Poland is one of the European countries, if not the country, that invests the most in defense. The same can be said about cyber security?
Yes. However, there are different levels of investment, but we actually started building our cyber army. It was decided three years ago and now we see ourselves as a country with very advanced cyber defense capabilities. And we are also recognized as one of the cyber powerhouses in Europe. These investments have already paid off. We see the growing potential in our cyber defenses. In short, we have a lot of good talent in Central and Eastern Europe in the field of STEM (science, technology, engineering, math), there is a good pool for cyber talent development. We believe that our cyber professionals, with the country’s systemic support, funding and structure, can help us prepare for more sophisticated cyber attacks. We can see that Central and Eastern Europe are already under cyber-attacks, we can see that the statistics are changing in that regard. We believe that this is a very important investment and we also know from the Ukrainian example that countries are capable of preparing for this type of attack. For example, Ukraine has repelled up to 29% of cyber-attacks against its network and systems. We cannot protect ourselves against all cyber attacks, but if we are prepared, we hope to succeed.
How was this cyber army formed? How many people are to work?
Following the political decision to establish the Cyber Defense Command and the Cyber Army, we have strengthened our cyber defense and employ about 6,500 people. Now we are also more aware of the potential of the public-private partnership as we can see that it was another factor in the success of Ukraine’s cyber defense. Ukraine works or has worked with global information and communication technology (ICT) companies, but it has also worked with Ukrainian SMEs and start-ups with ICT and cyber capabilities. They also built up an IT army that is actually made up of IT professionals from Ukrainian companies. So this is another important factor to consider.
“Ukraine has repelled up to 29% of cyber-attacks against its network and systems. We cannot protect against all attacks, but if we are prepared, we hope to succeed.”
A few days ago, Warsaw accused the Russian government of a cyber attack that took down the tax website. Poland is the target of a cyber-attack every nine minutes, according to an IT company, and that has been exacerbated by the Russian invasion of Ukraine. How is Poland dealing with the Russian threat?
As a member of the European Union, we primarily follow the regulatory regime imposed by the EU. We have transposed the NIS directive [segurança das redes e da informação] and now we are also planning to apply the NIS2 guideline. There is also another very important piece of legislation on the horizon, namely the Cyber Resilience Act. Our government follows that regulatory regime. At the same time, we are trying to increase our resilience and are trying to protect our networks and systems even more advanced than before the invasion. We have also encouraged collaboration between cybersecurity players. So we have three CERT [equipas de resposta a incidentes informáticos] and they didn’t work together that closely before the conflict broke out, but now they meet regularly, share information and work together on a daily basis. We are also strengthening knowledge development, which means that we organize training courses for employees of various companies, particularly in the vital sector, operators of vital infrastructure. And we are very active in auditing systems and networks against cyberthreats.
Did Polish solidarity with Ukraine also extend to cybersecurity?
We supported Ukraine in the early stages of the conflict with the ICT infrastructure destroyed by the Russian aggression, so we supported with equipment, but the support also includes training and now also information sharing. For example, we have recently made progress in this regard and representatives of cyber commands have also recently reported that this information exchange is now almost in real time. And this is very important because cyber threat awareness is a very important factor in preparing for potential cyber attacks.
“Every system is vulnerable and it’s probably just a matter of time and money to hit it somehow.”
Do the rules of war apply equally in cyberspace? How should one country act if it is attacked by another?
It has been agreed at the level of the United Nations that international law applies to cyberspace. The NATO countries also decided in 2014 that Article 5 can apply if a country or countries are attacked in cyberspace. Still, we don’t really have clear criteria to decide whether the cyberattack has crossed the war threshold. It is always the political decision, which also needs to be supported with attribution and the attribution process is very complicated. This is often primarily a political decision. Each country must therefore consider how and what the response will be to these types of cyber-attacks. The answer need not be limited to cyberspace, it could be economic sanctions, for example. There is no clarity on these criteria, but we were in absolute agreement as a global community that international law also applied to cyberspace.
In theory, it is possible to carry out a cyber attack on, for example, the batteries of the Patriot missile ineffective?I’d say there’s no such thing as a system that can’t be hacked, but I haven’t heard of any threats like this for that particular system. We can conclude that any system is likely to be vulnerable and it is probably just a matter of time and money to hit it one way or another. So maybe it’s possible, but I wouldn’t make a headline out of it.
The European Commission banned employees from using TikTok [decisão entretanto seguida pelo governo britânico]. What is your verdict on security and privacy issues of this Chinese application?
Two years ago I wrote in a report that data, which can be processed from different applications, devices, networks, is an important asset. Perhaps we should be aware that when we use mobile devices, search for information on websites and use social networks, we leave very important traces. So it’s valid in terms of TikTok, in terms of Facebook, in terms of Twitter, but the real question is what use the owners can make of these platforms, whether they come from countries that follow democratic principles and values, whether they come from authoritarian regimes, who can use this data against our society, against our security. In that regard, I take the decision of the European Commission as an indication that not all platforms can be trusted and that it matters who provides these, say, essential services to our society. I think we will see more focus on high-risk digital providers at the European level, and this is an example of that. But another would be providers of 5G network technology, for example, and this discussion has already taken place and the “5G toolbox” [medidas para mitigar os riscos] was released with European permission, suggesting that European countries should conduct a safety assessment of suppliers of this important technology.
Besides Russia and China, what other countries could pose a serious threat in cyberspace?
Countries with more advanced cyber capabilities would be Russia, China, but also Iran and North Korea.
No Belarus?
Yes, but not at that very advanced level. But of course they also have state-inspired hacking groups.
Are Europeans aware of the threat posed by cyberwar? Or is it something we don’t really care about?
Knowledge and awareness has been growing and growing for a number of years, but I think we are still surprised by the magnitude of the threats, as is the case with TikTok. For example, we as a society do not understand the extent of our exposure to data. We are not aware that every device connected to the internet is vulnerable. We are not aware that the Internet of Things, that is, the equipment we use every day that is connected to the Internet, is vulnerable. But there are things that are already clear to society, such as that critical infrastructure can be compromised by cyberattacks. There are also things that are not so obvious, but I think that European Union legislation already includes these types of threats throughout the digital distribution chain. And once our governments, the governments of the member states, implement these regulations in national law, the increase of our awareness in companies, but also in society, will increase. But we’re not there yet. We are on our way to, for example, absolute consciousness or knowledge.
Source: DN
