ACTA protesters took to the streets of Warsaw last week
No one was seriously harmed by the cyber attacks unleashed on several Polish government websites last week. The attacks did, however, expose the inexplicably low level of security protecting those sites, and at the same time brought into question what would happen if more malevolent hackers were to target, for example, IT systems operating the country’s infrastructure.
The hackers and online “activists” attacked Polish government websites in protest against the government’s plans to sign the Anti-Counterfeiting Trade Agreement (ACTA), launching a distributed denial-of-service (DDoS) attack against the websites of the president, prime minister, parliament, Internal Security Agency (ABW) and other government offices. According to Poland’s Computer Emergency Response Team (CERT Polska), a government body tasked with reacting to internet security breaches, apart from DDoS attacks, there were at least two confirmed “defacements” of government websites: those of the prime minister and the Ministry of Defense.
At first, the government attempted to deny what was going on, with government spokesperson Paweł Graś saying the problems were “just the result of huge interest in the sites of the prime minister and parliament.” After the truth of the incidents became apparent, these comments quickly became a source of ridicule on Facebook and other social networking sites.
A Twitter account using the name “AnonymousWiki” claimed responsibility for the hacking and warned the government of further strikes if Poland signed the ACTA treaty. It also claimed it had “leaked documents on many of Poland’s officials,” and that if the treaty were passed, the group would not hesitate to make those documents public.
These acts of “hacktivism” (the act of breaking into a computer system for politically or socially motivated purposes) against Poland’s support for ACTA came days after coordinated opposition in the US to the Stop Online Piracy Act (SOPA) and Protect Intellectual Property Act (PIPA). As with SOPA and PIPA, critics of ACTA argue that the bill will stifle freedom of expression on the internet and endanger users’ right to privacy.
The SOPA and PIPA legislation now appear unlikely to pass, but despite this and the cyber attacks on Polish sites, Prime Minister Donald Tusk refused to budge over ACTA, announcing that Poland would sign the agreement and would not “submit to blackmail.” The agreement was signed in Tokyo on January 26.
The prime minister added, however, that “only when the government is sure that Polish law guarantees freedom on the internet, will we send the bill for ratification to parliament.”
The apparent ease with which hackers brought down government websites raised serious security concerns in Poland, after hackers indicated that the login and password for the prime minister’s website were “admin” and “admin1”, respectively. These words tend to be placeholders when a new system is installed, so website administrators can enter a proper login and password later on.
Last Monday Foreign Minister Radosław Sikorski even casually thanked the hackers via his Twitter account, for testing his ministry’s website.
“Thank you to the hackers for the test of the Foreign Ministry’s website. Another attack repulsed after a few minutes. Only through practice can we improve our procedures,” Mr Sikorski wrote.
Others were less sanguine, however. “These events showed us that we are not prepared to counter potential cyber threats,” said Joanna Świątkowska, who is responsible for the project “Target: Cyber Security” at the Kosciuszko Institute, a think tank.
“The poor login and password of the Prime Minister’s website are just embarrassing. And the same with the websites of entities that are supposed to take care of Poland’s cyber security: the ABW’s web page was shut down. The statements of the Polish Ministry of Foreign Affairs show us that our decision makers have played down the problem. These are symptoms of deeper problems, and Poland needs to face them,” she added.
Arguing that cyber security is not high enough on the government’s agenda, the Kosciuszko Institute has been carrying out a comprehensive analysis of Poland’s defense measures against cyber threats, with results scheduled to be published in the next few weeks.
According to Ms Świątkowska, the attacks against government websites fall in the category of hacktivism, were a manifestation of people’s opposition to ACTA, and were not aimed at destroying the government’s IT systems. But the possibility that those systems could be endangered in the future is what has security experts so worried.
With the global financial system and critical national infrastructure (such as the energy grid, the supply of water and gas, the health care system and telecommunications) all based on the use of ICT solutions, cyber security has become a fundamental element of national security policy.
Following last week’s attacks, the ABW stated that the security of classified information had not been at risk, primarily because confidential information is subject to special control and is stored in separate networks that are not accessible through the internet.
But networks that are isolated in this way are still vulnerable. The most famous case in which such systems were attacked occurred in 2010 in Iran. The country’s factories, power plants, oil pipelines and military installations were targeted by the Stuxnet worm. While that program was subsequently described as one of the most sophisticated pieces of malware ever detected, it made clear that even the most heavily guarded networks could be compromised.
