
National Cyber and Information Security Agency


Selected News

The TikTok app poses a security threat

The National Cyber and Information Security Agency (NÚKIB) has issued a WARNING against a cybersecurity threat consisting of installing and using the TikTok app on devices accessing critical information and communication infrastructure systems, information and communication systems of essential services and important information systems. NÚKIB has issued this warning based on the Agency's findings and information from partners. The Agency is concerned about the potential security threat stemming from the use of TikTok, primarily due to the amount of user data that is collected by the app as well as the way the data is handled. Such large-scale data collection is concerning due to the legal and political environment of the People's Republic of China (PRC), given that ByteDance, the developer and administrator of TikTok, falls under the legal jurisdiction of the PRC. The warning applies to authorities or persons that are obliged to implement security measures pursuant to the Cyber Security Act. The warning is in effect from the moment of posting on the notice board of the NÚKIB.

Based on the warning, obliged persons must respond by taking appropriate security measures. This threat is assessed as "High," meaning probable to very probable. The NÚKIB recommends prohibiting the installation and use of TikTok on devices that have access to the regulated system (corporate devices as well as personal devices used for work purposes) as the best way to eliminate or minimize the threat. The Agency also encourages the public to reconsider using TikTok as well as the quantities and types of data that they share through the app. We do not recommend the use of the app by “persons of interest” who hold high-level political, public, or decision-making positions. The warnings issued and the recommendations outlined above are in accordance with the Cyber Security Act, which requires NÚKIB to promote prevention in the field of cyber security.

"I proceeded to issue the warning based on a comprehensive analysis of information about TikTok that we obtained from public sources and our allies. The amount of data being collected and handled, combined with the legal environment in China and the growing number of users in the Czech Republic, leave us with no other choice than to describe TikTok as a security threat," said Lukáš Kintr, director of the NÚKIB, on the issued warning. Kintr added: "The warning does not distinguish between users from the public and private sectors. The key issue is whether a threat to a particular system could harm the functioning of the Czech Republic and the security of each of us."

The warning in its entirety can be found here: https://www.nukib.cz/download/publications_en/2023-03-08_Warning-TikTok-App.pdf.

Thanks to the work of NÚKIB during CZ PRES, EU cybersecurity has increased

The six-month Czech Presidency of the Council of the European Union (CZ PRES) has finished. While it was the second presidency in the Czech Republic's history, for the National Cyber and Information Security Agency (NÚKIB) as the central administrative body for cyber security it was a premiere, as the Agency was established only 5 years ago. However, it was a successful one. We managed to lead several working groups in the Council and outside of it, successfully organized a wide range of meetings, conferences and seminars, and also fulfilled all three priorities defined for CZ PRES:

- reaching consensus across all Member States on a proposal for a Regulation of the European Parliament and of the Council of the EU setting out measures to ensure a high common level of cybersecurity in EU institutions, bodies and agencies,
- advancing negotiations on the draft of the Cyber Resilience Act (CRA),
- enhancing and reinforcing the topic of supply chain cybersecurity in information and communication technologies (ICT).

Although NÚKIB had already been working on these issues before the Presidency, which we intend to continue to do in the future, CZ PRES has offered us a unique opportunity to take the lead and to move forward with our priorities. In this spirit, Lukáš Kintr, the Director of NÚKIB, expressed himself at the NIS Cooperation Group Meeting in September: "We will do our very best to move the cybersecurity agenda forward and thus significantly strengthen the resilience of the European Union as a whole." The fulfilment of all three priorities of NÚKIB has helped to achieve the Czech Republic's cybersecurity objectives set for CZ PRES and to build a substantial basis for further direction of the Czech Republic, as well as of the Union as a whole. We have therefore succeeded in fulfilling the goals we had set for the Presidency.

What exactly did we achieve? In October, the Council of the EU adopted conclusions on ICT supply chain cybersecurity, which highlighted the importance of joint action in addressing this issue, and outlined concrete steps and initiatives needed to strengthen this area across all EU Member States. This should eventually lead to reducing the impact of risky suppliers on the most important national information infrastructures. NÚKIB is already finalising the legislation draft that will reflect this objective and enhance the Czech Republic's cyber security.

Another priority set for CZ PRES was fulfilled in November, when the Council of the EU approved a general approach and thus expressed a unified position of all 27 Member States on the regulation draft on cybersecurity of the Union's institutions, bodies, offices and agencies. This regulation intends to enhance and fill the gaps in the current unsatisfactory state, where there are no common rules between EU entities and large differences in their levels of cybersecurity. The general approach was negotiated in a working party chaired by NÚKIB.

