Cybersecurity in the Czech Republic: the state faces a number of challenges. Underestimating them can have a serious impact in the future

Press Release on audit No 19/26 - 2 November 2020

The Supreme Audit Office examined cybersecurity assurance between the years 2015 and 2019. The audit revealed that most of the audited tasks of the Action Plan for the National Cyber Security Strategy of the Czech Republic for the period 2015 to 2020 have been fulfilled. While the cooperation between the National Cyber and Information Security Agency (NCISA) and the Ministry of the Interior (MoI) works to a certain extent – it has recently significantly helped in dealing with cyberattacks on health facilities – the cooperation is set up only at an informal level and takes place on an ad hoc basis. Such cooperation, however, cannot be relied upon in the future. The state does not have a clear overview of how much money is spent by individual ministries on cybersecurity.

The government CERT (Computer Emergency Response Team), part of the NCISA, recorded a total of 916 cyber incident reports between 2017 and mid-2020. The first half of this year alone accounted for 31% of them. This situation shows that cybersecurity in the Czech Republic will require adequate funding. But the state does not have a clear overview of how much money is actually spent on it. Only rough estimates from individual ministries are available.

For example, the United Kingdom has a different approach. It reports its expenses on national cybersecurity as a special budget item. This allows the responsible authorities to monitor and evaluate the money spent on behalf of the entire country.

Information on cybersecurity expenditures in the Czech Republic is obtained by the NCISA through questionnaires. In order to obtain the data it needed, the NCISA had to carry out a total of four such investigations in the years 2018 and 2019. These showed that between 2015 and 2019 ministries spent a total of CZK 2.8 billion on cybersecurity. Yet, they still lack hundreds of millions of Czech crowns.

The MoI, whose cybersecurity expenditures amounted to around CZK 750 million in the above-mentioned period, estimated that it would need an additional CZK 309 million by 2020. The MoI manages 35% of the critical information infrastructure of the Czech state’s organisational units. At the same time, however, the MoI did not make use of the possibility to draw EU funds to finance cybersecurity. The NCISA drew a total of CZK 112 million from EU funds to finance two projects. Health institutions had the greatest interest in EU funds. They received support for projects amounting to around CZK 903 million.

The cooperation between the NCISA and the MoI was assessed by the auditors according to the 57 selected tasks of the Action Plan for the National Cyber Security Strategy of the Czech Republic for the period 2015-2020. They identified shortcomings in eight of them. For example, a detailed model or scheme of how cooperation in the field of cybersecurity should work has not been drawn up. This kind of cooperation between the MoI, the NCISA and other state bodies is thus primarily based on personal ties and takes place on an ad hoc basis, as the need arises.

Also, an automated platform which would allow selected entities to share information on cybersecurity threats and incidents – identified in critical information infrastructure and major information systems – has not been finalised.

At the same time, the NCISA and the MoI are dealing with a shortage of experts. Obtaining and retaining experts is a long-standing challenge. In the future, if several incidents occur at the same time, there is a risk that the MoI and the NCISA will not have the capacity to assist entities which are not covered by the Act on Cybersecurity. These include a number of health facilities that do not meet the criteria to be classified as providers of so-called basic services; the exception is health service providers which, in the last three years, have had at least 800 acute care beds or the status of a specialised trauma care workplace.

Cyberattacks against health institutions at the turn of the year 2019/2020 have shown that even if these institutions do not fall within the category of obliged entities according to legislation, a series of attacks against them would have a significant impact on the entire healthcare system in the Czech Republic. The auditors have therefore recommended that the NCISA examine how the criteria identifying the providers of so-called basic health services are set and, if necessary, amend those criteria.

Communication Department
Supreme Audit Office