Czech Republic: a new cyber security leader in Central Europe
A new cyber security leader in Central
Lucie Kadlecova1 and Michaela Semecka
The Czech Republic has a long history of industrial development and technological innovation. Since the nineteenth century, the nation has been famous for its prominent sectors of heavy industry' and its technological prowess, which have provided its governments with a steady source of income. Not surprisingly, this historic heritage is reflected in present day Czech society, which has embraced a leading role in information technology (IT). Today, analysts recognize the international success of Czech IT companies such as Avast and AVG (both of which produce antivirus software) as well as the sterling reputation of the technical universities in Prague and Brno. The Czech Republic, and the city of Brno in particular, are sometimes referred to as the “Central European Silicon Valley.’’ However, some critics allege that the Czech government initially underestimated the nation’s great IT potential and the sector’s importance to the development and security' of Czech society', only' beginning to take cyber security seriously after Czech cyber space suffered a major cy'berattack in the spring of 2013.
Prior to the 2013 cy'berattack that served as a wake-up call for Czech authorities, responsibility' for cyber security' was rather decentralized. Multiple ministries and government agencies exercised power over cy'ber space, resulting in various gaps and overlaps in their areas of responsibility'. Only in late 2011 was the Czech National Security Authority (NSA) appointed as the main authority for cyber security'. It was tasked with creating a National Cyber Security Centre (NCSC) in order to centralize and coordinate government action. Shortly afterward, a cyber security strategy' for 2012-15, the first document of its kind in the Czech Republic, was adopted (National Cyber Security' Centre, 2012). The strategy' had two very basic but essential goals: to propose a legislative framework for addressing cy'ber security issues and to build the capabilities necessary to ensure a basic level of national cy'ber security. The latter task included the creation of a governmental Computer Emergency Response Team (CERT) in 2012. Although the 2012-15 strategy' did not set out extremely ambitious goals, it laid a foundation for building the basic capacities and capabilities which guarantee a fundamental level of national cyber security and provide a solid basis for further development.
The impetus for the establishment of a more wide-ranging approach to cyber security came about in March 2013 when Czech cyber space was hit by a serious campaign of cyberattacks targeted at Czech media websites, the banking sector, and mobile telephone operators.” Although the disruption of services in those sectors lasted only couple of days, Czech authorities took it as a wake-up call requiring a series of complex actions, which followed not long after. First was the enactment by Parliament of an Act on Cyber Security and Change of Related Acts (Act No. 181/2014 Coll., 2014) which entered into force at the beginning of 2015. This comprehensive act replaced a hodgepodge of laws and regulations which had not fully addressed the entire spectrum of cyber activities. Before its enactment, the draft bill was scrutinized by various IT practitioners, companies, and experts, which allowed for broad debate on the topic and provided a valuable bottom-up perspective. This process initiated an ongoing program of cooperation between governmental institutions, the private sector and academia.
At the same time, a new National Cyber Security Strategy for the Period 2015-20 was adopted (National Cyber Security Centre, 2015). This strategy moved on from proposals for elementary capabilities envisioned in the first strategy to the ambitious goal of securing the highest possible level of cyber security in the Czech Republic. Most importantly for this chapter, the strategy outlined the Czech Republic’s aspirations “to play a leading role in the cyber security field within its region and in Europe,” which was highly ambitious but nevertheless reflected the swift progress of the country up to that point in improving cyber security (National Cyber Security Centre, 2015: 7). To fulfil this high aspiration and to adopt a truly comprehensive approach to cyber security, the Czech government agreed in winter 2016 to separate the NCSC from the NSA and form a National Cyber and Information Security Agency (NCISA), a civilian agency dedicated to cyber security. NCISA was authorized to undertake a wide spectrum of activities and provide a higher quality of service to the government and the IT sector. By 2025, NCISA will have grown ten-fold in budget and staff. It will acquire new premises around 2022. NCISA has been operational since August 2017, taking over and broadening the existing portfolio of the NSA’s cyber activities.
Thus, despite a relatively late start, the Czech Republic has quickly adapted to the challenges inherent in the cyber space environment. With its government, the private sector, and academia working together, it has the potential to become a new leading regional player. Nevertheless, there still remain a number of unresolved cyber issues that first need to be addressed.