Last but not least, our priority was to start the debate on the Cyber Resilience Act, which sets out rules for the placing of products with digital elements on the European market. The aim of the CRA is to ensure the cybersecurity of these products throughout their lifecycle and to improve the awareness of their users. Following a readthrough of the proposal, the first revision of the text focused on the scope of the regulation was also prepared during CZ PRES and a progress report written by our Agency was approved. It will now be up to our Swedish colleagues to take the next steps necessary for adoption of this regulation.

Within the framework of CZ PRES, NÚKIB has organised approximately sixteen international events in Brno, Prague and Brussels, which were attended physically or virtually by hundreds of people. One of these events was the first informal reception of delegates of the EU’s Horizontal Working Party on Cyber Issues and NATO’s Cyber Defence Committee. The aim behind it was to strengthen cooperation between the EU and NATO, which was also one of the main priorities of the Czech Republic during the Presidency. It was the first ever meeting of this format, so we have successfully started a tradition that the upcoming Presidencies intend to continue. However, without a doubt, the biggest and most important event was the high-level Prague Cyber Security Conference held on 3 November 2022, which was attended by over 500 cyber security experts from more than 80 countries, the EU and NATO.

The aim of all activities was not only to exchange practical experience, but also to deepen mutual cooperation of all like-minded partners. The common goal has always been and always will be the strengthening of the EU’s security, to which we have, at least in the cyber area, significantly contributed by fulfilling the set priorities.

The Czech Republic enters the final phase of drafting legislation to reduce the risks associated with suppliers of information and communication technology

After initial deliberations on which and to what extent suppliers should be assessed and which infrastructure should be affected by limiting the use of high-risk suppliers, the National Cyber and Information Security Agency (NÚKIB) is now finalizing legislation that should significantly limit the influence of high-risk suppliers on the Czech Republic’s most important infrastructure.

In June 2022, the National Security Council of the Czech Republic instructed NÚKIB to prepare draft legislation introducing a supplier assessment mechanism with a deadline for submission to the government by May 2023. "I am pleased that, despite the complexity of this issue, we are succeeding in meeting the timetable for preparing the draft legislation. We are already close to being able to consult the specific wording of this extremely important legislation with partners from the public administration, as well as private and academic sectors," Lukáš Kintr, Director of NÚKIB, commented on the progress and added: "I believe that if all parties involved in the preparation are active and constructive, the Czech Republic can have a comprehensive system for reducing the state's dependence on untrustworthy foreign suppliers within two years. In the field of information technology, we hope to avoid the situation we are currently observing, for example, in connection with oil and gas supplies from the Russian Federation."

The supplier assessment mechanism should enable the state to detect untrustworthy suppliers of technological components of the most significant strategic infrastructure of the Czech Republic, assess risk associated with these suppliers, and, in case of high risk, restrict the use of such suppliers in the infrastructure.

As the term "most significant" suggests, the pending legislation should not apply to all systems and services regulated by the Act No 181/2014 Coll. on Cyber Security and change of Related Acts (Act on Cyber Security) but only to their subset with the most significant impact on the state and society. From the current division of the mandatory subjects of the Cybersecurity Act, the new legislation should impact critical information infrastructure and the information systems segment of essential services.

Nevertheless, the categorisation of regulated entities in the cybersecurity field will change due to the update of the EU Network and Information Security (NIS) Directive, the so-called NIS2. The implementation of NIS2 into national law is carried out by NÚKIB, so the two legislative changes are being prepared together and in synergy. The resulting proposals should thus comply in full with both Czech and EU-wide needs and requirements. NIS2 will only change the concepts concerning the supplier assessment mechanism, not the scope of the entities affected.

According to the draft mechanism, the assessment should be conducted by NÚKIB in cooperation with ministries, intelligence services, and other state organizations equipped with relevant information for assessing the supplier's credibility. The basis of the mechanism, however, will be fundamental information on suppliers provided by individual administrators of the regulated infrastructure. This information shall be combined with the state’s own information and information obtained from its peer partners and will be used to assess whether specific supplier assessment criteria are met. The criteria are to examine the existence and severity of threats posed by supply chains to national security or public order through the potential of foreign state takeover of a supplier, using the supplier for state espionage, disrupting the availability of critical foreign infrastructure, etc.

The assessment itself will be conducted by the state, focusing on suppliers already delivering their services to the strategic infrastructure, as well as their subcontractors and potential suppliers. If a risk associated with a supplier is identified, the state will be able to restrict its use in the regulated infrastructure, similar to the current warning under the Act on Cyber Security, or even prohibit such supplier by the means of measures of general nature affecting all relevant infrastructure managers. There will be no entitlement to assess a supplier and it is not the state's ambition to assess them all. Only those with an indication of a possible threat, for example due to the current security situation, will be assessed.

