Source Codes Considered to be of “Strategic” importance. Polish Cyber-Security Doctrine
Polish authorities have developed a “Cyber-security Doctrine of Republic of Poland”, which created a framework needed for the state security systems acting within the IT network. The document assumes that, inter alia, capability of carrying out offensive actions should be created. Access to the source codes of the equipment acquired abroad has been defined as a “strategic” issue.
According to the document, which has been published by the National Security Bureau, the main strategic aim is to ensure security of the state within the cyberspace, which has been defined as an “additional dimension” of the national security, along with land, sea, airspace and space.
Polish cyber-security doctrine assumes that preventive and defensive operations are to be undertaken side by side with “active-defence” and offensive actions. The authors of the document additionally pointed out that there is a need of carrying out losses recovery after the potential attacks.
The doctrine in question is placed above the ministerial infrastructure, and the created system shall include both command, as well as operational elements, which would be able to carry out, independently both defensive, as well as offensive operations, as well as operations which would be organized jointly with the allies. The newly developed framework also indicates, that particularly relevant threats are related to the critical infrastructure of the state (including the defensive system), as well as to the private subjects acting within the financial, high-tech, energy, transport and public health sectors. The list of potential victims also included the IT-services providers.
When it comes to the risks within the area of cyber-security, regulations related to relationships between the subjects which are functioning within the cyberspace (including e.g. sharing the information on the threats), as well as issues related to the use of the advanced military equipment components in the defensive system, when the source codes are unavailable, have been created.
Authors of the doctrine have also mentioned the need of providing the proper financing or risk related to the possible social rejection of the regulations, which would make it possible for the state to obtain proper tools needed for carrying out effective operations within the cyberspace. On the other hand, it has been said that the national scientific and technological potential makes it possible to create national cyber-security and cryptographic systems.
According to the content of the document, the activities carried out within the cyberspace are, nowadays, an integral element of any conflict “with the hybrid character [of these conflicts]”. Within the scope of the operational activities, the doctrine includes, inter alia, monitoring and risk analysis, as well as creation and updating of the action plans in case of a cyber-attack directed at the elements of national administration. It is stressed that there is a great need to coordinate the implemented measures with the international structures, including NATO and the UE. The authors consider development of proper legal regulations, that would e.g. support the R&D works, to be of essential value.
Polish cyber-security doctrine also assumes that scope cooperation between the public and the private sector shall be expanded. It also takes into account the need of creating capabilities within the scope of conducting offensive operations in the cyber-space. Polish Army shall also be capable of conducting operations, should a cyber-war be in question. It is emphasized that achieving full control of the IT elements of armament and military equipment acquired from the foreign partners has a “strategic” meaning, which means that there is a need to access the source codes of the newly procured equipment.