Gradually and then suddenly: the effects of Russia’s attacks on the evolution of cybersecurity policy in Lithuania

Abstract

ABSTRACT This article examines how public policy, governance and institutional structures have been established and transformed in response to cyberattacks attributed to Russia that focused political attention in Lithuania. It argues that, despite the growing number of cyberattacks, political and institutional change has initially been slow and it has taken a decade to establish an adequate legal and institutional framework. The reasons for such a slow change are analysed, highlighting limited capacity (lack of understanding of cybersecurity by policy-makers and the lack of attention and other resources allocated to it), institutional fragmentation and coordination problems. It was only after Russia’s aggression against Ukraine in 2014 that cybersecurity policy started to be seen through the prism of national security and parliamentary elections created a window of opportunity for change, which resulted in significant policy transformation in 2017–2018. Interestingly, since then it remained relatively stable, even after Russia’s large scale war against Ukraine in 2022, which had only led to operational cybersecurity policy changes in Lithuania. The article contributes to the debates on the role of external shocks on policy change and the mediating factors which can slow down or facilitate change.