Grzegorz Ocieczek

Preventing Espionage Targeting Critical Infrastructure

At the outset, the question arises whether we are currently facing a growing phenomenon of espionage, particularly with regard to critical infrastructure facilities and equipment, and if so, from whose side such activity threatens us and what steps should be taken to minimize it.

From my perspective as a former Deputy Head of the Internal Security Agency, it seems that both the protection of critical infrastructure and the prevention of espionage are extremely important given the current geopolitical situation, related primarily to the war of aggression beyond the eastern border of our country. It should be noted that the two issues I mentioned are closely related, and the progress of civilization, including technology, allows us to take the position that nowadays espionage is extremely sophisticated and can take many forms. It is worth recalling what critical infrastructure is and why it is subject to such increased protection by state authorities, including the secret services.

According to Article 2(b) of the Council Directive of December 8, 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (1), which followed the adoption on October 20, 2004 of the Communication on Critical Infrastructure Protection in the Fight against Terrorism, European critical infrastructures are those located within the territory of the Member States, the disruption or destruction of which would have a significant impact on two or more Member States. Whether the impact is significant is assessed with reference to so-called cross-cutting criteria. Article 2(a) of the same Directive defines critical infrastructure as a component, system or part of infrastructure located on the territory of the Member States which is essential for the maintenance of essential social functions, health, safety, security, material or social well-being of the population, and the disruption or destruction of which would have a significant impact on a Member State as a result of the loss of these functions.

Similarly, Polish legislation defines the concept of critical infrastructure in the Act of April 26, 2007 on crisis management (2). The Act defines the basic concepts related to critical infrastructure, both of a domestic and foreign nature, and indicates the various criteria on the basis of which it is distinguished. According to Article 3(2) of the Law on Crisis Management, critical infrastructure is understood as systems and their functionally related facilities, including construction facilities, equipment, installations and services, that are key to the security of the state and its citizens and that serve to ensure the efficient functioning of public administration bodies, as well as institutions and entrepreneurs. These systems include: energy supply, energy resources and fuels; communications; ICT networks; financial systems; food supply; water supply; health care; transportation; rescue; ensuring continuity of operation of public administration; and the production, storage and use of chemical and radioactive substances, including pipelines of hazardous substances.

In turn, Article 3(2a) of the Law on Crisis Management provides that European critical infrastructure is: systems and their constituent functionally related facilities, including construction facilities, equipment and installations, that are key to the security of the State and its citizens and that serve to ensure the smooth functioning of public administration bodies, as well as institutions and entrepreneurs, designated in the relevant systems. As can be easily seen, critical infrastructure is a key element in ensuring the smooth functioning of the state and its citizens, while any disruption to it can cause extremely adverse effects in the various spheres of functioning of both citizens and the state mentioned above. We can see how important the smooth functioning of critical infrastructure is for the security of citizens by following reports from armed conflicts, including that between Russia and Ukraine or the recent increase in military action between Israel and Palestine.

Ensuring the protection and security of critical infrastructure and, consequently, achieving its smooth and trouble-free operation requires cooperation between state bodies and the enterprises that own the infrastructure. In this regard, it is necessary to take measures to ensure physical, technical, personnel, ICT and legal security. The National Program for the Protection of Critical Infrastructure, introduced in Poland in 2023, aims to create conditions for improving the security of critical infrastructure, in particular in terms of: preventing disruptions to its functioning; preparing for crisis situations that may adversely affect it; responding to situations in which it is destroyed or its functioning is disrupted; and, finally, restoring it after a possible attack, which may take on at least the dimension of sabotage and may result even from actions of an espionage nature. Currently, there are about 760 objects classified as critical infrastructure facilities in Poland, most of them communication facilities and facilities responsible for energy supply (4).

As previously mentioned, an important element in ensuring the protection of critical infrastructure is the efficient functioning of a state apparatus capable of countering attacks, including reconnaissance of such facilities, which may take the form of intelligence activities by either foreign services or competing companies aimed at the so-called hostile takeover of the facility or equipment. In this regard, in my opinion, an important issue is that of proper prevention, whether of a general or specific nature, aimed at employees employed or performing duties in the area of facilities classified as key from a strategic point of view. In our country, there has been a discussion for many years about the need for legislative changes and a reevaluation of the thinking on espionage. Until recently, the legislature provided for extremely low criminal penalties for the crime of espionage. According to Article 130 of the Criminal Code, as previously in effect, there was a maximum penalty of 10 years for taking part in activities for foreign intelligence against the Republic of Poland. Of course, such a punishment has never been handed down, while the penalties handed down by the courts were on average at the lower end of the statutory range for this crime, which is very serious and underestimated from the point of view of state security. It should be mentioned that publicly available information from the National Prosecutor's Office showed that in 2019-2022 a total of only two indictments were filed, against six people, mainly for spying for Russia, Belarus and China. Fortunately, as early as 2019, legislative work was undertaken to change this state of affairs and to introduce not only harsher penalties but, above all, a more detailed description of certain activities that can take the form of espionage and which until then had not been criminalized.

