives, such as to support the development of secure and modern information infrastructure.
 
II. GENERAL CHARACTERISTICS OF THE SUBJECT-MATTER AND THE OBJECTIVES OF THE LAW
 
2. The Law on Security of Electronic Communication Networks and Information (hereinafter referred to as “the Law”) will govern the relations related to security of electronic communication networks and information (hereinafter referred to as “network and information security”), facilitate the development of secure information society, and increase consumer confidence in the information society.
3. The fast growth in the field of information society and media prompted by the increasing development of information and communication technologies in recent years will be further promoted by very widespread fast connections integrating many devices (according to the data of 2005, there were 781 thousand Internet subscribers in Lithuania). Today, a traditional electronic format material is available (e.g. movies, videos, music), in addition, new exclusively digital services are emerging, for example, interactive software. The convergence of information society and media services, networks and devices has finally become a part of everyday life: information and communication technologies are now more user-friendly, faster and easier to adapt. In order to be able to respond to radical developments of information and communication technologies and to accelerate the development of the information society, there must be a pro-active policy. It is vitally important to amend legal acts, so that the existing legal system does not impede the technological progress, but, on the contrary, contributes to it: they must suit the existing public relations and properly protect users, increase their confidence in information technologies, and encourage the use of advanced and secure information technologies (according to the statistical data of one of the biggest Internet providers in Lithuania, the number of network-related incidents has increased at least 100 times from 1998 to 2004).
4. In Lithuania, the society’s social relations are being increasingly moved to a virtual space: electronic communications are actively used not only to send or receive information, but also to utilise the e-banking, e-business and e-government potential. Unfortunately, these changes also incite illicit activities in the electronic space. A survey on network and information security situation in Lithuania conducted in 2005 has revealed that 78 % of directly interviewed people (respondents of representative survey), 79 % of business  enterprises and 100 % of Internet service providers have faced  computer viruses. Accordingly, 63 % of Internet users, 76 % of business enterprises and 100 % of Internet service providers indicated receiving spam from the Internet. 18 % of directly interviewed people, 25 % of business enterprises and 71 % of Internet service providers have suffered losses because of various network and information security incidents. Given the present situation, it is necessary to constantly and systematically tackle network and information security problems and strengthen the legal framework in this field at a national level.
5. In its Communication to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions “i2010 – A European Information Society for Growth and Employment” of 1 June 2005, the European Commission has identified security as one of the main challenges of digital convergence in the creation of a Single European Information Space: making Internet safer from and resistant to fraudsters, harmful content and technology failures to increase trust amongst investors and consumers. Once information and communication technologies are reliable and secure, converging digital services will be increasingly accessible. The European Union legislation does not lay down any specific requirements for the Member States to be transposed into national legislation; however, network and information security in the European Union is already considered as a priority.
6. Considering that the most important public relations must be regulated by laws rather than by secondary legislation, a relevant form to regulate public relations in the field of network and information security has been chosen, i.e. a law.
7. The main objective of the Law is to define and lay down the regulatory framework for public relations related to network and information security. Inasmuch as it is related to network and information security in the provision of electronic communication services, the Law will also fill in the gaps in the legal regulatory framework for the provision of electronic communication services.
8. The Law will define regulatory principles for network and information security activities and the concept of network and information security as well as other concepts related to this subject-matter. Article 4(c) of Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency (OJ 2004 L 77, p. 1) stipulates that “network and information security” means the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data and the related services offered by or accessible via these networks and systems. This concept, which has not been used yet in the legislation of the Republic of Lithuania, is to be transposed into the Law.
9. Currently spam constitutes the major part of the total e-mail flow and that is a big problem for electronic communication networks. The systems of Internet service providers are overloaded, the overall throughput is decreasing, the fight against spam requires additional resources, and serious financial losses are incurred. Spam adds to the threat of computer viruses and various frauds. Consumer opinion surveys also show that spam is one of the major security problems to the consumers. The inconveniences increase consumers’ distrust in electronic mail and the Internet in general. It is forecasted that this problem will be further aggravated by the spread of Universal Mobile Telecommunications Systems (UMTS) standard, when mobile communication network will be opened for the Internet. The use of electronic communication services for the purposes of direct marketing is partly regulated by the Law of the Republic of Lithuania on Electronic Communications (Valstybės žinios (Official Gazette) No 69-2382, 2004). For the abovementioned reasons, the Law will define the concept equivalent to the concept of network and information security defined in Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency, by additionally extending the concept of network and information security to cover the capacity of information system to reduce spam sent for direct marketing purposes. This would allow filling in the regulatory gap, when information systems are adapted for and facilitate the sending of spam.
10. The Law will:
10.1. clearly define the structure of state institutions in the field of network and information security, in order to avoid any overlapping in functions and to ensure effective cooperation between responsible institutions;
10.2. lay down general requirements for network and information security, mainly intended to protect consumers against network and information security incidents;
10.3. lay down security requirements for network and information systems of state and municipal institutions, for secure transmission of information between state and municipal institutions, and for critical information infrastructure of networks and information;
10.4. clearly define the system for the assessment of the level of network and information security, which will regulate network and information security audits  as well as hardware and software security assessments. This system will mainly apply to network and information systems of state and municipal institutions, critical information infrastructures, network and information systems of bigger enterprises as well as providers of information society services, i.e. in cases when network and information security is mainly ensured as part of an appropriate security policy.
11. The Law will also provide for general regulatory and legal basis, enabling the adoption of secondary legislation, which will set out the provisions of the Law in a greater detail. The secondary legislation will be adopted by the Government of the Republic of Lithuania, by a body to be designated by the Government, and by the Communications Regulatory Authority of the Republic of Lithuania (hereinafter referred to as “Communications Regulatory Authority”).
 
