Commander of the Cyberspace Defense Forces: We are in a conflict phase, perhaps close to a war phase

- Russia and Belarus are currently the main source of threats in cyberspace, admits General Karol Molenda in an interview with CIS.
- The Cyberspace Defense Forces conduct not only defense, but also offensive operations.
- Karol Molenda also discusses how Poland is building a unique cybersecurity model within NATO. It is based on cooperation, information exchange, and integration with the private sector.
- Cybersecurity will be one of the main topics of the fall conference "Industry for Defense." Leaders from industry, science, and government will gather in Katowice on October 15 to discuss building Poland's resilience and defense potential in the face of new geopolitical and technological challenges.
As part of Operation "Safe Podlasie," the military is protecting the Polish-Belarusian border. What are the Cyberspace Defense Forces defending?
Military ICT infrastructure, and indirectly, a vast amount of sensitive and valuable data from the perspective of national security. The Cyberspace Defense Forces (WOC) is a response to a commitment made in 2016. At that time, the North Atlantic Alliance decided that cyberspace was also an operational domain in which military operations could be conducted. This necessitated the creation of separate units dedicated to cybersecurity.
The Cyberspace Defense Forces are primarily responsible for CyberOps, countering attacks on IT systems and infrastructure. We are quite unique compared to other branches of the armed forces because we not only train but also conduct operations here and now, in peacetime.
Are we at war in cyberspace? The general explains.
We often hear from politicians that we have a "cyberwar." But in your opinion, is it peacetime?
Under international law, no one has declared war on us, so as a soldier, I'm talking about peacetime. However, in my opinion, in cyberspace, we should rather talk about states of competition, conflict, and war.
When it comes to CyberOps, I think we are already in the conflict phase, perhaps close to the war phase.
When would you say that there is definitely a war going on?
The threshold of war isn't clearly defined. NATO is generally moving away from defining a rigid border, because if an adversary knows where it is, they will always operate on the border and test what happens when they cross it.
If an attack were to damage critical infrastructure, resulting in injuries or deaths, it would be difficult to say we're still in conflict. It would be a strong enough argument to consider it a war. For now, we're repelling the attacks.
How much defense is there, how much offensive action is there in WOC operations?
Our greatest effort is directed at countering attacks, but we also identify the infrastructure and activities of our adversaries, learning their tactics, techniques, and procedures they use against us or our partners. At the same time, we are also building offensive capabilities.
Meaning?
We have three units dedicated to providing competencies for the full spectrum of operations. Each unit has teams ready to conduct active defense and offensive operations. They possess the necessary knowledge and tools to achieve results in the adversary's digital space if our infrastructure were to be attacked in such a way that political factors would decide not only to defend ourselves.
However, if someone wants to consider attacking, they must first and foremost be able to defend themselves. For example, at the beginning of the full-scale war in Ukraine, the Russians fell victim to groups like Anonymous. It turned out that, although they were very active externally, they lacked the ability to defend themselves against the tools they themselves used.
Cybercriminals operating in Poland are financed by the GRU and the FSB
Who poses the greatest threat to us in cyberspace today?
In terms of CyberOps, our biggest challenge is countering APT (Advanced Persistent Threat) groups. These are state-sponsored groups that have been given specific tasks to impact a given country's infrastructure and achieve results there.
Are they military units or state-funded criminals?
"Different countries have different approaches to this. There are several publicly available reports that clearly indicate that one of these groups operates within the GRU, the Russian military intelligence service. Experts have designated it APT28. The FSB has APT29. Today, we monitor nearly 20 such groups at the Foreign Intelligence Agency."
APT groups have the go-ahead and a protective umbrella. If someone attacks on behalf of the Russian Federation, the likelihood that the Russian Federation will extradite them after our investigation is zero. That's why the FBI places identified APT group members on wanted lists – there's a chance they can be apprehended if they travel to other countries, for example.
What do these abbreviations mean?
"These designations are assigned by experts based on the groups' modus operandi or the tools they use. Attribution isn't easy; it requires years of experience. These groups typically attack under a foreign flag, seizing control of foreign infrastructure, and only then conducting offensive operations using it."
Today, we undoubtedly see the most activity coming from Russia or Belarus. Practically every day, attempts are made to somehow influence the military infrastructure or our partners.
What methods do these groups use?
"In many cases, these groups use easy solutions, usually social engineering tools, to steal login credentials. Experts now say that attackers don't break security, but log into the system. Of course, if social engineering doesn't work and the adversary is determined, they then try more sophisticated tactics, including against our partners. Because attackers exploit the weakest links in the system, we must ensure that we improve cybersecurity across all our networks."
