
National Cyber and Information Security Agency



Relevant and clear information on the new NIS2 Directive can be found at nis2.nukib.cz/en.

 

Selected News

Mobile App Security Threat Alert: WeChat by Tencent

The National Cyber and Information Security Agency (hereinafter the "Agency") is issuing a security threat alert regarding the use of Tencent's WeChat mobile application. The app collects a large volume of user data which - along with the way the data is collected - could be used for precise cyberattacks. The company behind the WeChat app is Tencent, based in the People's Republic of China (PRC), which, according to verified information from the Agency, is closely linked to the Chinese government and the Chinese Communist Party.

The WeChat app is used by approximately 1.3 billion active users worldwide. It is most popular in the PRC and countries with larger Chinese communities. In the Czech Republic, only about 40,000 people use the app, but among these users is a significant number of high-profile individuals such as diplomats, businesspeople, scholars, or Chinese dissidents. Their sensitive data collected by WeChat could thus be misused in the future, for example, for blackmail or coercion. 

The threat associated with the WeChat app is very similar to the threat surrounding the TikTok app operated by the Chinese company ByteDance, which the Agency warned about on March 8, 2023. "We are issuing this security threat alert not only based on our own analysis, but also on information from our domestic and foreign partners. However, compared to TikTok, the number of users on the WeChat platform is significantly lower, which is why in this case we are issuing a security threat alert instead of a warning," explains Lukáš Kintr, the director of the Agency.

WeChat is a social media and messaging mobile app with many additional features. It is developed and operated by Tencent, a company based in Shenzhen, China. Tencent is an entity subject to strict Chinese national legislation and regulations. For example, the State Security Law of 2015, the 2017 Law on State Intelligence Activities, the Companies Law of 2013, and the Regulations for Reporting Vulnerabilities in Network Devices require individuals and entities to cooperate with Chinese authorities, even against the interests of their international partners or customers. According to publicly available sources and information from the Agency's partners, Tencent is intertwined with the PRC public administration and the Chinese Communist Party. The PRC's influence operations in the Czech Republic give rise to concerns that the data collected by the app could be misused.

WeChat has already been banned in India, Canada, and some US states. This year, the Netherlands issued a recommendation for government employees not to use apps from countries that conduct offensive cyber operations against the state. Similarly, Canada banned the app in 2023 on government devices. 

Recommendations of the Agency

"If you need to use WeChat, it is advisable to have the app installed on a separate device from the one you use for all other purposes. If this is not possible, we recommend you keep it on your device only for the strictly necessary period of time and only allow permissions that are required for its functioning," stated the Agency's Director Lukáš Kintr.

In the case of the WeChat app, the Agency has issued a security threat alert – therefore it is not a warning under the Act on Cyber Security, as was the case with the TikTok app. Even so, the Agency believes it is advisable not to underestimate the threat associated with using the WeChat app and to accordingly adapt or significantly restrict further use.

The full security threat alert can be found at the link: https://www.nukib.cz/download/publications_en/WeChat_Security%20Threat%20Alert.pdf

Czech Republic Participated in the Third Annual International Counter Ransomware Summit Hosted by the White House

Deputy Director of the National Cyber and Information Security Agency (NÚKIB) Pavel Štěpáník and Cyber Attachée to the United States Berta Jarošová represented the Czech Republic during the third annual International Counter Ransomware Summit convened by Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger in Washington DC.

The Czech Republic, together with more than 40 other states, joined the collective statement against ransomware payments. NÚKIB discouraged paying ransom demands in its recent analysis and recommendation on ransomware.

Over the past year, the Czech Republic contributed to various projects of the International Counter Ransomware Task Force led by Australia and of the Policy Pillar led by Singapore, including work on strengthening information sharing and on cyber insurance against ransomware.

During the two-day summit hosted by the White House, the Czech Republic pointed to the rise of ransomware-as-a-service shown by the Report on the State of Cyber Security 2022 and recalled the warning against ransomware issued by NÚKIB in June 2023. More recently, Czech law-enforcement authorities also participated in the takedown of the Ragnar Locker ransomware gang.