III. GENERAL CHARACTERISTICS OF OTHER LEGAL ACTS REGULATING NETWORK AND INFORMATION SECURITY
 
12. The number of information and network security breaches is growing fast. This causes a lot of financial losses and creates new risks and threats for the development of the information society. It is necessary to contribute to the development of a secure information society by properly regulating public relations in this field. Today there is no law in the Republic of Lithuania that regulates, in a coherent manner, public relations related to network and information security; however, some legal acts contain provisions relating to network and information security. Unfortunately, they do not ensure a thorough and clear regulation of these relations.
13. Article 62 of the Law of the Republic of Lithuania on Electronic Communications stipulates that providers of publicly available electronic communication services must implement appropriate technical and organisational measures to safeguard security of their services, and, if necessary, implement such same measures in cooperation with providers of public communication networks to safeguard security of public communication networks. These measures shall ensure a level of security appropriate to the risk posed. Once the provider of publicly available electronic communication services becomes aware of a particularly high risk of a breach of security of the electronic communication network or a part thereof, he must inform subscribers of such a risk and, where the measures taken by the service provider have failed to eliminate the cause of origin of such a risk, of any possible remedies and of the likely costs of such remedies. The abovementioned provision of the Law of the Republic of Lithuania on Electronic Communications provides only for a general obligation of both providers of publicly available electronic communication services and providers of public communication networks to take undefined measures to safeguard security of their services. It should be noted that this obligation is binding only on undertakings providing electronic communication networks and services; therefore, the proposed Law will broaden the circle of entities, by additionally setting relevant obligations related to network and information security for those undertakings which provide intermediate services of information society (e.g. information storage) and do not necessarily come within the scope of application of the Law of the Republic of Lithuania on Electronic Communications. The proposed Law will lay down guidelines for technical and organisational measures aimed to ensure network and information security. In addition, the Law will authorize the Communications Regulatory Authority to approve secondary legislation, specifying in a greater detail technical and organisational measures to be implemented to ensure network and information security according to the relevant services.
14. Article 63 of the Law of the Republic of Lithuania on Electronic Communications requires to ensure confidentiality of communications. It stipulates that undertakings providing electronic communication networks and/or services must take appropriate organisational and technical measures and ensure that it is prohibited to disclose the content of information transmitted via electronic communication networks and/or related traffic data to persons that are not actual users of electronic communication services without the consent of the interested actual users of electronic communication services or to create conditions for gaining access to such information and/or related traffic data. The State Data Protection Inspectorate (hereinafter referred to as “the Data Protection Inspectorate”) acting pursuant to Resolution No 807 of the Government of the Republic of Lithuania of 20 July 2005 “On the Approval of the Rules of Checking Confidentiality of Information” (Valstybės žinios (Official Gazette) No 89-3341, 2005,) shall monitor the compliance by undertakings providing electronic communication networks and/or services with the requirements concerning confidentiality of information.
15. Article 68 of the Law of the Republic of Lithuania on Electronic Communications regulates the use of electronic communication services for the purpose of direct marketing and prohibits the use of electronic communication services without a prior consent of the subscriber, determines certain requirements for senders of such electronic messages (e.g. prohibition to disguise or conceal the identity of the sender and the obligation for the sender to indicate a valid address at which the recipient may send a request to stop sending such information). The provisions of Chapter 9 of the abovementioned law are also partly related to the protection of privacy as part of safeguarding network and information security. With the massive spread of spam (which represents about 70 % of the total e-mail traffic today), a bare possibility to punish the spam sender is insufficient. In order to stop this negative phenomenon and taking into consideration the principle of technological neutrality, the Law will provide for the identification and implementation of technical and organisational measures designed for the prevention of the spread of spam.
16. Article 24 of the Law of the Republic of Lithuania on Legal Protection of Personal Data (Valstybės žinios (Official Gazette) No 63-1479, 1996; No 15-597, 2003) stipulates that the data controller and data processor must implement appropriate organisational and technical measures intended for the protection of personal data against any accidental or unlawful destruction, alteration, disclosure as well as against any other unlawful processing. The abovementioned measures must ensure a level of security adequate for the nature of data to be protected and the risks posed by processing operations and must be specified in a written or equivalent document (such as data processing regulations to be approved by the data controller, a contract between the data controller and the data processor, etc.). This provision of the Law of the Republic of Lithuania on Legal Protection of Personal Data is analogous to the provision of Article 62 of the Law of the Republic of Lithuania on Electronic Communications, with the exception that it is applicable to data controllers and data processors who, while providing relevant services, process data of a natural person.
17. Other articles of the Law of the Republic of Lithuania on Legal Protection of Personal Data lay down the system of protection of personal data (as a part of private information of natural persons).
