Poland is taking a wrong (cyber)turn

Photo courtesy of Wikimedia Commons

Poland had long been taking a rather hands-off approach when it comes to the nation’s IT security. In 2012 during the ACTA debacle, PM Donald Tusk said that he understood the need to regulate the Internet, but the Polish regulations should be “as liberal as possible”. Unfortunately, this philosophy extended to the country’s approach to securing internal network. PM’s website was compromised by using simple credentials (the username was “admin” and the password was “admin1”). This event together with the present ruling party chief’s comment about the Internet being “unsuitable environment for voting”, because the people who use the Internet only “drink beer and watch porn”, shows the fundamental lack of understanding of the modern, connected world. That lead previous rulers to a conclusion that it is better for all the parties involved to leave the Internet alone. Until now.

As a recent report by the Supreme Audit Office showed, Polish civilian incident response sector was fragmented, chaotic and profit-driven. While military had proper procedures and chain of command, civilian sector was not coordinated and the Ministry of Digital Affairs was doing nothing to change that situation. It was a high time for someone to step up and sit behind the steering wheel.

Shortly after the report saw the daylight, election came and demos decided that the Law and Justice (PiS) party will be forming a new government. Few months later PiS aggressive style of politics and rapid legislative process become one of the highlights of the new times in Poland. It was also the dawn of a new approach to all things cyber. Very swiftly the .pl registrar and also the best IT security research institution in Poland (NASK) was handed over from the Ministry of Science and Higher Education to the Ministry of Digital Affairs. The process of handing over also involved the aftermath, namely the appointment of a new new head of NASK. At that time the Ministry of Digital Affairs proposed a new IT security strategy for Poland.

The document outlined a policy and proposed some radical changes in the current state of digital affairs. Government wanted to change the role of several institutions and wanted to make Poland secure from all external threats. According to the Ministry, a complete monitoring of all Internet exchange points in the country, including satellite links, was required to make everyone feel safe. When the newly appointed head of the Polish civilian cybersecurity in the MoDA, general Nowak, was asked whether this action would mean that the government will be openly spying on its citizens, he responded that the only data which will be gathered is the volume of the traffic and and the “vectors of a potential attack”. While it still remains unclear what “the vector of a potential attack” means, the term may encompass everything, e.g. from simple path traversal to a more militaristic informational warfare — i.e. monitoring of the propaganda comments left by paid Internet trolls.

This sounds reasonable, until you realize that the monitoring of a path traversal attack means that the government will build a system where they can look at everyone’s browsing history and check the URLs for specific patterns, while monitoring of the informational warfare means looking at the content that people publish and searching for specific words. Having that kind of system in place opens up a tremendous new area of abuse and makes it possible to block the content that is deemed unsuitable by the government. However, as gen. Nowak explains, the monitoring has to be implemented, because “attacks can come from a variety of directions and monitoring one entry point is not enough to get the whole picture”. In essence, gen. Nowak is not even considering the suppression of the attack, but the whole point of the system is to look at the network traffic.

As far as the stopping of these “vectors of potential attack” goes, government has other plans. Two recent bills — one, which is still a proposal and the second one which is just about to become a law — will allow the government to block websites or services which either “are related to an event, which has terrorist characteristics” or “allow to identify websites or other services that contain information about illegal gambling activities”. This means that the government is looking to build a system that would allow to quickly — and in the case of “information leading to a terrorist threat” immediately — block any service for all of the Polish users. Bill introduces also an interesting concept of delayed judiciary overview — the notion that a website may pose such a great threat to national security that it has to be taken down immediately and the subsequent judicial process may only remove, not impose, the censorship.

Illegal gambling is one of the staples of Internet censorship. Italy, for example, started their full-fledged Internet censorship program precisely by blocking illegal gambling websites and now moved to blocking the copyrighted content and even discussed blocking the content that hurts person’s feelings. Polish government openly admits that blocking the online gambling websites is done in order to tighten the tax law, which is a must given the government expensive social policies. What is really concerning is the fact that the Ministry of Finance will unilaterally decide to block any website it wants and this list will be reviewed semi-annually by the court. Which means that a website illustrating how to play poker can be blocked for half a year until court will decide against it. None of these laws will be overturned by the Constitutional Tribunal now, because the government simply ignores its verdicts since a couple of months.

I hope that the ruling government will realize that a system to block unwanted websites can be as easily abused as a system to monitor all Internet traffic. However, since the ability to watch porn was one of the main arguments against the introduction of the electronic voting mechanisms, I feel that the government may actually want to take the cyberturn to the road of abuse. Only time will tell. But there are good news in it after all. Paradoxically, the very reason of the introduction of the Internet censorship — the expensive social policies and the motion to crack down on the gambling tax heavens— means that the Polish government does not have funds necessary to devise and implement the Great Firewall of Poland. Without it, Polish Internet censorship will be as easily circumvented as it was legislated.