Effective inter-agency coordination, trusted public-private partnership and close international cooperation are key in tackling ransomware. For this reason, NÚKIB and the National Center for Combating Terrorism, Extremism, and Cybercrime (NCTEKK) agreed to co-establish an informal working group on ransomware in the future to strengthen cooperation among relevant actors and institutions at the national level.

On the margins of the International Counter Ransomware Summit, Deputy Director Pavel Štěpáník met with National Cyber Director Kemba Walden and held various bilateral engagements on cybersecurity and cyber resilience with partners in the United States, including the National Institute of Standards and Technology, the Department of Energy and the Center for Strategic and International Studies.

Joint Statement from the Third Annual Counter Ransomware Summit: "International Counter Ransomware Initiative 2023 Joint Statement" (The White House)

Joint Statement Against Ransomware Payments: "CRI joint statement on ransomware payments" (GOV.UK, www.gov.uk)

The National Cyber and Information Security Agency of the Czech Republic issued a joint recommendation on the security of software products in cooperation with US federal agencies and other international partners

NÚKIB, along with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and other international partners, published an update to the joint guidance “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software”.

Below is the press release by the Cybersecurity and Infrastructure Security Agency (CISA).

 

CISA, U.S. and International Partners Announce Updated Secure by Design Principles Joint Guide

Joint product with additional partners includes expanded principles and guidance for technology providers to increase the safety of their products used around the world

Released October 16, 2023

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA), along with 17 U.S. and international partners, published an update to “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software” that includes further detail on key principles, guidance, and is co-sealed by eight additional international cybersecurity agencies. CISA Director Jen Easterly will discuss the importance of this updated guidance and next steps during Singapore International Cyber Week.

Initially published in April 2023, this joint guidance urges software manufacturers to take urgent steps necessary to design, develop, and deliver products that are secure by design.

This updated guidance includes feedback received from hundreds of individuals, companies, and non-profits. It expands on the three principles defined in the initial guidance: Take Ownership of Customer Security Outcomes, Embrace Radical Transparency and Accountability, and Lead From the Top. This update highlights how software manufacturers can demonstrate these principles to their customers and the public, emphasizing that software manufacturers must be able to compete on the basis of security. This joint guidance is intended to help software manufacturers demonstrate their commitment to secure by design principles and give customers suggestions on how to ask for products that are secure by design.

In the coming weeks, CISA will be releasing a Request for Information on secure by design practices, inviting feedback on this guidance and to understand steps that companies are undertaking in line with secure by design principles.

Joining CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, the United Kingdom, Germany, the Netherlands, and New Zealand (CERT NZ, NCSC-NZ), who co-sealed the initial version, this updated guidance benefitted from insights and partnerships with cybersecurity agencies in the Czech Republic, Israel, Singapore, Korea, Norway, the OAS/CICTE CSIRTAmericas Network, and Japan (JPCERT/CC and NISC).

“I am extremely proud of the expansive, insightful and aligned U.S. and international partnerships that have come together with a shared vision of a future in which technology products are secure by design,” said CISA Director Jen Easterly. “Thanks to the feedback of hundreds of partners, we have revised this guidance to focus even more on how companies can demonstrate their commitment to secure by design principles. To achieve the National Cybersecurity Strategy’s goal of rebalancing the responsibility in cyberspace, customers need to be able to demand more from their vendors – and this joint guidance gives them the tools to do exactly that.”

“We appreciate the cooperation with CISA and other international partners on this joint output. Within the EU, the Cyber Resilience Act seeks to reinforce product security and consumers' safety,” said Lukáš Kintr, Director of the National Cyber and Information Security Agency of the Czech Republic. “In a globally interconnected and technology-driven world, our collective endorsement of the Security by Design approach aims to strengthen our resilience and protection of our citizens and critical infrastructure across the continents.”

“'Security by Design' is a change in the paradigm of cybersecurity responsibility between the stakeholders. INCD would like to see the shift of responsibility from the end-user to the manufacturers and service providers. In the modern world, cybersecurity is a basic commodity, like water, energy and environmental protection; hence, it should be secure by design and by default,” said Gaby Portnoy, Director General INCD. “INCD is proud to take part in CISA's publication of this product, which we see as a critical step towards a secure and resilient technology for all customers. INCD will encourage manufacturers in the Israeli market to adopt this guidance.”

