
IT security

January 25, 2011

The law was passed in October 2010 in the wake of a major security breach of online financial and tax records from the State Revenue Service. The legislation also creates a new Cyber-Security Response Agency.

Latvia's new law is in reaction to a major breach in 2010. Image: Bilderbox

Nearly one year ago, Latvia was hit by a major security breach at the Latvian State Revenue Service.

A hacker, working under the name "Neo," illegally downloaded 7.4 million documents from the electronic declaration system of the State Revenue Service by finding a major flaw in the way the documents were stored online.

The documents were then leaked to the media and exposed that many Latvian bankers did not take the salary cuts that they had promised and that other state-owned companies awarded bonuses to executives while asking for financial help from the state.

By October, the Latvian parliament passed a new IT security law, which will take effect on February 1, 2011. This marks the first legislation in this Baltic nation that puts a new IT security head at the top of every state institution.

Stricter regulation

Online records were taken from the State Revenue Service website. Image: Gederts Gelzis

This official will also have to check the systems for any vulnerability to threats by hackers and viruses at least once a year and make sure that no files are lost in case of emergency or natural disaster.

"We will establish the minimal standards for every state and every local government institution in IT security," said Māris Andžāns, the head of the Consultative Council on Security of Electronic Communications and IT, and one of the officials involved in drafting the legislation.

He adds that while the country has fire safety rules, there have been no such laws for the use of digital information.

To ensure that officials follow the rules, two existing computer security prevention institutions will be merged into a new Cyber-Security Response Agency.

The agency will also start operations in February and will consist of eight IT experts who will keep an eye on the overall situation of IT security and advise public sector workers about data protection.

Careless data security

Months after the February 2010 breach, it turned out that the man behind the alias Neo was Ilmārs Poikāns, a researcher at the Artificial Intelligence Laboratory at the Institute of Mathematics and Computer Science in Riga.

He criticized the State Revenue Service for not carrying out appropriate security audits.

"There was a [web address] and there wasn’t any security check," said Ilmārs Poikāns. By changing the ID at the end of the State Revenue Service web address, he could access the documents.

Ilmārs Poikāns, aka "Neo," said it was fairly easy for him to access the online financial records. Image: Ilmars Znotins

"Basically anybody from Internet by writing direct URL could access that data. So, it was a very big hole," he added.

He is convinced that Latvian authorities don’t demonstrate a serious attitude towards computer security audits – they just tend to "check-off" that it is done.

The State Revenue Service fixed the security hole after the incident and established a special IT security manager at the institution.

But Agnese Grīnerga, the spokesperson for the State Revenue Service, said that there’s no guarantee that such cases will not occur again.

"The professional security audits are provided by outsourcing companies for our institution and, therefore, it requires considerable financial resources," she said.

"We have more than 60 IT systems and we simply can’t afford to inspect all of them every year."

No technical solution is 100 percent bulletproof

Some Latvian IT experts believe that the new law is a big step toward at least trying to ensure that the government does a better job of protecting private data. But it will take months or even years until the effectiveness of the new rules can be evaluated.

"You can never be 100 percent safe about your data because one of the factors - aside from the various technical devices to protect - is the human factor," said Juris Kaža, a Latvian tech journalist.

"You don’t want those people to tell things to friends that are not really friends while they’re out drinking and that sort of thing."

Author: Ģederts Ģelzis, Riga
Editor: Cyrus Farivar