Polish institutions are ill-prepared for cyberattacks and are not cooperating well enough to be effective in tackling online threats, according to a state auditor.
According to Poland's Supreme Audit Office (NIK), state agencies as well as other government institutions are not collaborating enough and lack the expertise to deal with new security threats, department director Marek Bienkowski told the audience at a security conference this week in the Polish capital of Warsaw.
While the NIK's audit is still ongoing and the final report hasn't published yet, it's already clear the Polish authorities have much work ahead of them.
The NIK has been auditing cybersecurity at Polish government institutions since the summer, looking into the agencies' files dating back til 2008. While audits of some organisations are still ongoing, the NIK's director is confident of its eventual findings — and alarmed enough about them — to share some of the preliminary conclusions. And they aren't pretty.
Communication between the Ministries of Home Affairs, Administrative Affairs and Digitization, and Defence has been below par, while law enforcement agencies and academic computer networks are poorly equipped to deal with security breaches, he said. Only on a few occasions were actions taken to counter threats effectively, Bienkowski said. While the Polish police and the country's internal security agency ABW are very active on the topic of cybersecurity, they simply lack the necessary security systems (the police) or resources (ABW) to be effective.
Politically, the situation is even more alarming. Instead of being proactive, the highest government officials tend to wait for the European Union to come up with new directives and common guidelines, Bienkowski says.
The ministries in particular are doing poorly when it comes to cybersecurity. While the National Security Bureau has been looking into cybersecurity and developed frameworks on the subject, Bienkowski warns these guidelines are just that: guidelines, without hard commitments. The Minister of the Interior has, for example, no set duties with regard to securing Poland's IT systems, and there is a lack of a sense of responsibility within the department.
The Ministry of Administrative Affairs and Digitization gets criticism for responding in an ad hoc manner to events as they happen, without preparation or a long-term vision. But even worse, according to Bienkowski, is the lack of knowledge within the department on the topic of cybercrime and digital threats. Since the formation of the ministry in 2011, the result of a split from the Ministry of the Interior, documents have not been shared between the two government departments, and the newly formed ministry has been coordinating cybercrime initiatives, the NIK has found.
"We were stunned when we read a 2012 report from the [Ministry of Administrative Affairs and Digitization] to the Government Centre for Security saying that the threats associated with cybercrime are very limited, do not have any economic effect to the state and that the Ministry is not taking up any coordinative tasks in that area," the Polish press agency PAP quoted Bienkowski saying. The audit at that particular ministry is still ongoing.
Despite Bienkowski's frank remarks, the NIK told ZDNet that it does not comment on ongoing processes, adding that the final report is expected for the spring of 2015. Likewise, a spokesperson from the Ministry of Administrative Affairs and Digitization simply wrote that the report has not reached the Ministry yet.
Read more on this story