Could you give me an example?
"We've noticed this pattern, for example, within the system of providing support to Ukraine. Approximately 90 percent of all military aid passes through our country, and we engage our partners in the logistics and transportation sectors. Adversaries have taken notice and have begun targeting entities with whom we share information. They assume they will be able to extract any important data."
That's why we have a number of agreements with partners regarding military support. This is an unprecedented model – thanks to our experience, we have begun to develop a Polish perspective on cybersecurity.
What does the Polish perspective on cybersecurity mean?
What exactly does it involve?
The military, especially cyber forces, shouldn't focus solely on their own systems. This philosophy leads to a false sense of security: if our infrastructure is secure, we're ready for operations.
Meanwhile, the military must also utilize infrastructure that doesn't belong to it—fuel flow, energy, transportation, logistics. These sectors are not adequately prepared to counter APT groups with specific missions and sophisticated tools. Therefore, if we obtain information important from a security perspective, we also share it with our partners. For example, if we learn of a vulnerability that could be exploited to attack infrastructure, we report it.
We are also building a completely new philosophy of information sharing within NATO.
Meaning?
For years, the "need to know" principle prevailed. Information was readily available in many places, but everyone kept it to themselves. However, we strive to promote the "need to share" philosophy: if you have information that could be beneficial to your partner, share it.
Let me give you an example of working with partners in Ukraine. If they see an APT group attack using compromised infrastructure, they inform us – this allows us to protect our devices and ensure that the same infrastructure isn't used against us. If everyone protects themselves against such an attack, the adversary will have to build new infrastructure, which is time-consuming and expensive.
Do you feel that the advantage is now on our side?
"A defender always has it worse. I think we've definitely made a lot of progress; we know our opponents much better than we did just a few years ago."
When I look at our team, it sometimes feels like we know them better than they know themselves. Our analysts are able to spot when an adversary is building infrastructure that could be exploited for an attack. Based on their recommendations, we can prepare appropriately in advance.
Of course, this doesn't change the fact that tomorrow an attack could occur, exploiting, for example, a zero-day vulnerability we weren't aware of. We must remain vigilant enough to ensure that even if an adversary penetrates our first layer of defense, we can stop them. Vigilance is crucial; sometimes those responsible for security don't even know they've been attacked or have aliens on board.
What is the ultimate goal of these groups?
"They receive specific orders and operate like military units. Obtaining information is definitely one of the main goals, because whoever has information has an advantage."
However, in many cases, the adversary can build so-called footholds, its presence in the infrastructure, and later even damage or disable it.
We take a proactive approach – we have teams actively impacting our infrastructure, searching for vulnerabilities. They also conduct social engineering activities against our users. We overhaul our procedures. We also verify whether our defense teams have detected these active activities. At the same time, we have teams hunting for adversaries on our networks and those of our partners.

Can you give an example of such action?
As part of our cyberhunting efforts, we discovered an instance where an adversary was exploiting a Microsoft software feature to gather information. This feature was enabled by default and invisible to the user. After our analysis, we notified Microsoft, and the company confirmed our findings and appreciated our input.
Furthermore, we developed tools and scripts that allow organizations to independently determine whether they have been victims of this type of attack and how to protect themselves. We made these tools publicly available, and our findings were later cited in international reports on the activities of foreign intelligence agencies.
What should a system owner be concerned about? What are the signs that we have an "alien" in our midst?
"What worries me most is the silence. If we were receiving regular reports every day that an adversary was trying to impact our infrastructure, and then nothing happened for a week, that would be our biggest concern. The likelihood that the adversary has given up is zero, so the silence means they've changed their modus operandi and we're not seeing anything."
Do you expect that in the future we will be dealing with the destruction of infrastructure using captured footholds?
"I don't think this is an impossible scenario. I think it's better to keep it in the back of your mind and constantly conduct penetration tests and build awareness."
The Polish approach to cybersecurity as a model for NATO
Cyberspace is notoriously unsafe, particularly because it's a domain constantly being transformed by humans. It takes a lot of effort to keep up with technological changes.
The WOC is collaborating with the private sector. Cyber LEGION is an example of this. Where did the idea to invite civilian programmers to support you come from?
"There's a group of experts in Poland who have long expressed their willingness to help us, but they have no intention of changing jobs or permanently donning a uniform. So far, we've invited them to collaborate, including as part of Locked Shields, the largest cyberdefense exercise."
Cyber LEGION is an idea designed to gain their support, but also to give them a sense of mission. To date, we have over a thousand applications, and the response has been incredible. Among the volunteers are internationally renowned experts, including those who laughed in 2019 when I said I'd still be dressing them in uniform.
