Czech cyber security preparedness still lacking
Cyber security shot up the agenda in recent weeks in the Czech Republic after the highly publicized hacking of the prime minister’s e-mail and twitter accounts by a group based in the United States. But if that’s raised questions about the state’s readiness to counter and combat cyber threats, the same questions hold true, perhaps even more so, for the private sector.
The dangers were highlighted at the start of this year by the hacking of Prime Minister Bohuslav Sobotka’s emails. That was embarrassing enough and has prompted a police investigation and steps from the National Cyber Security Centre, the state body tasked with protecting key state infrastructures and services from attack, to action. The centre is now examining how it can better safeguard targets through so-called ‘active defense,’ details of that are not being revealed.
At the governmental level, a law outlining the framework, responsibilities, and strategy for cyber security, such as identifying key installations such as power stations and networks, emergency services and the police from being disrupted and hacked, have been in place for a year now. The strategy document warned that police capabilities to deal with cyber security needed to be substantially bolstered.
But there has been action. A major two-day exercise back in October also, for example, simulated a hacking attack on a nuclear power plants.
Cooperation agreements between the centre and NATO and with key countries which lead in cyber security such as the US, South Korea, Israel and Estonia and Czech universities have also been forged.
But a lot of questions still seem to be posed. For one thing, the line between public and private which is drawn by the laws on Czech cyber security are not quite so clear cut on the ground. State institutions and strategic state companies often outsource part of their IT and cyber security responsibilities to private companies. Some may store key date in cloud systems that might be based far away from the country.
“They are certainly not prepared very well but they are improving and in some sectors they are improving very rapidly. The problem is motivation because top management of the company has to be ready and consider cyber security as the main topic and, unfortunately, that often does not happen.”
Flídr warns as well that some companies when faced with fulfilling their legal cyber security responsibilities actually prefer to take a fine rather than do the work required because it comes out as a cheaper option in the short-term.