The new version of the draft amendment to the KSC Act (National Cybersecurity System) includes old ways to get rid of Huawei from the Polish telecommunications market. But today it will be much harder for a company to appeal a decision, and it even seems completely impossible.
How is a high risk supplier selected?
According to the draft amendment to the KSC Act, a supplier of ITC equipment or services (information and communication technologies) may be considered a high-risk supplier. In addition, it does not have to be based on objective and technical criteria.
How is a high risk supplier selected? The chairman of the College for Cybersecurity, i.e. the minister responsible for computerization, calls its meeting. The college is a body clearly defined by both the draft amendment to the Act and its justification as opiniującego. It is composed of ministers for internal affairs, IT, energy, national defense, foreign affairs, the prime minister, the head of the National Security Bureau, the minister coordinator of special services, the chairman of the Polish Financial Supervision Authority and the head of the state budget unit responsible for cybersecurity. Each member of the College presents an analysis and the decision is made by the minister of computerization – the hardware or software vendor is at high risk for defense, state security or public safety and order, or for human life and health or not. It is worth noting that there are neither market representatives nor experts related to the telecommunications market. In general, there is no one in the College related to the telecommunications industry.
The opinion examines the following:
- Possibility of threats to national security of an economic, intelligence and terrorist nature and threats to the fulfillment of allied and European obligations, including information on threats obtained from members of the European Union and the North Atlantic Treaty Organization.
- The likelihood of being controlled by a state outside the European Union and the North Atlantic Treaty Organization.
- The mode, scope and type of the supplier’s links with the entities specified in the Annex to Council Regulation (EU) 2019/796.
- Number and type of vulnerabilities and incidents detected in ICT products and services (information and communication technologies).
- The manner and scope in which the supplier exercises supervision over the process of persistence and delivery of hardware or software.
- Content of previously issued supplier recommendations.
In the opinion of the college, it also takes into account the certificates issued for the products and services of the supplier in the European Union countries and the North Atlantic Treaty Organization, as well as the analysis of products and services made by CSIRT GOV CSIRT MON or CSIRT NASK. Importantly, the analysis may or may not be commissioned. It is the chairman of the College who decides to conduct it.
In summary, the College may rely on objective and independent analyzes, including its own, to verify the actual safety of a product or service, but well… it doesn’t have to. If the supplier is considered a high-risk supplier, its new products may not be put into use, and already used ones are to be removed within 7 years of the decision, or 5 if the equipment is part of the critical infrastructure.
The decision may be appealed against to the Administrative Court. Its full copy is sent only to the minister for computerization. The applicant only receives the non-classified part of the judgment. Court proceedings may not stay the decision. So if, in any extreme case, it takes seven years, during that time the operators will have to replace the equipment of a potentially dangerous supplier anyway, and no one will compensate them.
It is worth adding that when creating the current version of the draft, in principle, most of the comments received during the consultations were omitted. Including operators, who will also not participate in the work of the College, have been completely ignored.
In fact, the operats have probably been completely forgotten with the current version of the regulations. Vendor locks will put them at high cost to replace already used equipment, which will eventually be passed on to customers. Raising prices will not be difficult, after all, we have the lowest prices for telecommunications services in Europe. The new regulations impose a number of obligations on operators related to, inter alia, with obtaining security certificates and reporting incidents. Most of these provisions are needed, but will likely require further consultations, which may again extend the implementation time of the amendment to the Act. Which, in turn, will again translate into a delay in the start of the 5G network frequency auction, which all operators are waiting for. At the same time, they are completely left out of the process of assessing potential high-risk suppliers.
Also read: Valve evaluates games on Steam Deck itself
What does this mean in practice? Blocking Chinese suppliers very easily
Based on the criteria, it is very easy to block the construction of a 5G network using equipment from Chinese suppliers. Although ZTE almost does not exist in Poland, the matter practically only concerns Huawei.
