15. 7. 2021 30min.

Building up Cybersecurity Policies in the Visegrad Region: Which Cooperation?

Reflection

The Visegrad region has been the target of cyberattacks, in both the public and private sectors, in recent years. Cyberattacks raise a number of political and legal questions: which legal instruments protect the victims of cyberattacks? How do national governments cooperate among themselves in providing a common response to cyberattacks? In this respect, the V4 offers a unique example of sub-regional cooperation in the cybersecurity sector, thanks to the Central European Cyber Security Platform. This reflection argues that such a form of cooperation may serve as an example of how to start a constructive dialogue on cybersecurity issues and shape coordinated legal and political responses.

INTRODUCTION

The Visegrad region has been the target of cyberattacks, in both the public and private sectors, in recent years. Cyberattacks raise a number of political and legal questions: which legal instruments protect the victims of cyberattacks? How can national governments ensure a safe cyber environment? And how do they cooperate among themselves in providing a common response to cyberattacks? National governments' responses differ from country to country, and a common political and legal approach has not yet been achieved at any level of regulation. In this picture, the V4 offers a unique example of sub-regional cooperation in the cybersecurity sector, thanks to the Central European Cyber Security Platform. This reflection argues that such a form of cooperation may serve as an example of how to start a constructive dialogue on cybersecurity issues and shape coordinated legal and political responses.

ANALYSIS

The World Economic Forum's Global Risks Report 2021 included cyber risks among the current global risks: a growing number of cyber-incidents have targeted public and private organizations and infrastructures around the world in recent years. The Visegrad region (or V4, comprising the Czech Republic, Slovakia, Hungary and Poland) is no exception to this trend: among others, we can recall the massive cyber-espionage operation that was first unmasked in 2018 by the Slovak cybersecurity firm ESET, which had been ongoing since about 2013 and was targeting public institutions in Central and Eastern Europe. In the last year, in particular, the COVID-19 pandemic has opened new opportunities for cyber-threats: worth mentioning are the episodes of ransomware attacks on national health facilities (like those that occurred in the Czech Republic in April 2020), or the cyber-attacks against the national vaccine registration website in Hungary in February 2021.

Cyberattacks pose not only technical issues (how to identify and address cyber incidents), but also political and legal questions: which (international, regional and national) legal instruments protect the victims of cyberattacks? How can national governments ensure a safe cyber environment not only for national institutions and infrastructures, but also for their citizens? National governments' responses differ from country to country, and a common political and legal approach has not yet been achieved at the international level, nor at the regional one. All in all, multiple layers of policy documents and regulations are still in place, lacking a coordinated and uniform legal and political framework of reference.

In general, we can highlight a constant tension between, on the one hand, the increasing number of cyber-incidents that know no borders (any cyber-incident may originate in one or more countries and have effects in others), and, on the other hand, the adoption of (normative) policies at each level of regulation (international, European, sub-regional and national) that do not seem harmonized and coordinated.

The lack of uniformity and harmonisation of regulations starts with the lack of a comprehensive database on cyber-incidents. At the international level, there is no official and institutional database of cyber-incidents; at the EU level, the European Union Agency for Cybersecurity (ENISA) keeps track of cyber threats occurring within the EU member states (and it is up to the relevant national offices to send the relevant information regularly to ENISA). At the national level, data and statistics are generally not comprehensive and detailed. In the V4 region, we can rely on the reports and data collected by the following national agencies: 1) the National Center for Cybersecurity SK-CERT of Slovakia; 2) the National Cyber Security Centre (NCSC – NCKB) of the Czech Republic; 3) the Polish computer emergency response team CERT Polska; and 4) the National Institute of Cyber Defense (NKI) of the National Security Service of Hungary. Moreover, we can rely on reports and data published by private companies and institutions, like the Cyber Operations Tracker, a public database of state-sponsored incidents prepared by the US-based Council on Foreign Relations think tank. The lack of clear and comprehensive data is surely an obstacle when it comes to understanding how to regulate this phenomenon in the most efficient way.

An additional obstacle to a common approach to cybersecurity issues, as already mentioned, comes from the fragmented layers of policies and regulations that govern cybersecurity.

At the international level, there is no unique instrument dealing with cybersecurity. The only binding instrument to date is the Convention on Cybercrime of the Council of Europe (“Budapest Convention” – CETS No. 185, signed on 23 November 2001 and entered into force on 1 July 2004), which focuses on infringements of copyright, computer-related fraud and violations of network security. There are also a number of multilateral initiatives addressing cybercrime and cybersecurity issues at the international level, like the work of the G7 Cyber Expert Group, the United Nations, the Organisation for Economic Cooperation and Development and the North Atlantic Treaty Organization (NATO). Worth mentioning are also private codification initiatives like the 2017 Tallinn Manual 2.0 on the international law applicable to cyber operations. Overall, the existing international legal framework is rather fragmented.

