The Latvian Cybersecurity Strategy 2014-2018 was published in 2014.
The strategy sets five priority objectives and related actions to achieve them.
Obj. 1 - Governance and Resources of Cyber Security defined by a governance model Improved coordination, implementation and evaluation within the framework of the National Information Technology Security Council, government, the public, and private sector. Increase cyber defence capacities. Allocate resources for improved operational capacities. Ensure information exchange on cyber threats and best practices amongst businesses. Implement risk assessments at national level. Promote standards and practices on cyber security to the public and private sector, including training. Provide training programmes for staff and IT security managers working in state administration. Establish minimum security requirements along with responsibilities for implementation and penalties for non-compliance. Organise audits and security testing. Define a procedure for reporting implementation of IT security measures to competent authorities. Improve co-operation between local and regional government to improve security management in public administration.
Obj. 2 - Rule of Law in cyber space and reduction of Cyber Crime. Assess current laws and regulations governing the IT sector. Identify the need for amendments, including penalties for damage caused by malicious activities. Define and classify emerging cybercrime in a unified way across the police and judiciary.
Obj. 3 - Preparedness and capacity to act in a Crisis. Review the capacities of NAF and Cyber Defence Unit and take any necessary steps to ensure they are fit for purpose. Provide regular theoretical and practical training. Develop the regional and international co-operation, including training.
Obj. 4 - Awareness raising, education and research. Increase competences of teaching and training staff to raise awareness about cyber security, including among children and youth. Develop academic studies and research on cyber security. Establish an IT security lab and organise scientific conferences on cyber security. Leverage international informative initiatives and use the EU Cyber Security Month and eSkills Week to increase awareness. Promote innovation in cyber security.
Obj. 5 - International cooperation. Strengthen co-operation with Baltic and Nordic countries with bigger focus on cyber security. Improve co-operation with NATO, EU, OSCE and the UN. Organise international events on cyber security in Latvia on a regular basis. Develop and test national procedures in the event of a cyber threat drawing on the Memorandum of Understanding with NATO and its Cyber Defence Concept and Action Plan.
NATIONAL CYBERSECURITY STRATEGY - NIS Capacities
|Year of adoption||2014 for the years 2014-2018|
|Updates and revisions||
Latvia's Presidency of the EU Council in 2015 was considered an opportunity to gain in-depth insight into the current cyber security and defence situation in the EU and individual member states, and to develop a common policy.
Priorities defined for Latvia included continuing work on the first legal framework on cyber security at EU level - the Network and Information Security (NIS) Directive and increasing awareness of cyber security across all sectors of society.
Latvia has also been active in discussions with other countries at events in Brussels and Riga to help define actions to address significant cyber security issues that persist.
|Implementation and monitoring||
The National Information Technology Security Council determines the development of cyber security policy at a national level: the development of cyber security policy and planning and implementation of objectives and measures. It is the central national authority for the exchange of information and co-operation between the public and private sectors.
The centralised model used for implementation and monitoring involves different government departments and national entities.
Implementation and monitoring also falls under objective 1 of the strategy: improve mechanisms of implementation and monitoring of security requirements for electronic communication operations.
|Operational capacity building||
The Latvian Computer Emergency Response Team - CERT.LV (Latvian: https://cert.lv/lv; English: cert.lv/en) is responsible for monitoring and analysing developments in cyberspace, reacting to incidents and coordinating incident prevention. It also carries out reseach, organises educational events and training, and also supervises the implementation of obligations defined in the Law on Security Information.
Under the strategy, CERT.LV is expected to develop resources with the public and private sectors for collecting intelligence on incidents for analysis and evaluation. The strategy also calls for improving CERT.LV's ability to observe, analyse and prevent IT security incidents; co-operate with NATO and EU partners on information exchange; develop CERT.LV resources and competences to perform centralised security tests.
The strategy also calls for improved coordination between the owners of critical infrastructures, CERT.LV and state institutions dealing with security. The goal is to improve the exchange of information and experiences about cyber incidents.
From a legal perspective, implementing the strategy requires assessing and building on existing capacities in cybercrime investigations, including improved co-operation with CERT.LV.
CERT.LV is a member of the international forum on cyber security, FIRST, and accredited by Trusted Introducer.
Specific legislation and regulation related to cyber security has been enacted through the following instruments. However, the 2014-2018 strategy highlights the need for a review of current legislation and the establish of new laws fit for purpose.
Law On the Security of Information Technologies - 2010 (English).
Guidelines for the Development of Information Society in 2014–2020 - 2013 (English)
Guidelines for the Electronic Communication Policy in 2011–2016 - 2011 (English)
Businesses and Public Private Partnerships
In 2013 the Ministry of Defence invited the private sector to develop closer co-operation by forming a dedicated Cyber Defence Unit in the National Guard. The main function of the unit is to provide a support to the institution dealing with information technology security incident response CERT.LV and the units of Armed Forces to prevent information technology security incidents in conflict situations in case the resources of CERT.LV are insufficient.
|Other measures||The Latvian and Estonian Ministries of Defence have launched an initiative to develop and implement cyber hygiene. Austria, Finland, Lithuania, the Netherlands, Poland and the EU institutions are also part of the initiative. In practice, employees of various establishments will follow an interactive step-by-step programme that explains and teaches the basics of cyber security in everyday work with information technologies.|
|Overall assessment||CERT.LV has developed information technology security recommendations for state and local government authorities; it also has produced some activity reports which suffice as the officially recognised national or sector-specific research and development (R&D) programs/projecsts for cyber security standards, best practices and guidelines to be applied in either the private or the public sector. However, it needs to step up efforts on legislation and on demonstrating its operational capacity.|
|Date of last WISER analysis||July 2017|
Compliance with the GDPR and NIS Directive: Report a cyber incident
|Report a cyber incident to national CERT/CSIRT||
|Guidance and Updates||
CERT.LV provides information about different cyber incidents, cert.lv/en/incidents, and their priority status.
Most of its news update focus on cyber security events.
|Languages||Latvian and English|
|Date of last WISER analysis||July 2017|