The company may appeal against the decision of the College, but in fact, it may not find out why it was blocked, because it may be considered classified information. In addition, appealing against the decision does not affect the necessity of its implementation, which was properly secured in the draft. Which will also be a huge financial blow for operators, as well as an effective threat to using Huawei equipment. Because in the project no one provided for compensation to operators for the necessity to replace equipment.
Theoretically, there is a wicket in the form of submitting the case to the Court of Justice of the European Union. This is currently the case in Sweden, where there have been shortcomings in the proceedings of the Administrative Court in a similar case. But even in the case of a judgment favorable to Huawei, which may lead to changes in European regulations, it may not change anything in Poland.
There are voices saying that the new version of the KSC Act may violate EU regulations, concerning, inter alia, freedom to conduct a business or discrimination on the basis of nationality. In the explanatory memorandum to the Draft, we read many references to the Polish Constitution. If we add to this the last judgment of the Polish Court of Justice which places the Constitution above the laws of the European Union, Poland may not recognize the judgment of the CJEU (not for the first time). For dessert – The constitution has no clear definition threats to national security, which further enhances the discretionary nature of the decision. All these factors mean that once a supplier is considered a high risk supplier, his hands may be completely tied.
Also read: The New York Stock Exchange has accepted Bitcoin. This is an important event for cryptocurrencies
What can Poland gain from the attempt to block Huawei?
The first version of the KSC Act Amendment Draft was clearly dictated by the United States. He was the president then our great friend Donald Trump. Although, despite the change in the presidency, US policy towards China has not changed, our relations with the Americans have cooled down. Not to say that they don’t exist at all.
Recently, information has emerged that Poland is interested in a financial loan from the Chinese government. Which seems to be a reason for easing the regulations hitting one of the biggest Chinese companies. If the Polish government hopes that by hitting Huawei it will gain a bargaining chip in talks with China, it is rather grossly mistaken.
A country with our position, with our financial problems, should not wave the saber at the world’s greatest power, hoping that it can gain something from it.
What else was included in the Draft amendment to the KSC Act?
In fact, it is not a matter of blocking suppliers, and a completely different matter blocked the Project for many months. The government could not agree on the strategic network operator. Ultimately, the Polska 5G company is to be established, which will allocate the 700 MHz band for the construction of the 5G network. In this strategic network for services, but already in the Project, there is no mention of the operator of this network. 2 × 20 MHz blocks for commercial use and 2 × 10 MHz for strategic use will be available for distribution. In all this, either one of the operators will be privileged, or the players present in Poland will have to come to an agreement within the consortium.
It is completely incomprehensible how this is going to happen, because everything is supposed to work at the beginning of next year. While 5G on 700 MHz cannot be used in Poland in most of the eastern part of the country. First, our eastern neighbors must stop broadcasting terrestrial television in this band, and military systems are also at stake. Do you also see President Lukashenka getting in hand with us and releasing the frequency? Within a few months? As a result, I have an overwhelming impression that the Polish 5G project may be a fiction of the CPK. A creation will be created that will be financed, but will not be able to function for reasons beyond its control.
The project also provides for the establishment of two funds – cybersecurity and a special purpose fund dealing with the strategic network. In the case of the latter, the financing for its operations will come from fees for the reservation of the 5G network band (700 MHz and 3.6 GHz) and from reservation fees. It is therefore closely related to the 3.6 GHz band auction, which can (finally!) Take off.
Will anything else change in the regulations? I sincerely doubt. It would require a lot of pressure from China, to which we can be very resistant, or e.g. from cellular operators. Although I have the impression that in the case of the KSC, neither pressure nor voices of reason may pass any test. Of course, we do not have to assume that the rulers will take advantage of the new regulations and immediately block Huawei without commissioning tests to Polish institutions. But with the current level of trust in the authorities, if such laws arise, they automatically make us suspect that they will be fully used.