The same holds true for the EU level of regulation. In recent years, cybersecurity has been at the heart of manifold EU regulations and policies, both in the internal dimension of the EU policies – related to the Internal Market and the Area of Freedom, Security and Justice – and in the external one – related to the foreign and security policy. A series of legal acts have been adopted in order to protect electronic communications networks: the 2016 Directive on Security of Network and Information Systems (NIS Directive 2016/1148 of 6 July 2016), which introduced commitments for member states on security measures and incident notifications in a number of sectors such as energy, transport, banking, financial market infrastructures and healthcare; the 2016 General Data Protection Regulation (GDPR Regulation (EU) 2016/679 of 27 April 2016), according to which all companies should take measures to enhance data security and notify regulatory authorities of any significant breach of the data; the 2018 Directive establishing the European Electronic Communications Code (Directive (EU) 2018/1972 of 11 December 2018), according to which member states should ensure the security of public communications networks; and the 2019 Cybersecurity Act (Regulation (EU) 2019/881 of 17 April 2019), which introduced a system of EU certification for information and communications technology (ICT) products, services and processes that would be recognised in all EU member states.

In the field of cyber-defence, in 2017 the Joint EU Diplomatic Response to Malicious Cyber Activities (the so-called cyber diplomacy toolbox) was adopted. The toolbox allows the EU and member states to implement a diplomatic response to malicious cyber activities through the means of the Common Foreign and Security Policy. These can include preventive (e.g. awareness-raising, capacity-building), cooperative, stability and restrictive measures (e.g. travel bans, arms embargoes, freezing funds).

As part of the EU cyber diplomacy toolbox, in May 2019 the Council also established a “[…] framework for targeted restrictive measures to deter and respond to cyber-attacks with a significant effect which constitute an external threat to the Union or its Member State […] against third States or international organisations […]” (Council Decision (CFSP) 2019/797 of 17 May 2019), when such measures are deemed necessary to achieve the objectives of the Common Foreign and Security Policy.

And what about the V4 countries? All V4 countries, as EU member states, implement the relevant EU Directives and Regulations. Moreover, each of the V4 countries has its own cybersecurity-related regulation: the Czech Republic adopted its National Cyber Security Strategy for the period from 2021 to 2025 in 2020 (replacing the previous one adopted in 2015); Hungary adopted the National Cyber Security Strategy in 2013; Poland adopted the Cybersecurity Strategy for 2019–2024 in 2019 (replacing the previous one adopted in 2017); and Slovakia adopted its National Cybersecurity Strategy 2021–2025 in 2021 (replacing the previous one adopted in 2015). All V4 countries are also parties to the Budapest Convention and take part in the major international fora discussing cybersecurity issues, like NATO and the UN. Within the EU, they collaborate, among others, with the European Cybercrime Center of Europol and ENISA.

And what about the V4 as a platform of cooperation? Even though to date there has been no significant joint document on cybersecurity issued by the V4, we find important programmatic references to cybersecurity in public documents issued by the Group on several occasions.

The importance of cybersecurity was recalled by the V4 in the Visegrad Group Joint Declaration on Mutual Cooperation in Digital Projects – adopted on 17 February 2021 at the meeting of the prime ministers of the V4 on the occasion of the 30th anniversary –, which underlined “the importance of cybersecurity and digital technologies in ensuring the economic growth in the V4 countries”. Also the 2011 Bratislava Declaration (on the occasion of the 20th anniversary of the Visegrad Group) restated that “[…] The Visegrad Group will actively contribute towards international efforts in combating […] security threats and challenges, including those in the area of cybersecurity, that jeopardise our values and the freedoms of our citizens […]” [emphasis added].

Cybersecurity has also been referred to in V4 Presidency Programs, with a call to strengthen cooperation, as well as in a number of joint declarations: the Joint Declaration of the Ministers of Economic Affairs of the Visegrad Group Countries on the Future of Economic Cooperation of 19 April 2018 included a call on “[…] the importance of arising issues that include cyber security […that] will contribute to the data-economy of the coming digital age […]”, while the Joint Declaration of Intent of V4 Prime Ministers on Mutual Cooperation in Innovation and Digital Affairs (“Warsaw Declaration”), issued in Warsaw on 28 March 2017, restated the willingness of the V4 to “[…] work towards sustainable, efficient, resilient and secure cyber space […] allowing the joint internal market for the high-level cyber security and protection of critical information infrastructures and resources […]” [emphasis added]. A call to implement cooperation was also included in the Joint Statement of the V4 Ministers of Defence, issued in Brussels on 4 June 2013: “[…t]he V4 countries will tighten their cooperation in countering cyber threats at political and operational level as cyber security becomes extremely vital […]”.

