At the end of September, I had the opportunity to attend the second annual CYBERSEC EU conference in Krakow, Poland. Organized by the Kosciuszko Institute (a prominent think tank), with support from Poland’s Ministry of Foreign Affairs and NATO, the conference drew more than 700 attendees, including more than 100 speakers spanning government officials, industry experts and practitioners. While many speakers and participants were Polish, many also came from other central and eastern European countries—such as Hungary, Slovakia and the Czech Republic—as well as France, Germany, Belgium, the United Kingdom and the United States, among others.
The focus of CYBERSEC EU was first and foremost on policy. Organizers emphasized the desire to develop and shape cybersecurity policy proposals for Poland and beyond. The conference’s topics and themes represented multiple dimensions of Poland’s efforts on cybersecurity policy, including domestic policies and its roles as a member of the European Union (EU) and a member of NATO.
On a domestic level, the Polish government emphasized support for the “fourth industrial revolution” in the country, securing the ever-expanding government and private-sector services offered online, protecting citizens from data breaches, and driving an innovative Polish economy underpinned by leading-edge technical skills. Opening remarks delivered by State Secretary Krzysztof Szczreski on behalf of President Andrzej Duda made clear that Poland desires to be a leader in cybersecurity, both in terms of driving domestic and regional policy and of building up and leveraging its technical capacity.
Various speakers described recent and planned activities under President Duda, who took office in 2015. The Ministry of Justice highlighted a more active and effective prosecutor’s office to tackle cybercrimes. In July 2016, the Ministry of Digitalization launched a new National Cybersecurity Center (NCC), part of the Research and Academic Computer Network (NASK), Poland’s leading data networks operator. The NCC will be active in four areas: research, operational tasks, training and analytics. Its mandates include coordinating cybersecurity efforts with various sectors such as banking, transportation, energy, and telecommunications. Poland also has strengthened its longstanding CERT, which has existed as part of NASK, expanding its availability from business hours to 24/7. A multi-government agency “State Administration Cluster” also has been formed, aiming to de-silo and centralize IT operations and services, including those related to cybersecurity.
More recently, the Ministry of Digitalization released on September 29 a new high-level cybersecurity strategy (content is in Polish) that aims to achieve numerous goals within four years. The strategy still needs internal approval following discussions involving a range of stakeholders, but the topics covered in this version include:
- A new national CERT that will collect cyberthreat information from the government and publicly owned companies, redistributing this threat information to sub-CERTs;
- Securing critical infrastructure with an emphasis on energy, finance, transportation and healthcare;
- Creation of security clusters for selected verticals: energy, telecommunications, finance and local administration; and
- Education and training.
In terms of government systems, the strategy emphasizes the need to invest in the security of the L7 (application) layer, which needs improvements. It also states that the Polish government will cooperate with public and private institutions, including vendors and telecom operators.
If the strategy is accepted, further steps will commence: a final version, to be released later this year, will serve as a blueprint for a new law that Parliament will begin to craft in early 2017. The Polish government also will need to estimate expenditures and allocate additional financing for some efforts, such as the planned establishment of security operations centers (SOCs) and cybersecurity training and awareness. The forthcoming law also is meant to help Poland implement the EU’s Network and Information Security (NIS) Directive (described in my July 2016 blog post), although with the items listed above, as well as expected provisions related to public-private partnerships mentioned by some speakers, the law will likely go beyond the framework outlined in the NIS (a scenario envisaged under the Directive). Some private-sector speakers stressed that Polish critical infrastructure sectors want to increase their cyber resilience (a goal of the NIS Directive) but that more efforts were needed to help inform Polish industry of how important cybersecurity is to their operations.
The NIS Directive was the primary focus of the discussions around EU-wide efforts. As a milestone law (the EU’s first cybersecurity-specific legislation) that all EU member states must implement by May 2018, this was not a surprise per sé. It was interesting, however, that much of the focus on NIS at this conference was on its provisions calling for a pan-EU strategic Cooperation Group comprised of representatives from the member states, the European Commission, and the European Union Agency for Network and Information Security (ENISA). Per the Directive, the Cooperation Group is to support and facilitate strategic cooperation and share information and best practices on risks, incidents, awareness-raising, training, and research and development (R&D) among member states and to develop trust and confidence.
Multiple speakers stressed the imperative of correctly launching and empowering this Cooperation Group to ensure it effectively facilitates the pan-EU coordination envisioned in the Directive. Some speakers voiced that EU member states more advanced in cybersecurity efforts should commit to share threat information with those member states at earlier stages of cybersecurity readiness. Speakers also urged the Cooperation Group to help to ensure the NIS Directive is implemented consistently across member states, noting the strong interconnectedness and interdependencies of so much critical infrastructure (CI) within the EU, whether in transportation, energy, banking, or other industry sectors. Finally, some Polish and other central and eastern European country speakers voiced support for the Directive’s role in raising awareness of cybersecurity within their countries and driving changes in domestic policy and operational efforts they wanted to make.
Finally, Poland’s central role in NATO, and NATO’s evolving role in cybersecurity, particularly following the NATO Warsaw Summit in July, was another primary discussion topic. The NATO Warsaw Summit had two main cyber-related outcomes. First, NATO Allied ministers formally agreed to recognize cyberspace as a war domain along with air, land, and sea operation. They also reaffirmed the applicability of international law and NATO’s defensive mandate for cyberspace; pledged to further develop NATO-EU cyber defense cooperation; and pledged to commit more resources to cyber defense capabilities. A question raised at CYBERSEC EU was how NATO countries would implement these commitments. One speaker opined that, despite a robust technical platform to support cyberthreat sharing, larger NATO member nations needed to increase actual threat sharing with smaller ones. Private sector entities can also play an important role here in expanding the cyber threat information sharing environment across NATO. As one such example, Palo Alto Networks has partnered with NATO’s Malware Information Sharing Platform (MISP) to share cyber threat information and enhance the collective malware knowledge base among participating NATO country members.
A strong theme running throughout CYBERSEC EU, voiced often by Polish officials, was the importance and value of partnerships in cybersecurity—both among EU governments and NATO members as described above, as well as between the public and private sectors. Conference speakers emphasized that the private sector develops most of the technologies to combat cyberattacks, and also owns and operates most critical infrastructures on which economies depend. During the conference wrap-up, organizers played a video stating, “the role of business in delivering answers to some of the most pressing cybersecurity questions is absolutely crucial.” One Polish industry speaker noted that partnerships are starting to emerge in Poland, albeit slowly.
Poland’s steps to date and plans for leadership as well as partnership in cybersecurity—domestically, regionally, and globally—are commendable. Palo Alto Networks believes strongly in the value of such partnerships, working with governments and others worldwide to develop and implement effective cybersecurity policies that protect our way of life in the digital age. We look forward to contributing to Poland’s efforts to raise the level of cybersecurity and cyber resilience in Poland and beyond.