Cybersecurity strategies of the Visegrad Group countries

A security strategy is a basic and starting document used for the formulation of regulations, standards, methodologies, rules, (security) policies and other tools needed to ensure cybersecurity. Because national strategies are an effect of the political environment, we may assume that this strategy reflects the unique political culture of the given state. A state’s security system is not stable and to a large extent depends on processes taking place in the political, social and technological environment. Cybertechnology tends to develop rapidly so we should consider whether policy documents address dynamically changing conditions and provide ways for citizens and public institutions to adapt to cyberspace. The documents analysed in this section contain guidelines that may steer the next stages of security policy implementation from both legal and practical perspectives. They should also help us determine the powers and competences of the various institutions involved in basic state operations. Arguably the future development of Visegrad Group is closely tied to the use of cybertechnology both in general political life and at the level of specific projects. To understand the factors shaping this cooperation framework, however, we need to turn to the cybersecurity policy positions of individual states. The sources of this analysis are documents developed by these countries and presented as their cybersecurity strategy. These documents set out the political plans of individual governments, thus allowing us to map out their present and future actions.

The Czech national cybersecurity strategy

According to the Czech Republic’s cybersecurity strategy, modern cybertechnology presents a key challenge for the state, with particular consequences for any public and private entities that depend on information and communication tools. In contrast with the strategies of the other V4 states, the Czech document emphasises the critical role of information security, the loss of which, we are told, could have unpredictable consequences for society:

The public and private sectors’ dependence on information and communication technologies becomes ever more obvious. Information sharing and protection are crucial for the protection of security and [the] economic interests of the state and its citizens. Whilst the general public is mostly concerned about their personal data abuse or afraid of losing money and data, cyber security as such encompasses much more. Major risks include cyber espionage (industrial, military, political, or other), ever more often carried out directly by govern‑ ments or their security agencies, organized crime in cyberspace, hacktivism, intentional disinformation campaigns with political or military objectives, and even – in the future – cyber terrorism. (p. 5).

Due to the open and publicly accessible nature of the Internet characterized by [the] absence of geographical borders, [the] security and protection of cyberspace demand a proactive approach not only from the state, but also from its citizens. (p. 6). The Czech Republic shall encourage [the] development of an information society culture through awareness raising among its citizens and private sector subjects. They shall have free access to information society services and to information on responsible behaviour and use of informa‑ tion technologies. (p. 8).[We need to train] experts specialised in […] active counter‑measures in cyber security and cyber defence and in [an] offensive approach to cyber security in general. (p. 18)

In ensuring cyber security, the Czech Republic abides by fundamental human rights, democratic principles and values. It respects the Internet’s open and neutral character, safeguards the freedom of expression, personal data protection and […] privacy rights. It therefore strives for […] maximal openness in access to information and for […] minimal interference in individuals’ and private entities’ rights. (p. 9).

Another important element of the strategy is its classification of the threats arising through cyberspace. These threats include cybernetic espionage (divided into industrial, military, political and other kinds), cybercrime, hacktivism, disinformation and cyberterrorism.

The Czech strategy has four main parts: the first offers a vision of state cybersecurity with goals extending beyond the designated time period of 2015–2020. The second part sets out the basic principles that should shape cybersecurity policy. The third identifies specific cybersecurity challenges for the state and international organisations while the fourth describes the strategic goals whose achievement is crucial for Czech cybersecurity policy in this period. The document also stresses the state’s obligations resulting from its role in international organisations and NATO’s collective defence structures:

The Czech Republic shall actively support its international partners in preventing and solving cyber attacks, fulfil its commitments arising from the membership in international organizations and from the collective defence within the NATO, and promote security in other states. (p. 7). The Strategy follows the principle of indivisible security; the Czech Republic’s cyber security is thus indivisible from global, namely Euro‑Atlantic cyber security. (p. 9).

Other sections highlight the need for state cooperation with the private and academic sectors on research and development concerning secure information and communication technologies. At the same time, the state confirms its support for the production, research, development and use of advanced technologies.

