Let the administration use cloud services. We are still crawling, and the Pentagon announces a tender for such services for 10 billion dollars! It will give security to a private company and business, which seemed impossible a few years ago - says Marek Zagorski, Minister of Digitalisation.
- The European Commission underlines that the NIS Directive of 6 July 2016 is the first European Union-wide law on cyber security. The formula for its implementation was chosen through national legal and organizational solutions. What of the new Polish law belongs to the EU canon?
- The common element is CSIRT, i.e. units responsible for receiving notifications and processing information on incidents. Making some simplification: they create a network coordinated by the European Union Agency for Network and Information Security (ENISA). It is integrated with the system used to certify solutions and devices, called Common Criteria. Together they create a model of EU cybersecurity.
The good thing is that there is no rigid organizational canon. The level of advancement in combating cyberaggression in various countries is different, so is the level of institutional responsibility. NATO also has its “areas of concern” - and this is another channel of cooperation in hybrid threats or even direct attacks.
- A triad of central CSIRTs (computer security incident response teams) were created within the National Cyber Security System: CSIRT MOD, CSIRT NASK and CSIRT GOV (in the structures of the Internal Security Agency) - with bounded fields of observation of cyberattacks in fields, institutions and companies important for the country. Six ministries plus the FSA and UKE are responsible for cyber security. It is a complicated structure, creating difficulties in the management of processes. There were no simpler solutions.
- One could promote, for example, a model with one minister responsible for everything and build structures almost from scratch - but with great effort and a lot of resources.
Besides... If we were to delegate that task entirely to the Ministry of Defence, more emphasis would be put on military than civil issues. And if the minister of digitization were to answer, his influence on these issues in the military forces would be limited by nature.
We acted rationally. NASK (Research and Academic Computer Network) has been building competences for almost a quarter of a century. It is similar in the case of Internal Security Agency and structures of the Ministry of National Defence, or units that are not directly a part of the system - among others, in Police - where the National Centre for Cryptology is in operation. We also have a government plenipotentiary for cybersecurity, my deputy, Karol Okonski. In summary: we chose the optimal model, which does not mean that one day we won't have to modify it.
- Your ministry has been cautious about the financing of cyber security system for a long time. Some of the funds are guaranteed by the law, but for the time being most of the tasks - said Deputy Minister Karol Okonski – “are carried out within the current limit of expenditure”. The National Centre for Research and Development and extra-budgetary funds are helpful. “This allows us to deal with the lack of funds” - he concluded. Your last statements, however, are quite optimistic. Are you expecting a quick stream of money?
- There are enough funds. Before the bill, it was difficult to decide who should pay for what. Now - within the budget possibilities of the ministries - we can make a division of competences and money in this and next year.
At the Cybersecurity College, we will ensure that there is enough money in the ministries. My colleagues from the government are also convinced that such operations will absorb more and more money.
Money reached NASK in the form of targeted subsidies. Now we can finance this institution with an earmarked subsidy, and structure what the Network is supposed to do. We talk here about a system of collecting and reacting to cyber threats, but also about the necessary research.
When estimating expenses, a flexible mechanism comes into play, balancing the expenditures and necessary costs. If we wanted to allocate, say, several hundred million zlotys, a large part of this amount could be unspent - if only because we don't have enough specialists. We'd have to hire them first.
- In the era of Industry 4.0, how to ensure that ever-growing pools of sensitive data transmitted to sub-suppliers - often from the SME sector - remain resistant to hacking aggression? Is it possible to reassure the “senders” and “recipients” of this transmission? Because not everyone can afford CSIRT.
- On the one hand, it is important to respond to the threat - the commonness of informing about irregularities, solid basis for the pyramid, at the top of which are the national CSIRTs and Cybersecurity College. It's simple: if the victim does not report a crime to the police after having his or her house broken into, the possibility of identifying and punishing the thief is virtually nil. There would also be no lesson for others to install appropriate safeguards and effective alarms.