“Security by design and default are essential principles to secure the technologies that have permeated our daily lives. Technology manufacturers should be intentional about ensuring that cybersecurity is a key aspect of product development from the start, such that their products are inherently safe and secure for all users,” said Mr. David Koh, Commissioner of Cybersecurity and Chief Executive, Cyber Security Agency of Singapore. “Security should not be an 'optional extra'. CSA is proud to collaborate with CISA and other partner agencies to develop the guide on Security by Design. CSA strongly encourages its adoption.”

“Cyberattacks resulting from software vulnerabilities are continuously increasing, and given their significant impact, secure management of these vulnerabilities is crucial. In Korea, there are actual cases where specific attack groups held multiple vulnerabilities in widely used solutions, and these vulnerabilities were exploited for attacks,” said Vice President Choi, Kwang Hee of KISA and head of KrCERT/CC. “Reviewing this guide has given us insight into the perspectives of international affiliated agencies. To ensure the secure development of domestic software products, we also plan to release a Korean version.”

“Products and services that are Secure by Design make up keystones in our common cyber resilience. This concept improves the quality of our guidance and advisories by incorporating elements such as zero trust and software supply chain risk management,” said Mr. Martin Albert-Hoff, Director of the Norwegian National Cyber Security Centre. “The NCSC NO is proud to work together with CISA and the other partner agencies, and this cooperation contributes to strengthening cyber resilience in today’s unpredictable global situation.”

“Successful results in the cybersecurity field can only be achieved in a collaborative manner. We are therefore delighted to contribute to this guide with the experience accumulated in the OAS/CICTE CSIRTAmericas Network, which brings together government Computer Security Incident Response Teams (CSIRTs) from 21 countries of the Americas and promotes the exchange of valuable information among them,” said Alison August Treppel, Executive Secretary at the Inter-American Committee Against Terrorism of the Organization of American States. “Aligned with the Network's experience, this guide recognizes the need for technology manufacturers, and CSIRTs as well, to shift from a reactive mindset to a model of continuous measurement and improvement of risk mitigation services. This guide serves as a clear example of the work the OAS has been conducting over the last 20 years, and will continue to do, to support member states in strengthening their cybersecurity capabilities, and building a more secure, resilient, and open cyberspace for all.”

“The concept of Security by Design was already incorporated in Japan’s Cybersecurity Strategy (hereafter referred to as the Japanese strategy). This updated guidance gives shape to the concept of Security by Design, and comes into alignment with the Japanese strategy,” said Mr. Atsuo Suzuki, Director General, Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC). “We are pleased with the joint sealing of this updated guidance, which contributes to the implementation of concrete measures based on the Japanese strategy.”

This guidance is intended to further catalyze progress toward investments and cultural shifts necessary for measurable improvements in customer safety; expanded international conversation about key priorities, investments, and decisions; and a future where technology is safe, secure, and resilient by design.

Recognizing that many private sector partners have made invaluable contributions toward advancing secure by design and provided valuable input to this update, the authoring agencies are actively seeking more feedback on this new version of the joint guide. At CISA, feedback can be sent to: SecureByDesign@cisa.dhs.gov.

For more information on CISA’s efforts to promote secure by design principles, visit our Secure by Design webpage.

Czech Government Approved the Report on the State of Cybersecurity in the Czech Republic for 2022

On Wednesday, 19 July 2023, the Government of the Czech Republic approved the "Report on the State of Cybersecurity of the Czech Republic for 2022"[1]. The document, prepared by the National Cyber and Information Security Agency (NÚKIB), shows that although there has been a slight year-on-year decrease in the total number of cyber incidents recorded by the NÚKIB, the Police of the Czech Republic recorded an almost twofold increase in cybercriminal activities over the same period. A twofold increase was also recorded in the number of cyber incidents within the critical information infrastructure, with the majority of them being attacks on the availability of services. State-sponsored cyber actors and the activities of cybercriminal groups remain the greatest threat to Czech cybersecurity. A significant step towards improving the security of the Czech Republic was the launch last year of the drafting of a new Cybersecurity Act, which includes, among other things, the EU cybersecurity directive NIS2, and it also deals with the supply chain security of information and communication technologies to strategically important infrastructure. The Cybersecurity Act is expected to take effect in the second half of 2024.

