National Cyber and Information Security Agency

NÚKIB officials met with South Korean and Taiwanese partners

Lukáš Kintr, the Director of the National Cyber and Information Security Agency (NÚKIB), together with Pavel Štěpáník, the Deputy Director of the Strategic Affairs and Engagement Division, were part of the Czech delegation led by Markéta Pekarová Adamová, the Speaker of the Chamber of Deputies of the Parliament of the Czech Republic, which visited South Korea and Taiwan between 22 and 29 March 2023. As part of the journey, they participated in numerous meetings with their counterparts or political representatives of the countries concerned. They discussed the security threats facing their countries and their experiences in dealing with them. The visit aimed not only to exchange practical knowledge but also to build and strengthen relations with both countries, which are considered important partners of the Czech Republic. It was also the first-ever visit to both countries by the Director of NÚKIB.

"Despite the considerable geographical distance, I assess the cooperation with both countries as very beneficial and crucial for increasing the security of the Czech Republic," commented Lukáš Kintr, the Director of NÚKIB." Both South Korea and Taiwan are countries with unique expertise in protecting their strategic infrastructure from cyber-attacks. In the context of the security situation, they have immediate experience with the threats under discussion.", Director Kintr added.

The trip commenced with a visit to South Korea, where NÚKIB representatives and their counterparts discussed not only cybersecurity threats but, among others, cybersecurity exercises, cooperation with the private sector, cybersecurity education and training, and information sharing. 

The second part of the trip took place in Taiwan. During the meeting with representatives of the Ministry of Digital Affairs of Taiwan, particularly with Deputy Minister Herming Chiueh and Director General of Administration for Cyber Security, Hsieh Tsui-chuan, their discussion revolved around the lack of cybersecurity experts and the possible ways to motivate and promote a working career in public administration. A central theme of the meeting was avoiding strategic dependencies on risky ICT suppliers. As in the meeting with the South Korean officials, there was also a discussion on cyber threats, exercises and possibilities for mutual cooperation, during which it was agreed to implement exchange internships for experts from both countries. As a part of his program on Taiwan, Deputy Director Pavel Štěpáník participated in the "Taiwan-Czech Forum and Democratic Resilience" conference, where he spoke on the "Safeguarding Democratic Institutions: Lessons from Europe and Taiwan" panel. In his presentation, he stressed the importance of cybersecurity, which starts with every technology user. He also talked about supply chain security and the need to consider its strategic perspective, not just the technical one. The final agenda point, before the departure of the Czech delegation, was the meeting with Audrey Tang, the Minister of Digital Affairs, where, among other things, the topics of emerging and disruptive technologies, especially artificial intelligence and quantum cryptography, and the system of education of cybersecurity professionals were also discussed.

"One of the key pillars of the Czech National Cyber Security Strategy is strong and reliable alliances based on mutual trust, shared values and common interests. As part of our international cooperation, we will continue to pay close attention to our partners in the Indo-Pacific region. There is no substitute for face-to-face meetings, which are essential for building strong alliances," commented Lukáš Kintr, the Director of NÚKIB, at the end of the foreign visit.

2023-03-29

The TikTok app poses a security threat

The National Cyber and Information Security Agency (NÚKIB) has issued a WARNING against a cybersecurity threat consisting of installing and using the TikTok app on devices accessing critical information and communication infrastructure systems, information and communication systems of essential services and important information systems. NÚKIB has issued this warning based on the Agency´s findings and information from partners. The Agency is concerned about potential security threat stemming from the use of TikTok primarily due to the amount of user data that is collected by the app as well as the way the data is handled. Such large-scale data collection is concerning due to the legal and political environment of the People's Republic of China (PRC), given that ByteDance, the developer and administrator of TikTok, falls under the legal jurisdiction of the PRC. The warning applies to authorities or persons which are obliged to implement security measures pursuant to the Cyber Security Act. The warning is in effect from the moment of posting on the notice board of the NÚKIB.

Based on the warning, obliged persons must respond by taking appropriate security measures. This threat is assessed as "High," meaning probable to very probable. The NÚKIB recommends prohibiting the installation and use of TikTok on devices that have access to the regulated system (corporate devices as well as personal devices used for work purposes) as the best way to eliminate or minimize the threat. The Agency also encourages the public to reconsider using TikTok as well as the quantities and types of data that they share through the app. We do not recommend using the app to “persons of interest” who hold high-level political, public, or decision-making positions. The warnings issued and the recommendations outlined above are in accordance with the Cyber Security Act, which requires NÚKIB to promote prevention in the field of cyber security.

"I proceeded to issue the warning based on a comprehensive analysis of information about TikTok that we obtained from public sources and our allies. The amount of data being collected and handled, combined with the legal environment in China and the growing number of users in the Czech Republic, leave us with no other choice than to describe TikTok as a security threat," said Lukáš Kintr, director of the NÚKIB, on the issued warning. Kintr added: "The warning does not distinguish between users from the public and private sectors. The key issue is whether a threat to a particular system could harm the functioning of the Czech Republic and the security of each of us.

The warning in its entirety can be found here: https://www.nukib.cz/download/publications_en/2023-03-08_Warning-TikTok-App.pdf.

2023-03-08

Thanks to the work of NÚKIB during CZ PRES, EU cybersecurity has increased

The six-months-long Czech Presidency of the Council of the European Union (CZ PRES) has finished. While it was historically the second presidency for the Czech Republic, for the National Cyber and Information Security Agency (NÚKIB) as the central administrative body for cyber security, it was a premiere, due to its establishment only 5 years ago. However, it was a successful one. We managed to lead several working groups in the Council and outside of it, successfully organized a wide range of meetings, conferences, seminars and we have also fulfilled all three defined priorities for CZ PRES:

reaching consensus across all Member States on a proposal for a Regulation of the European Parliament and of the Council of the EU setting out measures to ensure a high common level of cybersecurity in EU institutions, bodies and agencies, advancing negotiations on the draft of the Cyber Resilience Act (CRA), enhancing and reinforcing the topic of supply chain cybersecurity in information and communication technologies (ICT).

Although NÚKIB had already been working on these issues before the Presidency, which we intend to continue to do in the future, CZ PRES has offered us a unique opportunity to take the lead and to move forward with our priorities. In this spirit, Lukáš Kintr, the Director of NÚKIB, expressed himself at the NIS Cooperation Group Meeting in September: "We will do our very best to move the cybersecurity agenda forward and thus significantly strengthen the resilience of the European Union as a whole." The fulfilment of all three priorities of NÚKIB has helped to achieve the Czech Republic's cybersecurity objectives set for CZ PRES and to build a substantial basis for further direction of the Czech Republic, as well as of the Union as a whole. We have therefore succeeded in fulfilling the goals we had set for the Presidency.

What exactly did we achieve? In October, the Council of the EU adopted conclusions on ICT supply chain cybersecurity, which highlighted the importance of joint action in addressing this issue, and outlined concrete steps and initiatives needed to strengthen this area across all EU Member States. This should eventually lead to reducing the impact of risky suppliers on the most important national information infrastructures. NÚKIB is already finalising the legislation draft that will reflect this objective and enhance the Czech Republic's cyber security.

Another priority set for CZ PRES was fulfilled in November, when the Council of the EU approved a general approach and thus expressed a unified position of all 27 Member States on the regulation draft on cybersecurity of the Union's institutions, bodies, offices and agencies. This regulation intends to enhance and fill the gaps in the current unsatisfactory state, where there are no common rules between EU entities and large differences in their levels of cybersecurity. The general approach was negotiated in a working party chaired by NÚKIB.

Last but not least, our priority was to start the debate on the Cyber Resilience Act, which sets out rules for the placing of products with digital elements on the European market. The aim of the CRA is to ensure the cybersecurity of these products throughout their lifecycle and to improve the awareness of their users. Following a readthrough of the proposal, the first revision of the text focused on the scope of the regulation was also prepared during CZ PRES and a progress report written by our Agency was approved. It will now be up to our Swedish colleagues to take the next steps necessary for adoption of this regulation.

Within the framework of CZ PRES, NÚKIB has organised approximately sixteen international events in Brno, Prague and Brussels, which were attended physically or virtually by hundreds of people. One of these events was the first informal reception of delegates of the EU’s Horizontal Working Party on Cyber Issues and NATO’s Cyber Defence Committee. The aim behind it was to strengthen cooperation between the EU and NATO, which was also one of the main priorities of the Czech Republic during the Presidency. It was the first ever meeting of this format, therefore we had successfully started a tradition in which the upcoming Presidencies intend to continue. However, without a doubt, the biggest and most important event was the high-level Prague Cyber Security Conference held on 3 November 2022, which was attended by over 500 cyber security experts from more than 80 countries, EU and NATO.

