The region hasn’t suffered any massive cyberattack, but minor incidents are fairly common. All the V4 countries have their own strategies and institutions, and they cooperate to tackle the most dangerous threats.
By Aneta Zachová, Edit Zgut, Karolina Zbytniewska, Lucia Yar
The era of armies, tanks and heavy military equipment seems to be gone, at least in Europe. War is waged in cyberspace instead, and countries are adapting to the new types of threats.
The Visegrad region is faring relatively well in this new era. The region hasn’t yet suffered any massive cyber-attack comparable to the Estonian experience of 2007, when dozens of websites were taken down at once, including those of the government, newspapers and banks.
Still, there are some incidents worth mentioning.
“Companies and institutions in the Czech Republic have been the target of DDoS attacks (distributed denial-of-service attack). Those attacks have been responsible for limited failures of some services as well as penetration into some of the subordinate systems of state administration,” said Tomáš Rezek, a cybersecurity expert from the Association for International Affairs (AMO) in Prague.
It happened most recently in October 2017, during the parliamentary elections, when two websites reporting the results were taken down after a DDoS attack.
Slovakia suffered a similar problem in 2016, when the website of the Statistical Office was unavailable on the night of the general election.
Media have become a target of massive attacks, too. Recently, the websites of several Slovak nationwide media outlets, including the national TV and radio broadcaster (RTVS), went down while facing DDoS attacks.
Business as target
Attacks on private companies happen quite often in everyday reality, but are not a big issue in the public debate.
The vast majority of businesses in the Slovak Republic use only standard IT security prevention systems such as antivirus software and firewalls. Far fewer companies rely on security tools that offer protection against modern threats, such as ransomware or attacks causing site and service failures.
In Hungary, around 50% of large companies and less than 10% of small- and medium-sized enterprises have addressed cyber security to some extent. The low level of awareness among individual users is well illustrated by the fact that a European Commission poll found only 33% of Hungarian respondents were worried that others might abuse the personal data they share, for instance, in online financial transactions. This was the third-lowest value in the European Union after Malta and Romania. It also suggests that there is room for improvement in terms of strengthening cyber security in Hungary.
Polish businesses face such problems, too. As many as 65% of companies have faced cyberattacks, mostly ransomware, and almost half of the cases led to financial losses. Nevertheless, companies spend just around 3% of their IT budget on cybersecurity, a PwC report shows.
What’s more, every third attack was carried out by current employees, and slightly fewer by hackers.
“The most fundamental threat is human failure, whether due to negligence, inappropriateness or wilfulness,” claimed Karel Macek of the Armed Forces Communication & Electronics Association.
Hybrid war or unintentional manipulation?
Macek also pointed out that there could be a connection between international politics and cyber-attacks. “The Czech Republic declared by concrete steps that it belongs to western democracies rather than the eastern area, which may result in targeted actions within the ongoing hybrid war on influence over Central Europe,” said Macek.
Nowadays the term “hybrid war” is often connected by experts and media with disinformation campaigns conducted by Russia. But in fact, no V4 country mentions Russia in its cybersecurity strategy.
Disinformation is one issue while unintentional manipulation is another.
“It happens through automated customization of content to user preferences and it is very dangerous, too,” explained Miroslav Nečas from TOVEK, a private Czech company specialising in data and information processing. He is referring not to the Cambridge Analytica scandal but to the way content on social networking sites is filtered, which leads to people closing themselves into virtual bubbles.
“Individual virtual bubbles then diverge not only from reality but from bubbles in which other people live. I think this is one of the factors that contribute to the actual division of society, although it is certainly not the only factor,” said Nečas.
Cybersecurity, governments and the EU
All the V4 countries are adopting European requirements for cybersecurity without difficulties. What’s more, some of them have become examples of good practice.
For example, the Czech Republic started to work on improving its cyber security law several years ago. The new Cyber Security Act has been valid since 2014, and it established the National Cyber and Information Security Agency (NCISA) on 1 August 2017.
NCISA’s spokesperson Radek Holý emphasized that in May 2018, the country should be fully in line with the Directive on security of network and information systems.
The so-called NIS Directive is the first EU-wide set of rules on cybersecurity. It comes into full effect on 10 May 2018 and forces member states to create a national strategy on the security of network and information systems or to establish competent authorities and teams (CSIRTs) providing monitoring, early alerts, responses to incidents, etc.
Hungary already transposed the NIS Directive in December 2017. Botond Feledy from The Centre for Euro-Atlantic Integration and Democracy (CEID) emphasised that, on paper, the institutional structure for this has been established: the National Cyber Defence Institute and govCERT (Computer Emergency Response Team) are operational. However, the capability of the EU directive to raise attention is highly doubtful, considering that not much public information has seen the light of day so far.
