
National Cyber and Information Security Agency


Selected News

Thanks to the work of NÚKIB during CZ PRES, EU cybersecurity has increased

The six-month-long Czech Presidency of the Council of the European Union (CZ PRES) has finished. While it was historically the second presidency for the Czech Republic, for the National Cyber and Information Security Agency (NÚKIB) as the central administrative body for cyber security, it was a premiere, due to its establishment only 5 years ago. However, it was a successful one. We managed to lead several working groups in the Council and outside of it, successfully organized a wide range of meetings, conferences and seminars, and fulfilled all three defined priorities for CZ PRES:

reaching consensus across all Member States on a proposal for a Regulation of the European Parliament and of the Council of the EU setting out measures to ensure a high common level of cybersecurity in EU institutions, bodies and agencies,

advancing negotiations on the draft of the Cyber Resilience Act (CRA),

enhancing and reinforcing the topic of supply chain cybersecurity in information and communication technologies (ICT).

Although NÚKIB had already been working on these issues before the Presidency, which we intend to continue to do in the future, CZ PRES has offered us a unique opportunity to take the lead and to move forward with our priorities. In this spirit, Lukáš Kintr, the Director of NÚKIB, expressed himself at the NIS Cooperation Group Meeting in September: "We will do our very best to move the cybersecurity agenda forward and thus significantly strengthen the resilience of the European Union as a whole." The fulfilment of all three priorities of NÚKIB has helped to achieve the Czech Republic's cybersecurity objectives set for CZ PRES and to build a substantial basis for further direction of the Czech Republic, as well as of the Union as a whole. We have therefore succeeded in fulfilling the goals we had set for the Presidency.

What exactly did we achieve? In October, the Council of the EU adopted conclusions on ICT supply chain cybersecurity, which highlighted the importance of joint action in addressing this issue, and outlined concrete steps and initiatives needed to strengthen this area across all EU Member States. This should eventually lead to reducing the impact of risky suppliers on the most important national information infrastructures. NÚKIB is already finalising the legislation draft that will reflect this objective and enhance the Czech Republic's cyber security.

Another priority set for CZ PRES was fulfilled in November, when the Council of the EU approved a general approach and thus expressed a unified position of all 27 Member States on the regulation draft on cybersecurity of the Union's institutions, bodies, offices and agencies. This regulation intends to enhance and fill the gaps in the current unsatisfactory state, where there are no common rules between EU entities and large differences in their levels of cybersecurity. The general approach was negotiated in a working party chaired by NÚKIB.

Last but not least, our priority was to start the debate on the Cyber Resilience Act, which sets out rules for the placing of products with digital elements on the European market. The aim of the CRA is to ensure the cybersecurity of these products throughout their lifecycle and to improve the awareness of their users. Following a readthrough of the proposal, the first revision of the text focused on the scope of the regulation was also prepared during CZ PRES and a progress report written by our Agency was approved. It will now be up to our Swedish colleagues to take the next steps necessary for adoption of this regulation.

Within the framework of CZ PRES, NÚKIB has organised approximately sixteen international events in Brno, Prague and Brussels, which were attended physically or virtually by hundreds of people. One of these events was the first informal reception of delegates of the EU’s Horizontal Working Party on Cyber Issues and NATO’s Cyber Defence Committee. The aim behind it was to strengthen cooperation between the EU and NATO, which was also one of the main priorities of the Czech Republic during the Presidency. It was the first ever meeting of this format, so we have successfully started a tradition which the upcoming Presidencies intend to continue. However, without a doubt, the biggest and most important event was the high-level Prague Cyber Security Conference held on 3 November 2022, which was attended by over 500 cyber security experts from more than 80 countries, the EU and NATO.

The aim of all activities was not only to exchange practical experience, but also to deepen mutual cooperation of all like-minded partners. The common goal has always been and always will be the strengthening of the EU’s security, to which we have, at least in the cyber area, significantly contributed by fulfilling the set priorities.

The Czech Republic enters the final phase of drafting legislation to reduce the risks associated with suppliers of information and communication technology.

After initial deliberations on which and to what extent suppliers should be assessed and which infrastructure should be affected by limiting the use of high-risk suppliers, the National Cyber and Information Security Agency (NÚKIB) is now finalizing legislation that should significantly limit the influence of high-risk suppliers on the Czech Republic’s most important infrastructure.