18. The task to monitor the implementation of provisions of Articles 62 and 68 as well as other articles contained in Chapter 9 is entrusted, by Article 12(5)(1) of the Law of the Republic of Lithuania on Electronic Communications, to the Data Protection Inspectorate, which is responsible under the Law of the Republic of Lithuania on Legal Protection of Personal Data for an individual’s right to privacy, as it processes personal data. In order to protect personal data appropriately (in particular when it is processed by automated (computer-assisted) means), it is necessary to implement appropriate measures for ensuring network and information security. The protection of personal data is not possible without complying with relevant requirements for network and information security. On the other hand, these same requirements also apply for the purpose of guaranteeing other personal rights (apart from the right to privacy) within the information society (protecting persons against fraud or loss of information and financial or time resources, against interruptions in information systems they are using, against deprivation of access to services, etc.); therefore, the competence of relevant authorities in ensuring full protection of personal rights while using information society services must be clearly defined.
19. The Law of the Republic of Lithuania on Electronic Signature (Valstybės žinios (Official Gazette) No 61-1827, 2000) regulates the creation, verification, and validity of electronic signature, signature users’ rights and obligations, and the functioning of the necessary infrastructure. It regulates one of the elements of secure information society, designed to ensure a reliable and legally relevant exchange of information between users of information society services (i.e. electronic signature).
20. The Convention on Cybercrimes (Valstybės žinios (Official Gazette) No 36-1188, 2004) was ratified by the Law of the Republic of Lithuania on the Ratification of the Convention on Cybercrimes (Valstybės žinios (Official Gazette) No 36-1178, 2004); relevant provisions of the Convention were transposed by Articles 196 to 1982 of the Criminal Code of the Republic of Lithuania (Valstybės žinios (Official Gazette) No 89-2741, 2000), namely: Article 196 concerning deletion or alteration of computer information (serious damage must be done), Article 197 concerning deletion or alteration of a computer program and interruption of operation of a computer network, a database or an information system (serious damage must be done), Article 198 concerning misappropriation and dissemination of computer information (provided that the information is protected by laws), Article 1981 concerning illegal connection to a computer or a computer network, Article 1982 concerning illegal possession of devices, computer programs, passwords, log-in codes and other data for criminal purposes. Criminal activity of this type is investigated by pre-trial investigation authorities indicated in Article 165 of the Code of Criminal Procedure of the Republic of Lithuania (Valstybės žinios (Official Gazette) No 37-1341, 2002). It should be noted that a specialised Cybercrimes Investigation Division was established within Lithuanian Criminal Police Bureau to carry out pre-trial investigations with respect to such criminal activities.
21. The proposed Law is not intended to replace the computer crime system set up in the Criminal Code of the Republic of Lithuania. It will enable not only to take responsive measures for offences already committed (punish the perpetrators), but also to ensure prevention of such offences and their adverse effects. The Law will also clearly delimit behaviour, i.e. define activities, which are not formally criminalized (because the Criminal Code of the Republic of Lithuania criminalizes certain activities only by introducing a supplementary criteria – serious damage done), but are clearly dangerous, such as the creation and use of a harmful software code; unauthorised connection to an electronic communication network or information system or facilitation of such connection; collection, dissemination, acquisition, use or other kind of operations with e-mail address for direct marketing and similar purposes without consent of the user; such acts will carry administrative liability under the Code of Administrative Offences of the Republic of Lithuania (Valstybės žinios (Official Gazette) No 1-1, 1985).
22. The Law of the Republic of Lithuania on State Registers (Valstybės žinios (Official Gazette) No 86-2043, 1996; No 124-4448, 2004) regulates the setting-up, management, reorganisation and liquidation of state registers (cadastres); the system of state registers and general principles of interaction between state registers; and rights and responsibilities of leading state register management bodies, state register management bodies, state register supervisory institutions, state register managers, state register data suppliers and recipients. Article 2(19) of the Law of Republic of Lithuania on State Registers defines a register as a totality of legal, organisational and technical measures intended for the registration of register objects designated by the law, and the collection, accumulation, processing, systematisation, storage and provision to legal and natural persons of quantitative, qualitative, geographic and other data and documents.
23. Article 20 of the Law of the Republic of Lithuania on State Registers lays down data security requirements for registers: “The register management body and register managers shall bear responsibility for register data protection. When processing register data, it shall be required to implement register data protection measures intended for ensuring the accuracy of register data and safeguarding them from accidental or unlawful destruction, alteration, disclosure, and also from all other unlawful forms of processing. To ensure the protection of register data, register data protection regulations shall be drawn up and approved by the leading register management body in compliance with the general data protection requirements approved by the Government. These regulations shall specify appropriate register data protection measures, the requirements concerning safe processing of register data and the implementation thereof. Register managers must ensure, in accordance with the provisions of register data protection regulations, appropriate administrative, technical and organisational measures governing data protection as well as compliance with such measures. State officials and employed persons who process register data shall be bound by an obligation to safeguard the confidentiality of data. The obligation to safeguard the confidentiality of data shall remain valid even after the termination of activity related to the processing of register data.”
24. The Law of the Republic of Lithuania on State Secrets and Official Secrets (Valstybės žinios (Official Gazette) No 105-3019, 1999; No 4-29, 2004) lays down the requirements for network and information security in the field of protection of state and official secrets. Chapter 8 of the abovementioned Law regulates the protection of automated data processing systems and networks used for storing, processing or transmitting classified information, by regulating the issuance of authorisations to process classified information via automated data processing (ADP) systems and networks, by laying down security requirements for such systems and networks as well as for information-carrying media. It should be noted that inasmuch as state and/or official secrets are concerned, the proposed Law is not intended to replace regulation of network and information security; the Law will only define general requirements, whereas the Law of the Republic of Lithuania on Sate Secrets and Official Secrets, as a special legal act, will separately regulate relations in the field of safeguarding security of state and/or official secrets.
