Executive Summary
The Lithuanian Cyber Defence Command (LTCYBERCOM) has been operational since 1 January 2025, with a Signal Battalion added on 3 June 2025 (sources: kam.lt; thedefensepost.com 2025-01-07). Its public mandate is defensive — protecting Lithuanian networks, communications systems, and the electromagnetic spectrum. It has no announced offensive component. Allied cyber operations show what that gap costs in a real campaign. On 11 March 2026, US Cyber Command contributed to Operation Epic Fury against Iran: a tool called Stryker, pushed through a stolen Microsoft Intune administrator account, wiped more than 200,000 devices across 79 countries (Nextgov 2026-03; CSIS). On 29-30 December 2025, Russian state hackers (the group known as Sandworm) destroyed the digital systems running two Polish power stations by stealing the certificates that authenticate utility networks. Lithuania currently has no equivalent capability to offer the alliance, and no tool of its own to impose costs in cyber when an adversary targets Lithuanian critical infrastructure. This is a gap Lithuania must close on Lithuanian terms, and the path forward is not obvious. A new offensive-effects branch raises questions of statutory authority (the lead role belongs at the Antrasis operatyvinių tarnybų departamentas, the military-intelligence body known as AOTD, with LTCYBERCOM as operational integrator and the National Cyber Security Centre, NKSC, in its existing defensive role), of legal doctrine (peacetime espionage is permitted under Tallinn Manual 2.0; destructive attacks require a crisis trigger and allied cover under the rules on countermeasures and use of force), and of cost (peer benchmark suggests €80-120M over four years, with a 10-year lifecycle of €200-300M, roughly three times the figure circulated in earlier drafts). The recommended next step is a cross-government working group — AOTD, LTCYBERCOM, NKSC, the Ministry of Justice, and the Seimas National Security and Defence Committee — that maps statutory authority, allied integration under the Macron Île Longue framework and the Treaty of Nancy, and the budget envelope, and reports back with a phased pilot proposal.
The Problem
Russia conducts continuous cyber operations against NATO members, ranging from espionage to preparation for destructive attacks. The Sandworm group (also tracked as GRU Unit 74455) destroyed the digital systems running two Polish combined heat-and-power stations on 29-30 December 2025 by stealing the certificates that authenticate government and utility networks (the same group behind NotPetya in 2017 and the 2018 PyeongChang Olympics sabotage). The APT29 group (also known as Cozy Bear) routinely targets the kind of small, specialised unit Lithuania would have to stand up — its operators, their families, the cyber-range tools they would train on. A cyber attack of this kind typically comes before a missile strike; Lithuania's digital government, parliament, and energy systems run on the same kind of infrastructure that Sandworm hit in Poland.
LTCYBERCOM has been operational since 1 January 2025 as a defensive command. Lithuania can defend its own networks; it cannot impose a cost in cyber when its networks are attacked, and it cannot contribute named offensive cyber effects to an allied operation. The legal lead for offensive cyber under Lithuanian law is AOTD (the military-intelligence and signals-intelligence body), with LTCYBERCOM as the operational integrator under National Command Authority and NKSC remaining the defensive coordinator — earlier drafts that placed NKSC in the offensive lead were incorrect. The 2026 Lithuanian defence budget is €4.79 billion (5.38% of GDP), of which roughly €1.7 billion is the weapons envelope; an offensive cyber branch sized to peer benchmarks would draw 1.5-2.5% of that envelope, comparable to Belgium's Cyber Command setup at 3.1% of its defence budget.
Without action: A purely defensive cyber posture leaves Lithuania reliant on allied effects for any cost imposition in the cyber domain. The Macron Île Longue speech on 2 March 2026 named Germany, Poland, the Netherlands, Belgium, Greece, Sweden, Denmark, and the United Kingdom (Northwood) as observers and anchor; the Baltic states are absent from that list, not explicitly excluded. The Treaty of Nancy, signed Poland-France on 9 May 2025, with its first follow-up at the Tusk-Macron Gdansk meeting on 20 April 2026, has not been extended to Lithuania. A named Lithuanian offensive cyber contribution under NATO's Sovereign Cyber Effects Provided Voluntarily by Allies (SCEPVA) framework is one of the few routes by which Lithuania can offer the same coalition something it cannot get elsewhere.
Lithuanian Context
Lithuanian doctrine should distinguish two regimes in plain language. In peacetime, the Tallinn Manual 2.0 (the international-law reference Lithuania endorses through the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, CCDCOE) permits espionage and access development inside an adversary's networks under sovereignty constraints (Rule 4 and related rules); destructive attacks are not permitted. In a crisis or armed conflict, destructive cyber attacks become available under the rules on countermeasures (Rules 20-26) and use of force (Rule 69), and only with allied cover under the SCEPVA framework or in self-defence under Article 51 of the United Nations Charter. The non-duplication rule with Estonia is to be respected: Tallinn leads on cyber doctrine through CCDCOE; a Lithuanian branch contributes offensive effects, not parallel doctrine. An earlier proposal to integrate civilian hacktivists in the Ukrainian style is not appropriate at Lithuanian scale — Lithuanian internet space is small and traceable, and hacktivist blending burns state attribution and gives Russia a ready-made false-flag template.