Cybersecurity as a Public Task in Administration

Abstract

Contemporary models of public administration have been formed by various political, social and economic conditions. Public tasks are carried out on the basis of legal provisions under the conditions of applying specific decision-making rules and organisational techniques, which include specific principles, procedures and practice—experience. These features characterise public administration as a system of operations, also in relation to cyberspace. The transformations associated with the computerisation and dissemination of information and communication technologies have meant that the duty of public administration in the information age is, on the one hand, to synchronise the activities of entities belonging to different sectors, and on the other, to manage complex networks, as well as to adapt the functioning of public administration to using new technologies. The goal of cybersecurity management is to provide optimal cost protection; to determine which risks can be avoided and how, using both organisational and technical solutions, the risk can be minimised to an acceptable level.

1 General Remarks

Numerous processes have shaped the contemporary public administration environment in Poland. The political transformation which took place in Central and Eastern Europe after 1989 consisted of the simultaneous creation of new foundations for political freedoms, private property, and market economy conditions, as well as of the values and mechanisms of the civil state. Various political, social, and economic conditions have shaped the contemporary public administration models. The state system and political considerations have contributed to the transformation of the centrally planned economy into a free market economy. After new governance standards were implemented, a demand developed for high-quality public services provided within public administration structures. This stems from the actual function of administration. The term ‘administration’ derives from the Latin ‘ministrare’, which means to lead, serve, manage¹ (and the prefix ‘ad’ emphasises the service-related aspect).² One of the first definitions was put forward by W. Jellinek. It dates back to the time when the canon of the rule of law was born, and it refers to the tripartite separation of powers in the state. It proclaimed that “[…] administration is an activity of the state which is neither legislation nor justice”.³ In recent years, there has been a general trend towards a shift from the administration to the management of public affairs, which is reflected in the introduction of the concept of “good governance” in the public sector.⁴

The modern state, whose administration relies on new technical solutions, has become susceptible to disruptions in the operation of hardware, IT networks, systems, databases, and the information processes based on these solutions. Nowadays, ensuring the security of information resources and systems which serve, in particular, to fulfil public tasks, has emerged as a serious issue. The efficient operation of public-sector entities is conditional, among other things, on the efficient performance of public tasks related to ensuring cybersecurity at every stage of the activities of public institutions.⁵

Public administration is extensively defined by legal commentators, but all these definitions relate to the state (or local government), society, and the citizen. J. Starościak⁶ describes it as

[…] an organisational function with features such as the initiating nature of activities, solving specific situations, and carrying out organisational work, not only by creating binding norms within the legal order, specific legally defined forms of administrative activity of the state.⁷

According to H. Izdebski and M. Kulesza,

Public administration is understood as a set of activities, operations and undertakings, both organisational and executive (the functional element), carried out in the public interest (the object element) by various entities, authorities, and institutions (the subject element) on the basis of Acts, and in the forms specified by law (functional element).⁸

Most generally, citing E. Ochendowski,⁹ this term is understood to mean any organised activity aimed at achieving specific objectives. On the other hand, according to J. Boć

Public administration is the fulfilment of the collective and individual needs of citizens, resulting from the coexistence of individuals in communities, by the state and its dependent authorities, as well as by local and regional authorities.¹⁰

Public administration is defined as a set of activities, operations, and organisational and executive undertakings carried out in the public interest by various entities, authorities and institutions, on the basis of Acts and in the forms established by law. It serves the general public, and covers the scope of matters of a public nature.¹¹ In defining public administration, we therefore refer to functions and actions which link the administration to its active and state-dependent activities. State and local government authorities create organisational structures to meet the needs of citizens. The computerisation process, which is being introduced with a view to facilitating the effective performance of public services and tasks, is a means by which modern administration intends to meet such needs.