The aim of all activities was not only to exchange practical experience, but also to deepen mutual cooperation of all like-minded partners. The common goal has always been and always will be the strengthening of the EU’s security, to which we had, at least in the cyber area, significantly contributed by fulfilling the set priorities.

2023-01-18

The Czech Republic enters the final phase of drafting legislation to reduce the risks associated with suppliers of information and communication technology.

After initial deliberations on which and to what extent suppliers should be assessed and which infrastructure should be affected by limiting the use of high-risk suppliers, the National Cyber and Information Security Agency (NÚKIB) is now finalizing legislation that should significantly limit the influence of high-risk suppliers on the Czech Republic’s most important infrastructure.

In June 2022, the National Security Council of the Czech Republic instructed NÚKIB to prepare draft legislation introducing a supplier assessment mechanism with a deadline for submission to the government by May 2023. "I am pleased that, despite the complexity of this issue, we are succeeding in meeting the timetable for preparing the draft legislation. We are already close to being able to consult the specific wording of this extremely important legislation with partners from the public administration, as well as private and academic sectors," Lukáš Kintr, Director of NÚKIB, commented on the progress and added: "I believe that if all parties involved in the preparation are active and constructive, the Czech Republic can have a comprehensive system for reducing the state's dependence on untrustworthy foreign suppliers within two years. In the field of information technology, we hope to avoid the situation we are currently observing, for example, in connection with oil and gas supplies from the Russian Federation."

The supplier assessment mechanism should enable the state to detect untrustworthy suppliers of technological components of the most significant strategic infrastructure of the Czech Republic, assess risk associated with these suppliers, and, in case of high risk, restrict the use of such suppliers in the infrastructure.

As the term "most significant" suggests, the pending legislation should not apply to all systems and services regulated by the Act No 181/2014 Coll. on Cyber Security and change of Related Acts (Act on Cyber Security) but only to their subset with the most significant impact on the state and society. From the current division of the mandatory subjects of the Cybersecurity Act, the new legislation should impact critical information infrastructure and the information systems segment of essential services.

Nevertheless, the categorisation of regulated entities in the cybersecurity field will change due to the update of the EU Network and Information Security (NIS) Directive, the so-called NIS2.  The implementation of NIS2 into national law is carried out by NÚKIB, so the two legislative changes are being prepared together and in synergy. The resulting proposals should thus comply in full with both Czech and EU-wide needs and requirements. NIS2 will only change the concepts concerning the supplier assessment mechanism, not the scope of the entities affected.

According to the draft mechanism, the assessment should be conducted by NÚKIB in cooperation with ministries, intelligence services, and other state organizations equipped with relevant information for assessing the supplier's credibility. The basis of the mechanism, however, will be fundamental information on suppliers provided by individual administrators of the regulated infrastructure. This information shall be combined with the state’s own information and information obtained from its peer partners and will be used to assess whether specific supplier assessment criteria are met. The criteria are to examine the existence and severity of threats posed by supply chains to national security or public order through the potential of foreign state takeover of a supplier, using the supplier for state espionage, disrupting the availability of critical foreign infrastructure, etc.

The assessment itself will be conducted by the state, focusing on suppliers already delivering their services to the strategic infrastructure, as well as their subcontractors and potential suppliers. If a risk associated with a supplier is identified, the state will be able to restrict its use in the regulated infrastructure, similar to the current warning under the Act on Cyber Security, or even prohibit such supplier by the means of measures of general nature affecting all relevant infrastructure managers. There will be no entitlement to assess a supplier and it is not the state's ambition to assess them all. Only those with an indication of a possible threat, for example due to the current security situation, will be assessed.

In particular, the mechanism is intended to assess potential suppliers. Consequently, all parties should be aware of the restrictions before selecting a specific supplier and signing a contract. However, a supplier may be assessed as untrustworthy after the contract has already been concluded. In that case, the infrastructure administrator shall be given a reasonable period to replace the untrustworthy supplier with a trustworthy one so that the restriction affects their business or other activities to the least possible extent. The whole process will therefore be as transparent and protective over the rights of the infrastructure administrator and the supplier as possible. That includes the possibility for the concerned authorities and persons concerned to comment on the scope of the intended prohibition on the use of the supplier.

The community of experts will have the opportunity to comment on the draft in a public consultation in the first quarter of next year. Information on further progress, including the possibility of commenting on the draft, will be provided on the NÚKIB website.

2022-11-24