The Czech Republic addresses cybernetic security comprehensively and so the document rightly observes that cyberspace is a global phenomenon transcending geopolitical boundaries. The authors note that the state and its agencies cannot be solely responsible for cybersecurity. Instead the active cooperation of the Czech public, private entities and entrepreneurs is required:

The state and its agencies cannot bear the sole responsibility for cyber security; […] active cooperation of the Czech Republic’s citizens, private legal persons and individual entrepreneurs is needed. (p. 10).To ensure, in cooperation with [the] private sector, a cyberspace offering a reliable environment for information sharing, research and development and provide a secure information infrastructure stimulating entrepreneurship in order to support the competitiveness of all Czech companies and protect their investments. To provide education and raise the private sector’s awareness of cyber security. Provide the private sector with guidance on how to behave in crisis situations, particularly during cyber incidents but also in their day‑to‑day activities. (p. 18).

As such, this area of security policy is said to require various forms of cooperation across the public and private sectors, civil society and the academy

The Hungarian national cybersecurity strategy 

The Hungarian cybersecurity strategy focuses largely on the enforcement of national interests within the context of the state itself. Reading the document, we come away with a strong sense of its highly national concerns. Established targets of security policy (for example, guaranteeing economic security, adapting to technological innovation and ensuring international cybersecurity cooperation) must all be compatible with Hungarian state interests:

The purpose of this Strategy is to determine national objectives and strategic directions, tasks and comprehensive government tools which enable Hungary to enforce its national interests in the Hungarian cyberspace, within the context of […] global cyberspace. The strategy aims at developing a free and secure cyberspace and protecting national sovereignty in the national and international context […] Furthermore, it aims at protecting the activities and guaranteeing the security of [the] national economy and society, securely adapting technological innovations to facilitate economic growth, and estab‑ lishing international cooperation in this regard in line with Hungary’s national interests. (p. 2).

The introduction to the document sets out two specific goals for the cyberstrategy: it should manage threats and risks arising in cyberspace (understood here as both a location and the source of harmful processes) and it should enhance government coordination and resources. There are also references to values such as freedom, security and the rule of law and the need for international and European cooperation. In this way, the Hungarian strategy highlights the international materials that have served as signposts for the national document. Those sources include recommendations from European Parliament, documents from the European Commission and the High Representative for EU Common Foreign and Security Policy and the main tenets of the NATO strategy:

At the same time, the Strategy is in conformity with the recommendations of the European Parliament for the Member States included in Decision No. 2012/2096(INI) on cyber security and defence, adopted on 22 November 2012, and with the joint communication published by the European Commission and the High Representative of the Common Foreign and Security Policy of the European Union on 7 February 2013 under the title “Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace.” Furthermore, the Strategy is in line with the Strategic Concept of NATO accepted in November 2010, the Cyber Security Policy of the Organisation adopted in June 2011 and its implementation plan, as well as with the cyber protection principles and objectives set forth in the documents of the NATO summits held on 19-20 November 2010 in Lisbon and on 20-21 May 2012 in Chicago. (p. 2).

Hungary’s strategy also introduces and defines a concept of “Hungarian cyberspace,” which includes both electronic information systems located within state territory and social and financial processes occurring within and through cyberspace. Those processes may result in data and information found in the Hungarian public domain or outside state borders but affecting the level of Hungarian security.

     Significantly, the drafters understand the concept of cybersecurity in a military context. The idea of an “information war” is invoked, with cyberspace described as one of the most important theatres of modern warfare. Turning to the security standards of international organisations, the cyberstrategy appeals to a notion of community defence based on the common defence principle under Article 5 of the NATO charter. Hungary, thus, recognises the cooperation with NATO as key to cybersecurity:

Hungary considers it highly important that cybersecurity has become an issue for collective defence under Article 5 of the founding treaty of NATO. (p. 3).