Public tasks are performed pursuant to the law in compliance with certain rules of decision making and organisational techniques, which consist of certain rules, procedures and practice—experience. These characteristics define public administration as a system of operations.¹² The efficient and effective functioning of public administration depends to a significant extent on its organisational structure, which consists of various units vested with the powers specified in the Acts, and forming a specific organisational system to perform public tasks.¹³

The transformations associated with computerisation and the popularity of information and communication technologies¹⁴ have resulted in, among other things, the convergence of economic, social, and political phenomena. On the one hand, the duty of public administration in the information age is to synchronise the activities of entities belonging to various sectors, to manage complex social networks, and to adapt the functioning of public administration to the use of new technologies. On the other hand, it should be noted that administrative authorities are some of the most important users of modern ICT tools and techniques, since the functioning of the administration involves, or is based on, the processing of information; information is therefore an essential resource for administration.¹⁵ In a democratic state of law, public-administration tasks have the status of legal obligations. In a state of law, the administration can influence the shape of legal acts which contain the legal norms characterising its tasks; however, it may not decide what its tasks are. It might have some freedom and influence on the shape and scope of the tasks to be carried out, but the sources and limits of that freedom always stem from legislation adopted by the responsible legislative bodies. The state performs its tasks through public authorities. Central and local government authorities and other state authorities are responsible for public tasks. This is a statutory procedure, carried out in the public interest. Polish legislation does not offer a legal definition of public tasks. However, many definitions can be found in academic papers.¹⁶ On the basis of the definition of public administration presented by J. Boć, it is possible to derive the term ‘public tasks’, as tasks assumed by the state, consisting of meeting collective and individual human needs resulting from the coexistence of people in communities. The development of communities and the changing reality is enforcing changes to the field of the tasks taken over by the state. These tasks are implemented on the basis of the provisions of the law.¹⁷

According to A. Błaś:

[…] the performance of administrative tasks is the duty of the public administration authority to which they have been entrusted by law to take up an active role in the implementation of these tasks.¹⁸

The literature on the subject stresses that administrative tasks should be supported by the very-broadly defined rule of good governance. It is also worth mentioning the understanding of

[…] public administration as a set of activities, operations, and organisational and executive undertakings, carried out in the public interest by various entities, authorities, and institutions, on the basis of Acts, and in the forms established by law.¹⁹

According to S. Biernat,

Public tasks may be carried out by public entities without any powers of authority, or even by non-public entities. The main criterion for defining a task as a public task is the fact that the state or local authority is legally responsible for its implementation. The mere performance of tasks within the organisational structures of the state or local government is not a criterion which qualifies it as public tasks. The responsibility of the authorities is maintained when other entities are authorised to carry out public tasks, but the forms of activity and their scope change.²⁰

P. Schmidt defines public tasks as “a set of activities, operations, and organisational and executive undertakings carried out in the public interest by various entities, authorities, and institutions, on the basis of Acts and in forms established by law”.²¹ On the other hand, T. Kocowski describes public tasks as “a legal obligation for an entity clearly indicated in legal norms to achieve or maintain a certain state which is important and desirable in terms of the public interest”.²² These two definitions, though different in content, have many compatible properties. Public tasks is a collective term for tasks carried out by the state, which performs them through public administration. On the basis of the applicable regulations, public tasks are implemented through planned and rational action aimed at reaching specific objectives.²³

In J. Zimmermann’s view, the main indicator for considering a task public is where the state or local and regional authorities are responsible under law for carrying it out.²⁴ According to M. Stohl, the concept of a “public task” is associated with public (public-utility) objectives to be achieved by the administration. In turn, these objectives are identified with the public interest.²⁵ According to E. Knosala, there are currently no clear criteria for distinguishing between the public and the private domain. This means that the outlines of public tasks are no longer as clearly defined as in the past.²⁶ Public tasks are those which serve to meet collective needs and the needs of a particular community.²⁷ Public tasks are generally attributed to the state, but under the influence of political factors it decides which tasks will be performed by its authorities on an exclusive basis, which can (and must) be entrusted to other public authorities, and which can be performed by non-public entities.²⁸

A typical feature of public tasks is that their performance is an obligation of public authorities, not an entitlement. This concept is determined by individual legal norms, which are indeterminate, due to the fact that it is the state that decides independently and ultimately whether a given function is a public task or not. It is not necessary for public tasks to be implemented within the structure of public administration (e.g. if the performance of a public task has been privatised). The law provides a legal basis for public administration, and sets out a framework for the performance of public tasks. Respect for the law is based on the constitutional principle of legalism (the rule of law) expressed in Article 7 of the Constitution of the Republic of Poland. Public tasks cited in the Constitution include guaranteeing the security and inviolability of the territory of the Republic of Poland, freedom, human and civil rights, the security of citizens, and environmental protection;²⁹

Government administration authorities and local government units, and other state authorities, are responsible for public tasks, i.e. legally defined conduct postulated for the sake of common good.