So where does Poland stand when it comes to cyber defense? The country participates or plans to participate in several cyber defense systems, including NATO’s Cooperative Cyber Defence Centre of Excellence.
Poznań University of Economics’ Department of Information Systems and Polish IT solutions provider Sygnity are piloting the Semantic Monitoring of the Cyberspace (SMC), as part of the EU’s Coordination of the European Future of Internet Forum of Member States (ceFIMS) project. The SMC aims to create a prototype to monitor various internet sources in order to detect cyber threats.
CERT Polska, as part of the IT security Department of the Polish Internal Security Agency (ABW), is tasked with ensuring and developing the capabilities of public administration units to protect themselves against cyber threats, “in particular against attacks aimed at the infrastructure involving IT systems and networks the destruction or disturbing of which may considerably threaten the lives and health of people, existence of national heritage and the environment or lead to considerable financial loss or disturb the operation of public authorities.”
CERT is responsible for coordinating responses to cyber attacks, but when contacted by WBJ, a spokesperson at the ABW said the situation was fluid and declined to comment on its assessment of CERT’s response to the latest attacks on government websites.
Kosciuszko Institute experts argue that the systems Poland has in place do not amount to a cohesive system of cyber defense.
“There is no piece of legislation designed to exclusively address cyber crime and consequently it is next to impossible to define one institution or agency which would be exclusively responsible for the country’s cyber security. As a result, all undertaken actions are insufficiently coordinated and less effective,” according to the institute’s policy brief “Cyber Terrorism – A new threat to international security in the 21st century.”
“The solutions that Poland applies for cyber security are insufficient and rudimentary. A lack of a strategic, holistic approach in this area is very visible,” commented Ms Świątkowska.
Contacted by WBJ, Poland's incumbent telecoms operator TP said the firm has its own CERT, which monitors IT security incidents 24/7 and is in constant contact with other IT security teams within the country and worldwide. Both Polish gas infrastructure operator Gaz-System and Poland's biggest bank PKO BP declined to comment on their cyber protection systems, saying the information was too sensitive.
According to all the experts contacted by WBJ, Polish businesses are actually better prepared than government institutions to counter potential cyber attacks.
But according to Marcin Geroch, director of the center of security and data protection at Polish IT provider Comarch, more work needs to be done, as many firms and institutions still fail to see cyber assaults as a real, immediate threat. “More and more companies and institutions are better protecting themselves against possible attacks from hackers, however, knowledge about these threats is still average,” he said.
“Poland is a country that has a well-developed information system, a lot of business is handled via the internet and a lot of sensitive data is transmitted in this way. Unauthorized access to certain information could be extremely costly, [and involve] severe financial losses, loss of customer confidence, and also serious legal consequences.”
Security experts also note that while businesses might be better prepared than the government because they are more acutely aware of the financial consequences of poor cyber security, the potential for public-private cooperation in this area is still underestimated in Poland. This is a problem in the sense that from a national cyber security point of view, both public and private institutions are often linked.
“Cyber security knows no borders, therefore solutions regarding solely the state level hardly work. Technology is ahead of politics, that is why public-private cooperation is so important,” said Andrew Nagorski, vice president of the New York-based think tank EastWest Institute at a debate on cyber security at the 2011 Economic Forum in Krynica.
So what does Poland need to do? According to the Kosciuszko Institute’s Joanna Świątkowska, the answer is threefold. The first step would comprise a review of Polish legislation related to cyberspace. Strengthening public-private partnerships on cyber security comes next, and should include a security audit of the ICT systems of firms responsible for critical infrastructure. Last but not least, awareness of the importance of cyber security must be raised among internet users and people responsible for operating critical infrastructure, she said.
Another challenge, according to Comarch’s Marcin Geroch, is for firms and institutions to constantly update the security systems in place, which is sometimes neglected because it is expensive. “Security procedures require a considerable investment, and the results are not directly tangible. Unfortunately, most institutions are beginning to defend themselves after the fact,” he said.
“This weekend’s attack showed that there are straightforward ways [for hackers] to get into some of the most important government websites. It is difficult to defend against hackers, because they always are one step ahead of us,” added Mr Geroch.
It remains to be seen whether last week’s attacks will have decision-makers turning their attention to cyber security, although some experts are doubtful. “I am a little worried that this won’t occur until something more serious happens,” said Ms Świątkowska.
From Warsaw Business Journal by Remi Adekoya, Alice Trudelle