The Hungarian text also refers to civil liberties and human rights. These values are said to coexist with another important and often irreconcilable value: the right to security. This is apparent, for example, in the following statements about ensuring freedom from fear while also guaranteeing the protection of personal data and the free and safe use of cyberspace:

This Strategy reflects the basic values enshrined in the Fundamental Law of Hungary, specifically freedom, security, [the] rule of law, international and European cooperation, in a separate field within security and economic policy. (p. 2). The protection of Hungary’s sovereignty in […] Hungarian cyberspace is a national interest, too; free, democratic and secure functioning of the Hungarian cyberspace based on the rule of law is regarded as a fundamental value and interest. In Hungary, the freedom and security of cyberspace is ensured through the close cooperation and coordinated activities between Government, academia, business sector and civil society based on their shared responsibility. (p. 3).

The authors highlight potential threats to the state that may arise from an information leak, maintaining that this is why the protection of state data is so essential. In this context, they also draw attention to the security of key cyberspace infrastructure. Another important issue, more marginal in other V4 countries’ strategies, is the need to provide a safe online space for children and young people:

Child protection. Hungary regards the creation and maintenance of an environment allowing the healthy development of children as a basic element of cybersecurity, and treats it as a priority in all affected areas, achieving, at the same time, the objectives of the European Strategy for a Better Internet for Children. Particular emphasis is laid on encouraging the creation of quality online content for young people, supporting awareness‑raising and preparatory measures, the prevention of the harassment and exploitation of children, and the establishment of a secure online environment. For this purpose, Hungarian non‑governmental organisations with a proven record in online child protection are regarded as key partners. (p. 6).

     The strategy also underlines the importance of specialist security policy institutions. Implementation, it notes, should be entrusted to organisations with specific skills and powers. Those organisations should cooperate not just with one another, but also with other authorities responsible for data protection and classified information:

It is worth noting that the organisations responsible for cybersecurity policy are not clearly indicated in the document, and in practice, this provision may result in many controversial actions. The drafters stress the aim of expanding Hungary’s role in EU and NATO cybernetic protection initiatives and cooperation as well as in UN and OSCE cybersecurity cooperation projects. Finally they announce the continuation and expansion of cooperation in the Central and Eastern Europe region.

The Polish cybersecurity doctrine

The starting points for the Polish security strategy are provisions of EU documents. Like the other V4 countries, Poland sees the chance to strengthen its cybersecurity as a potential benefit of its membership of NATO and EU allied defence and cybernetic defence structures. The document, thus, emphasises that any Polish provisions should be compatible with the strategies of allied states and international organisations like the EU and NATO:

It is important that the evolution of security in Europe favours coherence and solidarity, as well as [the] development of defence capabilities of NATO and the EU, and not a decrease in Member States’ ambitions related to this domain […] [Objectives include] developing the defence and protection capabilities that would be adequate to the needs and capacities of the state, as well as increasing their interoperability within NATO and the EU […] reinforcing NATO’s readiness and ability to provide collective defence, as well as the coherence of EU’s actions in the field of security; building a strong position of Poland in the two organizations. (p. 17).

Like its Slovak counterpart (see the discussion below), the Polish strategy assumes the need to establish a defining framework for processes and phenomena at the very outset. The document, thus, contains an explanation of the basic concepts that it uses when discussing the cybersecurity problem. The strategy’s main goal is to ensure Poland’s safety in cyberspace. In this context, however, cybersecurity is understood mainly in terms of the efficient functioning of key state and private sector infrastructure, particularly as this affects the financial, energy and health sectors. In other words, the focus is on the structure of the state and its economic environment, including the private sector, which directly determines security policy:

Particular importance is attributed to: cooperation and coordination of protective actions with entities from the private sector – in particular the finance, energy, transport, telecommunications and health care sectors; conduct of preventive and prophylactic activities with regard to threats in […] cyberspace; elaboration and use of appropriate procedures for social communication in this field; recognition of offenses committed in cyberspace, their prevention and prosecution of their perpetrators; conduct of information struggle in the cyberspace; Allied cooperation, also at the level of operational activities aimed to actively combat cyber offences, including the exchange of experience and good practice in order to increase the efficiency and effectiveness of domestic measures. (p. 21).