According to legal commentators, public tasks may be performed by public entities without any powers of authority, or even by non-public entities. The main criterion for considering a given task as public is that the state or local authority is legally responsible for its implementation.³⁰

The Constitutional Tribunal³¹ (TK), in its Resolution of 27 October 1994, case file No. W 10/93,³² ruled that all tasks of local government which serve to satisfy the collective needs of local communities, as well as national needs, were public tasks. According to the TK, “Both commissioned tasks and local government’s own tasks are public tasks as defined by the applicable law”.

In the opinion of the Constitutional Tribunal, the definition of the commune’s own tasks as public tasks is not inconsistent with the undoubted fact that the commune, as an entity responsible for the municipal assets, manages it in a manner appropriate for the performance of its own tasks.³³ It should be mentioned here that the set of systems which constitute critical infrastructure is also part of municipal assets. Special tasks in the field of cybersecurity are entrusted to local government entities under, i.a., the Act of 26 April 2007 on Crisis Management. According to Article 3 (2) of the Act on Crisis Management, critical infrastructure should be understood as systems and functionally integrated facilities, including installations, devices, building structures, and services crucial for the security of the state and its citizens, and serving to guarantee the efficient functioning of public administration authorities, as well as of institutions and enterprises.³⁴

Therefore, public tasks for the security of cyberspace have high priority in the safe and efficient functioning of the state. The responsibility for ensuring cybersecurity rests with all network users, but public administration authorities have a particularly important role to play, as their priorities include ensuring security and public order. The Council of Ministers, in leading Government administration, performs its constitutional duties by carrying out tasks for the protection of cyberspace. It also has the primary responsibility for ensuring a high level of security for cyberspace and the citizens functioning within it.³⁵

The expansion of modern communication and information technologies has meant that the administration is responsible for the quality and maintenance of communication routes and road networks, and nothing has changed in this respect. It is clear that the creation of the technical infrastructure and the system of access to it by specific users requires substantial financial resources, which can only be provided by private entities interested in benefitting financially from these activities. In this respect, the function of public administration is to ensure the security of IT systems and networks, and to select entities which ensure continuity and a high quality of services, while guaranteeing access conditions for the widest-possible range of recipients.³⁶

As has already been mentioned, one of the basic public tasks is to ensure a safe and efficient state, including the security of cyberspace. Cybersecurity is all the more important because the dangers in cyberspace can adversely affect national security, which in turn is the foundation of public tasks.³⁷

National security is also the most important value, national need, and priority objective, of the activities of the state, individuals, and social groups, and at the same time a process comprising a variety of measures to ensure sustainable, unhindered, national (state) existence and development, including the defence of the state as a political institution and the protection of individuals and society as a whole, as well as their assets and the natural environment, from threats which significantly restrict its functioning or pose a threat to fundamental rights.³⁸

The key national needs include needs of a systemic nature (e.g. strengthening the social and economic system and legal order), social needs (ensuring health protection, social security, and counteracting all forms of discrimination), economic needs (e.g. national development, economic growth), ecological needs (environmental protection), and cultural needs (nurturing national heritage, respect for differences in outlooks on life, and ethnicity).³⁹ Each of these national needs can be adversely affected by cyber threats, which is why the security of cyberspace is so important for the proper functioning of the state.⁴⁰

State administration, as a complex structure, performs public tasks in the field of cybersecurity through a set of activities, actions, and organisational undertakings. The administration’s primary tasks include efforts to guarantee public safety and order. The administration ensures the security of IT systems and networks and selects entities ensuring continuity and high service quality, while guaranteeing access conditions for the widest-possible audience; it secures the functioning of the national trust service infrastructure and supervises trust service providers. It is the executive sector of the state which carries out activities to pursue the public interest through cooperation between public authorities and services. These authorities are responsible for ensuring a high level of security for cyberspace and its users.

It should be stressed that the adopted policy is an important instrument for implementing public tasks in cyberspace.

