It has been more than two years since the largest cyberattacks on Czech websites. The media paid a lot of attention to these attacks, as the first wave targeted the main news portals in the Czech Republic. The second wave targeted financial institutions. Despite the media attention, the attacks ended as suddenly and surprisingly as they had started. According to security experts, no serious damage was caused. Attackers used the Distributed Denial-of-Service (DDoS) method to disrupt the functionality of targeted websites, so people did notice that something was going on as they were not able to access their emails, but the media started to bring up famous cases from abroad and describe various catastrophic scenarios related to cybersecurity issues. It was probably thanks to these incidents that the public acknowledged that the responsibility for this domain is in the hands of the National Security Authority (NSA). The NSA was given the authority over cybersecurity in 2011. The Parliament passed the resolution on 19th September, 2011 and took the responsibility from the Ministry of Interior, where the police and other offices had been attempting to address this area. It took four years to prepare and pass the necessary legislation to confirm the position of the NSA. By chance, the attacks occurred while the law on cybersecurity was being discussed in the Parliament. As the NSA officials say with a smile, it was the best promotion for the law. The law on cybersecurity came into force in January 2015. Four years have passed since the NSA got involved in the domain of cybersecurity. Tremendous progress has been made since then; there is no doubt about that. The NSA increased its international cooperation on cybersecurity by sending an expert to the NATO Centre of Excellence in Tallinn, and established a virtual cyber shooting range in Brno together with the centre for cybersecurity.
The question is whether the actions taken during the last years made up for the delay the Czech Republic had in the field of cybersecurity when compared to other EU states.
2. Legislative Framework For Cybersecurity
The law on cybersecurity is the flagship of the NSA regarding the national approach towards security. It consists of several legislative documents – the law on cybersecurity (181/2014 Coll., from 23rd July, 2014), a governmental order changing the criteria for the identification of a critical infrastructure component (315/2014 Coll., from 8th December, 2014), a governmental notice on cybersecurity (316/2014 Coll., from 15th December, 2014), and a governmental notice on important information systems and identification criteria (317/2014 Coll., from 15th December, 2014).
2.1 The Law On Cybersecurity
The law on cybersecurity was drafted by the NSA in close cooperation with law experts from the Masaryk University. The draft was submitted for comments to a wider audience including different governmental bodies, Internet Service Providers (ISPs), NGOs, and private companies. The final document was afterwards submitted to the Parliament. The law itself is not very complex, as the purpose was clear – confirm the responsibility of the NSA towards the issue of cybersecurity and define basic terminology.
The law defines critical information infrastructure as a system or an item from the critical infrastructure in the field of communication and information systems with regards to cybersecurity. In other words, only systems, networks, or items directly related to critical infrastructure can be regarded as part of critical information infrastructure. Critical infrastructure is defined in the law on crisis management (240/2000 Coll., on crisis management) and selected according to given criteria. Critical infrastructure is organized in nine groups as defined in the governmental notice:
• Energy (Electricity, Gas, Oil products, Heating)
• Water management
• Medical care
• Communication and information systems
• Financial market and currency
• Emergency services
• Public services
Within the communication and information systems group is the definition of a critical infrastructure item related to cybersecurity:
• An information system influencing the operation of a critical infrastructure component, with inappropriate replacement costs, or replacement period longer than 8 hours;
• A communication system influencing the operation of a critical infrastructure component, with inappropriate replacement costs, or replacement period longer than 8 hours;
• An information system managed by the public sector containing personal data on at least 300000 persons;
• A communication system providing a connection of a critical infrastructure component with guaranteed data transfer capacity of at least 1 Gbit/s.
The law also specifies the roles of the national and governmental Cyber Emergency Response Teams (CERTs). The governmental CERT is established within the NSA, whereas the role of the national CERT is outsourced to a private entity.
Important information systems and important networks are also defined by this law. Important information systems are systems managed by the public sector that do not qualify as critical information infrastructure, but whose disruption would have an impact on public sector functions.
Important networks provide a direct foreign connection into public communication networks or provide connectivity to critical information infrastructure.
Important information systems and their detailed identification criteria are based on the notice issued jointly by the NSA and the Ministry of Interior. The obligation to report incidents and security breaches is established in the law as well. It also defines roles, in which dedicated staff is obliged to communicate with the NSA and defines a cybersecurity event (an event which might cause a cybersecurity incident) and a cybersecurity incident (a violation of data security/integrity in information systems and networks). The responsible persons have to report security incidents immediately after detection to the national CERT (incidents in important information networks) or directly to the NSA – the governmental CERT (incidents in critical information infrastructure or important information systems).
In reaction to the gathered intelligence and reports from international partners or domestic CERTs, the NSA has the authority given by this law to issue warnings, reactive measures, and protective measures. Reactive and protective measures have to be implemented in critical information infrastructure, important information systems, or important networks. The NSA can declare the state of cyber danger. The state is declared for a maximum of seven days. It can be prolonged by the NSA, but the duration of the state cannot exceed thirty days. When the state of cyber danger is declared, reactive measures declared by the NSA have to be implemented by ISPs and in important information systems. The announced measures have to be implemented without delay.