This chapter is divided into two main parts. First, the authors introduce two successes that highlight the Czech Republic’s role as a regional cyber power. These are the development of highly advanced systems for identifying and protecting critical information infrastructure and for utilizing the great capacity of the Czech Republic’s human resources in IT. Next, the chapter examines two issues that have slowed the otherwise rapid cyber development in the country and which need to be urgently addressed in the next few years in order to allow the country to become the region’s cyber security leader. These are a low level of implementation of e-govemment, in which the Czech Republic has fallen behind the rest of developed Europe, as well as slow progress in building up cyber defense capabilities. The chapter’s conclusion will wrap up the whole argument and point out a direction for future development.
Protection of critical information infrastructure: a case of building trust
As in many European states, critical information infrastructure (CII)3 protection has become the Czech Republic’s top priority since it laid down the building blocks for better cyber security in 2011. CII includes the communication and information systems essential for the smooth functioning of a society and economy. CII is a valuable target for enemies that are both state and non-state actors in cyber space. Energy, finance, medical, transportation, and telecommunication assets located around the globe have been targeted for disruption by a wide array of actors. Given its importance and the increasing potential for exposure to cyberattacks, the need for protection of CII cannot be underestimated.
A strong foundation for CII protection begins with a comprehensive legal framework. In the Czech Republic, the cornerstone is the Act on Cyber Security (Act No. 181/2014 Coll., 2014) and its implementing regulations.4 The Act, which preceded the 2016 EU Directive on Security of Network and Information Systems (NIS Directive) (European Union, 2016), entered into force on January 1, 2015 and was amended two years later based on the newly adopted EU legislation. It defines regulated entities and their obligations.5
The Act also gives the government authority to declare a state of cyber emergency.6 In order to stop major incoming attacks, a declaration of a state of cyber emergency grants the NCISA authority to issue orders to internet service providers (ISPs), which are not regulated entities in normal situations. In practice, this measure is only likely to be used exceptionally. Cooperation between ISPs and the government CERT generally works well and orders could be issued after appropriate consultation and recommendation. No state of cyber emergency has yet been declared, but its use has been extensively tested both at the national and international level.7 One of the hypothetical instances, when the cyber emergency could be used, would be a case of cyber terrorism as defined in the Czech Audit of the National Security (Ministry of Interior, 2018a).
A state of cyber emergency is something unique to the Czech Republic in the context of international cyber crisis management (Boeke, 2018). A declaration of a state of cyber emergency precedes a general state of emergency and gives NCISA an opportunity to handle a cyber incident by itself. Only if NCISA is unable to handle the situation within 30 days would the Prime Minister declare a state of emergency under the Crisis Act (Act No. 240/2000 Coll., 2000). No other European state has such a provision for declaring a state of cyber emergency, nor is there a similar EU policy. Most EU member states foresee declaring a full state of emergency immediately and handling the situation on the basis of their general crisis management acts, not their cyber-related legislation.
Although the Czech legislation creates a solid foundation for protection of CII, cyber security cannot be fully ensured unless the regulated entities are willing to maximize protection of their own systems. Therefore, the Czech legislation was drafted with trust and cooperation between the state and regulated entities in mind. All regulated entities were involved in the process of drafting the law. A map of institutions affected by the legislation was drawn up. Their representatives were invited to meetings in which they were given a chance to voice their doubts, provide feedback, and propose amendments to the wording of the legislation. Three years later, in 2017 when the Act on Cyber Security had to be amended to conform to the EU NIS Directive, the Czech Republic took the same approach again. Before the legislation was submitted to Parliament, a draft of the amended law was made public and was available for comment to anyone from the general public and the expert community.
By giving all the stakeholders a chance to influence the final wording of the cyber security law, the Act was perceived not as a purely authoritarian decree by the state but rather as the outcome of the cooperation of a number of subjects. Such an approach was promoted by several institutions and regulated entities on a number of occasions. It established a sound basis for further development of good relations with the private sector. NCISA is profiting from this approach, as it is still evident that regulated entities are more open to cooperation than they might otherwise be (Kadlecova, Bagge, Borovicka & Semecka, 2017: 16).