The second issue is protection of data and business by entrepreneurs. What is our goal? We want to promote cloud services that enable a security standard higher than the average standard small or even medium-sized companies can achieve themselves.
- It will also give rise to the development of Polish companies offering cloud services.
- Of course. We want Polish companies to create solutions in the field of cyber security, ultimately we will also build a universal certification system and ensure compliance with certain standards and criteria. Poland has enough potential in the field of IT to become an active creator of these solutions.
Let the administration use cloud services. We are still crawling, and the Pentagon announces a tender for cloud services for 10 billion dollars! It will give security to a private company and business, which seemed impossible a few years ago. Offices and entrepreneurs should follow a similar path, without any fear.
- You emphasize the change in the model of cooperation with business, for example establishment of mixed working groups by the ministry, dealing with AI or 5G. In Poland, consultative entities often play a superficial role for years... Why should it be any different this time?
- First of all, competences of the Ministry won’t catch up with the broadly understood ICT of the market. We want to learn from close relationship with business to find out what's going on.
Second of all, the discussion will allow joint legislative work at the national and international levels, especially in the EU. Social or business partners have their own channels of reaching out to each other - for example, trade chambers remain members of EU organizations that have a strong influence on the shape of regulations. It is worth changing our shared point of view.
Third of all, a few interesting documents have been created spontaneously in these groups in cooperation with our officials. The team responsible for personal data has developed several guides, and the team that explores the issues of artificial intelligence has developed a draft strategy. Such a contact between business and administration also acts as a safety anchor, allowing to react to tensions in the industry.
We have brought the formula of “working groups” to the necessary minimum. We do not impose a rigid corset on the conclusion of these meetings. But I am settling accounts with my employees, because it's important to maintain “stability in feelings” and rhythm of consultation; the partners should know that it is not just a flash in the pan.
- Providing adequate training for IT specialists is a big problem in Poland. An interesting idea is the Central School of Digital Competence (SGKC) - to train the staff. How close/far are we from its implementation?
- The original idea came from fundamental observations: before the war, when we needed highly educated farmers, the WULS-SGGW emerged, when we needed economists and traders - the SGH was established. Today, we need a lot of IT specialists with different qualifications.
I do not reject the idea of SGKC, but we need to implement the law, find financing, appropriate staff... This would take several years and the market expects a quick response. We need - according to various estimates - from several dozen to 100 thousand IT specialists.
That’s why we are talking with the Ministry of Science and Higher Education on how to use the instruments contained in the Constitution for Business to create something like a university confederation in combination with the funds we want to transfer (we have savings in the Programme “Digital Poland” - up to PLN 200 million). This - encouraged by organizational possibilities and money - would maximally accelerate the training of professionals.
This centre for staff training (working name) should shape the IT elite: not only IT professionals or programmers, but also IT managers with flexible skills that would be able to adapt to changing situations, even create business technologies and developmental lines.
- But this is only a stretch of the right path...
- Hence our numerous initiatives for younger generations. During this year's CodeWeek, or the European Coding Week, a Polish record was set - more than 5.000 applications, mostly from schools and libraries. You can see a revival!
We implement many educational projects, the most important of which is the Centre for Information Technology. It's about working with talented young people. We expect that at least 900 IT clubs will be created in Poland.
The main goal is also the acquisition of high IT competences by teachers. This might take several years, it's a kind of organic work.
- You mention a few serious defects in our march to the e-state, such as the “scattered pattern of solutions” and quick “launching” of large, innovative systems. The fact is that quite often - not only in the MC work domain - we start with global power and race, and finish with small piece combinations. Which strategies seem the most appropriate in this case?
- The most important thing is to include a citizen’s perspective and needs - that's the right strategy. This would force the integration of systems and solutions. What is our destination? I enter my account on a government or official web portal and after logging in - if I have a Trusted Profile - I gain access to all services offered by the government administration or local government.
The user panel on the obywatel.gov.pl web portal is already operating, though with a limited scope of services. It sounds inconspicuous, but it is a completely new quality! We will intensively expand it.