Generally speaking, a policy is a set of coherent, precise, and lawful rules, principles, and procedures, according to which a given organisation, or administration, builds, manages, and provides information resources.⁴¹

2 The Main Benefits of a Well-Designed Security Policy

• Allocating responsibility for system development to a separate group of people, so that no one has full authority within the system

• Establishing organisational structures responsible for managing information security

• Controlling the process of issuing cards and codes’ not being left to programmers/developers who have access to account data

• Introducing a distinction into open and protected information

• Distributing operational functions between different people

• Effective programming of information-security principles among the management and employees of the organisation

• Documenting changes in the system to facilitate its periodic checks

• Supervising software modifications and system testing

• Regular training of users on information security

• Backups’ being stored in a different room than the one in which the server is located

• Monitoring the system and detecting any anomalies.⁴²

As can be seen, the issue of cybersecurity in today’s administration is of crucial importance. Therefore, the information-security and cybersecurity management system is part of the organisation-management system. It is often based on an approach related to business risk, and refers to the establishment, implementation, monitoring, maintenance, and improvement of information security in particular.

The aim of cybersecurity management is to provide optimal protection in terms of cost; to identify which risks can be avoided and how, using both organisational and technical solutions, risks can be minimised to an acceptable level⁴³

At every institution covered by the National Cybersecurity System Act, the unit’s head must establish a cybersecurity management system based on the existing standards and best practices. These should define, among other things, the roles of the administrators and security inspectors of information processed on open communication and information systems and networks. The information-security management system will thus become an integral part of the institution’s security policy.⁴⁴ Public entities modify, develop, and implement, as appropriate, security policies for the communication and information systems used by these entities to perform public tasks.⁴⁵ In drafting their security policies, public entities take into account the responsibilities stipulated by the Act of 17 February 2005 on the Computerisation of the Operations of Entities Performing Public Tasks,⁴⁶ regarding the minimum information security requirements for communication and information systems.⁴⁷ A public entity should also take into account the provisions of the Polish Standards in the field of information security, in particular the group of standards in the PN ISO/IEC 27000 series, along with other related standards.⁴⁸ Coordinating the information-security policy of organisational units will ensure a common minimum level of security. All institutions, when taking into account cybersecurity, are obligated to establish, implement, monitor, operate, review, maintain, and improve their Information Security Management Systems⁴⁹ (see further comments).⁵⁰ The Minister competent for computerisation, in accord with the Ministry of National Defence (the MON), the Internal Security Agency (the ABW), and the Military Counterintelligence Service (the SKW), with the intention of guaranteeing a uniform information security policy for organisational units, has the power to draw up guidelines for cybersecurity management systems.⁵¹

When the appropriate regulations are implemented at the statutory level, the following will be ordered.

• Reporting on cybersecurity incidents to a designated governmental centre on cybersecurity;

• Drawing up Disaster Recovery Plans (DRPs) and Business Continuity Plans (BCPs), after the occurrence of an incident, including national standards or, in the absence thereof, international standards, acceptable principles not included in official standards, or widely recognised good practices

• Managing the cybersecurity of information and the introduction of safeguards, including national standards or, in the absence thereof, international standards, acceptable principles not included in official standards, or widely recognised good practices;

• Operating within a network of information about hazards.⁵²

The ISMS (Information Security Management System) is understood (as defined in the ISO/IEC 27000 series of standards) as a part of the management system, based on the concept of business risk management, responsible for establishing, monitoring, implementing, operating, reviewing, maintaining, and improving information security,⁵³ the management system itself being understood as a set of guidelines, policies, procedures, processes, and related resources (i.e. material resources—such as computers and machines; human resources—such as employees, with their skills and experience; and intangible resources—such as computer programs and organisational culture) aimed at ensuring that the organisation completes its tasks.⁵⁴ At least two elements in the normative definitions should be stressed:⁵⁵

• The systemic approach, in particular as the information security management system is composed not only of “paper” records (procedures, standards, ordinances, etc.) but also of all the resources relating to information security

• Basing information security on the business risk management concept.⁵⁶

According to § 20(1) of the Regulation of the Council of Ministers of 12 April 2012 on the National Interoperability Framework (KRI), the minimum requirements for public records and the exchange of information in electronic form, and the minimum requirements for communication and information systems⁵⁷ the entity performing public tasks develops and establishes, implements and operates, monitors and reviews, and maintains and improves, an information security management system, ensuring the confidentiality, availability, and integrity of information, taking into account such attributes as authenticity, accountability, non-repudiation, and reliability. The requirements for the information security management system in the KRI Regulation are considered to be fulfilled if the system

has been developed on the basis of the Polish Standard PN-ISO/IEC 27001, and the establishment of safeguards, risk management, and auditing is carried out on the basis of Polish Standards related to this standard, including:

• PN-ISO/IEC 17799168—with regard to the establishment of safeguards

• PN-ISO/IEC 27005—with regard to risk management

• PN-ISO/IEC 24762—with regard to IT-disaster recovery within business continuity planning.⁵⁸

As regards the information security management system, the most important standards are

• PN-ISO/IEC 27001:2014–12 – Information technology – Security techniques – Information security management systems – Requirements: specifies the requirements for the establishment, implementation, maintenance, and continuous improvement of the information security management system with regard to its organisation. It also includes the requirements for estimating and handling information-security risks

• PN-ISO/IEC 27002:2014-12 – Information technology – Security techniques – Code of practice for information security controls, contains recommendations for information-security standards in organisations, and information security management practice, including the selection, implementation, and management of security, taking into account the environment(s) in which information-security risks are present in the organisation. Chapters 5 to 18 relate to the safeguards listed in Annex A of the 27001 security standard.⁵⁹

It should be noted that the new possibilities for the administration’s operation, and, in particular, the virtualisation of its activities, also generate an ever-increasing risk of interference with information security. Risk management is the element of key importance in the process of protecting cyberspace. It determines and justifies measures taken to reduce the risk to an acceptable level. The first stage in risk management is the identification of all cases of hazards, and the identification of their sources and impacts. Each identified risk should then be evaluated and categorised, using the defined risk categories and parameters, and prioritised.⁶⁰ This is very important in the context of taking potential preventive action against key risks, in line with the risk management and implementation strategy adopted in order to regularly monitor the status of each risk.⁶¹ The adopted action plan will direct most of the resources (technical and non-technical) against the most likely risks. Information-security risk assessment should be performed repeatedly during business operations. It should be stressed that risk management is not intended to provide total protection, but to ensure a level of protection proportionate to the importance of the resources being protected. Risk management is a process which consists of both identifying hazards and assessing risks, by deciding which risks are to be avoided, and which ones to control, and how. An organisation, such as an administrative unit, can take action to avoid risks by refraining from high-risk operations, such as, for example, introducing “top secret” information into the system. It can also transfer the risk to another entity with the use of a legal mechanism, e.g. to insure itself against a given risk. The administration can also consciously control risks in two ways.⁶²

One of these is to minimise risk by implementing business continuity plans to ensure that users have access to the most important organisational functions in an emergency situation. In the event of a crisis situation, organisations should apply data- and information-security procedures.

• Have a backup archive at another location if possible

• Data stored on hard drives should be copied to two independent external media, and regularly returned and stored in a safe place

• If you have important paper documents, you should photocopy or scan them, and store them in a safe place, such as a safety deposit box

• Prepare precise instructions in the event of an emergency shutdown of equipment, especially computer hardware.⁶³

The second way to control risk is prevention by using safeguards.

Ways of reducing risk:

The second way to control risk is risk prevention by using safeguards.

Ways of reducing risk:

• Risk avoidance

• Risk control

• prevention through safeguards

• non-technical safeguards

• technical safeguards

• minimising by implementing business continuity plans

• Risk transfer.⁶⁴

On the last day of January of each year, with the intention of achieving an acceptable level of security, all government administration units referred to in Point 1.4 (sub-points 1–4) of the Polish Cyberspace Protection Policy⁶⁵ provide the Minister competent for computerisation with a report summarising the results of risk assessment (according to the model developed by the Minister competent for computerisation). The report includes general data relating to the hazards, risks, and vulnerabilities identified in each of the sectors in which the institution operates and for which it is responsible. The report also presents information on methods for dealing with risk. The Minister competent for computerisation, in cooperation with the institutions involved, formulates a uniform methodology for conducting risk analyses. This methodology is obligatory for Government administration institutions. The Governmental Computer Security Incident Response Team CERT.GOV.PL submits to the Minister competent for digital affairs, with a view to achieving a unified approach, catalogues covering vulnerabilities which undermine cybersecurity, and the specification of possible threats.⁶⁶

Authorised representatives for cybersecurity (hereinafter referred to as the PBC) have been appointed within government-administration units.

