Organisation of the National System of Cybersecurity: Selected Issues

The issues discussed in this paper concern cybersecurity. The threats present in cyberspace are becoming increasingly difficult to detect, and their prevention requires not only knowledge and special equipment, but also considerable financial resources. As such, the State has to put a great deal of effort (both institutional and financial) into cybersecurity measures directed against attacks. In order to meet the challenges connected with ensuring cybersecurity, the legislators have undertaken the regulation of such issues by adopting laws on the national cybersecurity system to allow the responsible authorities to properly secure cyberspace against threats. As part of the national cybersecurity system, lawmakers have imposed a number of obligations on public entities to ensure that information systems are resistant to actions which compromise the confidentiality, integrity, accessibility, and authenticity of processed data, and the related services offered by such systems. Appropriate obligations have also been imposed on the operators of essential services (OES), i.e. services key to maintaining critical social or economic activities which are included in the list of essential services.


INTRODUCTION
Security is an area of considerable concern to the state. Ensuring freedom from threats, or rendering such threats harmless to the normal functioning of public institutions, private entities, or society (ensuring security), is the primary objective of each state. There are multiple levels at which this objective should be met. Effective protection against threats allows the state to fulfil its public mission of meeting the needs of society (including its security needs) and supporting its development.
One of the actors in the national cybersecurity system is local government. 1 Local governments are separate decentralised authorities which perform public tasks, have their own governing bodies and the attribute of independence, and act on local or regional scales to exercise their competences in their own name and at their own responsibility. It should be noted, however, that the legislators have not provided local governments with the instruments they need to properly perform their cybersecurity tasks, as these are largely managed by State institutions.
Cybersecurity is one of the domains of any country's security. It is all the more important today, and the repercussions of cybersecurity breaches affect not only public spaces but also the social sphere. Therefore, the State must respond quickly and decisively to cyberattacks, while seeking more and more advanced protection mechanisms. In their efforts to react to the increasingly frequent threats to cyberspace, the Polish legislators decided to introduce an appropriate regulation which would allow an accurate diagnosis and a sufficient response in the event of a cyberattack.
The aim of the national cybersecurity system is to ensure cybersecurity at the national level, entailing the uninterrupted provision of both essential and digital services, which is to be achieved by guaranteeing a proper level of security within information systems used to provide such services, as well as by providing smooth incident-management procedures. 2 The lawmakers have not provided any exact definition of the system, and have specified it only through certain statutory determinants (including the purpose), which makes it difficult to define its overall status. The system of cybersecurity should indeed work as a system, i.e. as a group of synchronised institutional and functional components which deploy their relevant skills and know-how to perform specific tasks. This system should be composed of various cybersecurity-related entities, organised into one interconnected whole, and equipped with the appropriate tools. The current solution undoubtedly lacks cohe-

in charge of cybersecurity; 18) the Single Point of Contact for cybersecurity; 19) the Government's Plenipotentiary for Cybersecurity; 20) the Cybersecurity Board. Therefore, the legislators chose those entities which they believed played a vital role in the cybersecurity system, and also those being important from the point of view of the strategic interests of the country, including in the field of telecommunications.

