Serious warnings from the Ministry of Digital Affairs. Significant gaps need to be patched

• The Digital Affairs Council is an advisory body to the Ministry of Digital Affairs. During its two-year term, it has prepared many recommendations for ministers, but most of them have not been used by the administration.
• The term of office that has just passed ( recruitment for the new Council started today ) is summed up in an interview with WNP by Agnieszka Jankowska, head of the Council and at the same time director of corporate affairs and public affairs at T-Mobile Polska.
• Examples of inertia? Office applications. - There is no standard for securing them, so they often become a loophole for cybercriminals - says Jankowska. This is a big problem also from the point of view of ZUS.
• Why is it taking so long to work on the National Cybersecurity System? - Because there is no single team in the government. Quite simply - assesses the WNP interlocutor.

The term of the Digital Affairs Council at the Ministry of Digital Affairs is coming to an end. How can we sum up these two years?

- I am glad that there are people in it and around it from various institutions who see the challenges in the area of ​​digitalization and who would like to do something about them. This is very encouraging. On the other hand, I have the feeling that few of the proposed recommendations have been used.

Why does the Digital Affairs Council work?

Is the Digital Council a piece of cake?

- I think that a well-composed council is needed. We proposed various solutions not only to the Ministry of Digital Affairs, but also to other ministers in the government, we sent one letter to the prime minister.

We have adopted the assumption in this term that we are not afraid to take on difficult topics, our role was to show solutions that will serve society. That is why we have written a position on cybersecurity in the medical sector or in the science and research sector.

Did the ministers listen to you?

- Regarding our position on cybersecurity in the medical sector, I received a very substantive response from the e-Health Center, and regarding the position on the Cybersecurity Fund, the Ministry of Finance responded. The responses were sometimes working, from people we invited to meetings from institutions, sometimes given in an official form.

And the Minister of Digital Affairs? The photo of the head of the Council was placed in the "management and key persons" tab on the ministry's website.

- Did he listen to us? I think so. Three times the Deputy Prime Minister was even present at the meetings. But I don't have the feeling that what we said translated into concrete use of our proposals. At first I sent the Council's positions only in the form of a note, later I wrote official letters with a polite request to respond to them.

We received a response from the Minister of Grammar regarding the Council's position on combating disinformation about the properties of the electromagnetic field in telecommunications. Additionally, we hosted Minister Standerski at one of the meetings - it concerned eIDAS 2.0.

So what did it mean that you were a “key person” in the ministry?

- Honestly, I do not know what the key point of my role was, apart from what I set out to do, which was to perform the function of the Chairwoman of the Council as best and as efficiently as possible.

Digitalization strategy? It has not been adopted, although half a year has passed since consultations

Is the Council satisfied with the digitalisation strategy presented by the Ministry?

- We prepared a large position when it was created. Some of our ideas were included in it, some were not. It is natural. Then we submitted a number of comments to the already published document. It is difficult for me to say anything now, because I do not know what the final version of this strategy is.

This is interesting, because last year we had a lot of time pressure, you could see a lot of commitment and a huge effort from the strategy department that worked on it. In December, the MC announced consultations. Today we have mid-June and there is still no final version of the strategy.

The dynamics have declined.

- She fell, exactly.

This sounds a bit like a profession.

- As a Council, we were very involved in preparing the strategy from the very beginning, we prepared a number of materials, held many meetings, the deadlines were very tight, which is why I feel dissatisfied.

Is there a lot of inertia in the administration?

- Yes, that's why the Council seems important to me. We need a place where there will be a few positive "crazies" who simply want to do something for Poland. They will insist and follow one or another minister, remind each other.

Although it should be emphasized that among the members of the Council there are also people who hold the view that it is an advisory body to the minister and can only advise, suggest, and whether the minister uses these proposals or not is not our business. However, I believe that it is worth going after good proposals and asking for them to be at least discussed.

Who should have a seat in the Digital Affairs Council? Today, there are, among others, T-Mobile and Google

Does the way the Council is composed facilitate this?

- I would change the recruitment method for the Council so that it is truly a think tank, so that people who care about change and have time for additional work get into it. I would definitely announce open recruitment for selected thematic areas.

When formulating such an advertisement, however, it would be necessary to emphasize that this is intensive work that is not well paid and that it requires time and commitment.

You are a lobbyist for a telecommunications company. This has been the subject of criticism from some in the sector.

- I admit that the criticism was very difficult for me, because during that time I was not involved in playing for myself or my own company. You can see it in the minutes of the Council meetings, as well as the topics of the positions - all of them are publicly available. The only one, which concerns the telecommunications sector, is related to disinformation about the properties of the electromagnetic field.

I was responsible for organizing the Council's work, giving it rhythm and efficiency. This was my goal since I became chairwoman.

Should representatives of specific companies be on the Council?

