Czech Republic (CZ)

Current status:

The Cyber Security Strategy for the Czech Repblic covers the period 2015 to 2020. The Cyber Security Council (CSC) came into being through the Decision of the Government of the Czech Republic n. 781 (19 October 2011). The CSC advises the Prime Minister on cybernetic security. It also supports the NSA CZ, which is a body responsible for the cybernetic security on the issues demanding co-operation with other state bodies and operators of critical information infrastructures.

Principles:

  • Protection of fundamental human rights and freedoms and of the democratic rule of law principles.
  • Comprehensive approach to cyber security based on principles of subsidiarity and cooperation.
  • Trust building and cooperation among public and private sector, and civil society.
  • Cyber security capacity building.

Main goals:

  • Efficiency and enhancement of all relevant structures, processes, and of cooperation in ensuring cyber security.
  • Active international cooperation.
  • Protection of national CII and IIS.
  • Cooperation with private sector.
  • Research and development / Consumer trust.
  • Education, awareness raising and information society development.
  • Support to the Czech Police capabilities for cybercrime investigation and prosecution.
  • Cyber security legislation (development of legislative framework). Participation in creation and implementation of European and international regulations.

WISER interview: Viktor Paggio, Národní bezpečnostní úřad - National Security Authority, Národní centrum kybernetické bezpečnosti - National Cyber Security Centre (October 2016)

National Cyber Security Strategy

Year of adoption

2011: The Cyber Security Strategy of the Czech Republic for the Period 2011-2015 was adopted in 2011. The strategy provides general cybersecurity principles and clearly stated goals.

In 2015 a new strategy was published, Czech Republic - National Cyber Security Strategy 2015-2020 (in English).

Updates and revisions

The Czech Republic’s National Cyber Security Strategy (NCSS) and the associated Action Plan (AP) were drafted by the Czech National Security Authority (NSA) and adopted by the Government in 2015.

Both cover the years 2015 to 2020. The previous NCSS and AP covered the years 2012 to 2015.

During the WISER interview with the National Security Authority representative, Viktor Paggio outlined the priorities for 2016:

  • Provide prompt & reliable assistance to NCSC's constituency – administrators of the strategic ICT networks defined by the Cyber Security Act (in English).
  • Continue to invest in the NCSC’s human capital providing the employees with top courses and trainings.
  • Further develop the ICS-SCADA & forensics lab, and other priorities.
Implementation and monitoring

In the interview with the National Security Authority representative, Viktor Paggio explained that the implementation of the National Strategy is incorporated in the Action Plan for the National Cyber Security Strategy of the Czech Republic for the Period from 2015 to 2020 (in English).

As of October 2016, most of the goals set by the Action Plan have been accomplished.

Every year, the NSA CZ presents the status of Action Plan implementation to the Goverment along with the Annual Report on Cyber Security. On July 20 2016, the Goverment took note of the 2015 Annual Report (in Czech).

Legal conditions

Following the EU NIS Directive adoption, on September 30 2016, the NSA CZ proposed to the Goverment an ammendment to the Cyber Security Act, which constitutes basic legal framework of our action (source: Viktor Paggio). It should be noted that the Czech Repblic followed the examples of Estonia and Hungary in adopting a separate Cyber Security Act even prior to the EU NIS Directive.

The current legislation for the national Cyber Security Centre Legislation is outlined here.

2015, 1 Jan: The Law No. 181/2014 Coll. on Cyber Security entered into force together with implementing regulations.

On 19 December 2014 the regulations implementing the Law No. 181/2014 on Cyber Security were published in the Collection of Laws:

  • Regulation No. 316/2014 Coll. on Security Measures, Cyber Security Incidents and Reactive Measures (“Cyber Security Regulation).
  • Regulation No. 317/2014 Coll. on the Determination of Important Information Systems and their Determination Criteria.
  • Decision of the Government No 315/2014 Coll. which amends the Decision of the Government No. 432/2010 Coll. on the Criteria for the Determination of the Elements of the Critical Infrastructure.

The Act Coll. on the Cyber Security and on the Amendments of the Related Acts: no. 181/2014: 29 Aug. 2014.

Decision No. 781 of 19 October 2011, the Government of the Czech Republic established the NSA to be the body responsible for cyber security and the national authority in this field.

Coverage with respect to the BSA Cyber Security Dashboard:

The Cyber Security Strategy of the Czech Republic for the period 2011-2015 was published in 2011. The strategy provides general cybersecurity principles and clearly stated goals. On 1 January 2015, the Act on Cyber Security came into force. This law includes comprehensive provisions on most aspects of cybersecurity and is complemented by several important regulations.

