The Cyber Security Strategy for the Czech Republic covers the period 2015 to 2020. The Cyber Security Council (CSC) came into being through Decision No. 781 of the Government of the Czech Republic (19 October 2011). The CSC advises the Prime Minister on cybernetic security. It also supports the NSA CZ, the body responsible for cybernetic security on issues demanding co-operation with other state bodies and operators of critical information infrastructures.
- Protection of fundamental human rights and freedoms and of the democratic rule of law principles.
- Comprehensive approach to cyber security based on principles of subsidiarity and cooperation.
- Trust building and cooperation among public and private sector, and civil society.
- Cyber security capacity building.
- Efficiency and enhancement of all relevant structures, processes, and of cooperation in ensuring cyber security.
- Active international cooperation.
- Protection of national CII and IIS.
- Cooperation with private sector.
- Research and development / Consumer trust.
- Education, awareness raising and information society development.
- Support to the Czech Police capabilities for cybercrime investigation and prosecution.
- Cyber security legislation (development of legislative framework). Participation in creation and implementation of European and international regulations.
WISER interview: Viktor Paggio, Národní bezpečnostní úřad - National Security Authority, Národní centrum kybernetické bezpečnosti - National Cyber Security Centre (October 2016)
National Cyber Security Strategy
|Year of adoption||
2011: The Cyber Security Strategy of the Czech Republic for the Period 2011-2015 was adopted in 2011. The strategy provides general cybersecurity principles and clearly stated goals.
In 2015 a new strategy was published, Czech Republic - National Cyber Security Strategy 2015-2020 (in English).
|Updates and revisions||
The Czech Republic’s National Cyber Security Strategy (NCSS) and the associated Action Plan (AP) were drafted by the Czech National Security Authority (NSA) and adopted by the Government in 2015.
Both cover the years 2015 to 2020. The previous NCSS and AP covered the years 2012 to 2015.
During the WISER interview with the National Security Authority representative, Viktor Paggio outlined the priorities for 2016:
|Implementation and monitoring||
In the interview with the National Security Authority representative, Viktor Paggio explained that the implementation of the National Strategy is incorporated in the Action Plan for the National Cyber Security Strategy of the Czech Republic for the Period from 2015 to 2020 (in English).
As of October 2016, most of the goals set by the Action Plan have been accomplished.
Every year, the NSA CZ presents the status of Action Plan implementation to the Government along with the Annual Report on Cyber Security. On July 20 2016, the Government took note of the 2015 Annual Report (in Czech).
Following the EU NIS Directive adoption, on September 30 2016, the NSA CZ proposed to the Government an amendment to the Cyber Security Act, which constitutes the basic legal framework of our action (source: Viktor Paggio). It should be noted that the Czech Republic followed the examples of Estonia and Hungary in adopting a separate Cyber Security Act even prior to the EU NIS Directive.
The current legislation for the National Cyber Security Centre is outlined here.
2015, 1 Jan: The Law No. 181/2014 Coll. on Cyber Security entered into force together with implementing regulations.
On 19 December 2014 the regulations implementing the Law No. 181/2014 on Cyber Security were published in the Collection of Laws:
The Act Coll. on the Cyber Security and on the Amendments of the Related Acts: no. 181/2014: 29 Aug. 2014.
By Decision No. 781 of 19 October 2011, the Government of the Czech Republic established the NSA to be the body responsible for cyber security and the national authority in this field.
Coverage with respect to the BSA Cyber Security Dashboard:
The Cyber Security Strategy of the Czech Republic for the period 2011-2015 was published in 2011. The strategy provides general cybersecurity principles and clearly stated goals. On 1 January 2015, the Act on Cyber Security came into force. This law includes comprehensive provisions on most aspects of cybersecurity and is complemented by several important regulations.
The country has also established a national CERT, CSIRT.CZ, as well as a CERT dedicated to government agencies: GOVCERT.CZ.
The National Cyber Security Centre was launched on 1 January 2015 to promote public-private partnerships. Furthermore, the Czech Republic is conducting a sector-based security risk assessment in cooperation with the academic and private sectors. The project is the first such assessment that addresses cybersecurity.
The Government CERT (GovCERT.CZ) based in Brno reached full operational capability at the same time as the NCSC in January 2016. Its main task is to collect reports of cyber incidents from specified entities, analyse them, and provide hel
CERT & CSIRT Capacity Building Strategy defined in the Action Plan 2015-2020.
Efficiency and enhancement of all relevant structures, processes, and of cooperation in ensuring cyber security
Develop a national coordinated incident handling procedure that will set a cooperation format, contain a communication matrix and a procedure protocol, and define each actor’s role.
Based on interview with Viktor Paggio.
The Czech National Security Authority (NSA) is establishing a new headquarters for its National Cyber-Security Centre (NCSC) and plans to significantly increase the centre's workforce.