One of the pillars upon which Czech cyber security legislation was built and which contributes to greater mutual trust is the minimal amount of state coercion that is applied. Operators of СИ, like other regulated entities, have free choice in how they implement the security measures set forth in the Act on Cyber Security. Because the main responsibility' for network protection lies with them and they' are the ones most familiar with their own network infrastructure, they' are best equipped to strengthen their own systems. Therefore, the legislation avoids setting rigid rules by' indicating the desired end state of affairs and giving institutions free choice in how to reach it. Cy'ber security is a fast-developing field and national legislation should be flexible enough to accommodate new elements or tactics of protection. A similar approach may prove to be suitable, for instance, for the banking sector, which is well known for its emphasis on cy'ber security and the implementation of extra measures of security'.
In the spirit of mutual trust, the state acts more as a partner than a sanctioning authority. NCISA, which controls implementation of the Act on Cyber Security', devotes considerable effort to explaining responsibilities to all regulated entities. The Agency keeps in close touch with CII operators, ready' to assist them with implementing the legislation. Its goal is not to penalize but to help secure systems of critical infrastructure to the highest degree possible.
NCISA also strives to be a partner when it conducts cyber security audits of regulated entities. The primary aim of these controls is not to look for errors and impose penalties, but to help subjects to maximize the security of their systems and networks. Therefore, NCISA, which conducts the audits, highlights solutions and suggests remedies for shortcomings rather than simply identifying shortcomings, penalizing them, and leaving it at that. This “auditing to improve” is quite unique in the Czech state administration and has further increased mutual trust between the national cyber security authority and the operators of CII (Kadlecova, Bagge, Borovicka & Semecka, 2017: 20).
As developments abroad have demonstrated, the Czech approach to protection of CII has been influential. Transposition of the EU NIS Directive into the national legislation of the Czech Republic has been relatively smooth and fast. Czech cyber security legislation is built around a right to undisturbed access to the Internet and information rather than on resolving conflict between security and personal data protection, as it is sometimes framed elsewhere. The EU NIS Directive is based on a similar logic. Czech experts are regularly being invited to visit partner states in the Balkans, Ukraine, and Morocco to help build local cyber security frameworks and draft legislation.
Trust between CII operators and the state is vital. Without trust, operators would be hesitant to share information about cyber incidents and the state would be left in the dark. It would not be able to help resolve cyberattacks and would not be able to perceive the bigger picture of cy'ber security' in the country. Creating an environment in which all stakeholders are involved in formulating rules, in which the state is perceived as a partner rather than a sanctioning authority, and in which not errors but remedies for errors are highlighted, has proven to be one of the lasting building stones of national cyber security in the Czech Republic.
Investing in human capital: investing in the future of cyber security
People are the most important ingredient of cyber security. A state can possess all the latest technologies and have a comprehensive legal framework in place, but without a dedicated, skilled workforce not much success can be achieved. It is people who set forth visions and the steps to achieve them. It is people who build strong relationships with national and international partners. And it is people who come up with innovative ideas. The Czech Republic has proven that it has great capacity in terms of human resources, both in the state administration and in the private sector.
This strength has been confirmed during international cyber security exercises, in which the Czech team has constantly taken top positions. Locked Shields, organized by the NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE), is the largest cyber security exercise and serves as an example. In its 2017 iteration, in which more than 900 experts from 25 countries took part, the Czech team won first place, followed by teams from Estonia and NATO’s NCIRC. The Czech team was comprised of representatives of NCISA, the state administration, the intelligence services, the private sector, and academia. The exercise gave the Czech Republic’s diverse team an opportunity to cooperate closely as they practiced handling a major cyberattack.
The potential of the Czech Republic’s human capital has also been reflected in the successes of Czech IT companies, such as the antivirus companies Avast and AVG. Avast has more than 400 million users worldwide. Its success was put into the spotlight when its stock was listed on the London Stock Exchange in May 2018. The company was valued at jQ2.4 billion and was one of the UK’s biggest technology listings ever (London Stock Exchange, n.d.).
