National Cyber and Information Security Agency

The National Cyber and Information Security Agency (NÚKIB)
Director
Ing. Karel Řehka

Legal and Administrative Division
- Legal Department
  Provides complete legal services for the Agency’s operations and secures the fulfilment of various obligations stemming from the Agency’s position as a central administrative body. The Legal Section is also the administrator of selection processes and public orders, which includes the creation and maintenance of contractual documentation. Furthermore, the Legal Section is responsible for dealing with transgressions under the jurisdiction entrusted to the Agency and oversees further proceedings led by the Agency.
- Security Department
  - Security Unit
  - Case Service Unit
- Operational Department
  - Finance Unit
    Provides complex accounting services and communicates with financial institutions on behalf of the Agency. It also provides and sets accounting methods and processes. It performs FKSP expenditure accounting and assures all the Agency’s budgeting, including responsibility for its construction and budget proposals for all areas of the Agency’s activities and all economic analyses. It provides complex administration of all bookkeeping and accounting operations and administers finances kept in the Czech National Bank in foreign currencies for the use of employees on business trips abroad.
    - Vehicle Fleet Working Group
  - Operational and Service Unit
    Coordinates and provides material and technical provisioning for the Agency except for information and communication technologies and keeps an inventory of all the Agency’s property. It also coordinates and provides services associated with real estate administration and participates in the operation of the Agency’s facilities; establishes relations with outside building administration organizations (supplies of energy, water, gas, heating, etc.); and inspects technological equipment. It oversees the maintenance of all property and assures the operation and service of the Agency’s vehicles.
- Human Resource and Education Department
  Performs activities in human relations, education, wages, and social policies in accordance with the Labour Code and all associated regulations. It oversees the observance of all employment regulations and keeps employee records. It organizes recruitment and offers internships to university students. It participates on the creation of labour regulations and internal management.
- Investment and Development Department
  Assigns and leads the creation of investment projects and assures their completion. It submits proposals for construction and repairs to the Agency’s property of an investment nature and proposes these for the relevant year’s budget. It prepares and maintains project documentation including discussion of individual projects as part of pre-project, project, and execution activities. Submits zoning and construction permit requests on behalf of the Agency as well as other permits necessary to complete projects. It prepares and builds construction projects and repairs to the Agency’s property of an investment nature that will be performed on the basis of a construction permit. It acts as the investor in construction projects of all kinds that it prepares and executes. It provides all necessary pre-requisites associated with putting a facility into operation.
National Cyber Security Centre (NSCS)
- Cyber Security Policy Department
  - Cyber Exercise Unit
    Coordinates and prepares a wide range of technical and non-technical cyber security exercises on the national and international level (Cyber Czech, Cyber Coalition, Locked Shields, CMX); it also creates tailored mobile cyber security for partners; and contributes to educational awareness activities.
  - Strategic Information and Analysis Unit
    Creates analytic and informational materials about significant attacks and trends in cyber security for decision-makers and Czech and foreign administrative bodies. The department evaluates the political and security context and the effects of incidents and trends on the Czech Republic while creating non-technical outputs. We use the information to create analyses that are primarily based on open sources. The department’s other activities include monitoring the media in the area of cyber security, as well as lectures and educational activities.
  - National Strategy and Policy Unit
    Prepares long-term strategies and provides analyses and the necessary expertise, including material and legal recommendations, to ensure the NCSC and the Czech Republic fulfil all set cyber security goals in the most effective way possible. It provides effective coordination and harmonization of cyber security policies across public administration and strives to build a coherent national cyber security community in the Czech Republic through cooperation with other institutions.
  - International Organizations and Law Unit
    It primarily represents the Czech Republic at international cyber security events, as well as defending Czech positions in international organizations including NATO and the EU. To this end, it cooperates with other ministries, the private sector, and academic institutions. It also contributes to preparing legislation and international treaties; supports other Agency units during cyber security exercises; and implements the Cyber Security Law to ensure harmonization with relevant European regulations.
- Government CERT Department (GovCERT)
  - Reactive Unit
    The department’s main task is the initial coordination, evaluation, and resolution of cyber security incidents and managing communication channels with other entities.
    - Industrial Technology Security Working Group
  - Network Traffic Analysis Unit
    Operates network probes, IDS/IPS systems and honeypots as well as analysing data from network probes, IDS/IPS systems, honeypots, and system logs (servers, network elements, etc.)
  - Analytical Unit
    Examines data and forensically analyses computers, mobile devices, and artefacts created in association with security incidents. It also analyses malware and performs reverse engineering.
  - SecOps Unit
    The SecOps (Security Operations) Department develops, deploys, and secures applications that are on the bleeding edge of technology. These activities are performed for the internal needs of the GovCert section, and for the needs of cooperating external entities. The projects the department works on includes the Cyber Czech exercises, which are the largest cyber exercises in the country. SecOps experts also significantly contribute to the oversight of entities so mandated according to the Cyber Security Law.
  - Penetration Testing Unit
    Performs penetration tests to asses security. It currently offers external and internal penetration tests, testing of mobile apps, WIFI networks, denial of service, as well as tests to specific devices or implementing new technologies upon agreement.
- Regulation Department
  The Regulation Department deals with issues regulated by Act No 181/2014 Coll. on Cyber Security. It communicates with regulated entities, whether in relation to their regulation or in providing methodological support. It participates in the preparation of legislation on cyber security and plays a crucial role in identifying and protecting critical information infrastructure, important information systems, and essential services’ information systems within the Czech Republic.
  - Private Sector Regulation Unit
    Ensures the identification of operators of essential services. Applies, preserves and interprets Decree No 437/2017 Coll., on the Criteria for the Determination of an Operator of Essential Service. Ensures the identification of critical information infrastructures in the private sector. Provides interpretation and support in private sector regulation. Communicates with the relevant controllers.
  - Public Sector Regulation Unit
    Ensures the identification of important information systems. Applies, preserves and interprets Decree No 317/2014 Coll., on Important Information Systems and their Determination Criteria. Ensures the identification of critical information infrastructures in the public sector. Provides interpretation and support in public sector regulation. Communicates with the relevant controllers.
  - Cloud Computing Regulation Unit