25. Mention may be made of several network and information security-related resolutions of the Government of the Republic of Lithuania, which regulate, in a wide sense, network and information security within state and municipal institutions: Resolution No 952 of 4 September 1997 “On Data Protection in the State and Municipal Information Systems” (Valstybės žinios (Official Gazette) No 83-2075, 1997; No 2-45, 2003), Resolution No 290 of 5 March 2003 “On the Approval of the Procedure for the Control of Confidential Information in Public Computer Networks and Dissemination of Restricted Public Information” (Valstybės žinios (Official Gazette) No 24-1002, 2003), Resolution No 451 of 19 April 2004 “On the Approval of the Rules for the Setting-up and Validation of State Information Systems” (Valstybės žinios (Official Gazette) No 58-2061, 2004), Resolution No 807 of 20 July 2005 “On the Approval of the Rules for Checking Security of Communications” (Valstybės žinios (Official Gazette) No 89-3341, 2005), and Resolution No 601 of 19 June 2006 “On the Approval of the State Strategy until 2008 for Security of Electronic Information Stored in Information Systems of State Institutions and the Plan of its Implementation Measures” (Valstybės žinios (Official Gazette) 70-2575, 2006):
25.1. Resolution No 952 of the Government of the Republic of Lithuania of 4 September 1997 provides for general requirements for data protection; the objective of such requirements is to allow safe automated processing of data in state registers and other information systems of the state. The Resolution lays down content-related requirements for security regulations of data systems, for the procedure of the safe handling of data, and for the description of detailed instructions and procedures regulating actions to be taken or the manner in which they are to be taken on a case-by-case basis or in a particular situation. Following the procedure established by laws, the Resolution defines responsibility of the system administrator for the data reliability, lawfulness of data administration, lawfulness of disclosure of data and data protection against unauthorised use. As this legal act does not have a clear statutory basis, institutions, which are independent of the Government (e.g. municipal institutions), have difficulty in applying it.
25.2. Resolution No 290 of the Government of the Republic of Lithuania of 5 March 2003 contains provisions relating to the control of confidential information stored in public computer networks and to the dissemination of restricted public information within these networks, also to the enforcement and control of compliance with such provisions. The procedure for the control of confidential information stored in public computer networks and the dissemination of restricted public information was drawn up on the basis of Decision No 276/1999/EC of the European Parliament and of the Council of 25 January 1999 adopting a multiannual Community action plan on promoting safer use of the Internet by combating illegal and harmful content on global networks. It gives the definition of „filtering tools“ which are defined as software retrieving desirable or blocking undesirable information on public computer networks according to the parameters set by the user. The abovementioned Resolution imposes liability for the content of Internet websites, and defines responsibilities of providers of information hosting services (persons actually providing hosting services in public computer networks) and providers of network services regarding the provision of information to operational investigators and withdrawal of access to information on the server as well as responsibilities of state institutions in the field of regulated relationship. The Constitutional Court of the Republic of Lithuania in its Ruling of 19 September 2005 (Valstybės žinios (Official Gazette) No 113-4131, 2005) has ruled that Resolution No 290 of the Government of the Republic of Lithuania of 5 March 2003 is  compatible with the Constitution of the Republic of Lithuania (Valstybės žinios (Official Gazette) No 33-1014, 1992); it held, however, that the current legal regulation by laws is too generic and does not sufficiently take into account the peculiarities of the Internet as a medium for spreading information, and therefore the legislator has a duty to regulate the relevant relations by means of a law and in a greater detail and to ensure that legislative activity does not lag behind the advancement of information technologies and the consequent developments in public relations.
25.3. Resolution No 451 of the Government of the Republic of Lithuania of 19 April 2004 governs the procedure for the setting-up and validation, reorganization and liquidation of information systems of the state (except state registers). The rules for the setting-up and validation of information systems of the state as approved by the said Resolution are applicable to information systems of ministries, Government institutions, institutions under ministries, other state institutions and agencies accountable to the Government of the Republic of Lithuania. They do not apply to information systems used for processing data that constitute a state or official secret.
25.4. Resolution No 807 of the Government of the Republic of Lithuania of 20 July 2005 lays down the checking procedures to be performed by the Data Protection Inspectorate to verify the compliance with the requirements for ensuring confidentiality of communication set in Article 63(1) of the Law of the Republic of Lithuania on Electronic Communications, and for documenting the findings. Confidentiality of communication is checked in order to assess how entities providing electronic communication networks and/or services ensure confidentiality of communication.
25.5. Resolution No 601 of the Government of the Republic of Lithuania of 19 June 2006 sets out the strategy of the State for safeguarding the security of electronic information stored in information systems of state institutions for the period until 2008 and its implementation measures, also the main principles, objectives and tasks to ensure security of electronic information and implementation of such principles, objectives and tasks in information systems managed by state institutions. The main objectives include the improvement of coordination and supervision of safety of electronic information; regulation, by means of legal acts, of safety of electronic information; promotion of the culture of safety of electronic information; advancement of safety of electronic information transmission infrastructure; promotion of implementation of projects aimed at ensuring safety of electronic information.
 