The Czech Republic can be proud of its well-above-average programming talent too. Many countries face a lack of cyber security experts and it would be incorrect to say that the Czech Republic is in every way an exception. However, statistics indicate that the situation there is better than in most countries. Around 3% of the population are employed as software developers, whereas in the United States the number hovers around two to 2.5%. The number of programmers is enhanced by their quality. Statistics on GitHub (a web-based service for hosting open-source software projects) indicate that Czech software developers are creative and skillful. The Czech Republic ranks twenty-first among the countries of the world in the number of “pushes” on GitHub. In other words, it is the twenty-first-ranked country whose developers upload the most codes onto the platform (Strosova, 2018). Combined with a stable economy, a favorable location, and a relatively low-cost workforce, it is not surprising that corporations such as Microsoft, IBM, and Red Hat have located their development divisions in the Czech Republic.
Thanks to Czech academia, the trend to a strong cyber security workforce is likely to continue in the foreseeable future. Strong cyber security teams can be found at the main universities — the Czech Technical University in Prague (CVUT), the Technical University in Brno, Charles University, and Masaryk University are top European educational and research institutions in their fields. For example, the origin of the research cyber security team at Masaryk University in Brno, which is a member of the Forum of Incident Response and Security Teams (FIRST), dates back to the 1980s, when the university’s computer network was being created. As the university team grew, more projects came in and more cooperation with other entities was established. In 2007, the university team reached an agreement with the U.S. Army. A few years later it commenced cooperation with NATO as well. Nowadays, it tests and improves the skills of its members in its own
“cyber range” (Fojtu, 2018: 5). Another example of success is CVUT, which is well-known for its Institute for Informatics, Robotics and Cybernetics, which strives to create synergies among different research projects and produce unique IT outcomes. Cyber security education programs at universities and high schools are constantly broadening and increasing in number, and with them the pool of future cyber security experts in the Czech Republic and beyond.
E-government: wasting an opportunity
E-government in the Czech context is understood as governance using modern electronic tools to make public administration more friendly, accessible, efficient, faster, and cheaper for its citizens (Ministry of Interior, 2018b). At least that is the perception of e-government as it is seen through the lens of the Ministry of Interior, the main national authority responsible for implementation of e-government in the Czech Republic. This definition is essentially correct, and if it is successfully implemented, it would help the Czech Republic to achieve its goal of becoming a regional leader in the cyber domain. However, the reality is far from the vision. The Czech authorities need to first overcome a series of shortcomings, such as the lack of stable leadership and a coherent framework for implementation of e-govemment.
At first glance, the Czech Republic appears to be a fairly well-interconnected and digitalized country with a high degree of dependency on information and communications technologies. Based on the available data from Eurostat, the percentage of Czech households with internet access has gradually grown in recent years, reaching 83% in 2017, which is not that far off the European average of 87% (Eurostat, 2018a). A similar trend can be observed with regard to private enterprises in the Czech Republic, whose access to the internet even exceeded the European average of 97% in 2017 by one percentage point (Eurostat, 2018b). These seem to be promising indicators, which one would expect to be reflected in the development of e-government. However, the percentage of individuals using the internet for interaction with public authorities in the Czech Republic has shown a rather irregular trend of growth, which has caused the country to fall behind the European average in some respects. For instance, in 2010 the percentage of Czech individuals using the internet for communication with public authorities was 23%. That increased to 30% in 2012 and 32% in 2015, but it stagnated at 36% in 2016 when the EU average was already at 48% (Eurostat, 2018c). A similar picture from a different point of view is provided by the UN E-government Knowledge Database which positioned the Czech Republic in fiftieth place worldwide in 2016. That would not be a bad result if the country had not already placed at forty-sixth in 2012 and fifty-third in 2014, suggesting that there has not been much progress in Czech e-government in the past decade (UN, 2016).