THE OBLIGATIONS OF THE OPERATORS OF ESSENTIAL SERVICES
The EU legislators expressly stipulate that Member States are to take steps in order to ensure that the operators of essential services implement appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations. When doing so, they should factor in the latest state of the art. Their protection measures must ensure a level of network and information-systems security which corresponds to the risks posed. Furthermore, EU Member States are to ensure that the operators of essential services take the appropriate measures to prevent or minimise the impact of incidents affecting the security of the network and information systems used for the provision of such essential services, which aims to ensure the continuity of such services. Member States also need to ensure that the operators of essential services immediately notify the responsible authority or the CSIRT of incidents with a significant impact on the continuity of the essential services they provide. Such notifications have to include information enabling the responsible authority or CSIRT to determine any cross-border impact of the incident, while at the same time they cannot make the notifying party subject to increased liability. 12 Pursuant to Article 8 NCSA, the operators of essential services are required to deploy a security-management system within the information systems they use to provide their services. 
Such a security-management system is to ensure the following: 1) regular incident-risk assessment and risk management; 2) the implementation of the appropriate technical and organisational measures proportionate to the assessed risk, taking into account the latest state of the art, including a) the maintenance and safe operation of the information system, b) physical and environmental security, including access control, c) the security and continuity of services key to the provision of the essential service, d) the deployment, record-keeping, and maintenance of action plans which allow the continuous and uninterrupted provision of the essential service, and ensure the confidentiality, integrity, availability, and authenticity of information, e) the implementation of a continuous monitoring system to supervise the information system used to provide the essential service; 3) the collecting of information on cybersecurity threats and the vulnerabilities of the information system used to provide the essential service; 4) incident management; 5) the applying of measures to prevent and minimise the impact of incidents on the security of the information system used to provide the essential service, including a) using mechanisms to ensure the confidentiality, integrity, availability, and authenticity of the data processed in the information system, b) keeping the software up to date, c) security measures against unauthorised modification in the information system, d) taking immediate action on identifying a vulnerability or a cybersecurity threat; 6) using the means of communication which facilitate accurate and safe communication within the national cybersecurity system.
Downloaded from the journal Studia Iuridica Lublinensia http://studiaiuridica.umcs.pl Date: 11/07/2021 02:38:57
The obligations imposed on the operators of essential services include the following basic activities and processes: risk management, with the implementation of physical, technical, and organisational security measures based on risk assessment; incident management, and the management of effective incident responses; and an obligation to guarantee a safe and secure communication channel operating within the national cybersecurity system. 13 The obligations of the operators of essential services (OES) involve many fields, including incident-risk assessment and incident-risk management, and finally incident management. Risk assessment should be understood as the overall process of risk identification, analysis, and estimation (Article 2 para. 13 NCSA); an incident is defined as an event which has or might have an adverse effect on cybersecurity (Article 2 para. 5 NCSA); and risk management entails coordinated activities in the sphere of cybersecurity management in relation to the assessed risk (Article 2 para. 19 NCSA). Incident management means handling an incident, searching for connections between incidents, eliminating incident causes, and developing conclusions drawn from incident handling (Article 2 para. 18 NCSA).
As stated in Article 9 NCSA, the operator of essential services: 1) designates a person responsible for communicating with entities in the national cybersecurity system; 2) provides essential-service users with access to knowledge which allows them to understand cybersecurity threats and employ effective precautions against such threats within the scope associated with the essential services provided, in particular by publishing relevant information on the operator's website; 3) provides the responsible authority with relevant data no later than within 3 months of changing the data.

A public administration body may designate a contact person using whatever legal form available. It is not obliged to perform a strictly defined legal act resulting in the appointment of a contact person who will communicate with the entities of the national cybersecurity system.
The OES are required to fulfil their information obligations towards the person who is the user of this type of service. The exchange of relevant messages may take place via the operator's website; there is no requirement to send such personalised information directly by electronic means, such as e-mail. 14 Further obligations of the OES are set out in Article 11 NCSA. Under this provision, the OES should: 1) ensure incident handling; 2) provide access to information on recorded incidents to the responsible CSIRT MON, CSIRT NASK, or CSIRT GOV, to the extent which is necessary for the operators to perform their tasks; 3) classify incidents' seriousness, based on the incident seriousness thresholds; 4) report serious incidents immediately, and not later than within 24 hours from detection, to the responsible CSIRT MON, CSIRT NASK, or CSIRT GOV; 5) cooperate with the responsible CSIRT MON, CSIRT NASK, or CSIRT GOV during the handling of serious and critical incidents by, e.g., providing the required data, including personal data; 6) remove the vulnerability which has caused or could potentially cause a severe, significant, or critical incident, and notify the responsible authority of its having eliminated the vulnerability. As part of the obligations set out in Article 11 NCSA, two terms have been described - "serious incident" and "critical incident". A serious incident is an event which causes or might cause a serious reduction in the quality of, or discontinuity in, the provision of the essential services (Article 2 para. 7 NCSA); a critical incident is an occurrence leading to significant damage to public safety 15 or public order, 16 international interests, economic interests, the operations of public institutions, civil rights and freedoms, or human lives and health, as classified by the responsible CSIRT MON, CSIRT NASK, or CSIRT GOV (Article 2 para. 6 NCSA).