The PBC performs the following tasks regarding cybersecurity.

• Drawing up and launching procedures for responding to computer incidents, which will function within the organisation

• Developing contingency plans and their testing

• Performing tasks resulting from the provisions of legal acts dedicated to ensuring security in cyberspace

• Identifying and conducting periodic risk analyses

• Preparing procedures to ensure the notification of the appropriate CERTs.⁶⁷

The position of the Cybersecurity Representative within the structure of the organisational unit is not indicated by the Policy; however, this role should be performed by a person responsible for the implementation of the ICT-security process.⁶⁸

In summary, a cybersecurity policy is a set of precise and consistent procedures and rules, according to which a given public-administration institution manages, builds, and makes available information and communication resources and systems. It determines which resources are to be protected and the methods applied to this end. The ISMS, on the other hand, is a continuous process which must be constantly improved and adapted to changing circumstances. Each stage is divided into activities which involve security policy, risk management, and resources. Combining all activities into a continuous process of secure information management facilitates secure functioning in the new digital reality.

In the Republic of Poland, cybersecurity tasks, like other security tasks, are carried out by public authorities and their subsidiary administrative authorities. According to constitutional division, a public authority possesses legislative, judicial, and executive powers.⁶⁹

These tasks arise from the general public task of ensuring national security. W. Kitler cites, inter alia,

the protection of the constitutional order, understood as the activities of state authorities and institutions, and the system of legal rules guaranteeing the continuity of the constitutional state system, including the protection of the state as a legal and political organisation, as well as the protection of freedom and human and civil rights, and the protection of classified information and personal data; the protection of the life and health of the people, and of goods and the environment, from the negative effects of human activities, technical failures and natural forces.⁷⁰

It should be noted that all these values can be affected by the risks arising from the use of cyberspace. The role of the legislative authority, which includes the Sejm, the lower House of the Polish Parliament and the Senate, in the field of cybersecurity, mainly arises from its system-forming functions, including legislation. This encompasses legislation and the definition of the main directions of the state’s activities,⁷¹ which is related to the effectiveness of the Polish legal system and the activities carried out by administrative bodies.

Public authorities also include the judiciary. Its main tasks, which it also carries out within the ambit of cybersecurity, include the administration of criminal justice. These often relate to national security in general, as well as to its trans-sectoral field, that is to say, cybersecurity, with its rules of conduct.

However, the executive branch plays the key role in the field of cybersecurity. Its responsibilities relate to managing cybersecurity, through “influencing the behaviour of others and supervising their actions, but also by taking specific measures, having the tools and managing the assets related to the achievement of its objectives”.⁷² The Constitution of the Republic of Poland states that executive power in Poland is held by the President and the Council of Ministers.⁷³ Pursuant to Article 126(2) of the Constitution of the Republic of Poland, “The President of the Republic of Poland shall ensure observance of the Constitution, safeguard the sovereignty and security of the state as well as the inviolability and integrity of its territory”.⁷⁴ This provision is general, but a more specific function follows from Article 230 (1), which states

In the case of threats to the constitutional order of the state, to security of the citizenry or public order, the President of the Republic may […] introduce for a definite period no longer than 90 days, a state of emergency in a part of or upon the whole territory of the state.

This is all the more important, as, under the State of Emergency Act, these threats can be caused by actions in cyberspace.⁷⁵

A special role in ensuring the security of cyberspace lies with the Council of Ministers, consisting of the Prime Minister and Ministers. As noted by W. Kitler, “The Council of Ministers is the ‘leader’ of the public administration”,⁷⁶ as it is responsible for implementing laws and controlling and coordinating the activities of government administration bodies. The Council of Ministers is responsible for external security, internal state security, and public order, which includes the implementation of cybersecurity tasks. Other tasks related to cybersecurity include crisis management on the territory of the Republic of Poland, actions for the protection of critical infrastructure, and, in situations of special threat, including those arising from cyberspace, which cannot be removed by ordinary constitutional means, the Council of Ministers may adopt a Resolution to request the President to impose a State of Emergency or Martial Law, and in certain cases it may itself impose a State of Natural Disaster.⁷⁷ The leading role in the Council of Ministers is played by the Prime Minister, who presides over the Council of Ministers, that is to say, exercises leadership, coordination, and control tasks in respect of it. The second body of the Council of Ministers is made up of the Ministers themselves, who head the various departments. They define the principles, methods, and ways of performing public tasks, in the offices and organisational units subsidiary to them.