The first e-government strategy was approved by the Czech government in 1999. Since then the most important phase in the development of e-government was the period 2007-13, when all activities in this regard were concentrated in the Ministry of Interior and the main pillars of e-government in the Czech Republic were built. The flagship project of this period was the creation of a network of one-stop access points to e-government services called Czech POINT in post offices and municipal buildings. Citizens can access all public records through the one-stop points and obtain transcripts from national registers, which reduces administrative burdens (Ministry of Interior, 2018c). Following the success of Czech POINT, the government initiated another scheme, a data-box project that has provided the general public with a secure repository for official electronic communications with the public authorities since 2009 (Ministry' of Interior, 2018d). Finally, the third important and successful project of the era was the basic registers, a central information source aggregating the public authorities’ information systems. The basic registers include, for instance, the register of inhabitants and the register of persons and companies. The basic registers also serve as a central hub for interchange of information held in information systems like those for vehicles and drivers (National Registers Authority, 2018). Since the implementation of these three projects, the Czech government has set further goals that do not seem to promise the relative success of Czech POINT, data boxes, and basic registers. An example of such projects is the introduction of new e-ID cards and the implementation of intelligent electronic forms that would facilitate citizens’ interaction with the public authorities without the need for visiting offices in person.
With a closer look at recent developments in Czech e-government, three major shortcomings can be identified.4 First of all is the low quality of the national strategies for e-government, which have rarely been re-evaluated or updated, resulting in a lack of detail about the effect of e-government implementation. Furthermore, most of the strategies can be criticized for their rather broad scope. Second, Czech e-govemment lacks stable political and executive leadership, which has resulted in a lack of a continuous vision and effort to implement goals for expanding e-government. Finally, the national government is often criticized for a strictly top-down approach to e-government, which fails to encourage participation by stakeholders during the preparatory' phases of new legislature, strategic documents and e-government schemes (Spacek, 2015).
The Czech government tries hard not to be passive in the implementation of its e-government projects, as the examples of Czech POINT, the data boxes and the basic registers illustrate; nevertheless, it lags behind e-government role models such as Estonia and its highly' developed digital society. The Czech projects currently' are not evolving much further, and the Czech Republic is falling behind in the successful implementation of new schemes, as well as suffering from a number of other serious shortcomings. Although the Czech Republic might have the potential to take advantage of more advanced e-government services, it will not do so unless those deficiencies are addressed. The first step in this direction might be the Strategy for Coordinated and Complex Digitalization in Czech Republic 2018+ which promises to deliver a complex solution for digital agenda including e-government and which was approved by the government in October 2018 (Sedlak, 2018).
Active cyber defense: no legal framework - yet
To maximize national security' in the country, there are still some issues that need to be resolved. Cy'ber defense is one of them and ensuring it is of fundamental importance to overall national security'. A symbolic building block of cyber defense was laid with publication of the National Cy'ber Security Strategy for the Period 2015-20 and its Action Plan. In these strategy' documents, the Czech government decided to create, under the aegis of military intelligence, a National Cyber Operations Center,10 which is responsible for the cy'ber defense of the country. The center opened in 2016. Two years later it published its first cyber defense strategy, which was a necessary precondition for effective and complex cy'ber defense (National Cyber Operation Centre, 2018). In that strategy, the Center outlined its plans for developing active cyber defense capabilities. However, a law that would have framed its activities failed to pass through Parliament and as of ntid-2018, the legal framework for cyber defense is still in limbo.
A mandate for cyber defense is essential to complete the spectrum of national security measures. Where cyber security11 ends, cyber defense12 begins. NCISA, the national authority in the field of cyber security, is responsible for handling cyber security incidents affecting its constituency. However, when cyberattacks are conducted on a massive scale and cannot be handled by traditional cyber security tools alone, military intelligence should step in and help to resolve the situation by active measures (Packa, 2015). The exact situations that would trigger of use of active cyber defense are yet to be determined. Of course, cyber security and cyber defense are not two separate issues. In the event of a cyber security incident, military intelligence cannot suddenly take over responsibility from the civilian authorities. For cyber defense measures to be effective, military intelligence must be in contact with cyber security agencies on a daily basis. Therefore, a comprehensive cooperation framework between cyber security and cyber defense entities should be set up, applicable in both peacetime and conditions of war.