THE RESPONSIBLE CYBERSECURITY AUTHORITIES
In Article 41 NCSA, the lawmakers define a catalogue of authorities in charge of cybersecurity, including: 1) for the energy sector - the Minister responsible for energy; 2) for the transportation sector, excluding the water-transportation sub-sector - the Minister responsible for transportation; 3) for the water-transportation sub-sector - the Minister responsible for the maritime economy and the Minister responsible for inland navigation; 4) for the banking sector and the financial-market infrastructure - the Polish Financial Supervision Authority; 5) for the healthcare sector - the Minister responsible for healthcare; 6) for the healthcare sector, the digital infrastructure sector, and digital-service providers, including the following entities - a) entities subsidiary to, or supervised by, the Minister of National Defence, including organisations whose ICT systems or ICT networks are included in a uniform specification of sites, installations, facilities and services forming a part of the critical infrastructure 17 - the Minister of National Defence, b) entrepreneurs of special economic and defence significance for which the Minister of National Defence coordinates and supervises the performance of national defence tasks 18 - the Minister of National Defence; 7) for the drinking-water supply and distribution sector - the Minister responsible for water management; 8) for the digital-infrastructure sector and for digital-service providers - the Minister responsible for computerisation.
The Polish legislators have decided to create a dispersed model of cybersecurity-responsible authorities, with several authorities performing this function and dealing with matters substantially related to the specific nature of the activities of the operators of essential services, and of digital-service providers. 19

CONCLUSION
According to the EU legislators, ICT networks, systems, and services play a vital role in society, which is indeed very true. The reliability and security of such networks, systems, and services are of utmost importance for both the economic and social spheres, in particular for the well-being of the internal market. The scale, frequency, and impact of security incidents are on the rise, posing a serious threat to the functioning of network and information systems. Information systems can also become the target of malicious acts aimed at damaging or disrupting their operations. Such incidents can not only impede business operations, but also generate significant financial losses, undermine the confidence of users, and result in serious losses to the economy of the EU and its Member States. Responding effectively to challenges to the security of network and information systems, therefore, requires a global approach at the Union level covering common minimum capacity building and planning requirements, the exchange of information, cooperation, and common security requirements for the operators of essential services and digital service providers. 20 The dynamic civilisation shifts of recent years stem from the rapid advancement of information techniques and information and communication technologies. Cyberspace is only one of the new spheres in which these processes take place. 21 This field should be properly secured, because it is of strategic importance, not only for the proper functioning of the country itself, but also for the information society, which needs and uses various forms of communication.
Ensuring cybersecurity, which is intended to be achieved through systemic measures, relates to the protection of information systems' integrity against unauthorised interference. The job of information systems is to guarantee the uninterrupted exchange of data via telecommunications networks, and the uninterrupted provision of digital services. Such protection is the responsibility of the State. It is the State which should foster the optimal conditions (including the legal conditions) for successful cybersecurity. 22 The issues related to security in cyberspace are determined by the development of new technologies, including robotics, as well as digital processes and the ever-evolving computerisation. The progress of the State's computerisation is a key building block in the development of cybersecurity administration, which should be perceived in two dimensions. The first involves a specific group of institutions with the appropriate powers and functions in the sphere of cybersecurity administration. The second dimension is related to the domain of the law, which is used to implement the State's cybersecurity-related mission, goals, and tasks, at both national and international levels. 23