Cybersecurity has also been discussed during V4+ meetings, as highlighted in the Joint Statement from the Annual Summit of the Visegrad Group Prime Ministers and the Prime Minister of the State of Israel released in Budapest on 19 July 2017, where “[…t]he five leaders agreed to explore the possibility of further strengthening joint cooperation in the areas of […] cyber security […]” [emphasis added], as well as in the Joint Statement of the Ministers of Foreign Affairs of the Visegrad Group, Austria, Croatia and Slovenia issued in Budapest on 10 July 2017, where there was a call to “[…] take action on issues including […] cyber security as well as digital skills […]” [emphasis added], and again in the Joint Statement on the Occasion of the First Summit of Prime Ministers of the Visegrad Group and the President of the Republic of Korea, released in Prague on 3 December 2015, where “[…t]he V4 and the ROK acknowledged the goal to strengthen their cooperation on global issues, including […] cyber security […] and agreed to continue close consultations in respective areas […]” [emphasis added].

However, it is in the field of technical cooperation in cybersecurity that the V4 has made major progress, thanks to the Central European Cybersecurity Platform (CECSP), which was established in 2013 and includes representatives of governmental, national and military Computer Security Incident Response Teams (CSIRTs) along with representatives of national security authorities and national centres of cybersecurity from Slovakia, the Czech Republic, Poland, Hungary, and Austria (ENISA is also present with an observer role and supports the activities of the platform). The CECSP facilitates the exchange of information and sharing of know-how among the countries on cybersecurity issues.

CECSP is indeed an exemplary (operational) cooperation model in the field of cybersecurity: among the activities of CECSP, we can mention the organization of cybersecurity exercises among its participants – which serve as opportunities to test and share best practices in the field of cybersecurity – and coordination of relevant policies. Hungary hosted the first joint cybersecurity exercise of CECSP in 2014; this was an opportunity for the participant countries to learn from each other about relevant technical solutions and know-how, thus laying the groundwork for future cybersecurity cooperation in fighting global-scale cyberattacks. In 2015, CECSP held another exercise focusing on decision-making, while the exercise in 2017 was devoted to testing the technical skills of participants.

As highlighted in the 2018/2019 Slovak Presidency, “[…the CECSP] initiative did not go unnoticed by other members of the EU. For example […] France joined in on the coordination of CECSP activities in matters of the cybersecurity of the European Union […]”. Accordingly, CECSP has started to be seen as an example of cooperation in cybersecurity issues.

The work program and the meeting agendas of CECSP are not publicly available; however, we find several references to the importance of its role and functions in the cybersecurity sector in V4 public documents, especially in some Presidency Programs, such as the 2014/2015 Slovak Presidency Program, the 2015/2016 Czech Presidency Program – which expressly considers CECSP as the privileged forum in which to “harmonis[e] the positions of the V4 countries on fundamental topics of cyber security” –, the 2016/2017 Polish Presidency Program, the 2017/2018 Hungarian Presidency Program – which, after the global cyber-incidents of WannaCry and NotPetya, put a strong emphasis on the role of cyber-defense –, the 2018/2019 Slovak Presidency Program and the most recent 2020/2021 V4 Polish Presidency Program, which refers to CECSP as an “established channel[...]” in which to carry out “[c]onsultations with a view of finding topics of mutually beneficial cooperation in cyber security […] include[ing with respect to the question of] international law applicable to cyberspace operations […]”. One practical example of successful cooperation within CECSP in the field of harmonization of cybersecurity policies relates to the implementation of the 2016 NIS Directive in CECSP member states.

The NIS Directive was the first EU Directive providing legislative and technical co-operation requirements in the field of cybersecurity, and all EU member states had to transpose the Directive into their own national regulatory framework. CECSP provided a forum where the V4 and Austria could compare and discuss the best ways to transpose the Directive; in the end, they all transposed the NIS Directive in a similar and harmonized way. Overall, CECSP has proved to be a platform for building trust among participants: representatives of national governmental CSIRTs share their experience, know-how, and organizational and legal structures, and build up personal contacts that are important for future cooperation in cybersecurity operations.

CONCLUSION

CECSP represents an example of (operational) cooperation in the field of cybersecurity in the V4 region: its participant countries have recognized that the platform is a good forum for discussing cybersecurity issues, building trust and starting to harmonize cybersecurity policies.

This should serve as a model for other countries, in the EU and at the international level; sub-regional platforms for discussion and cooperation can indeed be extremely useful in sharing information and best practices and in developing efficient policies. This is extremely important when it comes to dealing with cybersecurity. Cyber-threats know no boundaries; accordingly, nationally oriented solutions are not sufficient.

As stressed in the 2020 Visegrad Group Joint Statement on the Future of the Eastern Partnership, “[h]ybrid threats including cyber-attacks need to be addressed in a collaborative way”. The V4 group can indeed become a privileged platform of discussion to advance in the regulatory harmonization of the issues at stake.