To create a stable environment for cyber defense activities, Czech military intelligence officials decided to anchor their cyber defense activities in legislation. In October 2016, they proposed an amendment to the Act on Military Intelligence, which was meant to clearly set forth their competencies in the area of cyber defense. In the amendment, it was proposed that Czech military intelligence have the right to introduce “technical means” onto “electronic communication providers’ networks” (Military Intelligence, 2016). However, authority to conduct active cyber operations against a foreign adversary, which is the main element of cyber defense, was omitted.
The amendment was severely criticized by the community of experts in cyber security'. Three major cyber security' organizations — CZ.NIC, which operates the domain name registry for the “.CZ” domain and is the operator of the national Computer Security' Incident Response Team (CSIRT); NIX.CZ, a trade association of Internet service providers in the Czech Republic; and the ICT Union, a professional association of companies active in the field of information technology — sent a letter to then Prime Minister Bohuslav Sobotka asking that the legislation be tabled and discussion with affected stakeholders reopened (CZ.NIC, 2017). They' argued that the proposed new authority of military intelligence to place “technical means” onto the ISPs’ networks would be problematic for several reasons. Their most serious concern was the issue of privacy. If devices were to be installed on the ISPs’ networks, it would be technically possible to intercept and record most Internet traffic. Given that the purpose of military intelligence is to gather and assess information, it would be difficult to believe that they would refrain from reading the content of Internet traffic. In addition, such a measure would create a “single point of failure.” If the military intelligence authorities lost control over its devices to a third party, its devices would be a place from which networks across the country could be attacked and possibly the Internet could be cut off altogether (CZ.NIC, 2017).
Military' intelligence tried to dispel those doubts. Its representatives argued that they would be looking only for anomalies in network traffic, not content. If an anomaly appeared, intelligence officials would examine the content of a suspicious communication only' after seeking and receiving permission from a court to do so. Despite those assurances, many critics still considered the “black boxes,” as the media labelled the technical means of military intelligence, to be a threat to privacy' (topek, 2016).
The amendment to the Act on Military Intelligence did not pass. The Chamber of Deputies did not manage to enact the law before parliamentary elections in October 2017 and military intelligence still lacks legal authority to conduct active cyber defense operations.
In the summer of 2018, military intelligence issued its first Cyber Defense Strategy, which listed enactment of a legal framework as one of its priority goals (National Cyber Operation Centre, 2018). At the moment, however, it is still unclear when the amendment will be resubmitted to the Chamber of Deputies, how its wording will change, and to what extent those changes will be consulted with the expert community.
The Czech Republic is a latecomer to national cyber security in comparison to other countries which aspire to be or are considered to be leaders in the field. Nevertheless, the enormous progress in legislation, policy and leadership of the past few years shows the large cyber potential which the country possesses. The country’s human resources and its advanced system for identifying Cl I and protecting it from attack are shining examples of that. This progress, together with the will of government authorities to continue it, can indeed ensure that the Czech Republic achieves its goal, outlined in the most recent cyber security strategy for the period 2015—20, of playing a leading role in the field of cyber security, not only in the region but in the whole of Europe. However, before that happens, the Czech authorities need to address several pressing issues which are holding the country back from fulfilling its ambition. E-government and cyber defense are examples of deficiencies that are closely linked to national cyber security. Ignoring them can have fatal impact on the reputation of the country abroad with regard to cyber issues. If those issues are addressed in the coming years, the Czech Republic will truly be the leader in cyber security that it hopes to become.
- 1 Lucie Kadlecova’s work is supported by the Grant Agency of Charles University under grant number 250418.
- 2 For more details on the 2013 campaign of cyberattacks, see, Kadlecova, Bagge, BoroviCka and Semecka (2017).
- 3 Cll is defined in the Act on Cyber Security as “an element or system of elements of the critical infrastructure in the sector of communication and information systems within the field of cyber security” (Act No. 181/2014 Coll., 2014: §2b).
- 4 Regulation No. 316/2014 Coll, on Security Measures, Cyber Security Incidents and Reactive Measures, Regulation No. 317/2014 Coll, on the Determination of Important Information Systems and their Detennination Criteria, Decision of the Government No. 315/2014 Coll., which amends the Decision of the Government No. 432/2010 Coll, on the Criteria for the Detennination ot the Elements of the Critical Infrastructure, are available here: www.govcert.cz/en/legislation/legislation/.