    Provides assessment of cloud computing offers in accordance with the Public Administration Information Systems Act and the Act on Cyber Security. Applies, preserves and interprets the so-called Cloud Decree (expected effect in 2021 at the latest). Consults impacts of systems disruption for the purposes of cloud computing processes in public authorities. Provides interpretation and support in regulation of cloud computing services used by public authorities. Communicates with the relevant controllers.
- Audit Department
  Oversees the adherence of regulated entities to the Cyber Security Law. Together with the Regulation Department, it contributes to creating cyber security legislation and offers methodological support to regulated entities. It also cooperates with other oversight bodies when their jurisdiction overlaps into cyber security.
Information Security Division
- ICT Security Department
  - Cryptology and Cryptologic Resource Development Unit
    Undertakes and provides basic and applied research and development in cryptology, crypto-analysis, and cryptologic resources; develops and approves national encryption algorithms; and creates the national cryptographic security policy. It also provides the development of cryptologic patterns for use in cryptologic resources to protect classified information (CI); analyses and evaluates encryption systems and cryptologic algorithms designated to protect CI; and contributes to the Agency’s public orders in the area of research, development, and production of cryptographic resources.
  - Information and Communication System Certification Unit
    Fulfils tasks issued by the National Security Communication Centre; certifies information systems used to handle classified information (CI); approves security projects for communication systems used to handle CI; fulfils the Agency’s tasks as the body charged with certifying information systems that handle CI for NATO and the EU and other international organizations; evaluates information systems that handle CI from NATO, the EU, and other international organizations; maintains communication with NATO, EU, and other international organizations to certify information systems and maintain continuous oversight of certified systems according to the demands of NATO, the EU, and other international organizations.
  - Cryptographic Resources and Facility Certification Unit
    Secures and provides certification of cryptographic resources (CR) and sets security standards in the certification of CR; certifies cryptographic facilities (CF) and sets security standards for CF. It approves the qualifications of materials to assure CR; approves projects that add CR into mobile and temporary systems. It communicates with the NATO, the EU, and other international organizations to assure international certification (approval) of CR by these organizations. It participates in oversight of selected areas in the protection of classified information within the Czech Republic. It secures and oversees the qualifications of cryptographic protection workers (specialized tests).
  - Tempest Unit
    Fulfils tasks issued by the National Centre for Measuring Compromising Electromagnetic Radiation from the point of view of classified information (CI) leaks through electromagnetic radiation; undertakes zonal evaluation of CI procession spaces; the certification of shielded chamber that protect CI; analyses and evaluates cryptographic resources from the point of view of protection from compromising radiation; and preventing the use of information-gathering resources in areas where negotiations take place.
  - Encryption Service Unit
    Assures and fulfils tasks from the National Centre for the Distribution of Cryptographic Material (NCDCM); assures and performs oversight of the qualifications of cryptologic protection workers (tests of qualifications); assures and undertakes the production of key materials to operate cryptographic resources; distributes key materials and cryptographic resources; assures the maintenance and service of specialized devices for the production of key materials and cryptographic resources.
  - Mathematic-Analytic Working Group
- Information Technology Department (ITD)
  - Network Infrastructure and Application Support Unit
    Systemically supports the ERP application, HR, wages, and the case service. Installs systems, supports users, administration, optimization, and maintenance of databases for the above-listed systems. Deals with strategic and development intents in information systems (JIS, new locations, GDPR, etc.). Operates the Registration Certification Authority for x509 employee certificates. Issues server x509 certificates (CESNET) and certificates for FW (probes). Creates and updates the DRP plan for key applications.
  - Server Infrastructure Department
    Installs, prepares, administers, and optimizes server infrastructure. It also administers the virtualization environment, mail services, data repositories, and physical servers. It also maintains the operation of internally developed tools for secure communication. It maintains all the Agency’s communication channels.
  - Client Support Unit
    Supports IT users. It deals with hardware and software problems at user workstations and devices. It procures necessary IT acquisitions. Transfers documents to inventory.
- Education, Research, and Project Department
  Assures the Agency’s educational activities, holds conferences and seminars about cyber security; educates civil servants; supports educational institutions spreading awareness among students of all ages and the general public; and prepares and operates thematic e-learning courses. It coordinates research and development in cyber security and manages the Agency’s ICT projects.
  - Education Unit
    Organizes cyber security educational and awareness activities, conferences, and exercises; prepares and operates topical e-learning courses. Its primary target group are public servants and other people who hold roles listed in the Cyber Security Law. A secondary target group are individuals identified as “vulnerable in cyberspace.” These are children and students at all levels and seniors.
  - Project Management Unit
    Provides effective management of a wide range of NÚKIB projects throughout their lifecycle. It fulfils the usual roles of a project office in an organization: directly participates on the management of projects; issues methodological materials; and allows for the oversight of the projects. It also supports education about project management.
  - Research and European Cooperation Unit
- PRS Department
  Responsible for the implementation and operation of the publicly regulated services of the Galileo system in the Czech Republic and coordinates all activities associated with access to PRS information and technology. In accordance with valid European legislation (1104/2011/EU), it fulfils the role of a Competent PRS Authority while specifically taking responsibility for organizating access and granting access rights to authorized users; protection and distribution of classified PRS information; processing of operational and security regulations to use the PRS; and evaluate the potential risks to the PRS, including defining appropriate resolutions and preventive measures. It is a contact point for a permanent connection to the PRS security centre, to which all security violations and incidents, as well as disruptive electromagnetic interference on frequencies reserved for the PRS, are reported.
Director’s Cabinet
- Communication Unit
- International Relations Unit
  Actively develops international cooperate in the Agency’s area of expertise. It also makes, maintains, and develops contacts with partners abroad. It also deals with all foreign business trips undertaken by Agency employees. Coordinates and directs the activities of cyber attachés and employees sent to NATO CCD COE in Tallinn.
- Government Agenda and Legislation Unit
  Coordinates and realizes the agency’s powers in the legislative process and offers opinions on legal regulations in the Agency’s area of expertise. It oversees the preparation of non-legislative materials presented to the Cabinet, National Security Council, the Committee for Cyber Security, or other state bodies, or it creates these materials itself. It also oversees the cabinet’s agenda and strategic communication with ministries and other state institutions.
Security Director
Cyber Security Manager
Cyber Security Architect
Cyber Security Auditor
Internal Auditor
Data Protection Officer (DPO)