The strategy next highlights the co‑existence of public and private entities in cyberspace. Entities in the financial, energy, transport, public health and advanced technology sectors are seen to be at particular risk, especially when it comes to data theft and attacks on their integrity or breaches of confidentiality related to the scope of their activities and availability ofservices. One of the few references to the social risks of cybertechnology appears in the discussion of public administrative and financial services. In these realms, data and identity theft and the loss of control of private computers are all seen as serious threats:

[The] improving position of Poland in the international arena, as well as its membership [of] NATO and the EU, result in an increased interest of foreign secret services in our country. Possible unauthorised disclosure or theft of classified information and other data protected by law may cause damage to the national security and interests of the Republic of Poland. (p. 10).

If cybersecurity policy is to be effective, the document notes that appropriate standards and good practices must be established to support private and non‑public organisations (NGOs and scientific and research institutions) with cybersecurity risk management. There is also a need for preventative education and information to protect citizens from potential cyber- threats:

Education for security comprises activities thanks to which citizens gain knowledge and skills related to security. It is provided within the framework of general and higher education, by central and local state institutions, as well as associations and non‑governmental institutions. It is [a] priority […] to increase social awareness in terms of the understanding of threats to […] security and to shape competences […] to respond to such threats in a deliberate and rational manner. (p. 21).

The Polish authors detect a high risk to national security coming from private operators and ICT service providers (especially transnational entities with decision‑making centres abroad) given the limited state influence on their operations. Unregulated or improperly regulated relations between these entities are, thus, an important challenge for Polish cybersecurity policy. At the same time, the text notes a potential threat to democracy arising from efforts to bal‑ ance two sets of values, i.e. the protection of personal freedom and personal rights in the virtual world on the one hand, and the use of adequate security measures on the other. This tension may complicate the introduction of effective new cyberspace security systems:

[…] ensuring that citizens freely enjoy freedoms and rights, without detriment to the safety of others and of the security of the state, as well as assuring national identity and cultural heritage. (p. 12).

As technology has advanced, the counterparts of all traditional security threats have arisen in cyberspace. Of particular importance are those threats affecting critical state infrastructure controlled by IT systems. The development of information technology has led to a range of new external threats including cybercrimes and cyber‑conflicts with state and non‑state entities, which may, in turn, produce cyber‑threats. Cyberspace operations are, thus, now am integral part of political and military conflicts.

  One contemporary external threat that Poland identifies in cyberspace is cyber‑espionage. This refers to operations by foreign state services and non‑state entities, including terrorist organisations. These entities use special tools to gain access to sensitive data. Other sources of danger include extremist organisations, terrorist organisations and organised transnational criminal groups whose cyber attacks may have ideological, political, religious, financial or criminal motivations.

The country’s most important cybersecurity tasks include developing and adopting a systemic approach, which will have legal, organisational and technical dimensions. Like the strategic proposals of all the V4 countries, the Polish document notes that the expansion of cybersecurity brings with it the potential for significant scientific collaboration. There is, thus, a need to create a support system for cybersecurity and education research and development, including projects to be implemented with scientific and commercial enterprises.

     As can be seen, Poland calls for the expansion of intelligence services’ powers and capacities in cyberspace since this will enable them to neutralise foreign intelligence activity and be an effective counterespionage tool. In this context, cybersecurity policy must introduce a safe system of oversight, that is, an independent communications network to manage national security (this could be done from within the government communications network, for example). It will also be important to ensure the national control of ICT systems.