- 5 Entities regulated by the Act are: (a) operators of critical information infrastructure systems, (b) operators of critical information infrastructure communication systems, (c) electronic communication service providers, (d) operators of important networks, and (e) operators of important informa- tion systems.
- 6 The Act on Cyber Security defines a state of cyber emergency as “a state in which there is a high measure of threat to the security of information of information systems or electronic communication network services or to the security and integrity of electronic communication networks, and this could lead to breaches or threats to the interests of the Czech Republic in line with the meaning of the Act on the Protection of Classified Information” (Act No. 181/2014 Coll., 2014: section 21(1)).
- 7 Crisis management is part of every national exercise the NCISA organizes. At the international level, it has been tested for example during NATO CMX in 2016 and 2017.
- 8 For detailed statistics, see, European Commission (2017).
- 9 David Spacek (2015) from Masaryk University in Brno has identified more shortcomings than the ones discussed here. Only the most significant ones were selected for the purpose of this chapter.
- 10 The National Cyber Operations Centre was originally called the National Cyber Forces Centre. It has changed its name with publication of the Czech Cyber Defense Strategy.
- 11 In the Czech Republic, cyber security is understood as a term encompassing a broad range of preventive and reactive measures intended to increase robustness and resilience of national information infrastructure. The exact wording of the Czech definition of cyber security can be found through the National Cyber Security Centre (2015).
- 12 There is no unified definition of cyber defense in the Czech Republic. For purposes of this article, cyber defense is understood as defense in cyber space and/or through cyber space.
Act No. 181/2014 Coll, of July 23, 2014 on Cyber Security and Change of Related Acts, www.govcert.
cz/download/kii-vis/preklady/Act_l 81_2014_EN_vl .0_fmal.pdf National Cyber Operation Centre. (2018). “Strategic kybemeticke obrany CR 2018—2022.” wwvv.acr.
army.cz/assets/infonnacni-servis/zpravodajstvi/strategie-kyberneticke-obrany.pdf National Cyber Security Centre, National Security Authority. (2012). “Strategic pro oblast kybemeticke bezpecnosti Ceske republiky na obdobi 2012—2015.” www.govcert.cz/download/legislativa/con tainer-nodeid-719/20120209strategieprooblastkbnbu.pdf National Cyber Security Centre, National Security Authority. (2015). “National Cyber Security Strategy of the Czech Republic for the Period from 2015 to 2020.” www.govcert.cz/download/gov-cert/con tainer-nodeid-1067/ness-15-20-150216-en.pdf
“Act No 181/2014 Coll, of July 23, 2014 on Cyber Security and Change ot Related Acts.” www.gov
cert.cz/ download/kii-vis/preklady/Act_l 81_2014_EN_vl .0_fmal.pdf
“Act No 240/2000 Coll, on Crisis Management and on Amendments of Certain Acts.” www.hzscr.cz/ hasicien/file/crisis-management-act-n-240-2000-coll-pdfaspx Boeke, S. (2018, July). “National Cyber Crisis Management: Different European Approaches,” Governance: An International Journal of Policy, Administration, and Institutions, 31(3): 449—464.
CZ.NIC. (2017, January .30). “Organizace CZ.NIC, ICT Unie a NIX.CZ se postavily proti novele zakona о Vojenskem zpravodajstvi.” www.nic.cz/page/3478/organizace-cznic-ict-unie-a-nixcz-se- postavily-proti-novele-zakona-o-vojenskem-zpravodajstvi/
European Commission. (2017). “Europe’s Digital Progress Report 2017, Czech Republic.” https://ec.