In fact, Hungarian cybersecurity made greater progress in the past than it does nowadays. A 2015 report on the cyber defence capabilities of NATO member states concluded that Hungary found itself at the top of the pack.
Until April 2015, Hungary had chaired NATO’s cyber defence working group, had been an active member of the EU’s cyber security committees, and had a well-functioning cyber defence centre under the control of the National Security Supervision Office.
However, the Orbán government completely re-organised the system in April 2015: an amendment to the information security law established a completely new institutional structure, cyber defence fell under the umbrella of secret services, and, consequently, the sector became non-transparent.
Poland will also be in line with the NIS Directive soon. The new Regulation on the Cybersecurity System that implements the directive has been accepted by the Government and sent to parliament for proceedings.
However, there is currently no coherent cybersecurity system in Poland. The new Strategy and regulation were created without a clear lead from one ministry; the work was coordinated mainly by the Ministry of Defence and the Ministry for Digitalization, which were competing for dominance. After the former Minister for Digitalization, Anna Streżyńska, was dismissed in January, many anticipated that the whole Ministry would actually be closed. That did not happen, but in March the role of the Ministry of Defence was put forward and a post of Governmental Representative for Cybersecurity was set up there. Afterwards, after an interregnum of more than three months, MD also received a new head. Who will lead cybersecurity policy is now even more unclear.
The Ministry of Finance seemingly doesn’t intend to increase funding for the cybersecurity field, despite the emerging strategy that has to be implemented to meet the NIS Directive requirements. However, now that cybersecurity has become more of a defence issue, this may benefit the sector, as the Defence Ministry has a much bigger budget.
In Slovakia, the issue of cyber security has become much more widely discussed in recent months, as the government proceeded with the new Cyber Security Act. The Slovak Parliament passed the legislation in January 2018 as the first-ever legislation of its kind, modifying joint and uniform security practices in cyberspace. Yet its preparation was complicated, since it involved not only officials and state administration experts but also the academic community, non-governmental experts and analysts.
The Act, transposing the European NIS Directive into the Slovak legal order, came into force on April 1st.
Generally, its early adoption is considered a success. According to a recent study by the Estonian NGO e-Governance Academy Foundation, the Slovak Republic comes out on top in the National Cyber Security Index (NCSI). The Index measures countries' willingness to prevent serious cyber threats and to be prepared for cyber incidents, crimes and major crises.
Slovakia has had a national strategy, titled the National Strategy for Information Security in the Slovak Republic, since 2008. Furthermore, there is the Concept of Cyber Security for 2015 to 2020, introduced by the government's office, the National Agency for Network and Electronic Services (NASES) and the National Security Authority (NBÚ), and approved by the government in June 2015.
NBÚ became the national authority for cybersecurity, taking the agenda over from the Finance Ministry, which had managed the portfolio for years. However, critics point to the one-way style of NBÚ's communication towards the public as well as businesses and experts. Another issue seems to be the lack of vision, as all of the legislation has been adopted from the European level almost slavishly, omitting any national specifics.
Together against hackers
While all the V4 countries have their strategies and dedicated institutions, they can also cooperate to tackle the most dangerous threats and share their best practices.
“International co-operation is taking place, but not in the form of some state units creating large armies. Collaboration takes place among state actors as well as among security teams (CERT / CSIRT) that are interconnected directly or through organizations,” said Holý from the Czech cyber and information security agency NCISA.
Slovak experts also participate in many international workshops, training sessions and competitions (including Crossed Swords, Locked Shields, Cyber Coalition and Cyber Europe). Slovak teams often succeed in them and score highly. This is considered a success story of Slovak cyber protection, yet it remains far from the public eye.
The Polish Ministry of Digitalization emphasizes that the V4 states cooperate in the cybersecurity field mostly as part of the wider EU cooperation in the field.
“Another example of the activity may be also the Central European Cyber Security Platform that meets up two times a year (on the strategic level), while its representatives cooperate in Brussels holding meetings and exchanging information. Poland, Czech Republic, Slovakia, Hungary and Austria belong to CECP,” said the ministry’s spokesperson.
Hungarian expert Feledy thinks that the V4 and the Union are both more advanced in fighting against cyber-crime than in cooperation in the wider field of cyber security. “Joint drills are mainly held by the militaries in NATO, while on the civilian side it would be worth to practice critical infrastructure defence jointly, especially in the case of power plants.”