IV. ANALYSIS OF INEFFICIENCY OF LEGAL RULES BEING AMENDED AND REVOKED
 
26. Judging from legislation in the same area of public relations, described in Chapter III of this Conceptual Framework, it can be said that so far none of the laws of the Republic of Lithuania or secondary legislation regulate network and information security in a comprehensive and systematic manner, and that the existing legal acts do not ensure a thorough and coherent regulation of public relations in the field of network and information security and do not create conditions for enhancing consumer confidence in information society and for developing a safe information society. Only fragmentary regulation is provided for. Certain important issues are still outstanding, such as a lack of definitions, absence of a well-structured institutional set-up, no regulation of liability for activities which are not formally criminalized by the Criminal Code of the Republic of Lithuania (because a serious damage is not done), no detailed description of obligations of providers of electronic communication services and intermediate services of information society to take care of the security of their customers (some providers are not bound by such an obligation at all), absence of an investigation scheme for network and information security incidents, no regulation of network and information security in state and municipal systems  (network and information security in state and municipal systems is still regulated by secondary legislation, i.e. by resolutions of the Government of the Republic of Lithuania and ministerial orders), unclear regulatory scheme for the security of critical information infrastructure, absence of regulation concerning the assessment of network and information security.
27. Merely supplementing the Law of the Republic of Lithuania on Electronic Communications does not suffice for solving the problem of underregulation of network and information security for several reasons. Firstly, the proposed Law will cover a wider range of entities than the Law of the Republic of Lithuania on Electronic Communications does, to include providers of intermediate services of information society (the concept is defined in Chapter X of this Conceptual Framework). Secondly, the scope of the Law will include not only electronic communication networks, but also information systems. Thirdly, the Law of the Republic of Lithuania on Electronic Communications does not regulate relations related to the content of information transmitted via electronic communication networks, although network and information security is partly related to this field as well, e.g. it is necessary to regulate such issues as the creation and use of a harmful software code.
28. To ensure network and information security, integrated regulation is necessary, as information systems may be used for various activities which restrict access to services and cause inconveniences (such as spam) for other persons and bring financial losses to the providers of those services, including criminal activities, such as thefts from electronic bank accounts and loss of other data causing considerable financial losses to their legitimate possessors, etc. The activities criminalized by the Criminal Code of the Republic of Lithuania in the computer-related area are of specific criminal nature; therefore, most of them must have specific consequences, i.e. cause serious damage. However, laws do not yet prohibit activities, which are not so much dangerous within the meaning of criminal law as to carry other types of liability for perpetrators.
29. The proposed Law is intended to fill in the abovementioned regulatory gaps and define the prohibited activities in the field of network and information security (e.g. dissemination of a harmful software code), as well as amend the Code of Administrative Offences of the Republic of Lithuania accordingly, by adding new provisions imposing liability for illegal activities in the field of network and information security.
30. The Law will grant market supervision functions in the field of network and information security to one authority, i.e. the Communications Regulatory Authority, and clearly define the scope of competences and powers of this Authority, including the function of ensuring, in cooperation with other authorities acting pursuant to laws regulating their activity and competence in the field of network and information security, a high level of network and information security in Lithuania.
31. As already stated in paragraph 18 of this Conceptual Framework, in order to ensure a more efficient regulatory scheme in the field of network and information security, the competences of relevant authorities must be clearly defined.
32. The Law will lay down general requirements for network and information security, which will ensure consumer interests in the information society. The Law will also define providers’ rights and obligations for ensuring network and information security, e.g. the obligation to filter harmful software codes and block harmful addresses in e-mail systems without affecting the privacy of natural persons (taking into consideration the recommendations provided in the Opinion 2/2006 of 21 February 2006 of the Article 29 of the Directive 95/46/EC on Data Protection Working Party on privacy issues relating to the provision of email screening services), which is not regulated at the moment.
33. The Law will also provide for an investigation scheme for network and information security incidents and create the conditions to prevent the spread of network and information security incidents by temporarily restricting access to services or networks for the sources of network and information security incidents and by imposing other sanctions.
34. The Law will regulate the fields of audit of network and information security and assessments of hardware and software security, which have not been regulated by any other legal acts yet. The Law is aimed not at replacing network and information security audit performed in the market, but at introducing a system for ensuring higher reliability, which will be applied to critical information infrastructures and to state and municipal information systems specified by the Government of the Republic of Lithuania or, on a voluntary basis, to any other market players.
35. Currently no law regulates network and information security of critical information infrastructures. The proposed Law will fill in this regulatory gap by setting forth the basic principles for ensuring network and information security of the critical information systems, identifying the entities (the Government of the Republic of Lithuania or an institution authorised by it) having the right to draw up a list of critical information infrastructures, identifying the entities having the right to submit proposals regarding the drawing-up, amending or supplementing such a list, and designating authorities exercising the supervisory function.
 