europa.eu/digital-single-market/scoreboard/czech-republic European Union. (2016). “Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.” https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ. L_.2016.194.01.0001.01.ENG&toc=OJ:L:2016:194:TOC Eurostat. (2018a). “Broadband and Connectivity - Households.” http://appsso.eurostat.ec.europa.eu/ nui/show.do?dataset=isoc_bdel5b_h&lang=en
Eurostat. (2018b) “Internet Access.” http://appsso.eurostat.ec.europa.eu/nui/show.do? dataset=isoc_ci_in_en2&lang=en
Eurostat. (2018c). “Individuals Using the Internet for Communication with Public Authorities.” http:// appsso.eurostat.ec.europa.eu/nui/submitViewTableAction.do Fojtu, M. (2018). “Pocitacova bezpecnost Ceska se hlida v Bme.” Absolvent, http://absolventi.muni.cz/ univerzita-absolventum/casopis-absolvent
Kadlecova, L., Bagge, D. P., Borovicka, V. & Semecka, M. (2017). 77/f Czech Republic: A Case of a Comprehensive Approach toward Cyberspace. NATO CCDCoE, Tallinn, Estonia.
London Stock Exchange, (n.d.) “AVAST PLC ORD 10P.” www.londonstockexchange.com/exchange/ p rices-and-markets/stocks/summary/company-summary/GB00BDD85M81 GBGBXSTMM.html? lang=en
Military Intelligence. (2016, October 5). “Navrh zakona, kterym se mSni zakon c. 289/2005 Sb., о Vojenskem zpravodajstvi, ve zneni pozdejsich pfedpisu, a nektere dalsi zakony.” https://apps.odok. cz/en/veklep-detail?pid=ALBSA9LJ NBU U
Ministry of Interior of the Czech Republic. (2018a). “Audit narodni bezpecnosti.” www.vlada.cz/assets/ media-centrum/aktualne/Audit-narodni-bezpecnosti-20161201 .pdf
Ministry of Interior of the Czech Republic. (2018b). “Co je eGovernment?” www.mvcr.cz/clanek/co- je-egovernment.aspx
Ministry of Interior of the Czech Republic. (2018c). “Czech POINT.” www.mvcr.cz/clanek/czech- point-czech-point.aspx
Ministry of Interior of the Czech Republic. (2018d). “Data Box - Another Step in Electronification of Public Administration.” www.mvcr.cz/mvcren/article/data-box-another-step-in-electronification- of-public-administration.aspx
National Registers Authority. (2018). “Basic Registers.” www.szrcr.cz/index.php?lang=2
National Cyber Security Centre, National Security' Authority. (2015). “National Cyber Security Strategy of the Czech Republic for the Period from 2015 to 2020.” www.govcert.cz/download/gov-cert/con tainer-nodeid-1067/ness-15-20-150216-en.pdf
National Cyber Operation Centre. (2018). “Strategic kyberneticke obrany CR 2018-2022.” www.acr. anny.cz/assets/infonnacni-servis/zpravodajstvi/strategie-kybemeticke-obrany.pdf
Packa, R. (2015). “Difference Between Cyber Security and Cyber Defence from a Czech Perspective,” Cyber Security Review, 20-24.
Sedlak, J. (2018, October 3). “Digitalni Cesko: Tohle je statni plan, jak z CR udclat digitalni velmoc.” www.lupa.cz/ clanky/digitalni-cesko-tohle-je-statni-plan-jak-z-cr-udelat-digitalni-velmoc/?utm_sour ce=newsletter-html-d&utm_medium=text&utm_campaign=2018-10-04
Spacek, D. (2015). “E-Govemment Policy and Its Implementation in the Czech Republic: Selected Shortcomings,” Central European Journal of Public Policy, 9(1): 78—101.
Strosova, S. (2018, September 8). “Technologic nejsou hokej. Cesko je rnozna talent, ale rozhodne ne velmoc.” www.forbes.cz/technologie-nejsou-hokej-cesko-je-mozna-talent-ale-rozhodne-ne- velmoc/
Topek, M. (2016, November 4). “Vojenska kontrarozvedka bude sledovat ecskv internet, vlada ji chce svent kybernetickou ochranu.” https://zpravy.aktualne.cz/domaci/vojenska-kontrarozvedka-bude- sledovat-cesky-intemet-vlada-j/r~3t’483e428a2611 e682380025900fea04/?redirected= 1521222256
UN E-Government Knowledgebase. (2016). “UN E-Govemment Survey 2016.” https://publicadminis tration.un.org/egovkb/en-us/Reports/UN-E-Govemment-Survey-2016