The purpose of the legislative changes related to the broader crime of espionage was to adapt the provisions of the Criminal Code to the ever-changing geopolitical situation, technological advances and the constant modification of the modus operandi of potential perpetrators of criminal acts, as well as the increasing threat of open armed conflicts, which in turn intensifies the espionage activities undertaken by foreign intelligence services and others. The special services responsible for combating the crime of espionage, including first and foremost representatives of the Internal Security Agency, have repeatedly stressed that failure to introduce changes in this area may leave the competent authorities, which are responsible for ensuring the security of the state, including the protection of citizens as well as facilities and equipment classified as critical infrastructure, unable to take effective action. It has also been repeatedly emphasized that the perpetrators use modern technologies, means and methods of operation to which the criminal legislation then in force in no way corresponded, so that it protected the interests of citizens from espionage activities in a purely facade way. It should also be mentioned that the provisions related to the concept of espionage contained both a number of gaps and difficulties of interpretation, concerning, among others, a number of vague concepts such as the concept of "news", which was used in the context of transmitting information to, for example, a foreign intelligence service. Another important aspect has become the need to use modern tools, which are necessary to identify espionage threats and to combat this phenomenon effectively.

It was also a curiosity that the previous legislation did not penalize actions taken on the territory of Poland by foreign services acting to the detriment of our foreign partners: such actions did not fulfill the elements of the crime of espionage. Moreover, with respect to such person(s) the officers of the Internal Security Agency could not undertake activities, including those of an operational and exploratory nature, because this did not fall within the catalog of the Agency's tasks defined in Article 5 of the Law on the Internal Security Agency and the Intelligence Agency.

In addition, one of the arguments presented in favor of changing the legislation was the way the crime of espionage is regulated in other countries, including the French Republic and the Federal Republic of Germany. For example, the regulations in France are more detailed and take into account, for example, spying on behalf of non-public entities such as private entities or companies. In Germany, on the other hand, an essential element is the fact of gaining access to state secrets; in addition, the model includes a definition of intelligence activities and criminalizes persons indirectly linked to the intelligence structures of a foreign state.

The above arguments became the impetus for the introduction of legislative changes in our country, especially since in Poland it is the Internal Security Agency and its Head who are mainly responsible for combating and countering espionage, the direct result of which can be attacks on critical infrastructure. The Criminal Code, as amended in 2023, provides, among other things, for a significant increase in criminal sanctions, including life imprisonment, for participating in or acting for the benefit of a foreign intelligence service. It also criminalizes taking part in the activities of a foreign intelligence service that are not directed against the Republic of Poland but are conducted on its territory without the consent of a competent authority granted under separate regulations, as well as making preparations for foreign intelligence activities themselves. Another important amended provision concerns the very declaration of readiness to act for a foreign intelligence service against the Republic of Poland, or to provide foreign intelligence with information the transmission of which may cause damage to the Republic of Poland.

In my opinion, the amended regulations have clearly facilitated the ability of the officers of the Internal Security Agency to carry out operational and exploratory activities, and thus more efficiently manage any crisis situations that may arise, including attacks on critical infrastructure facilities and equipment. Measures taken in the field of critical infrastructure protection are implemented on many levels including: in cyberspace, countering terrorist threats, or in the sphere of proper functioning of telecommunications systems. This is because only efficient monitoring of potential threats can minimize the possibility of their occurrence, and this in turn is possible thanks to appropriate regulations that are in line with the current geopolitical situation. 


References

[1] Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European Critical Infrastructure and the assessment of the need to improve their protection, Official Journal of the European Union L 345/75. 

[2] Act of 26 April 2007 on crisis management, Journal of Laws 2007 No. 89 item 590.

[3] A. Karolewski, M. Rejman-Karolewska. Ochrona infrastruktury krytycznej, Przegląd naukowo-metodyczny [Protection of critical infrastructure, Scientific and methodical review]. Edukacja dla bezpieczeństwa, No. 2/2015 (27), p. 108.