V. OVERVIEW OF LAWMAKING IN FOREIGN COUNTRIES
 
36. The practice of regulation of network and information security in foreign countries is not abundant as most of the countries are still in the process of developing the regulatory scheme in this area.
37. For instance, Finland has a Law on the Protection of Privacy in Electronic Communications which came into force on 1 September 2004 and whose objective is to ensure confidentiality and protect privacy in electronic communications, strengthen network and information security, and improve electronic communication services. Taking into consideration the principle of technological neutrality, the abovementioned Law empowers the Electronic Communications Regulator of Finland, FICORA, to approve secondary legislation according to relevant network and information security categories and services. Mention should be made of the requirement for e-mail service providers to fight against spam, also the requirement to provide the unit in charge of investigating network and information security incidents with any information on network and information security incidents, and other.
38. General overview of lawmaking practices in foreign countries in the field of network and information security reveals that regulation is fragmentary. Many foreign countries, in particular European Union Member States, are concerned about the necessity to draw up a single national legal act to regulate network and information security (such a law is currently being drafted by Belgium).
 
VI. ANALYSIS OF RULES AND PRINCIPLES OF INTERNATIONAL LAW AND EUROPEAN UNION LAW
 
39. The European Union legislation provides for relevant obligations while increasing the level of network and information security both on national and international level:
39.1. On 22 January 2004, the Convention on Cybercrimes (the Budapest Convention) was adopted, and ratified by the Law of the Republic of Lithuania on the Ratification of the Convention on Cybercrimes. As already mentioned in Chapter II of this Conceptual Framework, the provisions of this Convention have already been transposed to the Criminal Code of the Republic of Lithuania.
39.2. On 24 February 2005, the Council Framework Decision 2005/222/JHA on attacks against information systems was adopted (OJ 2005, L 069, p. 67). The proposed Law will stipulate that the Police Department under the Ministry of the Interior shall organize and coordinate the disclosure and investigation of criminal activities related to network and information security, and ensure the implementation of functions provided for in Article 35 of the Convention on Cybercrimes done at Budapest on 23 November 2001, and Article 11 of the Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems.
39.3. Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency provides for the establishment of the European Network and Information Security Agency (ENISA) and the mechanism for communication and the exchange of information between Member States in the area of network and information security. The proposed Law will enforce the right of the Communications Regulatory Authority to participate in the activities of the European Network and Information Security Agency (ENISA) and to ensure the exchange of information related to those activities between this Agency and the relevant authorities of the Republic of Lithuania. The Communications Regulatory Authority is already actively engaged in the activities of the European Network and Information Security Agency (ENISA), as part of performing its own functions under paragraph 8.24 of the Regulations of the Communications Regulatory Authority as approved by Resolution No 1029 of the Government of the Republic of Lithuania of 19 August 2004 (Valstybės žinios (Official Gazette) No 131-4734, 2004), and the Law will provide the legal basis for those activities.
39.4. Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (“Directive on electronic commerce”) (OJ 2004 Special edition Chapter 13 Volume 25 p. 399). The objective of the Directive is to lay down clear general principles to cover certain legal aspects of electronic commerce in the internal market, and to create a legal framework ensuring free movement of information society services between the European Union Member States. The Directive defines its scope and concepts related to information society services, and the internal market; lays down certain principles related to the provision of information society services, and requirements for information and commercial communications related to information society services, as well as requirements for sending unsolicited commercial communications; regulates the professions; imposes the obligation on the European Union Member States to ensure non-discrimination of the electronic form in the national legislation; defines liability of intermediate service providers; and covers the issue of implementation of this Directive. As the proposed Law and the Law of the Republic of Lithuania on Information Society Services implementing the Directive will regulate the activities of the same entities, it is appropriate to provide that this regulation shall be done by one single authority, thus ensuring a coherent, single and robust market regulation mechanism.
39.5. It is noted in the Preamble of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ 2004 Special edition Chapter 13 Volume 29 p. 514) transposed by the Law of the Republic of Lithuania on Electronic Communications, that for public communication networks, specific legal, regulatory and technical provisions should be adopted to protect fundamental rights and freedoms of natural persons and legitimate interests of legal persons, in particular with regard to the increasing capacity for automated storage and processing of data relating to subscribers and users. One of the areas of regulation of this Directive is the safeguarding of security of services and networks, covered in Article 4. The Directive on privacy and electronic communications lays down the obligation for the provider of the publicly available electronic communication services to take appropriate technical and organizational measures to safeguard security of its services, if necessary in conjunction with the provider of the public communication network, to ensure the security of network itself. The Preamble also states that the requirement to inform subscribers of particular security risks does not discharge a service provider from the obligation to take, at its own costs, appropriate and immediate measures to remedy any new, unforeseen security risks and restore the normal security level of the service. It also states that service providers who offer publicly available electronic communication services over the Internet should inform users and subscribers of measures they can take to protect the security of their communications (e.g. by using specific types of software or encryption technologies).
39.6. The Council in its Resolution of 28 January 2002 on a common approach and specific actions in the area of network and information security has stated that it is necessary to increase, at a national level, the society’s awareness of the potential risks in the field of network and information security and of the means of elimination of such risks. The Law will delegate the task of coordinating public awareness-raising activities in the field of network and information security to the Communications Regulatory Authority.
39.7. The guidelines of the Organization for Economic Cooperation and Development on network and information security highlight the importance of network and information security. One of the main objectives is to increase, in cooperation with all interested parties, the level of network and information security. The Council in its Recommendation of 25 July 2002 relating to those guidelines has encouraged European Union Member States to adopt new strategies (or modify the existing ones) for the purpose of elevating the culture of network and information security.
 
