Parallel Competences: The State of Cyber Security in V4

EU-level legislation on national cyber spaces is a chance to build a more common path dependence for the future of the V4

Botond Feledy
30 November 2017

This article comes from The Buzz Around the Ballot edition of Visegrad Insight 2/2017, devoted to media landscapes and disinformation in Central Europe.

Legislation, the business sector and the structuring of life in our national cyber spaces is extremely dynamic in all four Visegrad countries. While it is a chance for early platform building to create more-common path dependence for the future, the speed of change and the multiplicity of institutions are hindering this process. EU-level legislation is one of the driving forces behind the organisational evolution of cyber structures in public administration, but so too are national-level administrative cultures and political games which also play their part.

EU-LEVEL DYNAMICS

Activism stems from the proliferation of cyber warfare all around us. Not only are there multiple threats, but all kinds of legal, military and organisational responses as well; however, the European Union is taking more and more measures to combat these issues. The General Data Protection Regulation (GDPR) and the directive on security of network and information systems (the NIS Directive) are pillars of legislation assuring specific layers of security while, economically speaking, action was taken by the European Commission in May 2015 when it adopted the strategy to complete the Digital Single Market by 2018. The most recent important document is the conclusion of the European Digital Summit in Tallinn, where heads of member states met in late September 2017 under the auspices of the Estonian EU presidency.

The summit reiterated several earlier common EU objectives, but, most significantly, it declared that “Europe [will be] a leader in cybersecurity by 2025”, an extremely ambitious goal given the still-fragmented state of cyber security and defence developments in Europe. Later it concluded, “Europe needs a common European approach to cybersecurity. Europe has to function as a single European cyberspace and a single cybersecurity market”. This is facilitated by the above legal steps like GDPR, but in no way are we ready.

The official summit document also mentioned measures and actions which might well be taken up by the V4 states in advance, as a pilot programme of sorts for the eventual EU introduction. This will involve building joint standards and joint operational capacities – a common CERT set up for one industry, like telecoms, where most ISPs are similar in Visegrad countries – or joint preparedness exercises with more and more extensive scenarios involving offline elements, moving further from table-top exercises and featuring critical infrastructure breakdowns on larger scales. National-level incidents which are publicly reported might be analysed on the V4 level with a moving common task force; while the information sharing and cooperation of CERTs is already developing, we need more confidence building in person. Nevertheless, technical questions cannot and should not dominate the EU discourse. The Brussels discussion is also about tax reform regarding GAFA companies, where V4 states cannot really be forerunners; however, when it comes to rewriting the competition law to reflect the realities of digital economies, many proposals may come from the V4, just like new pilots for common IoT certifications or strategic discussions about the rules of engagement in offensive operations when it comes to military aspects.

WHAT CAN WE BUILD ON? CYBER SECURITY RELATED STRUCTURES IN THE V4

Cyber security is a horizontal policy. This means that it does not only need a department in one of the ministries, but it must be at the forefront in all public institutions, whether that be education (e.g. teaching cyber hygiene and digital skills), energy security (e.g. protecting the grid) or data protection (of citizens or of public interest). Hence, the Visegrad countries have all come to grips with the cyber realities and have launched legislation on the delegation of competences in their public administration of cyber security.

This is the big-bang moment for all cyber security organisations: it does matter where competences and responsibilities were first planted, how the organisational structure evolved and whether in-house or intra-administration competition for competences is strong or weak. All of this has contributed to the colourful and diverging structure that V4 countries show in this regard.

While in every member of the V4 the military (and intelligence units of the military) get their fair share of the budget for cyber defence, this is exactly the type of silo-thinking one must avoid: of course, it is not exclusively a military exercise.

However, the V4 countries have delegated their civilian responsibilities to different bodies. The Czech Republic reorganised its structure somewhat very recently by introducing the powerful NÚKIB (the National Cyber and Information Security Agency, NCISA), which is in charge of education, research, cryptography and plenty of other cyber affairs. The head of the agency is nominated and approved by the Czech Government while the Security Committee of the Chamber of Deputies has the right to preliminary discussion. The NCISA head is directly responsible to the Prime Minister and has its own budget line outside of the ministerial structures.

The general trend shows that, parallel to the high priority that cyber security has gained on the public agenda, its centralisation is happening in real time: chancelleries and prime ministers’ offices claim more and more insight, as it is finally understood how much influence cyber wields. This is well reflected in Beata Szydlo’s recent announcement at the CyberSec conference in Krakow early in October 2017 that the Polish Prime Minister’s office would also house a cybersecurity staff and department. Poland still has the Ministry of Digital and Administrative Affairs ruling the cyber domain of civilian affairs, besides the well-supported govCERT institution.

While CERTs/CSIRTs exist under (or inside) different bodies in the V4, historically the Slovak Ministry of Finance has had a large say in cyber issues, so path dependency is linked with this ministry, releasing its competences to other administrative units as the network of cyber bodies increases.

Interestingly, Hungary has entirely reshaped its cyber landscape during the early wave of administrative reorganisation done by the 3rd Orban government, though without completing the cyber security strategy review. This means that the reforms were more of a political nature, providing examples of intra-administrative competition for competences. Now, the Special Service for National Security (SSNS) together with the National Cyber Security Centre (NCSC) are under the control of the Ministry of Interior, through the state secretary for law enforcement. The new NCSC competences involved the GovCERT-Hungary management, uniting earlier competences from the National Electronic Information Security Authority (NEISA) and the Cyber Defence Management Authority (CDMA).