Statistical data from the report shows that although the Czech Republic has seen a slight year-on-year decline in the total number of cyber incidents recorded by the NÚKIB, from 157 in 2021 to 146 in 2022, the Police of the Czech Republic recorded an increase in cybercriminal activities to more than 18,000 crimes in the same period. The report also shows that the public sector recorded the highest number of cyber incidents, followed by the healthcare and private sectors. The most common attacks in the past year were phishing, spear-phishing, vishing, and fraudulent emails, as well as availability attacks (mainly DDoS attacks). Most incidents were recorded in April and October last year, with DDoS attacks significantly contributing in both cases. "Russian-language hacking groups were mainly responsible for this increase. In 2022, the NÚKIB issued 16 alerts and three warnings related to the current threat or vulnerability, with some of the warnings directly related to risks arising from the Russian invasion of Ukraine. Similarly, several incidents registered by the NÚKIB were directly related to the Russian aggression in Ukraine. Moreover, it is almost certain that this conflict will continue to affect Czech cyberspace," said Lukáš Kintr, Director of the NÚKIB.

The report also states that the NÚKIB has recently recorded an increase in incidents in the transportation sector. While in previous years they numbered only in single digits, in 2022 there were already 14 incidents. For the second year in a row, the number of recorded cyber incidents categorized as very significant declined, while the number of significant incidents increased. A positive trend that started in 2021 is the growing number of organizations increasing their cybersecurity budgets. However, funding and the lack of cybersecurity experts remain among the main issues and challenges for Czech institutions and organizations.

A significant step in cybersecurity in the Czech Republic in 2022 was preparing a new Cybersecurity Act, which is an essential pillar for maintaining a secure Czech cyberspace and is expected to come into force in October 2024. The new law contains everything the Czech Republic needs from a cybersecurity perspective. It responds to the dynamic developments in the security environment and reflects the practical experience of almost a decade of work with the current Cybersecurity Act. It also deals with the need for a mechanism for verifying the supply chain security of the most critical infrastructure for the state. Last, but not least, it is closely related to the new European cybersecurity directive NIS 2, which is part of the upcoming legislation. The final text of the NIS2 Directive was adopted during the Czech Presidency of the Council of the European Union. "I am pleased that in the six months under our leadership, the EU has achieved a huge shift in cybersecurity. I am glad that the individual Czech institutions have shown they can work as a team even during such a challenging period. Not only from a cybersecurity perspective, I can say that I am proud of how the Czech Republic has presented itself and what it has achieved," said Director Kintr.

Although a significant part of the NÚKIB's agenda last year consisted of participating in the preparation and implementation of the Czech Presidency of the Council of the European Union, the NÚKIB also worked intensively on the further development of cooperation with partners within the EU and NATO. Last year, the NÚKIB's awareness-raising activities and its organization of cyber exercises (seven domestic and three international), aimed at raising awareness of current cyber threats and creating conditions for training future experts in the field of cyber security, remained equally intensive. "We have participated in several domestic and international events, organized exercises, training sessions, seminars, or conferences, and have consistently worked to raise awareness and educate the public and our employees. More than 51,000 users have taken the freely available courses on our educational portal osveta.nukib.cz. The goal of all our activities is to make the Czech Republic a safer place to live," concluded Lukáš Kintr, Director of the NÚKIB.

The full Report on the State of Cybersecurity in the Czech Republic for 2022 is available here.

 

[1] The Report on the State of Cybersecurity in the Czech Republic is the primary document summarising what has been happening in the country's cybersecurity field over the past year. The main author is the NÚKIB, which sent out a 77-question questionnaire at the beginning of 2023 to entities regulated by the Cybersecurity Act and several other key institutions and organizations that the Cybersecurity Act does not regulate. The questions covered various topics, such as cyberattacks, cybersecurity costs, cybersecurity staffing capabilities, users, technologies, and processes in place. A total of 317 entities completed the questionnaire, 236 regulated and 81 unregulated. From the data obtained, the NÚKIB drew information for the Report on the State of Cybersecurity in the Czech Republic for 2022. All data from the questionnaires are anonymized.