Cybersecurity as a trans-sectoral field involves all administrative authorities. Public tasks focused on this field are performed by various types of state entities, guards, services, and inspections subordinate to the Prime Minister or individual Minister. Given the responsibilities assigned, the leading role in this respect is played by the Internal Security Agency, the Ministry competent for Digital Affairs, the Minister of the Interior and Administration, and the Minister of National Defence.

The most important bodies responsible for cybersecurity include the Internal Security Agency (the ABW), whose Head reports directly to the Prime Minister. The ABW is competent for the internal security of the state and its constitutional order.⁷⁸ These responsibilities also include cybersecurity, including tasks which the ABW performs through the Department of Information and Communication Security and the Department of Classified Information Protection. The former includes the Governmental Computer Security Incident Response Team, which is the main state entity responsible for identifying, combating, and neutralising cyber threats.⁷⁹ It was modelled on European and American units operating in the field of computer incidents.

The next important institution in the protection of cyberspace is the entity established on 5 July 2016—the National Cybersecurity Centre.⁸⁰ The Centre functions as an early-warning unit, which, working on a 24/7/365 basis, manages and monitors the procedure of issuing information about network threats (Dyżurnet.pl⁸¹). The NC Cyber is developing a national-protection plan, in cooperation with the administration, business, and the scientific communities. The NC Cyber operates within the structures of the NASK, and consists of four divisions—Operations, Research & Development, Analysis, and Training. Within the Operations Division there is the National CERT team, i.e. a group which, among other things, responds to network security incidents, constantly monitors threats in cyberspace, and anticipates upcoming trends and threats. Thanks to cooperation with such entities as banks, mobile-phone operators, power-line managers, energy distributors, etc., CERT specialists have direct access to the IT infrastructure of the whole country. If a cyber attack from outside is detected, it is intended to make it easier to defend against it at the Polish IT border. As part of their cooperation with the NC Cyber, the individual institutions have deployed their specialists, who monitor the situation in cyberspace 24 hours a day, to its Headquarters. Their presence is designed to facilitate rapid response in the event of an adverse situation.⁸²

The NC Cyber acts as a security operation centre (SOC) in the field of cybersecurity, carries out audits of companies and public administration authorities which encompass critical infrastructure, and issues orders and recommendations. The NCC NASK is the place where information on threats from the various actors involved in the project is collected as part of the National Cyberspace Protection System. The NASK’s NC Cyber specialists conduct analyses and make recommendations on the basis of this information. The NC Cyber develops contingency plans, organises training and exercises for persons responsible for the security of the state administration, and stipulates minimum security requirements for institutions. The NC Cyber will prepare incident-reporting schemes, which will include critical-infrastructure managers, banks, and other business sectors.⁸³ The Centre plays a key role in the process of implementing the EU NIS Directive in Poland.

3 Conclusions

In conclusion, in recent years we have seen a spike in interest in cybersecurity, resulting in an increasing number of individuals and organisations emerging to deal with this problem. However, in order to carry out public tasks in this area more effectively, it is necessary for administrative, military, and civil fields to cooperate and exchange information. It is also essential in these fields to build structures and systems protecting the information which forms the basis of their operations.

A key role for the security of cyberspace is played by the Minister of National Defence, one of whose main tasks in peacetime is to lead the Armed Forces of the Republic of Poland. The Armed Forces are not only responsible for cybersecurity, but they themselves could become the target of potential attacks, which could lead to losses for the whole country. The Armed Forces have also been subject to computerisation and digitisation activities, resulting in the emergence of cyber-sensitive vulnerabilities.⁸⁴ New technologies and networks are being used more and more often in operational reconnaissance,⁸⁵ or in the information war. These processes are intensifying with the development of nanotechnologies and automated and robotic devices. Military operations are also permeating cyberspace, which means that more countries are deciding to develop offensive capabilities to deter potential aggressors.⁸⁶ The changes related to digitisation have led to the creation of special units dealing with cybersecurity within the structures of the Polish Armed Forces.