Posted on 4.11.2014 by Jan Andrš
The Czech Republic, usually falling behind in European regulations, is ahead of the crowd for now. The new cyber security law has put the Czech Republic in first place in the race to create a comprehensive country-wide cyber security solution. The law has already passed both chambers of parliament, been signed by the president and will come into force in 2015.
The New Shield in Central Europe
And what is so great about that, you ask? Well, the Czech Republic will increase its resilience and ability to respond to new threats. Those threats have already impacted some European countries. The massive attacks on Estonia in 2007 were a prime example of the vulnerability of one country’s cyberspace. Attackers swamped the websites of various Estonian organizations, including the Estonian parliament, banks, ministries, newspapers and broadcasters, and seized their functions for a couple of days mostly with “distributed denial of service” attacks. The intruders were allegedly connected to the Russian youth organization Nashi.
The main goal of the law is to implement security standards for the information systems of public administration authorities and critical infrastructure elements. Many of those elements are not owned by the state itself. That is why the new cyber security law establishes lines for legal actions against those who will not comply. The security standards will be enforced with periodical compliance audits of all public administration bodies and also private elements of the critical national infrastructure, starting 2016.
The government coordination agency that can immediately respond to computer incidents is called the Computer Emergency Response Team (CERT). The agency is part of both the national and international cyber threat early warning systems. CERT optimizes options used to identify potential cyber attacks and coordinate countermeasures and remedial actions. In cooperation with other relevant government agencies, the center coordinates and proposes preventive measures to avert or thwart potential attacks against information and communication systems of the state and elements of the critical national infrastructure.
Blurry Lines and the Great Burden Placed on Government Officials
The new law definitely has some issues, mostly with detailed descriptions of some key processes that could undermine cyber security efforts. For example, it forces every organization to report security incidents to the system, but does not specify the exact form of transmission. Imagine sending a cyber security threat report via carrier-pigeon! This exposes the whole system to errors and false-positives.
Also, where the lines are, is still disputed. Can the whole network be cut off under attack? Where do we draw the line between security attack and coincidence? These and other questions must be answered during the implementation of the system to prevent subsequent complications. And who is going to answer them? The greatest burden will now lie on Czech government officials who are expected to implement the law and smooth any sharp edges.
Sources and more info on the topic: