On Wednesday, 19 July 2023, the Government of the Czech Republic approved the "Report on the State of Cybersecurity of the Czech Republic for 2022"[1]. The document, prepared by the National Cyber and Information Security Agency (NÚKIB), shows that although there has been a slight year-on-year decrease in the total number of cyber incidents recorded by the NÚKIB, the Police of the Czech Republic recorded an almost twofold increase in cybercriminal activities over the same period. A twofold increase was also recorded in the number of cyber incidents within the critical information infrastructure, with the majority of them being attacks on the availability of services. State-sponsored cyber actors and the activities of cybercriminal groups remain the greatest threat to Czech cybersecurity. A significant step towards improving the security of the Czech Republic was the launch last year of the drafting of a new Cybersecurity Act, which includes, among other things, the EU cybersecurity directive NIS2, and it also deals with the supply chain security of information and communication technologies to strategically important infrastructure. The Cybersecurity Act is expected to take effect in the second half of 2024.
Statistical data from the report shows that although the Czech Republic has seen a slight year-on-year decline in the total number of cyber incidents recorded by the NÚKIB, from 157 in 2021 to 146 in 2022, the Police of the Czech Republic recorded an increase in cybercriminal activity to more than 18,000 crimes in the same period. The report also shows that the public sector recorded the highest number of cyber incidents, followed by the healthcare and private sectors. The most common attacks in the past year were phishing, spear-phishing, vishing, and fraudulent emails or availability attacks (mainly DDoS attacks). Most incidents were recorded in April and October last year, with DDoS attacks significantly contributing in both cases. "Russian-language hacking groups were mainly responsible for this increase. In 2022, the NÚKIB issued 16 alerts and three warnings related to the current threat or vulnerability, with some of the warnings directly related to risks arising from the Russian invasion of Ukraine. Similarly, several incidents registered by the NÚKIB were directly related to the Russian aggression in Ukraine. Moreover, it is almost certain that this conflict will continue to affect Czech cyberspace," said Lukáš Kintr, Director of the NÚKIB.
The report also states that the NÚKIB has recently recorded an increased number of incidents in the transportation sector. While in previous years they numbered only in the single digits, in 2022 there were already 14 incidents. For the second year in a row, the number of recorded cyber incidents categorized as very significant declined. In contrast, there has been an increase in the number of significant incidents. A positive trend that started in 2021 is the growing number of organizations increasing their cybersecurity budgets. However, financing and the lack of cybersecurity experts remain among the main issues and challenges for Czech institutions and organizations.
A significant step in cybersecurity in the Czech Republic in 2022 was the preparation of a new Cybersecurity Act, which is an essential pillar for maintaining a secure Czech cyberspace and is expected to come into force in October 2024. The new law contains everything the Czech Republic needs from a cybersecurity perspective. It responds to the dynamic developments in the security environment and reflects the practical experience of almost a decade of work with the current Cybersecurity Act. It also deals with the need for a mechanism for verifying the supply chain security of the most critical infrastructure for the state. Last, but not least, it is closely related to the new European cybersecurity directive NIS2, which is part of the upcoming legislation. The final text of the NIS2 Directive was adopted during the Czech Presidency of the Council of the European Union. "I am pleased that in the six months under our leadership, the EU has achieved a huge shift in cybersecurity. I am glad that the individual Czech institutions have shown they can work as a team even during such a challenging period. Not only from a cybersecurity perspective, I can say that I am proud of how the Czech Republic has presented itself and what it has achieved," said Director Kintr.
Although a significant part of the NÚKIB's agenda last year consisted of participating in the preparation and implementation of the Czech Presidency of the Council of the European Union, the NÚKIB also worked intensively on the further development of cooperation with partners within the EU and NATO. Equally intensive last year were the Office's awareness-raising activities and its organization of cyber exercises (seven domestic and three international), which aimed at raising awareness of current cyber threats and creating conditions for training future experts in the field of cyber security. "We have participated in several domestic and international events, organized exercises, training sessions, seminars, or conferences, and have consistently worked to raise awareness and educate the public and our employees. More than 51,000 users have taken the freely available courses on our educational portal osveta.nukib.cz. The goal of all our activities is to make the Czech Republic a safer place to live," concluded Lukáš Kintr, Director of the NÚKIB.
The full Report on the State of Cybersecurity in the Czech Republic for 2022 is available here.
[1] The Report on the State of Cybersecurity in the Czech Republic is the primary document summarising what has been happening in the country's cybersecurity field over the past year. The main author is the NÚKIB, which sent out a 77-question questionnaire at the beginning of 2023 to entities regulated by the Cybersecurity Act and several other key institutions and organizations that the Cybersecurity Act does not regulate. The questions covered various topics, such as cyberattacks, cybersecurity costs, cybersecurity staffing capabilities, users, technologies, and processes in place. A total of 317 entities completed the questionnaire, 236 regulated and 81 unregulated. From the data obtained, the NÚKIB drew information for the Report on the State of Cybersecurity in the Czech Republic for 2022. All data from the questionnaires are anonymized.
2023-07-20
On Monday, 19 June 2023, the National Cyber and Information Security Agency (NÚKIB) hosted an online roundtable called the Prague Cyber Security Meeting, this year's version of the traditional Prague Cyber Security Conference. The event was divided into two thematic blocks, attended by representatives from two dozen countries and the European Commission. Private sector representatives also gave short presentations at the beginning of each session. At the end of the program, participants were informed of the date of the next Prague conference, which will take place on 19 and 20 March 2024. The meeting aimed to open up essential topics for discussion, such as the risks associated with artificial intelligence or the private sector's possible involvement in cyber incidents.
Lukáš Kintr, the Director of the NÚKIB, opened the online meeting: "Keeping abreast of the latest technological advances, including new and disruptive technologies, is essential for the international community. It is a struggle we cannot afford to ignore if we want to remain secure, resilient, and effective in addressing cybersecurity challenges." In his speech, Director Kintr said that the public sector faces many security challenges while being equipped with very limited capabilities.
The Director's speech was followed by the first topical session, which focused on the impact of emerging disruptive technologies, mainly artificial intelligence, on cyber security. Country representatives discussed the impact of AI on the risk-based approach and the new opportunities that these technologies bring to cybersecurity solutions. The government representatives present further debated which emerging disruptive technologies beyond AI most influence national approaches to cybersecurity.
The second topical part of the meeting focused on private sector involvement in dealing with significant cyber incidents, especially those within critical or strategically important infrastructure. During this part, private sector representatives had input and brought a different perspective to the discussion with government representatives. Governmental participants then discussed the extent to which the private sector should be present in incident response or the most beneficial framework for such collaboration.
Pavel Štěpáník, Deputy Director of the Strategic Affairs and Engagement Division, also participated in both panels on behalf of the NÚKIB in the Prague studio. At the end of the program, he thanked all participants for their involvement and contributions. The Director of the NÚKIB, Lukáš Kintr, finally concluded with his closing remarks: "We should all work on increasing our resilience in cyberspace and beyond. As I said before, we cannot slow down our efforts to strengthen our cyber diligence or get carried away by a false sense of security."
2023-06-19
Lukáš Kintr, the Director of the National Cyber and Information Security Agency (NÚKIB), together with Pavel Štěpáník, the Deputy Director of the Strategic Affairs and Engagement Division, were part of the Czech delegation led by Markéta Pekarová Adamová, the Speaker of the Chamber of Deputies of the Parliament of the Czech Republic, which visited South Korea and Taiwan between 22 and 29 March 2023. As part of the journey, they participated in numerous meetings with their counterparts or political representatives of the countries concerned. They discussed the security threats facing their countries and their experiences in dealing with them. The visit aimed not only to exchange practical knowledge but also to build and strengthen relations with both countries, which are considered important partners of the Czech Republic. It was also the first-ever visit to both countries by the Director of NÚKIB.
"Despite the considerable geographical distance, I assess the cooperation with both countries as very beneficial and crucial for increasing the security of the Czech Republic," commented Lukáš Kintr, the Director of NÚKIB. "Both South Korea and Taiwan are countries with unique expertise in protecting their strategic infrastructure from cyber-attacks. In the context of the security situation, they have immediate experience with the threats under discussion," Director Kintr added.