The country has also established a national CERT, CSIRT.CZ, as well as a CERT dedicated to government agencies: GOVCERT.CZ.

The National Cyber Security Centre was launched on 1 January 2015 to promote public-private partnerships. Furthermore, the Czech Republic is conducting a sector-based security risk assessment in cooperation with the academic and private sectors. The project is the first such assessment that addresses cybersecurity.  

Operational capacities

The Government CERT (GovCERT.CZ) based in Brno reached full operational capability at the same time as the NCSC in January 2016. Its main task is to collect reports of cyber incidents from specified entities, analyse them, and provide hel

CERT & CSIRT Capacity Building Strategy defined in the Action Plan 2015-2020.

Efficiency and enhancement of all relevant structures, processes, and of cooperation in ensuring cyber security

  • Develop an effective cooperation model at the national level among the cyber security actors – CERT and CSIRT teams, etc. and reinforce their existing structures and processes.
  • Develop, in coordination with other entities, a scheme and a detailed model of cooperation in ensuring cyber security.
  • Analyse the cyber security agenda and, based on the analysis, define main national interests and priorities for cyber security.
  • Carry out technical and non-technical cyber security exercises at the national level.
  • Develop a national coordinated incident handling procedure that will set acooperation format, contain a communication matrix, a procedure protocol and define each actor’s role.

Develop a national coordinated incident handling procedure that will set acooperation format, contain a communication matrix, a procedure protocol and define each actor’s role.

  • Develop a unified methodology for cyber security incident handling on the basis of the Act on Cyber Security and related regulations.
  • Develop a communication matrix for cyber security authorities (national actors, CII, IIS).
  • Provide description of a safe communication interface, which will enable the NSA to receive XML messages with cyber security incident reports automatically. It will also contain an XML schema description that meets the content of the form for cyber security incident reports, mentioned in the regulation no. 316/2014 Coll., complemented by the other non-obligatory options.
  • Develop a protocol of procedures successfully employed in ensuring cyber security.

Based on interview with Viktor Paggio.

The Czech National Security Authority (NSA) is establishing a new headquarters for its National Cyber-Security Centre (NCSC) and plans to significantly increase the centre's workforce.
The expansion is scheduled to be carried out between 2018 to 2023 with the aim of establishing a new laboratory, training centre and data protection centres as well as increasing the office's workforce.

Public-private partnerships

Within the NCSC's constituency there are only businesses of stategic importance regulated by the Cyber Security Act. The NCSC helps them to safeguard their critical information infrastructure, provides them with security information and assistance, and enhances their knowledge about internet security. Most of the Czech businesses, including internet service providers, deal with the National CSIRT Team of the Czech Republic (CSIRT.CZ) run by CZ.NIC. (Source: Viktor Paggio).

The NSA has an ‘agreement on government security programme’ with Microsoft, under which the parties are able to share and exchange cyber security information, which means that the NSA has access to Microsoft products’ source codes and documentation. A similar information exchange agreement has been concluded between NSA and Cisco. Based on this memorandum of understanding, these two entities share cyberthreat information and exchange information on current cyber security trends and best practices.

Beyond these measures, there are currenlty no public-private partnerships for cyber security and no sector-specific security priorities established through government agencies.

A private cyber security cluster operates through the Network Security Monitoring Cluster (NSM Cluster), a co-operative industrial cluster focusing on the network security and security in IT. It currently counts 21 members together with Mararyk University in Brno. Its activities include networking and know-how sharing; education and training about network security monitoring; and information sharing on network security trends. It also interacts with other associations and international organisations with regard to network security monitoring and security IT topics, for example, with ENISA and IT Security in Germany. One of its priority goals is to become an interregional grouping in the Czech Republic and within the EU.

Co-operation between the NSA and the universities is developing rapidly. The NCSC contributes to cyber security courses, co-operates with university CERT/CSIRTs, and makes use of university cyber infrastructure. For example, the Computer Security Incident Response Team (CSIRT-MU) is a part of the Institute of Computer Science, which is responsible for the development of information and communication technologies at the university.

Risk assessment plan

The Action Plan 2015-2020 sets out two actions on risk assessment with the aim of developing a methodology at the state level. The two actions are:

  • Choose a risk and a threat assessment methodology for the cyber security field at the state level.
  • Assess, on a continuous basis, cyber security risks and threats at the state level.
Progress measures Annual reports and progress checks on the Action Plan.