- There has to be some kind of body where both large and small, representatives of the non-governmental sector and local governments meet - the aim is to have maximum diversity. Ultimately, this is an advisory body and so the minister chooses what to do with the recommendations.

Unfortunately, the decisions made are always subject to this political filter. It is our torment that politicians look for solutions that simply satisfy voters in some way. In addition, each project must find political support. Obtaining it is difficult work, because even if someone has a good idea and intentions, there will soon be dissatisfied people.

Where do problems with the National Cybersecurity System come from?

Speaking of political topics – how does the Council view the National Cybersecurity System? Why is it taking so long to pass this bill?

- Because there is no single team in the government. Simply.

Minister Krzysztof Gawkowski told us in an interview that the problem is the ministers .

- Everyone has their own interests and everyone sees different threats. It will never be the case that everyone is happy.

For months, there has been a lot of pressure from various groups to remove the issue of high-risk suppliers from the project.

- Yes, but this is a topic that I did not want to deal with at all as Chairwoman of the Council.

Because he was too controversial?

- No, it is simply a political decision. You have to sit down, discuss the concerns of all parties and make a decision. How many years have the consultations been going on? The Council was already preparing a position on this matter in the previous term. What more can I say? Here, you have to have the courage to make one decision or another.

It is obvious that not everyone will be happy. And to be clear, I am not talking about the deputy prime minister, but about other ministers.

Office applications are becoming a gateway for cybercriminals

What else will be most important from the point of view of digitalization until the end of the term?

- Higher education and science require a lot of attention. Between 2023 and 2024, the number of cybersecurity incidents at universities almost doubled, and yet there is still no systematic approach to improving the situation.

Similarly in healthcare – there are applications created in individual healthcare units, even private ones. There is no standard for securing them, so they often become a loophole for cybercriminals. They use them to create prescriptions for dead or fictitious people or they can influence the medical history of, for example, a patient.

We had a very good meeting with ZUS representatives on this topic. They pointed out that the ZUS certificate, originally created solely for issuing sick leave, is now used en masse for other medical purposes, which carries a serious risk of abuse and fraud, and the Institution does not have full control over this.

Another interesting problem is e-Time.

E-Time?

- Before the Digitalization Council, I had no idea that something like this existed. The e-Czas system, created by a Polish institution and financed from public funds, enables precise time marking of events in IT systems. This is crucial for automating decisions and maintaining deadlines. Although it is free, it remains almost unused by institutions and companies. We have also issued a position on this matter.

We have also taken up protecting minors from harm on the web. This may soon translate into specific actions.

Meaning?

- The Council has prepared a position on the actions necessary to protect minors from sexual abuse on the Internet - this concerns the so-called CSAM (child sexual abuse material - ed.), which is completely different from the recently famous issue of children watching pornography. Minister Michał Gramatyka promised to take up this topic, so we have prepared assumptions of what should be included in such an act.

I am waiting for a signal from the management whether the ministry will deal with this. I hope that in the near future it will be possible to solve at least this problem. Until now, we have often heard from different sides that something cannot be done now because of the elections.

How to solve the problem of child abuse on the Internet?

In this case, there are arguments that Polish regulations will not help much because such materials are a global problem.

- Many European countries have already implemented effective mechanisms. It is crucial to equip services - police, prosecutors, courts - with specific tools that will allow for faster identification and combating of sexual crimes against children on the Internet.

The currently operating systems, such as Dyżurnet in NASK, react only after a report is made – we want to create tools that will allow for a proactive response , i.e. here and now, when we are dealing with such a crime.

What does that mean exactly?

- For this purpose, you can prepare a database of so-called hashes, i.e. a collection of encoded "fingerprints" of files (e.g. photos or films), which allow you to quickly and automatically recognize known, illegal content without having to watch it again. Of course, such a database must be strictly controlled, with limited access. It is not only about efficiency, but also about protecting the psyche of experts or police officers who analyze the materials - today many of them have to watch the same drastic content many times. Thanks to technology, this can be automated, the response of services can be accelerated and the number of victims can be reduced.

And of course, this is not the end of the list. There are many other threads to be addressed in digitalization.

For example?

- Digital competences are very important, the issue of cybersecurity is very important, especially in the energy sector . And also the information security of the state. At the very end, the topic of access to public information appeared in the Council's discussions, in which we draw attention to the risk associated with access to data that is sensitive from the point of view of state security.

Small municipalities often do not have the resources or knowledge to properly protect sensitive data or infrastructure, and they operate under many regulations and are required to take many actions that require transparency based on inquiries as part of access to public information, publishing documents in the Public Information Bulletin, social media or local media.

This creates serious risks, such as the unintentional disclosure of personal data, business secrets, information about IT infrastructure, such as the disclosure of an IP address or a contract with data on IT services and systems used to secure the IT network. Perhaps by the end of the term we will be able to send a letter to the MC on this matter.