On 6 September 2019, representatives of the Law Firm participated in the reconciliation conference organized by the Ministry of Digitization (MC) regarding the draft resolution of the Council of Ministers on the Cybersecurity Strategy of the Republic of Poland for 2019-2024. The aim of the conference was to discuss the comments on the document submitted as part of departmental arrangements and public consultations.

Consultation process and meeting

Representatives of the Ministry informed that about 400 comments were received as part of these consultations. They will be considered when determining the final version of both the Strategy and the Action Plan, i.e. the document specifying the Strategy as to the actions, financing and bodies responsible for implementation. This is all the more important because - according to MC announcements - similar consultations will not be conducted in the case of the Action Plan.

The participants had a substantive discussion as part of the conference, justifying the need for specific changes to the Cybersecurity Strategy or indicating the reasons for not considering the comments.

Key remarks

Among the issues of particular interest to the IT industry that were discussed more widely during the meeting, the following can be distinguished:

  1. Uniform approach to the obligations of all digital service providers

The Lewiatan Confederation made the following remark: "Equal business continuity standards for all digital service providers can be unfair and redundant for providers whose operation has no direct impact on other sectors (with an emphasis on key infrastructure). The requirements for even Internet providers or companies providing cloud computing services cannot be the same as for online trading platforms. This is due to the different specifics of service recipients, the cascade of the incident and its escalation to other sectors, as well as time and quantity standards."

Referring to this remark, MC emphasized that it is necessary to introduce uniform minimum requirements for digital service providers, as this follows from regulations at the EU level (the Act on the National Cyber Security System is an implementation of the EU NIS Directive). However, to the knowledge of MC, this issue is currently being worked on by working groups at EU level, so it cannot be ruled out that the expected changes will be introduced in the near future.

  2. Cooperation with law enforcement agencies

The Lewiatan Confederation also referred to the following fragment of the Cybersecurity Strategy: "Increasing the effectiveness of procedural and operational activities requires undertaking and extending the cooperation of law enforcement authorities with other entities that may have knowledge in determining the nature of the crime or may contribute to determining its perpetrator."

In the Confederation's opinion, expanding cooperation may create the risk of excessive disclosure of clients' data by entrepreneurs and their transfer to third parties, even if they are not of interest to these entities. MC argued that access to data and trade secrets is regulated by law, so the content of the Strategy should not raise doubts in this respect.

At the same time, the MC representative emphasized that the ministry sees a practical problem regarding the prosecution of cybercrime, but does not want to introduce a separate procedure or interfere in the current model of prosecuting cybercrimes enshrined in the Penal Code. This problem is largely due to the fact that these crimes are still a novelty for law enforcement agencies. Local competent police stations do not have much experience in carrying out obligations related to violations in cyberspace. The Ministry sees a solution to this problem on the one hand in increasing education and training in cybersecurity, and on the other in the direct cooperation of entities responsible for cybersecurity with entrepreneurs within an acceptable legal framework.

  3. Transfer of assumptions to the amendment of legal acts

The Confederation also suggested that before adopting the final version of the Strategy, detailed provisions or even assumptions for changes in the legal acts that would be amended should be prepared and submitted for consultation. MC did not accede to this suggestion, arguing that it is too early to formulate detailed provisions and amendments to legal acts - not even a year has passed since the first key service operators were appointed.

  4. Risk assessment methodology

The discussion was also joined by the Ministry of Energy, which stressed, among other things, that due to the differences in the specificities of the sectors in which key service operators operate, there should not be only one methodology for static and dynamic risk estimation for all entities in this group. MC, in turn, argued that there must be a consistent methodology for all operators in order to be able to assess risks at national level, which in turn would allow for the development of a joint national risk management plan.

At the same time, the MC representative confirmed that he sees the specificity of individual sectors and the resulting differences that may complicate the creation of a risk assessment methodology, but the Ministry would like the document to contain a common part for all entities, which is also justified by technical reasons (a joint IT program for risk assessment).

  5. Overview of the Cybersecurity Strategy

Finally, attention was drawn to the laconic nature of the Strategy in terms of measures of the degree of implementation of the main objective and specific objectives. The Supreme Audit Office emphasized that "the lack of unambiguous measures and indicators of achieving goals will not allow effective monitoring of their implementation, and the Strategy will act as a list of individual loosely related tasks of the state, which, however, will not combine into a logical whole to assess the state of state security."

In response, MC indicated that the Strategy is of a general nature and will be detailed in the Plan developed on its basis. The Plan will provide for specific activities, a schedule and sources of financing.

Further work on the Strategy

The purpose of the meeting organized at MC was to discuss key comments submitted on the Cybersecurity Strategy and to work out the final version of the document. It can be expected to be published in the near future, as the Council of Ministers is statutorily obliged to adopt the Strategy by October 31, 2019.

Nevertheless, the Ministry is now facing another very important task - to develop a detailed Action Plan that will specify the Cybersecurity Strategy. Given that this document will be relevant from the perspective of all entities that make up the national cybersecurity system, including IT companies that are key service operators, digital service providers or cybersecurity consultants, it remains to be hoped that - contrary to MC declarations - it will be subject to consultations.

Link to documents and detailed comments:

https://mc.bip.gov.pl/projekty-aktow-prawnych-mc/projekt-uchwaly-rady-ministrow-w-sprawie-strategii-cyberbezpieczenstwa-rzeczypospolitej-polskiej-na-lata-2019-2024.html