CROPT, a cyber incident information exchange system between CSIRT NASK and the Central Bureau for Combating Cybercrime, will be ready by mid-next year. Maciej Siciarek, head of CSIRT NASK, discusses it.
Eugeniusz Twaróg: What is CROPT?
Maciej Siciarek, CSIRT NASK: It's a system for exchanging data between specific institutions dealing with cybercrime. The idea for the project arose from the natural need to deepen cooperation between these institutions, equipping them with tools that will help achieve two goals: faster problem recognition and easier identification of the perpetrator. If we can precisely pinpoint the causes of an incident—in other words, “identify the attack vector,” we'll be able to warn other entities. There's also a third goal: combining all data and exchanging information between all participants in the incident management process.
Who will be included in this cooperation?
Let's start with the scale and nature of these challenges, and we'll automatically recognize the actors involved in combating cyberthreats in Poland. In 2024, CSIRT NASK recorded approximately 100,000 incidents, including the most advanced ones and those most dangerous to both public institutions and the commercial sector: ransomware attacks. These are activities aimed at taking over infrastructure – infecting computer systems with malware and encrypting data to extort ransom. For us, these are obviously challenging situations. We want to help the attacked entity recover its infrastructure, but also support law enforcement agencies in apprehending the perpetrator. The CROPT project is an idea to improve the fight against cybercrime through deeper cooperation. In this case, we're primarily talking about NASK's collaboration with the Central Bureau for Combating Cybercrime (CBZC).
You're already collaborating. What will CROPT change?
Among other things, there will be a single, common system for aggregating incident information and enabling its further transmission. We will collect the material in a unified manner, which will facilitate analysis and also enhance the credibility of this data as evidence. This information is highly volatile, and procedures must be developed to enable its effective collection and proper transmission. As part of this project, we will also purchase the necessary equipment and share knowledge during training sessions.
What level of investment is needed to build such a system?
The project is valued at PLN 37.5 million. Completion is scheduled for mid-2026.
The division between incident handling and prosecution of perpetrators is quite clear…
Exactly. Authorities such as the Police, the Prosecutor's Office, and the Central Bureau for Combating Cybercrime (CBZC) are responsible for prosecuting perpetrators and holding them accountable. The NASK CSIRT handles incident management and supports the attacked institution. We operate in the same area, and our primary goal – improving cybersecurity – is shared, but the sub-objectives may differ. Dealing with a cyber incident requires a wealth of technical skills, knowledge of securing digital traces, and ultimately, the appropriate authorizations to turn these traces into indictments and convict the perpetrators. Inter-institutional cooperation is the core of the CROPT project. We need it because these serious incidents continue to pose a challenge for us.
How many such serious cases are there?
Social engineering scams—phishing and fake investments—dominate among the incidents. These target citizens, but the scale and purpose of these attacks vary. These scams are also typically carried out by different groups. Looking solely at public entities, however, between 2022 and 2024, they reported ransomware attacks on their data processing environments to CSIRT NASK nearly 100 times. This is not much compared to previous figures. However, specialized criminal groups are behind these attacks, with multi-million dollar ransoms for data recovery or suppression, and potential data leaks of thousands of individuals. We're talking about entities such as hospitals and local government companies responsible for various municipal services.
Moreover, many companies fail to report crimes and pay ransoms. In the case of ransomware attacks, is this purely a criminal, profit-driven activity, or is it connected to the situation beyond our eastern border and could it be considered an element of hybrid warfare?
Generally, we're dealing with criminal activity, but some of these incidents are certainly being perpetrated by attackers linked to foreign intelligence agencies. I wouldn't argue that every attack is a result of our involvement in the Ukrainian-Russian war, as we know of groups motivated solely by financial incentives. However, if we consider entities creating critical infrastructure or providing essential services, the involvement of foreign intelligence agencies is more likely.
Sam Altman recently said he's terrified by what's happening with the development of artificial intelligence. Do you see this trend in attacks?
We utilize modern technologies to build cybersecurity, but fraudsters also use these tools. This is evident, for example, in ads for fake investments, which often use deepfakes. Advertisements for such investments are published on social media; many people believe the offer and lose their savings. It starts with a credible-looking video featuring an idol or athlete who convinces them to invest. We believe it is necessary to create a system at the platform operator level to prevent the publication of fraudulent ads. Such advertising is a method of stealing Poles' money and siphoning it off. Instead of building GDP or natural consumption, these złotys build cybercriminals' budgets. For fraudsters, this is a gigantic business. And here, too, we see the need for cooperation and decisive action on the part of platforms.
Finally, we returned to the topic of cooperation. The Australians developed a model system, involving all services and stakeholders, including financial regulators. Everything is under political auspices, meaning it has full regulatory protection. What do you think of this idea? I have the impression that there are many centers in Poland dedicated to combating cybercrime, but there's a slight lack of coordination…
This is a somewhat external perspective, but the perspective from the inside is that the national cybersecurity system is functioning and, in many cases, relies on cooperation. We are fighting fraud, starting with false advertisements, together with experts from the Polish Financial Supervision Authority's CSIRT. We want to handle serious ransomware incidents more effectively with the police thanks to the CROPT project. We also exchange information daily with other national CSIRTs and even colleagues from other countries. But I agree that we should strive for closer cooperation and greater coordination. This is precisely so that we can more effectively combat criminals who generate losses on a large scale and also harm citizens. Their protection is our priority.
Scamming Out! 2.0
Bankier.pl and “Puls Biznesu” have launched the Scamming Out! campaign for the second time – an information and educational campaign aimed at increasing public and decision-making interest in the growing threat posed by cyber fraudsters. We invite you to follow the campaign on both platforms and on the dedicated website: scammingout.pl.