Establishment of the Tallinn Mechanism – Polish support for Ukraine’s cybersecurity

On the 20th of December 2023, the Ministries of Foreign Affairs of Poland, Denmark, Estonia, France, Canada, the Netherlands, Germany, Sweden, the United States, and the United Kingdom announced the creation of the Tallinn Mechanism. This initiative aims to strengthen NATO member states’ cooperation in the field of cybersecurity, with a particular focus on supporting Ukraine. 

The Tallinn Mechanism was established in response to the need for coordinating efforts to build Ukraine’s civilian capacity in the realm of cyberspace. Its primary goal is to assist Ukraine in maintaining its fundamental right to self-defense in the field of cybersecurity and meeting its long-term needs for digital resilience. According to the statements of the founding states, the directions of action within the Tallinn Mechanism will be distinct but complementary to military and civilian efforts to build cyber capabilities and digital development in Ukraine.  

Collaboration in exchanging information on threats, such as cyber-attacks on critical infrastructure and telecommunication systems and attacks on supply chains, is particularly significant. These threats have a cross-border dimension, which underscores the need for close cooperation between allies and strategic partners, including between Poland and Ukraine.

Poland had already signed an agreement with Ukraine in August 2022 on cooperation in the areas of digitization and cybersecurity. Under this agreement, Poland has undertaken several projects to support Ukraine, including the construction of a mobile data center and the procurement of equipment and access to broadband satellite communication, such as the Starlink system.

In the context of the newly established Tallinn Mechanism, Poland has agreed to play the role of the “Back Office,” collecting Ukraine’s cybersecurity needs and subsequently conveying specific offers of assistance and support from other allies. Poland’s participation in the Tallinn Mechanism aligns with the goals of the Cybersecurity Strategy of the Republic of Poland for the years 2019-2024, aiming to build a strong international position for Poland in the field of cybersecurity. Cybersecurity in Poland and support for Ukraine in this regard remain priorities for 2024. 

  

  

References: 

https://www.gov.pl/web/canada-en/mfa-statement-on-the-announcement-of-the-establishment-of-the-tallinn-mechanism 

https://cyberdefence24.pl/polityka-i-prawo/wsparcie-ukrainy-w-obszarze-cyfrowym-powstal-mechanizm-tallinski

Tackling disinformation in 2024: 6 tips for your day-to-day life

The year 2024 will be full of challenges in the fight against disinformation. With almost a billion people heading to the polls this year all around the world, we urgently need to band together to combat a flood of disinformation and digital manipulation that is about to come. In this article we share 6 tips for you to help combat this danger and do your bit to contribute to the work in this area. By incorporating these strategies, you not only bolster your personal defenses but also contribute meaningfully to the collective resilience required to navigate the complexities of a digital era rife with disinformation.  

 

Tip 1: Inform yourself with quality content and reliable sources

One of the key actions for avoiding disinformation is to be mindful of our information consumption. At the core of this lies information hygiene — the practices and habits individuals adopt to manage and maintain the quality, accuracy, and security of the information they consume, create, and share. Actively seeking information from credible, well-established media outlets increases our information resilience and protects us against hoaxes and lies. Not everything published on the Internet follows the standards of truthfulness that journalists are required to meet. Established media outlets adhere to rigorous journalistic standards, fact-checking procedures, and editorial oversight, offering a source of quality and reliable information.

 

Tip 2: Keep an eye on fact-checkers’ news and analyses

Fact-checkers are organizations dedicated to monitoring the most widely circulated hoaxes and misinformation on the Internet and to producing articles and analyses that explain them, debunk them, or provide context. By regularly checking fact-checkers, you gain access to expert insights and objective evaluations of the accuracy of news stories circulating online, as well as an overview of the disinformation and hoaxes being spread. In a digital era where misinformation proliferates rapidly, integrating fact-checkers’ updates into your information diet keeps you informed about content that seeks to deceive you.

 

Tip 3: Avoid sharing in autopilot mode

Surely you have seen someone who sees a catchy headline about a hot topic on Twitter and automatically shares it, without opening or reading the actual news story. In the age of quick publishing and the fight for attention, it is easy to succumb to the allure of instant sharing. However, this can inadvertently contribute to the spread of misinformation. To counter this, cultivate the habit of pausing before sharing content, especially on social media. Take a moment to go beyond the headline, scrutinize the details, and assess the credibility of the source. By resisting the urge to share in autopilot mode, you play a crucial role in breaking the chain of disinformation, promoting a culture of thoughtful content sharing, and fortifying the digital space against the proliferation of inaccuracies.

 

Tip 4: Cross-check information  

Before sharing or believing a news story, always check what other sources are writing. Are other sources reporting the same story? Do the details match up? If yes, it is safe to trust. Always remember that if something important is discovered or an important event has just happened, more than one source will be writing about it. Cross-checking information therefore allows us to double-check whether the provided information is accurate.

 

Tip 5: Details are key 

One of the best ways of deciphering whether something is disinformation is paying attention to the details. Many disinformation narratives are translated from other languages and therefore have a high probability of grammatical and spelling errors. If you see these types of mistakes, it should serve as a warning sign that the source might be untrustworthy. Additionally, pay attention to dates and the spelling of names – a trustworthy source would not publish information with such obvious mistakes.

 

Tip 6: Always think critically 

Does the information elicit strong emotions? Does the information seem too good to be true? It is essential that we question what we read and analyse it before we believe it. Evaluate whether the information makes sense and aligns with reality. If evidence is provided, check the sources. Analyse whether the information source or author is trustworthy. If the content elicits strong emotions, think about why the author would want to evoke these specific emotions. Draw your own conclusions from what you read rather than allowing someone else to do your thinking for you. This type of critical thinking allows us to engage with the information we take in and increases the chances of uncovering disinformation.

 

Tackling disinformation is no easy task and it is an ongoing battle. With so much chaos in the information space, it is not a surprise that sometimes we need a little help with deciphering whether something is disinformation. Resources like fact-checking websites are vital in our fight against disinformation and are a very useful tool for building a resilient society. Donating and continuing to fund such organizations is just another way of fighting disinformation.  

Digital development in the Middle East: Japanese and Saudi giants invest in blockchain and semiconductors

On December 7th, the Japanese financial giant SBI Holdings and the Saudi oil powerhouse Saudi Aramco signed a memorandum of understanding, committing both parties to collaborate in the investment in digital assets, Web3 development, and support for Japanese startups exploring potential in the Middle East. The scope of cooperation between the entities indicates the deep commitment of both partners to the digital and technological future. 

The focused collaboration plan, in addition to the mentioned tasks, also includes the construction of semiconductor factories. Control over them will be exercised by the newly formed SBI Middle East based in Riyadh. The Middle East branch of SBI will become a regional operational center, building its position using SBI Holdings’ previous investments, including in Dubai ($100 million). Investments in semiconductor production are particularly important in the context of global power competition and the significance of this segment for the entire defense and high-tech industry. 

The direction in which both entities are heading in terms of digital investments is also noteworthy. SBI’s activity within the SBI Osaka Digital Exchange, a digital asset exchange, suggests that Japanese-Saudi cooperation will be largely based on tokenization—the process of transforming real assets into digital tokens on the blockchain. Blockchain technology may find applications primarily in tokenized oil contracts, enhancing operational efficiency and innovation in the supply chain. 

In the context of the global market for digital assets and cryptocurrencies, the Middle East is becoming an attractive environment for companies in the cryptocurrency, Web3, and artificial intelligence industries. This is due to increased regulatory activity in these areas in the largest digital markets. The actions of SBI Holdings confirm the growing interest in this capital region, which is becoming a new destination for companies aiming to develop innovative technologies. 

 

References:
https://cryptonews.com/news/japans-sbi-holdings-and-saudi-aramco-explore-joint-digital-asset-ventures.htm
https://www.cryptotimes.io/japanese-cryptogroup-sbi-ties-with-saudi-aramco/ 

“Ashley” – the first AI chatbot created for conducting election campaigns

Over the past weekend in the USA, the Civox company launched its latest product: the chatbot “Ashley,” designed to conduct election campaigns and engage in campaign discussions with respondents. Ashley will be used by Shamaine Daniels, a Democrat from Pennsylvania, running for the US Congress in 2024. 

According to Ashley’s creators, it is the first AI tool based on generative artificial intelligence technology similar to OpenAI’s ChatGPT that is dedicated entirely to political purposes. It is capable of conducting a practically unlimited number of personalized one-on-one conversations simultaneously. Currently it handles tens of thousands of calls per day, but the creators aim to reach six figures. The bot’s task will be to profile voter groups, engage them in conversations about their electoral preferences, and mobilize participants within the Democratic candidate’s campaign. Like an experienced campaign volunteer, Ashley analyzes voter profiles to tailor conversations to the issues that matter to them.

Such use of AI raises many concerns in both the technological and political communities. Critics fear that it will reinforce misinformation in the polarized landscape of American politics, which is already grappling with deepfakes and fabricated videos and images created with artificial intelligence algorithms. OpenAI CEO Sam Altman, back in May, expressed concern before Congress about the ability of generative artificial intelligence to undermine the integrity of elections through interactive misinformation in one-on-one conversations with recipients.

The development of artificial intelligence and the lack of legal acts regulating its political use suggests that the influence of AI on issues such as public opinion or election results will only grow in the future. Faced with this phenomenon, some countries, including the USA, are beginning to introduce appropriate standards. The question is whether human-managed legislative systems will keep pace with the development of artificial intelligence. 

 

References: 
https://cybernews.com/news/ashley-ai-powered-political-campaign-caller/
https://www.forbes.com/sites/rashishrivastava/2023/12/12/this-congressional-candidate-is-using-ai-to-have-conversations-with-thousands-of-voters/ 

British critical infrastructure at risk – report of the United Kingdom Joint Committee on the National Security Strategy

The UK’s Joint Committee on National Security Strategy (JCNSS) has published an alarming report warning of the potential consequences of ransomware attacks (involving the blocking of data for ransom and its potential disclosure or destruction) against the country’s critical infrastructure. According to the committee, the United Kingdom faces a real threat, and a coordinated attack could cause serious damage to the country’s security system, economy, and the daily lives of its citizens. The Committee’s Chair, Margaret Beckett, stated during the report presentation that “the United Kingdom is one of the most digitally attacked countries in the world.” 

The report indicates that the country’s critical infrastructure, including healthcare and local government sectors, is vulnerable to cyberattacks and incapable of fully preventing them. Some sectors rely on older computer systems or have limited financial capabilities, making them particularly susceptible to such cyber threats. The report also identified the Achilles’ heel of British critical infrastructure as supply chains in the energy, water, telecommunications, and transportation sectors. 

The Committee emphasizes that an attack could occur at any time and that the government’s current defensive measures are insufficient to protect effectively against a large-scale attack. Importantly, the report confirmed that the majority of hacker groups attacking the United Kingdom originate from Russia or neighboring countries and conduct attacks with the silent approval of the Kremlin. Groups of hackers from North Korea and Iran were also identified among the sources of cyberattacks.

In light of this, the parliamentary committee calls on the government to take urgent steps to strengthen the country’s defense and readiness. The implementation of existing cybersecurity resilience regulations has been deemed inadequate. Allocating resources and increasing funding for agencies combating ransomware attacks, which have become a major threat to national security, is considered a top priority. 

The Committee also proposed conducting regular national exercises to prepare for the consequences of serious attacks and modernizing and increasing funding for the National Cyber Security Centre (NCSC). The UK government has two months to respond to the published recommendations and present an action plan to secure the country against potential attacks. 

 

 

References: 
https://cybernews.com/news/uk-risk-catastrophic-ransomware-attack-risk/ 

https://www.theguardian.com/technology/2023/dec/13/uk-at-high-risk-of-catastrophic-ransomware-attack-report-says 

The first AI law in the world – European Union comes to a provisional agreement on the AI Act draft, by Liliana Kotval

The first legislative proposal of its kind in the world, the EU Artificial Intelligence Act, was first presented by the European Commission in April 2021, and on December 9th, nearly 3 years later, a provisional agreement was finally reached on the draft Act. After three days of talks between the Council presidency, held by Spain until the end of this year, and the European Parliament’s negotiators, the provisional agreement is meant to ensure that AI systems placed on the European market and used throughout the EU are safe and respect fundamental rights and EU values, while also aiming to stimulate European AI investment and innovation. Carme Artigas, the Spanish secretary of state for digitalization and AI, stated:

“This is a historical achievement, and a huge milestone towards the future! Today’s agreement effectively addresses a global challenge in a fast-evolving technological environment on a key area for the future of societies and economies.” 

The Act follows a risk-based approach: the higher the risk, the stricter the rules. AI applications deemed to pose unacceptable risk (such as cognitive behavioral manipulation, emotion recognition, social scoring, biometric categorization, and predictive policing) will be completely banned in the EU. The main new elements of the provisional agreement are:

  • Better protection of rights through an obligation of deployers of high-risk AI systems to conduct a fundamental rights impact assessment prior to releasing AI systems; 
  • Extension of the list of prohibitions, however with the possibility to use remote biometric identification by law enforcement authorities in public spaces; 
  • A revised system of governance with enforcement powers at EU level; 
  • Rules on high-impact general-purpose AI models that can cause systemic risk in the future. 

Furthermore, the provisional agreement clarifies that the regulation does not apply to areas outside the scope of EU law and does not affect member states’ competences in national security. The AI Act will not apply to systems used exclusively for military or defense purposes, or solely for research and innovation. Law enforcement exceptions cover cases where AI is necessary to provide protection, while fundamental rights will still be protected against any misuse of AI systems by law enforcement.

Under the agreed governance architecture, enforcement at EU level will rest with an AI Office within the Commission, which will oversee the most advanced AI models, contribute to fostering standards and testing practices, and enforce the common rules in all member states. A scientific panel of independent experts will advise the AI Office. Additionally, an AI Board made up of member states’ representatives will serve as a coordination platform and advisory body to the Commission. Finally, an advisory forum for stakeholders, such as industry representatives, SMEs, start-ups, civil society, and academia, will provide technical expertise to the AI Board.

Those who violate the agreed terms of the AI Act will face penalties. Fines for such breaches are calculated as a percentage of the offending company’s global annual turnover in the previous financial year or a predetermined amount, whichever is higher. Depending on the gravity of the violation, the financial penalties are as follows:

  • €35 million or 7% of revenue for violations of banned AI applications 
  • €15 million or 3% of revenue for violations of the AI Act’s obligations 
  • €7.5 million or 1.5% of revenue for the supply of incorrect information 

A natural or legal person may also make a complaint to the market surveillance authority concerning non-compliance with the Act.  

What are the next steps for the Act? The provisional agreement should apply 2 years after its entry into force, which, as of now, should be in 2026. In the coming weeks, work will continue at the technical level and the Spanish presidency will submit the text to the member states’ representatives (Coreper) for endorsement. Both institutions will need to confirm the entire proposed text before formal adoption by the co-legislators.

 

 

References 

  1. “Artificial Intelligence Act: Council and Parliament Strike a Deal on the First Rules for AI in the World”, European Council, 09 December 2023, https://www.consilium.europa.eu/en/press/press-releases/2023/12/09/artificial-intelligence-act-council-and-parliament-strike-a-deal-on-the-first-worldwide-rules-for-ai/  

Be Aware – QR Codes Have Become a Vector for Phishing Attacks. By Liliana Kotval

 

Malicious attacks have been commonly initiated via dangerous links or attachments in emails and text messages. However, now there is another, recently developed form of scamming to be aware of: QR codes. QR code phishing attacks, known as “quishing”, have been rising sharply in number worldwide; from August to September of this year, there was a steep 427% increase in the use of malicious QR codes, and furthermore, these attacks jumped from making up just 0.4% to 8.8% of all malicious incidents. (1)

From Perception Point (2)

 

Most often, QR codes captured with a smartphone camera resolve to website URLs, apps, or map addresses. However, just as QR codes can be very useful in providing a quick pathway to a website, they can also link to fraudulent websites hosting malicious software or fake payment gateways. The sheer ease of creating a QR code means that almost anyone can distribute one, not only via emails or websites but also as printed copies plastered on walls or bulletin boards throughout cities.

In reality, quishing attacks are another form of traditional scamming through malicious links. Cyber criminals have long relied on emails with dangerous links or attachments to scam their targets, and now they do so via QR codes; unlike the previous methods, however, malicious QR codes look identical to their legitimate counterparts. Additionally, since most QR codes in emails are attached as PNG or PDF files, they are more likely to bypass existing security filters in email applications than malicious links inserted in an email’s body. It is important to take the same precautions with a QR code as with an unknown email: avoid QR codes that come with a message of urgency to verify one’s identity or take advantage of a limited-time offer, keep software up to date, analyze the environment in which the QR code is posted (restaurants and reputable websites are less likely to post fraudulent codes), and use a QR scanner with security protection. (3)

Nevertheless, no context is entirely safe when it comes to trusting the intent of a QR code, whether in emails, on websites, in restaurants, or on posters. The rise of malicious QR codes began during the COVID pandemic, when scammers replaced restaurant menu QR codes to steal customers’ personal and payment details. The FBI released a public service announcement in January 2022 to warn the public about the increase in reports of these fraudulent activities in the US. (4) Furthermore, last month in Newcastle, UK, scammers placed malicious QR codes in city car parks, leading victims to pay £60 each after scanning the code. (5) A similarly startling case from last month in the UK involved an elderly woman losing £13,000 after scanning a fraudulent QR code pasted over the genuine one in a railway station car park. (6) Through just a quick scan of the code, the scammers were able to set up an online banking account on her device, take out a loan, block her credit card, and change its payment address.

 

 

Malicious QR codes can be placed surreptitiously and have even been used to scam multinational companies, including a U.S. energy company that in August this year suffered the largest QR code phishing attack seen so far. 1,000 emails embedded with a malicious QR code were sent to the company, while firms in manufacturing, insurance, technology, and financial services were also targeted (7). Most of the phishing emails contained PNG image attachments of a QR code that redirected to malicious Bing URLs. This was the first time QR codes had been used at this scale, and in the future these attacks are expected to become increasingly common as a viable attack vector. Employees should now be trained to be wary of QR codes in emails, especially those embedded in PNG or PDF files.

The way quishing attacks are crafted, by encoding phishing links behind redirects, is nothing new. What is new is how hackers are using a trusted domain, one that millions of people have used since the 2010s, to carry out attacks that cannot easily be distinguished from legitimate mail. The ability to hide URLs inside QR codes in a PNG or PDF file means that quishing emails are more likely to bypass security and reach inboxes. Attacks are becoming ever more clever; we must be just as diligent in keeping up to date with the latest trends and in identifying what should and should not be trusted.
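As an added example (not part of the article or of any vendor’s product), the following Python routine triages URLs that have already been decoded from QR codes in mailed PNG/PDF attachments: it unwraps redirect parameters on a trusted domain (the Bing redirect pattern described above), flags bare-IP and plaintext destinations, and checks the final host against an allow-list. The QR decoding step itself, the redirect parameter names, the redirector list and the allow-list values are assumptions.

```python
# Triage of URLs decoded from QR codes found in e-mail attachments (added example,
# not from the article). Assumes a separate decoder has already turned the PNG/PDF
# QR image into a string; only that decoded payload is assessed here.
import ipaddress
from urllib.parse import parse_qs, unquote, urlparse

# Query-parameter names that redirector endpoints commonly use to carry a
# forwarding target (assumption: illustrative list, not exhaustive).
REDIRECT_PARAMS = {
    "u", "url", "r", "redirect", "redirect_uri", "redir", "ru",
    "target", "dest", "destination", "next", "goto", "link", "return",
}
# Trusted domains whose redirectors have been abused to launder phishing
# links; a hit only means "inspect the forwarding target" (constructed list).
KNOWN_REDIRECTORS = {"bing.com"}
# Destinations staff are expected to reach via QR codes (constructed values).
ALLOWED_DESTINATIONS = {"example.com", "www.example.com"}


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _registrable(host):
    # Crude "last two labels" view; production code would use a public-suffix list.
    return ".".join(host.lower().split(".")[-2:])


def extract_redirect_target(url):
    """Return the URL carried in a redirect parameter if it points to another host, else None."""
    outer = urlparse(url)
    if not outer.hostname:
        return None
    for name, values in parse_qs(outer.query, keep_blank_values=True).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:
            candidate = unquote(value)  # also unwraps double-encoded targets
            inner = urlparse(candidate)
            if (inner.scheme in ("http", "https") and inner.hostname
                    and inner.hostname.lower() != outer.hostname.lower()):
                return candidate
    return None


def assess_qr_url(url):
    """Classify one decoded QR payload: returns {'risk', 'final_host', 'findings'}."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return {"risk": "high", "final_host": None,
                "findings": ["payload is not an http(s) URL"]}
    findings = []
    final_host = parsed.hostname.lower()
    target = extract_redirect_target(url)
    if target is not None:
        final_host = urlparse(target).hostname.lower()
        note = " (known redirector)" if _registrable(parsed.hostname) in KNOWN_REDIRECTORS else ""
        findings.append(f"redirect through {parsed.hostname} to {final_host}{note}")
    if _is_ip_literal(final_host):
        findings.append("destination is a bare IP address")
    if parsed.scheme == "http" or (target and urlparse(target).scheme == "http"):
        findings.append("plaintext http link")
    if final_host not in ALLOWED_DESTINATIONS:
        findings.append(f"destination {final_host} is not on the allow-list")
    if target is not None or _is_ip_literal(final_host):
        risk = "high"
    elif findings:
        risk = "medium"
    else:
        risk = "low"
    return {"risk": risk, "final_host": final_host, "findings": findings}


def triage_attachments(attachments):
    """attachments: [(filename, decoded_payload_or_None)] -> alerts for QR images that need review."""
    alerts = []
    for filename, payload in attachments:
        ext = filename.lower().rsplit(".", 1)[-1]
        if ext in ("png", "jpg", "jpeg", "pdf") and payload is not None:
            verdict = assess_qr_url(payload)
            if verdict["risk"] != "low":
                alerts.append((filename, verdict["risk"], verdict["final_host"]))
    return alerts
```

Feeding `triage_attachments` the (filename, decoded payload) pairs produced by a QR decoder over a message’s image and PDF attachments yields the attachments that deserve analyst review, with the real destination host rather than the trusted redirector’s name.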

 

 

(1) “QR Code Phishing (Quishing) Attacks Have More Than Quadrupled in Just One Month”, Perception Point, 23.10.2023, https://perception-point.io/blog/qr-code-phishing-quishing-attacks-have-more-than-quadrupled-in-just-one-month/

(2) Ibid.

(3) “In the Wrong Hands, QR Codes Are a Dangerous Threat to Your Mobile Device Security”, University of Virginia, https://security.virginia.edu/QRHack#:~:text=QR%20hacking%20is%20just%20another,not%20always)%20safe%20to%20scan

(4) “Cybercriminals Tampering with QR Codes to Steal Victim Funds”, Federal Bureau of Investigation, 18.01.2022, https://www.ic3.gov/Media/Y2022/PSA220118

(5) “Newcastle City Council Issues Warning Over QR Code Scam”, BBC, 22.11.2023, https://www.bbc.com/news/uk-england-tyne-67495975

(6) “Thornaby: Woman Targeted in £13k Railway Station QR Code Scam”, BBC, 18.11.2023, https://www.bbc.com/news/uk-england-tees-67335952

(7) Nathaniel Raymond, “Major Energy Company Targeted in Large QR Code Phishing Campaign”, Cofense, 16.08.2023, https://cofense.com/blog/major-energy-company-targeted-in-large-qr-code-campaign/

CRA: A political agreement is reached between the Council and the Parliament

 

The European Parliament and the Council reached a political agreement on the Cyber Resilience Act last night following months of negotiations.

 

Today’s agreement is a milestone towards a safe and secure digital single market in Europe. Connected devices need a basic level of cybersecurity when sold in the EU, ensuring that businesses and consumers are properly protected against cyber threats. This is exactly what the cyber resilience act will achieve once it enters into force – José Luis Escrivá, Spanish Minister of Digital Transformation

 

The CRA, in a nutshell

The CRA is pioneering legislation worldwide in the realm of cyber resilience. It introduces a comprehensive set of mandatory requirements for all software and hardware providers, with the aim of raising the level of cybersecurity of digital products on the EU market.

Tech manufacturers and operators will be obliged to adhere to cybersecurity measures throughout the entire life cycle of their products, from the design phase to post-market placement. Cybersecurity requirements will depend on the risk level associated with the product. Moreover, the legislation calls on manufacturers to enhance transparency and accountability regarding the cybersecurity of their products.

Once the CRA is implemented, hardware and software will need to bear the CE marking to circulate on the EU market, which will only be granted after compliance with the regulation has been verified.

 

The political agreement follows months of negotiations

The agreement, welcomed by the Commission, follows months of discussions, as the Parliament and the Council did not agree on the first reading of the Commission’s proposal. The agreed text maintains the primary directions of the first, especially concerning:

  • Responsibility for compliance towards manufacturers.
  • Processes for handling vulnerabilities by manufacturers to ensure the cybersecurity of digital products, along with obligations for economic operators.
  • Actions to enhance transparency regarding the security of hardware and software products.
  • Establishment of a market surveillance framework for enforcing the rules.

The co-legislators failed to reach a consensus on several aspects of the Commission’s proposal. The new agreement therefore modifies specific sections of the Commission’s proposal, primarily concerning:

  • The scope of the legislation, with a simpler methodology for the classification of the digital products.
  • A general extension of the expected product lifetime to 5 years, except for products designed to be in use for a shorter period.
  • A strengthened role for the EU Agency for Cybersecurity (ENISA).
  • Extension of the adaptation period for manufacturers to three years after the legislation enters into force.
  • Support measures for Small and Micro Enterprises, such as support for testing and conformity assessment procedures.

 

Next steps

Following the provisional agreement, it will now be subject to formal approval by the EU Parliament and the Council. Then, the text will be submitted to the representatives of the member states in the EU for endorsement.

 

 

*The image is credited with “© Raimond Spekking / CC BY-SA 4.0 (via Wikimedia Commons)”