VII. MAIN PROVISIONS FOR REGULATING PUBLIC RELATIONS
 
40. The regulatory system of network and information security is based on certain principles, the most important of which are the following:
40.1. Institutional cooperation: considering that the regulation of network and information security is integrated, it is important to ensure that competent authorities cooperate in an effective and speedy manner, and, most importantly, that any issues concerning network and information security are handled effectively by a concerted effort of the authorities concerned. For this purpose the Law provides for the setting-up of a commission to be formed of representatives of different institutions.
40.2. Minimum regulation: regulation must protect the interests of consumers and other users of services and ensure confidence within the information society, but not restrict the activities of service providers or other market players more than necessary for the achievement of these objectives.
40.3. Legal certainty in a changing market: for undertakings to be able to make investment decisions with confidence, regulation must be stable and transparent. However, it must also be flexible and allow market developments and new technologies to be taken into account.
40.4. Technological neutrality: regulation may neither encourage nor obstruct the use of any specific technology or service; whatever technology is used for the provision of network or services, the network and information security must only be regulated.
40.5. Agreement on regulation: regulation may be a subject of an agreement on a global, regional or national level, but it shall be applied (inasmuch as it is practically feasible) as close to the activity as possible. In accordance with this principle:
40.5.1. an independent national regulatory authority shall be responsible for the achievement of national objectives;
40.5.2. in order to avoid the fragmentary nature of regulation, there must be a coordination of actions of state institutions;
40.5.3. regulation must comply, as far as possible, with international and regional legal acts, regulatory practice and existing customs.
41. The Law will introduce the following regulatory novelties:
41.1. define concepts in the area of network and information security, which have not been used in the legislation of the Republic of Lithuania yet;
41.2. provide for a clear institutional set-up and the distribution of functions;
41.3. lay down obligations of providers to ensure network and information security, which have not been regulated yet;
41.4. clearly define the investigation of network and information security incidents and provide for the means for their prevention; the investigation of network and information security incidents will not duplicate investigations of illicit activities carried out pursuant to the relevant provisions of the Code of Criminal Procedure of the Republic of Lithuania and the Code of Administrative Offences of the Republic of Lithuania;
41.5. lay down the procedures and conditions for determining network and information security requirements to be applicable on a voluntary basis;
41.6. clearly regulate the task of ensuring security of state and municipal network and information systems;
41.7. set up the system for ensuring security of critical information infrastructures;
41.8. contain the provisions concerning the right to audit network and information security and lay down the conditions for assessing hardware and software security.
 
 
VIII. POSSIBLE EFFECTS OF THE PROPOSED LEGAL REGULATION
 
42. The Law will create conditions to protect users, undertakings, state and municipal institutions and agencies against potential threats arising from the use of information services. The Law will clearly regulate competences of each responsible authority in the area of network and information security, and will facilitate effective cooperation and speedy and accurate investigation of network and information security incidents.
43. No adverse effects of the proposed legal regulation are envisaged.
 
IX. FINANCIAL AND ECONOMIC JUSTIFICATION
 
44. The Government of the Republic of Lithuania, institutions authorised by it (the Ministry of Transport and Communications and the Ministry of the Interior), and the Communications Regulatory Authority shall be charged with the task of implementing the Law. The Communications Regulatory Authority will be financed in the manner provided for in the Law of the Republic of Lithuania on Electronic Communications. No new authorities will be established. The drafting and implementation of the Law will not require any additional public funds.
 