In June 2022, the National Security Council of the Czech Republic instructed NÚKIB to prepare draft legislation introducing a supplier assessment mechanism with a deadline for submission to the government by May 2023. "I am pleased that, despite the complexity of this issue, we are succeeding in meeting the timetable for preparing the draft legislation. We are already close to being able to consult the specific wording of this extremely important legislation with partners from the public administration, as well as private and academic sectors," Lukáš Kintr, Director of NÚKIB, commented on the progress and added: "I believe that if all parties involved in the preparation are active and constructive, the Czech Republic can have a comprehensive system for reducing the state's dependence on untrustworthy foreign suppliers within two years. In the field of information technology, we hope to avoid the situation we are currently observing, for example, in connection with oil and gas supplies from the Russian Federation."

The supplier assessment mechanism should enable the state to detect untrustworthy suppliers of technological components of the most significant strategic infrastructure of the Czech Republic, assess risk associated with these suppliers, and, in case of high risk, restrict the use of such suppliers in the infrastructure.

As the term "most significant" suggests, the pending legislation should not apply to all systems and services regulated by the Act No 181/2014 Coll. on Cyber Security and change of Related Acts (Act on Cyber Security) but only to their subset with the most significant impact on the state and society. From the current division of the mandatory subjects of the Cybersecurity Act, the new legislation should impact critical information infrastructure and the information systems segment of essential services.

Nevertheless, the categorisation of regulated entities in the cybersecurity field will change due to the update of the EU Network and Information Security (NIS) Directive, the so-called NIS2. The implementation of NIS2 into national law is carried out by NÚKIB, so the two legislative changes are being prepared together and in synergy. The resulting proposals should thus comply in full with both Czech and EU-wide needs and requirements. NIS2 will only change the concepts concerning the supplier assessment mechanism, not the scope of the entities affected.

According to the draft mechanism, the assessment should be conducted by NÚKIB in cooperation with ministries, intelligence services, and other state organizations equipped with relevant information for assessing the supplier's credibility. The basis of the mechanism, however, will be fundamental information on suppliers provided by individual administrators of the regulated infrastructure. This information shall be combined with the state’s own information and information obtained from its peer partners and will be used to assess whether specific supplier assessment criteria are met. The criteria are to examine the existence and severity of threats posed by supply chains to national security or public order through the potential of foreign state takeover of a supplier, using the supplier for state espionage, disrupting the availability of critical foreign infrastructure, etc.

The assessment itself will be conducted by the state, focusing on suppliers already delivering their services to the strategic infrastructure, as well as their subcontractors and potential suppliers. If a risk associated with a supplier is identified, the state will be able to restrict its use in the regulated infrastructure, similar to the current warning under the Act on Cyber Security, or even prohibit such supplier by the means of measures of general nature affecting all relevant infrastructure managers. There will be no entitlement to assess a supplier and it is not the state's ambition to assess them all. Only those with an indication of a possible threat, for example due to the current security situation, will be assessed.

In particular, the mechanism is intended to assess potential suppliers. Consequently, all parties should be aware of the restrictions before selecting a specific supplier and signing a contract. However, a supplier may be assessed as untrustworthy after the contract has already been concluded. In that case, the infrastructure administrator shall be given a reasonable period to replace the untrustworthy supplier with a trustworthy one so that the restriction affects their business or other activities to the least possible extent. The whole process will therefore be as transparent and as protective of the rights of the infrastructure administrator and the supplier as possible. That includes the possibility for the authorities and persons concerned to comment on the scope of the intended prohibition on the use of the supplier.

The community of experts will have the opportunity to comment on the draft in a public consultation in the first quarter of next year. Information on further progress, including the possibility of commenting on the draft, will be provided on the NÚKIB website.

The high-level Prague Cyber Security Conference

On Thursday 3 November 2022, the Prague Cyber Security Conference, the largest event of the National Cyber and Information Security Agency (NÚKIB) within the framework of the Czech Presidency of the EU Council, took place in the Prague Congress Centre. The conference, which took place in a hybrid format, was a successor of the traditional Prague 5G Security Conference held in previous years. In total, over 500 cyber security experts from more than 80 countries attended the event. Approximately two dozen speakers consisted of both Czech and foreign statesmen, leading EU and NATO representatives and delegates from Asia. The discussion was mainly focused on supply chain security and new technologies, as this topic is also one of the priorities of the Czech Presidency. The event was a part of the two-day EU Secure and Innovative Digital Future Conference, which NÚKIB co-organised with the Ministry of Industry and Trade, the Office of the Government and in coordination with the Ministry of Foreign Affairs.