Most probably the only way to overcome the costly burdens of silo-thinking in the public administration of cyber security is to create central competences at the prime ministerial level, directly under government control. One major challenge all EU countries face is the growing lack of human resources. While Germany has just opened (September 2017) its new Cyber Command in Bonn, with the set purpose to recruit 12,500 staffers (so far only a couple of hundred are employed), Poland has also openly called for 1000 cyber security public employees, after the more-humble initiative of the “golden hundred”. All administrations are striving to find legal solutions to pay near market-level salaries for IT specialists, otherwise all these cyber quests would remain impossible to solve.

V4 PROJECT OPTIONS IN LOW-RISK DOMAINS

The Tallinn conclusions also put responsibility on the states as model actors of the cyber space: “[O]ur public sector should facilitate the digital transformation of our societies by leading in the use of electronic and innovative procurement and making all communication between public authorities, businesses and citizens digital, and introducing digital practices and services as default options (e.g. e-invoicing, digital mailbox). Public administrations should lead the way by becoming enablers and (early) adopters of new and breakthrough technology.”

Seemingly, the national capitals are seeking their own niche in the sector: who will organise the most recognised international conference, who will host the best higher education institutes, whose CERT or CSIRT will serve as a model for others in third partner countries, not to mention NATO centres of excellence. One might say that there is a feeling of competition among the Visegrad governments, despite all the rhetoric of mutual understanding.

However, cyber security offers an excellent platform for cooperation where path-dependency might have less impact – unlike in classical public policy domains. In this area, procedures and structures are still – and will be for the coming years – in the making, and this means it should be easier to harmonise, engage and reach out to trusted partners.

Neither the EU nor NATO would be against any enhanced cooperation of the Visegrad countries related to cyber security. It offers plenty of potential not only to give some substantial institutionalised level of cooperation of the four CEE states, but it might well serve as best practice and as a pilot project for future larger enterprises. President Macron just proposed in his Sorbonne speech a military academy for the EU. Starting a new common education platform centred on cyber security, where the V4 could share scarce teaching resources, actually poses the least amount of risk even if connected with national security. Not to mention the enormous potential if certain parts of the national cyber security staff are working and training side-by-side for one or two years; we cannot overestimate enough the potential added-value once they are in operative positions. This might be translated as a real confidence building measure, next to the existing NATO-level cyber exercises.

If such a V4 undertaking is open for transatlantic partners, or builds on the Finnish and Baltic experience, the more the better. Nevertheless, higher education is not the only venue for collaboration. V4 countries could try to pilot successful, national-level awareness raising campaigns for targeted groups, ranging from the retired (those susceptible to the growing threat of attacks like ransomware, IoT, etc.) to high-level decision-makers. This latter group is an extremely valuable target for attackers, while their mindset (in part due to generational differences and a lack of management practice) and their vulnerability are crucial in most of our public policy sectors. Something as simple as establishing a culture of travel phones among leading decision-makers is a cornerstone.

We rarely talk about regional municipalities, though in January 2017 one might have witnessed in Poland that this level of public administration cannot be left behind as an Achilles heel easily prone to attacks. Several Polish municipalities suffered serious incidents while hosting the U.S. troops for NATO operations. Again, the V4 best practice for sharing and mutual comprehension of threats at the level of municipalities might turn out to be very useful. Why not organise a special CyberSec for Municipalities and Regions, especially since these run the physical infrastructure of general elections, when voting booths are set up in schools and other municipality facilities? Just imagine a black-out during election time.

Finally, there is one particularity of cyber legislation which presents an asset for cooperation. All assemblies and public authorities have realised, in the last few years, that technical development is far too quick to follow up on with timely regulation. Hence the importance of the review process, enshrined in all our cyber security strategies and action plans. Impact assessment has become a cornerstone of effective and successful cyber legislation: not only is a preliminary assessment done, but a regular retrospective evaluation as well, which should, in principle, drive the next round of legislation and fine-tune cyber security strategies. For the methodology of such reviews, from interview techniques to third parties helping the evaluation after public procurement, to the comparability of data from civilian and military branches of cyber security and numerous other aspects, it might be extremely helpful for the Visegrad countries to set up a common scientific body for perfecting the review mechanisms.

Such a multi-national academic organisation could also run with a higher chance of success for the funding provided by the European Union Research and Innovation Programme “Horizon 2020”, where apparently €450 million will be available for cyber related projects.

Plenty of other venues are wide open on which this article will not elaborate, such as common elevated security standards for hardware procurement, common NATO DEEP or other missions and eventually a common centre of excellence, but these need more political dedication and further CBMs apparently.

Poland is key in all these questions due to the size of its economy and the dedication with which it has refocused on cyber security. If Poland does not provide incentives for cooperation for the other three Visegrad members, then another serious fracture will be born. There is the risk that Warsaw will turn to Finland – just like the newly signed cooperation agreement – or to the Baltic states while the Czech Republic would fall into the sphere of interest of German partners.

From the point of view of the V4, however, the best option would be to follow the trail of the Central European Cyber Security Platform (an earlier vehicle developed by Hungary together with the V4 and Austria) and to create further agreements with potential V4+ partners. After that, they could involve Finland, contributing together at the European Centre of Excellence for Countering Hybrid Threats in Helsinki, for example, to build more and more personal relationships among our cyber security staff.

While all the NATO member states are feeling the urgent pressure to advance their cyber security and simultaneously EU-member state governments are driving fragmented regulation further along, it is fundamental to plant the seeds of cooperation at this early stage of institution building because it will require much more effort later on.

Botond Feledy is a foreign policy expert and analyst.