In particular, the mechanism is intended to assess potential suppliers. Consequently, all parties should be aware of the restrictions before selecting a specific supplier and signing a contract. However, a supplier may be assessed as untrustworthy after the contract has already been concluded. In that case, the infrastructure administrator shall be given a reasonable period to replace the untrustworthy supplier with a trustworthy one so that the restriction affects their business or other activities to the least possible extent. The whole process will therefore be as transparent and as protective of the rights of the infrastructure administrator and the supplier as possible. That includes the possibility for the authorities and persons concerned to comment on the scope of the intended prohibition on the use of the supplier.

The community of experts will have the opportunity to comment on the draft in a public consultation in the first quarter of next year. Information on further progress, including the possibility of commenting on the draft, will be provided on the NÚKIB website.

The high-level Prague Cyber Security Conference

On Thursday 3 November 2022, the Prague Cyber Security Conference, the largest event of the National Cyber and Information Security Agency (NÚKIB) within the framework of the Czech Presidency of the EU Council, took place in the Prague Congress Centre. The conference, which took place in a hybrid format, was a successor of the traditional Prague 5G Security Conference held in previous years. In total, over 500 cyber security experts from more than 80 countries attended the event. Approximately two dozen speakers consisted of both Czech and foreign statesmen, leading EU and NATO representatives and delegates from Asia. The discussion was mainly focused on supply chain security and new technologies, as this topic is also one of the priorities of the Czech Presidency. The event was a part of the two-day EU Secure and Innovative Digital Future Conference, which NÚKIB co-organised with the Ministry of Industry and Trade, the Office of the Government and in coordination with the Ministry of Foreign Affairs.

"A secure digital future requires strong cyber defence but also much more. It requires secure infrastructure, reliable partners, and resilient supply chains. That is what Europe is working on," said the President of the European Commission Ursula von der Leyen in her opening speech. Additionally, Czech Prime Minister Petr Fiala, Estonian Minister of Entrepreneurship and Information Technology Kristjan Järvan, Australian Minister of Home Affairs and Minister for Cyber Security Clare O'Neil and NATO Deputy Secretary General Mircea Geoană spoke in a similar vein. NÚKIB Director Lukáš Kintr, as a representative of the main event’s organiser, stated in his speech: "We need to re-evaluate our thinking, clarify our European strategy and strengthen the resilience of our digital backbone in the long term. A connected Europe will only be as secure as the technologies on which it is built."

Panel discussions focused on the security of the Information and Communication Technologies (ICT) supply chain

The opening speeches were followed by a series of four panel discussions where experts from different parts of the world discussed the security of ICT supply chains, their evolution, challenges, implications and solutions. The panels followed up on the recently adopted Council conclusions, which emphasised the importance of this topic among all EU countries. To handle the challenges that this issue poses to democratic countries, the exchange of good experiences is essential. The Russian invasion of Ukraine has shown the possible consequences of dependency on unreliable suppliers, who do not share Western values and interests. Given the dependency of today's society on ICT, the consequences of such a crisis in this sector would be much more serious for our society. The speakers of the conference agreed that cooperation with national and international partners, as well as between governments, academia and the private sector, is crucial for building a resilient and secure infrastructure based on trusted technologies. Furthermore, experts mentioned the need for diversity of providers to ensure their reliable and secure functioning, which is absolutely essential for our society, the state and other regional actors.

The first day of the EU Secure and Innovative Digital Future Conference was concluded with speeches by the Czech Minister of Foreign Affairs Jan Lipavský, and the NÚKIB Director Lukáš Kintr, who not only thanked the participants and the organisers of the Prague Cyber Security Conference, but also stressed the need for critical information infrastructure protection, for international cooperation and for an immediate focus on the security of the entire ICT supply chain ecosystem.

Bilateral meetings were also held during the Conference

Events such as the Prague conference also present opportunities for formal and informal meetings, where it is possible to share information and practical experience with partners and allies. Among others, representatives of NÚKIB met with delegations from Australia and the United States of America. While Director Kintr discussed national infrastructure resilience and education with the Australian Minister-Counsellor of the Department of Home Affairs for Europe Jaycob McMahon, he and the U.S. Department of Homeland Security representative Irang Kahangama had a discussion about joint exercises and enhanced information sharing with the Cybersecurity and Infrastructure Security Agency. Supply chain security was a common topic for both sessions, as well as for the entire conference.