Within the NCSC's constituency there are only businesses of strategic importance regulated by the Cyber Security Act. The NCSC helps them to safeguard their critical information infrastructure, provides them with security information and assistance, and enhances their knowledge about internet security. Most of the Czech businesses, including internet service providers, deal with the National CSIRT Team of the Czech Republic (CSIRT.CZ) run by CZ.NIC. (Source: Viktor Paggio).
The NSA has an ‘agreement on government security programme’ with Microsoft, under which the parties are able to share and exchange cyber security information, which means that the NSA has access to Microsoft products’ source codes and documentation. A similar information exchange agreement has been concluded between NSA and Cisco. Based on this memorandum of understanding, these two entities share cyberthreat information and exchange information on current cyber security trends and best practices.
Beyond these measures, there are currently no public-private partnerships for cyber security and no sector-specific security priorities established through government agencies.
A private cyber security cluster operates through the Network Security Monitoring Cluster (NSM Cluster), a co-operative industrial cluster focusing on network security and security in IT. It currently counts 21 members together with Masaryk University in Brno. Its activities include networking and know-how sharing; education and training about network security monitoring; and information sharing on network security trends. It also interacts with other associations and international organisations with regard to network security monitoring and security IT topics, for example, with ENISA and IT Security in Germany. One of its priority goals is to become an interregional grouping in the Czech Republic and within the EU.
Co-operation between the NSA and the universities is developing rapidly. The NCSC contributes to cyber security courses, co-operates with university CERT/CSIRTs, and makes use of university cyber infrastructure. For example, the Computer Security Incident Response Team (CSIRT-MU) is a part of the Institute of Computer Science, which is responsible for the development of information and communication technologies at the university.
|Risk assessment plan||
The Action Plan 2015-2020 sets out two actions on risk assessment with the aim of developing a methodology at the state level. The two actions are:
|Progress measures||Annual reports and progress checks on the Action Plan.|
Current status: NIS Directive and national CERTs/CSIRTs
|Computer security incident response teams (CSIRTs)||
May 2014: opening of the National Cyber Security Centre including a fully operational Government Computer Emergency Response Team for cyber security incidents handling.
Main tasks of the Cyber Security Center (website in Czech/ English):
CSIRT.CZ - (website only in Czech)
In addition to CSIRT.CZ there are other teams in the Czech Republic that are officially recognized by the world's infrastructure of CERT / CSIRT teams and published in the team list of the Trusted Introducer:
E-mail (primary contact): email@example.com
Phone (for escalations only): +420 234 262 077
Phone (in emergency only): +420 605 204 530
On target for the priorities set out in the national Action Plan for 2015-2020 with regard to capacity-building for CERTs/CSIRTs, including competence and skill development. New legal framework planned in line with EU NIS Directive to build legal capacities. Could encourage the development of local and national cyber security clusters involving both public and private sector organisations.
Threat Monitoring Exercises and Showcases at EU and International level
The Czech Republic is a long-term partner of the organiser of the Czech ECSM – the National Center for Safe Internet (NCBI, Národní centrum bezpečnějšího internetu).
For the 2016 European Cyber Security Month, the country will take part in many of the events, namely the ECSM Round Table on 30 September 2016. In September it will run the technical part of the Cyber Czech 2016 Exercise, present the pilot of the anti-cyberbullying "Digital Footprint" e-learning course for high schools, and also present its activities at the 2016 Future Forces international exhibition in Prague. (Source: Viktor Paggio).
The Czech Republic has taken part in NATO Cyber Coalition exercises since 2010. The agencies involved in 2015 were the NSA, MOD, Ministry of Foreign Affairs, Police, intelligence services, and also the Masaryk University and partners from the private sector (CSIRT.CZ and an antivirus company called AVAST). The Czech Republic also takes part in NATO Crisis Management Exercises (CMX), which usually involve some cyber scenarios. CSIRT.CZ has participated in the Cyber Europe exercises since 2010. National cyber exercises include Cyber Czech, which took place in October 2015 and in March 2016, utilising the KYPO Cyber Exercise & Research Platform of the Masaryk University. Last but not least, NSA and CSIRT.CZ take part in regional CECSP Exercises.
|Report an incident - general contact details||
The Regulation on Cyber Security also specifies the procedures for the reporting of cyber incidents, both to GovCERT.CZ (website in Czech/ English) and to CSIRT.CZ (website in Czech only). A report is to follow a predefined form and can be submitted via an e-form on the respective website, via e-mail, data mailbox, specified interface, or on paper.
For the incident reports, use the address: firstname.lastname@example.org
For non-incident-related messages, use the address: email@example.com
If it is not possible (or not advisable for security reasons) to use e-mail, the GovCERT can be reached by telephone at +420 725 875 205.
The GovCERT's hours of operation are generally restricted to regular business hours (09:00-17:00 Monday to Friday except holidays).
|Languages||Czech / English|
|Date of last WISER analysis||October 2016. Earlier assessments made in September 2016.|