The trip commenced with a visit to South Korea, where NÚKIB representatives and their counterparts discussed not only cybersecurity threats but, among others, cybersecurity exercises, cooperation with the private sector, cybersecurity education and training, and information sharing.
The second part of the trip took place in Taiwan. During the meeting with representatives of the Ministry of Digital Affairs of Taiwan, particularly with Deputy Minister Herming Chiueh and Director General of Administration for Cyber Security, Hsieh Tsui-chuan, the discussion revolved around the lack of cybersecurity experts and the possible ways to motivate and promote a working career in public administration. A central theme of the meeting was avoiding strategic dependencies on risky ICT suppliers. As in the meeting with the South Korean officials, there was also a discussion on cyber threats, exercises and possibilities for mutual cooperation, during which it was agreed to implement exchange internships for experts from both countries. As a part of his program in Taiwan, Deputy Director Pavel Štěpáník participated in the "Taiwan-Czech Forum and Democratic Resilience" conference, where he spoke on the "Safeguarding Democratic Institutions: Lessons from Europe and Taiwan" panel. In his presentation, he stressed the importance of cybersecurity, which starts with every technology user. He also talked about supply chain security and the need to consider its strategic perspective, not just the technical one. The final agenda point, before the departure of the Czech delegation, was the meeting with Audrey Tang, the Minister of Digital Affairs, where, among other things, the topics of emerging and disruptive technologies, especially artificial intelligence and quantum cryptography, and the system of education of cybersecurity professionals were discussed.
"One of the key pillars of the Czech National Cyber Security Strategy is strong and reliable alliances based on mutual trust, shared values and common interests. As part of our international cooperation, we will continue to pay close attention to our partners in the Indo-Pacific region. There is no substitute for face-to-face meetings, which are essential for building strong alliances," commented Lukáš Kintr, the Director of NÚKIB, at the end of the foreign visit.
2023-03-29
The National Cyber and Information Security Agency (NÚKIB) has issued a WARNING against a cybersecurity threat consisting of installing and using the TikTok app on devices accessing critical information and communication infrastructure systems, information and communication systems of essential services and important information systems. NÚKIB has issued this warning based on the Agency's findings and information from partners. The Agency is concerned about the potential security threat stemming from the use of TikTok, primarily due to the amount of user data that is collected by the app as well as the way the data is handled. Such large-scale data collection is concerning due to the legal and political environment of the People's Republic of China (PRC), given that ByteDance, the developer and administrator of TikTok, falls under the legal jurisdiction of the PRC. The warning applies to authorities or persons which are obliged to implement security measures pursuant to the Cyber Security Act. The warning is in effect from the moment of posting on the notice board of the NÚKIB.
Based on the warning, obliged persons must respond by taking appropriate security measures. This threat is assessed as "High," meaning probable to very probable. The NÚKIB recommends prohibiting the installation and use of TikTok on devices that have access to the regulated system (corporate devices as well as personal devices used for work purposes) as the best way to eliminate or minimize the threat. The Agency also encourages the public to reconsider using TikTok as well as the quantities and types of data that they share through the app. We do not recommend that "persons of interest" who hold high-level political, public, or decision-making positions use the app. The warnings issued and the recommendations outlined above are in accordance with the Cyber Security Act, which requires NÚKIB to promote prevention in the field of cyber security.
"I proceeded to issue the warning based on a comprehensive analysis of information about TikTok that we obtained from public sources and our allies. The amount of data being collected and handled, combined with the legal environment in China and the growing number of users in the Czech Republic, leave us with no other choice than to describe TikTok as a security threat," said Lukáš Kintr, Director of the NÚKIB, on the issued warning. Kintr added: "The warning does not distinguish between users from the public and private sectors. The key issue is whether a threat to a particular system could harm the functioning of the Czech Republic and the security of each of us."
The warning in its entirety can be found here: https://www.nukib.cz/download/publications_en/2023-03-08_Warning-TikTok-App.pdf.
2023-03-08