This systematic integration proceeds effectively without pretension, yet with some help. If we follow the work of the past, we should prepare another “big e-PUAP”: “migrate” all services under one button. And wait, wait, wait.
Gradual implementation has the advantage that if, for example, the Ministry of Health was aware that the Trusted Profile has more than 2.5 million users, it would feel pressure to join. NB: in 2015, there were only 350-400 thousand users. Most of whom were officials!
- You point to desirable foreign patterns, like Denmark (e-box) or the purchase of cloud services by the central administration and local governments (Great Britain). Which projects should use the experience of others?
- The user panel that I was talking about is a Polish e-box. What a great pattern! And thanks to the law that came into force on September 11, we are on the home stretch before launching the federal model of digital identity. Today, the Trusted Profile serves to confirm our identity, but the state won’t be the only supplier of identification means.
I think that soon the first applicant will ask for permission for a commercial system of identification means. I mean the National Clearing House, and therefore the banks. The use of electronic identification means will thus become available to customers of electronic banking, which in turn will multiply the number of users of electronic services offered by the administration, by a dozen million!
We treat cloud solutions based on the British model as a reference point. For now, we would like to keep the most important registers in the central administration cloud, but nothing prevents us from building new data centres. Today we have identified about 400 of them at the government level! Each commune has a server... This multiplies the costs and deficits of IT staff, and at the same time encourages the use of new, systemic solutions.
A free ticket to good services is also the right flow of information about citizens - the use of data that has already been collected. Let's start complying with the obligation set out in the Code of Administrative Procedures! Thanks to the cloud, we will also improve e-delivery, that is the electronicisation of the information flow between the citizen and the administration.
- Let's talk now about the reduction of areas without broadband internet in Poland, including internet access to all schools, and 5G network, which according to the Union must be commercially implemented in at least one big city in each country by 2020, and in all big cities by 2025. In case of Poland, are those pious hopes or real horizons?
- Without a well-developed fiber-optic network, the effect of 5G will not be achieved. Therefore, for this reason, the construction and compaction of a fiber-optic network is an absolute priority. Agreements are concluded, some are in the midpoint of completion (they are 3 years old).
- But you didn't start from scratch…
- Yes, predecessors buried fiber optic cables in the ground. But this time it is about the investments of telecommunications operators with co-financing from the state, and not - as before - local governments that could provide wholesale services. They do not provide them to a large extent, and the undertaking remains loss-making.
- What about the fiber-optic network in schools?
- The plan for this year was a little too ambitious. We had to face the lack of workers to assemble the installations in schools: today we recorded a delay of 3 weeks in relation to the schedule.
In January-February 2019, we intend to include up to one thousand schools per month to the National Education Network, i.e. 40-50 a day.
- Let's go back to 5G. Can you give me a short report?
- We have completed the conceptual work at the Ministry of Digitization. The result is a draft amendment to the telecommunications law in the field of spectrum management plus an amendment of the so-called mega-law, which serves to support the construction of the network (this should help remove numerous investment barriers). We also intend - through new regulations - to mobilize UKE to precisely and quickly outline the plan and schedule of frequency sharing.
I assume that we won't have a problem with launching the network in at least one big city by 2020, although the permissible EU derogation also indicates 2022. The year 2025 is also a realistic date in the distribution of the 5G network in Poland. First, we will make frequencies in the 3 GHz range available - we assume that operators of the 4G network will be first to enter the tender; the 4 offered blocks will allow the operation of the 5G network in major cities.
The main communication routes (also found in the EC decision) pose another issue: we will talk with operators to maximally integrate their resources, which will significantly facilitate work and reduce costs.
The essential element provided by the Commission (that is, making the 700 MHz frequency available) will be implemented in the final stage - for many reasons, for example because our Russian friends have not released this frequency... With 5G - as with other projects that will contribute to ensuring that technological development is permanently translated into the country's economic development - we are on the right track.