After the summer holidays we will start our first meetings with them; for now, we have to process this huge number of applications.
This involves collaboration with specific specialists. How else do WOCs collaborate with the private sector?
We are one of the few institutions in NATO that have developed trusted relationships with both universities and the private sector. We have signed agreements with all the largest technology suppliers – the so-called Big Techs. Contrary to some narratives, these agreements are not about data transfer, but about ensuring direct contact between our experts and the suppliers' engineers.
This is crucial, especially in crisis situations – when our specialists detect a vulnerability, we need quick contact with the appropriate people, not the sales department. We've had cases where a vulnerability was actively exploited, and thanks to these relationships, the vendor immediately began working on a fix or provided us with recommendations for temporary protection.
Moreover, thanks to the trust we've built, we're now informed in advance of new vulnerabilities—before they're officially announced. This allows us to act faster and more effectively. Such bilateral, expert collaboration is the foundation of security in today's world.

You've emphasized many times in this conversation that you're doing something unique compared to NATO. Do you feel that, after six years, the WOC DK is unique?
"It is. Even this feeling borders on certainty. Back in 2019, we realized that if we wanted to build strong cyber capabilities, we had to create the talent ourselves, not compete for it on the market. That's why we focused on long-term development – from computer science classes in high schools, through the CYBER.MIL program, to increasing the number of students at military universities. Today, we're seeing tangible results – over a hundred new second lieutenants, graduates of cybersecurity-related programs, join the Cyberspace Defense Forces each year."
At the same time, we knew we needed a partner who would help us accelerate our development – hence the collaboration with the American side, initiated by an agreement with the United States European Command. This allowed us to draw on the experience that had been built in the US over a decade.
Initially, we also had to streamline national structures. Previously, different units were responsible for system security and functionality separately. This caused friction, delays, and gaps in protection. Therefore, we opted for an innovative model – combining competencies within a single structure. This allows for faster response, more effective risk analysis, and a balance between functionality and security.
Is it different in NATO?
In many NATO countries, responsibility is still fragmented, resulting in a slower flow of information and a real threat. I know of cases where attacks were successful solely because of a lack of coordinated action. We focused on integration.
Moreover, we also actively support external partners, including critical infrastructure. This isn't standard yet, but we see that more and more countries—including the United Kingdom, Germany, the United States, and France—recognize the importance of this approach and share similar views. We are pioneers in this field, but we are not alone on this path.
Artificial intelligence and drones are changing the battlefield. How does the WOC respond?
So others are already learning from Poland?
We successfully export our knowledge and experience. However, it's not just others who learn from us; we do it too and want to do it.
And so – again – we came up with something unique. We heard that at many conferences everyone was talking about collaboration and information sharing. Only when someone said, "OK, but what exactly did you do in this case?" would there be silence, because the information was very sensitive. That's why every year we organize the CSIRT Summit in Legionowo, a space for exchanging information at the NATO SECRET level. However, to enter the meeting, there's a condition for the country: you have to bring your own case study. Only then can you listen to others. The idea was picked up by the Americans, so our event now has a truly high profile.
We're constantly drawing conclusions, which is why our structure is constantly changing. The Director of the Human Resources Department is probably not particularly pleased that we constantly receive organizational and staffing proposals, but that stems from the fact that technology is changing rapidly. In 2019, when we were shaping the structure of the Cyberspace Defense Forces, we weren't as active in artificial intelligence. Now, it's impossible to imagine not implementing this element, so we built the Artificial Intelligence Implementation Center to address this groundbreaking technology and its presence in our infrastructure.
What does it do?
Artificial intelligence can truly support commanders by analyzing vast data sets from sensors and systems, suggesting decisions that were once made by the command staff. Those who can process this data faster and translate it into operational decisions will gain an advantage. We want to implement solutions already available on the market, but also have a team of engineers who understand these technologies, can train models on classified data, and implement them in our systems.
I'm convinced our adversaries are working on this too, so if we weren't, we could imagine a scenario where two forces would clash: one would use AI algorithms to make decisions, and the other wouldn't. It's easy to imagine which would have the advantage.
We are also working on autonomous weapons systems, drone swarms, and satellite data analysis – all of which use AI to increase effectiveness and resistance to interference.
CISI recruits the best young officers—masters and engineers—who have already gained experience at military technical universities. Our goal is to create a team that not only understands technology but also can safely and effectively implement it, taking into account threats such as data contamination. This is an investment in capabilities that will be crucial on the future battlefield.
wnp.pl