Cybersecurity 18 January, 2018 11:00 am   
COMMENTS: Mateusz Gibała

Wandering in the darkness. Cyber security following reconstruction

Cyber security is unfortunate in Poland. For a long time now, there has been friction between various state institutions. As a result, new visions emerge, but there are few concrete actions. The government’s reconstruction can help, but so far, the list of pressing problems is only growing.

It is difficult to reconcile different visions of cyber security. This is partly due to the fact that cases with little in common are handled together. One thing is the fight against propaganda on the Internet, another thing is the protection of physical infrastructure such as fibre optics, and yet another is the fight against hacking attacks. Added to this is “ordinary” cyber crime, such as theft of money or personal data. It is difficult to imagine that one institution would be responsible for all these tasks.

A dispute over ideas

Therefore, according to experts, taking the lead in this matter by the Ministry of Digitization is not the most fortunate idea.

From a practical point of view, it is worthwhile to think about separating digitisation from cyber security – as estimated by Colonel Grzegorz Małecki, formerly the head of the Intelligence Agency, and now an expert of the Kazimierz Pułaski Foundation.

– Managing them within a single ministry is not the most fortunate solution. Unfortunately, this has been linked in our country. This is the same digital space, but the tasks are different. The role of the system administrator is different, and so is the role of a security inspector. You cannot be a creator and a material at the same time. Cyber security is an interdisciplinary issue and its management should be carried out from a supra-ministerial level, from the Prime Minister’s level – as he claims.

One of the problems of Polish cyber security is an excessive lack of ideas for the implementation of activities in this field. At least eight documents have been produced over the last decade as a basis for creating a coherent strategy. In practice, none of them has fulfilled this task. The latest such study, the National Cyber Security Policy Framework of the Republic of Poland, was adopted by the government in May last year. Although it presents a fairly bold vision, there is still a lack of specificity about even a clear definition of the competences of individual institutions and, above all, about the budget allocated to cyber security. This is to be specified in the following documents. For the time being, the most important declaration is “ultimately it is necessary to establish within the framework of the state budget a Multiannual Programme dedicated to the construction and development of projects in the area of cyber security”.

Cyber Security Act

It is also not yet known when a law on the national cyber security system will be adopted, i.e. a document to serve as a basis for organising the entire defence system against threats from the network. Its draft is already available, but the responsible Ministry of Digitization is undergoing reorganisation. Anna Streżyńska, its former head, was outside the government and, according to RMF FM, Marek Zagórski, formerly Secretary of State at the Ministry of Digitization, is temporarily responsible for the ministry.

The ministry itself will probably not be liquidated – as suggested by Streżyńska before her resignation – but the key decisions related to the ministry’s activity will be taken not by its head, but by the Prime Minister. Therefore, it is not clear who will now be responsible for the act. According to government parties, a few days ago the project started to be evaluated by individual ministries, so it will take some time before it reaches the Sejm.

In addition, it is possible that the project will be substantially modified. The list of charges against it is long. It was criticized by the Ministry of Defence under Antoni Macierewicz. First of all, the Ministry demanded an increase in its role in cyber defence at the expense of the Ministry of Digitization. Mariusz Błaszczak, the then Minister of Interior and now the head of MON, also reported allegations against the project. It is unlikely that he would change his earlier opinion, all the more so as the Head of the Ministry of Internal Affairs and Administration has already been showing his ambition to take over at least some of the cyber-security-related tasks. It seems that Błaszczak is winning so far in the dispute concerning cyber security. However, there is not enough time since the reconstruction to be able to clearly assess which institution will play a major cyber-security role.

Cyber defence in military terms

It is not impossible that Błaszczak, as the head of the Ministry of National Defence, will simply continue his predecessor’s work. Antoni Macierewicz, as a Defence Minister, did not hide his cyber security ambitions. In September last year, during the CyberSec conference in Krakow, the Minister of Defence announced that he would allocate PLN 2 billion for the creation of a “office for organizing the Polish military effort of Polish cyber soldiers.”

– If Poland is to be safe from cyber threats, the Ministry of National Defence must remain the centre of gravity of the entire cyber security system – as he said. In this statement we can see the essence of the dispute over the cyber-security vision – while the current head of the Ministry of National Defence emphasized the importance of uniformed services in this respect, Anna Streżyńska paid attention to the protection not only of state institutions, but also of the citizens.

– (It is) a conflict about principles, about the basis of the cyber-security approach, which has two facets, military and civil – as she said in an interview with Radio ZET. – There are many tasks related to the protection of the average citizen, which will simply never be carried out by the Ministry of National Defence – she said.

Need for money and specialists

The reconstruction also put into question the operation of a special cyber security unit, whose creation was announced four months ago by Beata Szydło. The institution was to advise the Prime Minister on new risks. It was managed by Paweł Szefernaker, who according to PAP information will probably be sent to the Ministry of National Defence as Deputy Minister. It is not clear whether anyone will take over his tasks and whether Prime Minister Morawiecki is going to develop this office at all.

Poland’s specific problems are also compounded by those faced by all countries. It is a lack of cyber security specialists. The situation is dramatic. According to a study commissioned by Intel Security, in two years’ time about 15% of the positions related to this IT area will be vacant. – Polish specialists are good, but there are not enough of them. Each country complains about an insufficient number of experts in this field, but the level of deficiencies in Poland is incomparable. We must not be too impressed by the fact that our computer scientists are valued in the world, because this fact does not solve our problems – says Małecki.