"A secure digital future requires strong cyber defence but also much more. It requires secure infrastructure, reliable partners, and resilient supply chains. That is what Europe is working on," said the President of the European Commission Ursula von der Leyen in her opening speech. Additionally, Czech Prime Minister Petr Fiala, Estonian Minister of Entrepreneurship and Information Technology Kristjan Järvan, Australian Minister of Home Affairs and Minister for Cyber Security Clare O'Neil and NATO Deputy Secretary General Mircea Geoană spoke in a similar vein. NÚKIB Director Lukáš Kintr, as a representative of the main event’s organiser, stated in his speech: "We need to re-evaluate our thinking, clarify our European strategy and strengthen the resilience of our digital backbone in the long term. A connected Europe will only be as secure as the technologies on which it is built."

Panel discussions focused on the security of the Information and Communication Technologies (ICT) supply chain

The opening speeches were followed by a series of four panel discussions where experts from different parts of the world discussed the security of ICT supply chains, their evolution, challenges, implications and solutions. The panels followed up on the recently adopted Council conclusions, which emphasised the importance of this topic among all EU countries. To handle the challenges that this issue poses to democratic countries, the exchange of good experiences is essential. The Russian invasion of Ukraine has shown the possible consequences of dependency on unreliable suppliers, who do not share Western values and interests. Given the dependency of today's society on ICT, the consequences of such a crisis in this sector would be much more serious for our society. The speakers of the conference agreed that cooperation with national and international partners, as well as between governments, academia and the private sector, is crucial for building a resilient and secure infrastructure based on trusted technologies. Furthermore, experts mentioned the need for diversity of providers to ensure their reliable and secure functioning, which is absolutely essential for our society, the state and other regional actors.

The first day of the EU Secure and Innovative Digital Future Conference was concluded with speeches by the Czech Minister of Foreign Affairs Jan Lipavský, and the NÚKIB Director Lukáš Kintr, who not only thanked the participants and the organisers of the Prague Cyber Security Conference, but also stressed the need for critical information infrastructure protection, for international cooperation and for an immediate focus on the security of the entire ICT supply chain ecosystem.

Bilateral meetings were also held during the Conference

Events such as the Prague conference also present opportunities for formal and informal meetings, where it is possible to share information and practical experience with partners and allies. Among others, representatives of NÚKIB met with delegations from Australia and the United States of America. While Director Kintr discussed national infrastructure resilience and education with the Australian Minister-Counsellor of the Department of Home Affairs for Europe Jaycob McMahon, he and the U.S. Department of Homeland Security representative Irang Kahangama had a discussion about joint exercises and enhanced information sharing with the Cybersecurity and Infrastructure Security Agency. Supply chain security was a common topic for both sessions, as well as for the entire conference.

The Council of the EU adopted conclusions on strengthening the security of information and communication technology supply chains

The topic of strengthening the security of the information and communication technology (ICT) supply chain is one of the priorities of the National Cyber and Information Security Agency (NÚKIB), and indeed the Czech Republic, for the Presidency of the Council of the EU. Yesterday, all EU Member States agreed on the importance of this issue in the Council of the EU. Following the conclusions initiated and negotiated by NÚKIB representatives, steps will now be taken to strengthen the security of ICT supply chains across the EU.

The current geopolitical crisis related to the war in Ukraine clearly demonstrates the gravity of the potential consequences of the strategic dependencies of EU countries on fossil fuels from third countries, such as the Russian Federation. With unanimous adoption of the conclusions, the EU Member States agreed on the need to avoid similar serious strategic dependencies in relation to ICT, which will form the digital backbone of our society. "This is a great success for our Agency and our country in the context of the Czech Presidency of the Council of the EU. We are glad that the whole Union understands the need to learn from the current situation and that we want to work together on our cybersecurity," said Lukáš Kintr, Director of NÚKIB.

Experience with incidents, such as SolarWinds and NotPetya, has revealed that cyberattacks through the supply chain can have a widespread negative impact on our society and economy. It can be assumed that the occurrence of such attacks is highly likely to increase in the future. This growing threat needs to be actively addressed and prepared for, not only at national but also at European level. The conclusions therefore come with a range of measures to address this threat with other EU Member States in unison.

Concrete steps include the creation of an ICT Toolbox inspired by the 5G Toolbox, the development of methodological guidance on how to include cybersecurity aspects in the public procurement process and the exploration of possibilities of financing the replacement of high-risk technologies.

You can also read about the conclusions of the Council of the EU here: https://www.consilium.europa.eu/en/press/press-releases/2022/10/17/the-council-agrees-to-strengthen-the-security-of-ict-supply-chains/.

 