The Slovak cybersecurity concept

The drafters of the Slovak strategy emphasise that cyber‑threats are a constant accompaniment of everyday life. As such, cooperation with NATO allies is essential under Article 5 of the North Atlantic Treaty, which concerns collective defence and response coordination in the event of an attack on an alliance member. Like the Czech strategy, the Slovak document stresses the need for ongoing planning by raising political, legal, economic, social and technical‑organisational awareness:

At a state level, it is a system of continuous and planned increasing of political, legal, economic, security, defence and educational awareness, also including the efficiency of adopted and applied risk control measures of a technical‑organizational nature in cyber space in order to transform it into a trustworthy environment providing for the secure operation of social and economic processes at an acceptable level of risks in cyber space. (p. 6).

The document also notes the lack of any coherent, formal cybersecurity terminology. As such, it includes an appendix with basic explanations of all the key terms used. The authors emphasise that cybersecurity issues are neither isolated to the Slovak Republic nor limited to one or a few segments of the socio‑political environment. Rather, due to its global nature, cybernetic security is a general social phenomenon. This interdisciplinary approach to cybersecurity is also clear from the assumption that implementing cyberse‑ curity policy requires continued cooperation among a wide range of entities: the armed forces and civilians, the state and the private sector and national and international bodies.

The Slovak strategy emphasises its compliance with the cybersecurity principles set out in EU and NATO documents. It is also supported by references to existing Slovak laws, including provisions on defence planning, crisis situation planning and coordination and intelligence services:

Cyber security is perceived as a key component of state security. The basic com‑ ponents forming and implementing the security system of the Slovak Republic are, according to the law: foreign policy, defence planning, civil emergency planning and coordination and intelligence services. (p. 7).

Like the cyberstrategies of other V4 countries, the Slovak document highlights the need for cybersecurity education. However, the text points out certain shortcomings that may affect the general level of knowledge about cyber‑threats. Education, it notes, does not take place at the level of specialised fields of study. Instead it is mainly handled in discrete courses offered by selected educational institutions based on selected needs.

As a NATO and EU member, Slovakia is, like all the V4 states, involved in drafting international strategic documents which also cover cybersecurity. This implies an obligation toapply the adopted documents and transpose them into national law. In this respect, the Slovak government is cooperating closely with the NATO Cybernetic Defence Excellence Center in Tallinn as well as the European Network and Information Security Agency (ENISA) and the European Cybercrime Center (EC3), which was established in 2013.

     Slovakia’s cybersecurity strategy describes a cybersecurity culture made up of basic elements that are also noted by other countries. The cybersecurity policy consists of several key activities. The first of these is establishing an institutional framework for cybersecurity administration. The second is creating and adopting a legal framework for cybersecurity. The third is maintaining and applying basic systems for secure cybernetic space administration. The fourth is supporting, preparing and implementing a system of cybersecurity education. The fifth is introducing and applying a communication risk control system among interested parties. The sixth is active international cooperation and the seventh and final activity is supporting cybersecurity‑related science and research.

     Prevention is the key to the strategy and it entails the use of protective tools that will avert cyber‑threats. In this context, the focus is not only public education but also intelligence activities that collect and evaluate intelligence data in order to predict and prevent certain cyber‑incidents:

[T]his involves the activation of entities active when solving crisis situations and if necessary, an early warning for the public, taking measures aimed at stopping the escalation of the crisis situation and the creation of conditions for a return to a stabilized situation. Offensive activities aimed at weakening and/or eliminating the cyber and even physical capacities of the attacker and to discourage the attacker from continuing in the attacks. Intelligence activities aimed at supporting defensive and/or offensive activities (e.g. intelligence information about the cyber capacities of the attacker). (p. 16).

The strategy demonstrates the system for responding to existing or potential threats, i.e. the steps taken to respond effectively to specific events. At the same time, it highlights the repair mechanism that should reduce the damage caused by cyber‑attacks and restore the status quo.

In a characteristic move for strategies of this type, the document calls for the creation of a formal cooperation platform at national level. This structure should ensure representatives of the business and academic communities are involved in preparing and drafting government decisions. In particular, these representatives should provide opinions on the development and ongoing improvement of the cybersecurity system.