X. PROPOSED STRUCTURE OF THE LAW
 
45. The Law will have the following 7 sections:
Section One. General provisions.
Section Two. The system for the formation and regulation of policy and strategy in the area of network and information security.
Section Three. General requirements for network and information security.
Section Four. Network and information security of state and municipal institutions and of critical information infrastructures.
Section Five. Audit of network and information security and assessment of hardware and software security.
Section Six. Receipt of information and monitoring of compliance with the Law.
Section Seven. Final provisions.
Section One of the Law will define the subject-matter and the purpose of the Law, as well as its application, regulatory principles (principally corresponding to those laid down in Article 2 of the Law of the Republic of Lithuania on Electronic Communications), and objectives. Section One will define the following concepts:
Electronic data means any facts, information or concepts presented in a form suitable for processing in an information system, including a program suitable to cause the information system to perform a function.
Intermediate services of information society means information society services, which totally or partially consist of the transmission of information provided by a user, via an electronic communication network, of the provision of a possibility to use the electronic communication network, or of the storage of information provided by a user.
Information system means any device or a group of interconnected or related devices, one or more of which perform automated processing of electronic data using a program, also in which electronic data is stored or processed or from which electronic data is retrieved or via which electronic data is transmitted with the purpose of processing, use, protection or monitoring. 
Network and information security means the ability of an electronic communication network and information system to resist, at a given level of confidence, accidental events or actions that compromise or may compromise the availability, authenticity, integrity or confidentiality of electronic data stored, processed or transmitted via the information system or electronic communication network, or of the related services offered by or accessible via that information system or electronic communication network, including the ability to block the transmission of e-mail messages sent for direct marketing purposes without a prior consent of the subscriber.
Harmful software means a software code (or a part of it) designed for/facilitating illegal connection to information systems or electronic communication network, for disruption or transformation of operation (including the interception of management) of the information system or electronic communication network, for destruction, damaging, removal or alteration of electronic data, for deprivation or restriction of access to electronic data, or for allowing non-public electronic data to be misappropriated, disseminated, published, distributed or used otherwise.
Critical information infrastructure means an electronic communication network, an information system or a group of information systems, the illegal connection or facilitation of illegal connection to which, the illegal disruption or transformation of which, the destruction, damaging, removal or alteration of or the deprivation or restriction of access to the electronic data stored or processed in or retrieved from or transmitted via which, compromises or may compromise national security, national economy or society’s welfare.
Audit of network and information security means the evaluation of the conformity of electronic communication network and/or information system to the compulsory, applicable and/or declared requirements of network and information security and/or the assessment of the security of the electronic communication network and/or of information system networks and information.
Network and information security incident means any event, action or omission, which causes/facilitates or may cause/facilitate an illegal connection to the information system or electronic communication network, disrupt or transform (including the interception of management) the operation of the information system or electronic communication network, destruct, damage, remove or alter electronic data, deprive or restrict access to the electronic data, also allow the misappropriation, dissemination, publication, distribution or any other use of non-public electronic data and the sending of e-mail messages for direct marketing purpose without a prior consent of the subscriber.
Network and information security management rules means the totality of documents laying down technical and organizational measures for ensuring network and information security.
Provider means an undertaking providing public communication networks, public electronic communication services or intermediate services of information society via the public communication network.
Other concepts to be used in this Law shall have the meanings defined in the Law of the Republic of Lithuania on Electronic Communications and other legal acts.
Section Two will lay down the institutional set-up for the regulation of network and information security and identify the main authorities: the Government of the Republic of Lithuania, institutions authorised by it (the Ministry of Transport and Communications and the Ministry of the Interior), and the Communications Regulatory Authority. In the institutional set-up, political and regulatory functions will be separated, with political functions being assigned to the Government of the Republic of Lithuania and the institutions authorised by it (the Ministry of Transport and Communications, and the Ministry of the Interior), and the function of regulating market monitoring being assigned to the Communications Regulatory Authority. In order to establish a clear institutional framework for administration of network and information security, the Law will define functions of other authorities (such as the Police Department under the Ministry of the Interior) in the field of network and information security, and lay down the guidelines for institutional and international cooperation. This Section will also lay down the principles of application of standardisation documents concerning network and information security.
Section Three will lay down general requirements concerning network and information security, define illegal activities in the area of network and information security, lay down the providers’ (undertakings providing public communication networks, public electronic communication services or intermediate services of information society, via public networks) rights and obligations concerning network and information security. It will contain provisions about the maintenance and monitoring of network and information security and investigations of network and information security incidents. For this purpose the Communications Regulatory Authority will coordinate activities of the investigation group for network and information security incidents; provisions about voluntary application of network and information security requirements will by laid down, etc.
Section Four will deal with ensuring, controlling and maintaining network and information security in state and municipal institutions and of critical information infrastructures. Section Four will serve the purpose of regulating, by a law, security of state and municipal networks and information, which has already been defined in sufficient detail, and facilitating the regulation of security of critical information infrastructures, obligations of state and municipal institutions, possible means of secure transmission of data and provision of public services.
Section Five will regulate network and information security audit, principles and requirements for certified auditors of network and information security, and assessments of hardware and software security.
Section Six will lay down the procedures and conditions for monitoring the compliance with the Law, to ensure its implementation.
Section Seven will set the date of entry into force and implementation of the Law.
 
XI. LEGAL ACTS TO BE AMENDED OR REPEALED
 
46. For the purpose of implementing the Law, the following legal acts shall be amended:
The Law of the Republic of Lithuania on Electronic Communications;
The Code of Administrative Offences of the Republic of Lithuania.
47. The Government of the Republic of Lithuania or institutions authorised by it shall, within their competence, amend the legal acts to be compatible with the Law and its implementation.
 
 
––––––––––––––––