To sum up, the law confirms the authority of the NSA over the cybersecurity domain, but at the same time it limits its authority only to a particular part of cyberspace. Critical information infrastructure has the most obligations given by this law. It is derived from the critical infrastructure, which is a logical step. However, the law inherits the problems related to the definition of critical infrastructure. For example, chemical plants are missing from the list. Therefore, information systems operating chemical plants cannot be regarded as a part of Czech critical information infrastructure and they are not under the authority of the NSA.
2.2 Governmental Order 315/2014 Coll.
The purpose of this order was to adjust the detailed criteria for the different critical infrastructure groups as defined by the governmental order on criteria to define a critical infrastructure component (432/2010 Coll.). The order changes the detailed parameters, not the nine groups listed above.
2.3 Governmental Notice 316/2014 Coll.
This governmental notice was drafted by the NSA and it sets some cybersecurity standards applicable to entities specified above by the law. It also gives more detailed information on the communication patterns and defines basic terms used in the law. The notice defines the obligation for critical information systems managers to conduct a security audit at least once per year with a focus on cybersecurity. The management is also obliged to set up and use risk management methodology and to define its security policy with a focus on a list of defined topics (ranging from supplier management to secure usage of mobile devices). The obligation to ensure organizational security and to define security requirements for suppliers is applicable also to the management of important information systems. This applies also to the obligation related to information assets management, human resources security, operation and communication management, or to business continuity planning. There are special requirements singled out for the management of critical information infrastructure. Technical security standards cover mainly the level of encryption and the approved algorithms for the encryption of personal or sensitive information. It also mentions basic rules for password policies in affected entities as well as activity logging for audit purposes. It states that all users must have a unique identifier under which their actions in the system can be tracked, the passwords for such accounts have to be changed regularly, and they have to meet the minimal requirements mentioned in the notice. The notice also specifies which applications have to undergo penetration testing, and what documentation has to be available for the used applications or systems.
Failure to comply with this notice is punishable by the law. The penalty is defined as 100 000 CZK for a legal entity and 50 000 CZK for a natural person. The regulatory authority in the respective field might also use this failure as an argument to start its own investigation.
The governmental notice gives more information on the incidents as it defines different types of incidents based on the cause of the incident or on the consequence of the incident. A standard form for incident reports is also part of the notice. The attachment to the notice defines official scales for measuring the confidentiality level, the integrity level, and the availability level of the information asset. The scales for risk and threat assessment are also part of this document.
2.4 Governmental Notice 317/2014 Coll.
This notice defines the criteria necessary to identify important information systems. The identification is based on two main criteria – the impact and area of activity.
The impact of a security incident is defined from two perspectives. The first one is the impact on the provision of services by the state. The disruption of a system might disrupt the operation of a public authority or the provision of information to the public; or the management of a supervisor of critical information infrastructure or an important information system; and the disruption would be longer than three days. The second perspective is more focused on the real consequences. The disruption of the system may jeopardize a critical infrastructure component; cause more than 10 casualties or seriously injure more than 100 people; cause damage estimated as greater than 5% of the budget of a given public authority; affect the private lives of more than 50 000 persons; or significantly jeopardize public interest.
The area of activity criterion basically defines which activities of the public sector, in combination with the impact criterion, lead to the identification of an important information system. In other words, an important information system can only be an information system operated by a public authority used for the listed activities with possible impact as defined by the governmental notice. In total, 92 systems have been identified as important information systems by this notice.
The legislative framework appears to be sufficient to commence more efficient governance of cybersecurity in the Czech Republic. Nevertheless, since it is based on the existing laws defining the critical infrastructure, the imperfections of that law are transposed into the legislation related to cyberspace. An amendment to critical infrastructure legislation is needed, or at least an update of the related governmental notices. The selection process for critical infrastructure is crucial for its protection. It is possible to see that even if the cybersecurity law is perfect, it cannot be applied to critical systems operating infrastructure that might be important, but is not regarded as critical infrastructure. On the other hand, it is fair to say that this issue is more common in the EU, as the process to identify critical infrastructure on a national or European level is sometimes ambiguous or obsolete.
An amendment to the legislation has to be expected in case the EU directive on cybersecurity is passed. Despite the fact that the essence of the directive's draft – communication and cooperation between the public and private sector – is covered by the Czech law, new definitions of market operators have to be incorporated into the law, as the current definitions of actors will not be sufficient. But this is just a theory until the draft of the directive is finalized and approved.
It is possible to conclude that the theoretical apparatus is in place and sufficient. But it is the implementation which is the key to actually improving the level of security. Based on the notices described in this paper, negotiations between the NSA and managers of critical information infrastructure and important networks continue to identify the particular information systems for which the new legal obligations will be valid. Afterwards, a necessary period will be given to the management to actually implement the legal obligations for the selected networks and systems. Only after this implementation is finished will it be possible to say that the level of cybersecurity in the Czech Republic was influenced by the new legislation. This moment in the near future is only the beginning of a never-ending process of maintaining up-to-date standards and measures in order to secure cyberspace. There are many tasks to be performed to actually improve the cybersecurity level in the Czech Republic, and hopefully the NSA together with other stakeholders will manage to do so before Czech cyber assets become interesting to cyberattackers on a larger scale.