 

Current status: NIS Directive and national CERTs/CSIRTs

Computer security  incident response teams (CSIRTs)

May 2014: opening of the National Cyber Security Centre including a fully operational Government Computer Emergency Response Team for cyber security incidents handling.

Main tasks of the Cyber Security Center (website in Czech/ English): 

  • Coordination of activities of state bodies in the field of cybernetic security and contribution to fulfilling international obligations in this field.
  • Coordination between state bodies while fulfilling obligations in the field of cyber security stemming from membership of the Czech Republic in international organizations and coordination of participation of the Czech Republic in international organizations and other international activities associated with cyber security.
  • Providing for good cooperation between its members.
  • Discussion of current issues of cyber security and drafting expert proposals and recommendations to the Government.
  • Collection and analysis of information about cyber security provided by its members.
  • Drafting of report on the cyber security in the Czech Republic which shall be presented by the Prime Minister to the Government on a regular basis as a policy document outlining priorities and corresponding tasks in the field of cyber security.
  • Cooperation with external entities and using their information in order to provide for cyber security of the Czech Republic.

CSIRT.CZ - (website only in Czech)

In addition to CSIRT.CZ there are other teams in Czech Republic that are officially recognized by the world´s infrastructure of CERT / CSIRT teams and published in the team list of the Trusted Introducer:

  • CZ.NIC-CSIRT (website in Czech/English) Security Team for monitoring the network operated by CZ.NIC.
  • CESNET-CERTS (website in Czech/ English) Security Team that oversee the national research and education network, which is operated by CESNET.
  • CSIRT-MU (Website in Czech/ English) security team that oversees network of Masaryk University in Brno. How to report a computer security incident e-mail csirt@muni.cz or web form (Czech only) are the primary contacts to report an incident. Out of working hours or when it is not possible to report an incident via e-mail, you can always report an incident via phone number +420 549 49 4242, which is operated 24/7.
  • ACTIVE24-CSIRT(Website in English) security team of ACTIVE24, Ltd.

E-mail (primary contact): csirt@active24.cz

Phone (for escalations only): +420 234 262 077

Phone (in emergency only): +420 605 204 530

Best practices:

On target for the priorities set out in the national Action Plan for 2015-2020 with regard to capacity-building for CERTs/CSIRTs, including competence and skill development. New legal framework planned in line with EU NIS Directive to build legal capacities. Could encourage the development of local and national cyber security clusters involving both public and private sector organisations.

Threat Monitoring Exercises and Showcases at EU and International level

The Czech Republic is a long-term partner of the organiser of the Czech ECSM – the National Center for Safe Internet (NCBI, Národní centrum bezpečnějšího internetu)

For the 2016 European Cyber Security Month, the country will take part in many of the events, namely the ECSM Round Table on 30 September 2016. In September it will run the technical part of the Cyber Czech 2016 Exercise, presenting the pilot of anti-cyberbullying „Digital Footprint“ e-learning course for high schools, and also present its activities at the 2016 Future Forces international exhibition in Prague. (Source: Viktor Paggio).

The Czech Republic has taken part in NATO Cyber Coalition exercises since 2010. The agencies involved in 2015 were the NSA, MOD, Ministry of Foreign Affairs, Police, intelligence services, and also the Masaryk University and partners from the private sector (CSIRT.CZ and an antivirus company called AVAST). The Czech Republic also takes part in NATO Crisis Management Exercises (CMX), which usually involve some cyber scenarios. CSIRT.CZ has participated in the Cyber Europe exercises since 2010. National cyber exercises include Cyber Czech, which took place in October 2015 and in March 2016, utilising the KYPO Cyber Exercise & Research Platform of the Masaryk University. Last but not least, NSA and CSIRT.CZ take part in regional CECSP Exercises.

Report an incident - general contact details

The Regulation on Cyber Security also specifies the procedures for the reporting of cyber incidents, both to GovCERT.CZ (website in Czech/ English) and to CSIRT.CZ (website in Czech only). A report is to follow a predefined form and can be submitted via an e-form on the respective website, via e-mail, data mailbox, specified interface, or on paper.

For the incident reports, use the address: cert.incident@nbu.cz

For the non-incident related messages, use the cert@nbu.cz.

If it is not possible (or not advisable for security reasons) to use e-mail, the GovCERT can be reached by telephone at +420 725 875 205.

The GovCERT's hours of operation are generally restricted to regular business hours (09:00-17:00 Monday to Friday except holidays).

Languages Czech / English
Date of last WISER analysis  October 2016. Earlier assessments made in September 2016.

 

Contact us for more info