News

The European Commission Warns of Dependence on Risky 5G Technology Providers

July 24, 2020

Today, EU member states and the European Commission issued their preliminary report about fulfilling the so-called EU 5G toolbox. This is a set of tools representing a common approach by EU member states to securing future 5G networks specifically founded on the objective evaluation of risks associated with the coming of 5G networks and adequate measures with the goal of reducing these risks. According to the Commission, all member states took specific steps to raise the level of security, which demonstrates their willingness to move forward in a coordinated way on a pan-EU level while also stating it is necessary to immediately begin reducing the risks of dependence on a single vendor and to accelerate the setting of processes for screening direct foreign investments.

The EU 5G toolbox was published at the end of January and shows the agreement among the member states with the European Union Agency for Cybersecurity (ENISA) on the need for building secure 5G networks. Individual measures within this document are based on, for example, creating risk profiles of individual technology suppliers and the creation of specific measures that will prevent the participation of suppliers that are deemed to be highly risky. Another significant risk the toolbox identifies is being dependent on a single supplier. The specific form and speed of the measures are implemented is the responsibility of the individual member states.

The current report maps the advances the individual member states have made in adopting the necessary measures. The main advances came in increasing the powers of the national regulators so they can better assure the cybersecurity of 5G networks. The Commission sees similar advances in measures that will limit infrastructure suppliers’ access based on their risk profiles. Contrarily, more must be done to mitigate risks from a single supplier or in setting foreign direct investment screenings.

“From my point of view, it’s key that the European Commission is supporting an identical approach to what the Czech Republic has backed for some time. That means an approach based on risk evaluation while also advancing the implementation of the EU 5G toolbox as a clear signal of the efforts behind an EU-wide solution that the Czech Republic is also working towards,” NÚKIB Director Karel Řehka said of the European Commission’s report.

The Czech Republic is also not lagging behind in another area listed in the EU 5G toolbox: screening foreign direct investments, the oversight of which is the responsibility of the Ministry of Industry and Trade. “The ministry is intensively working on implementing a national mechanism for screening foreign direct investments. It has created a bill on its implementation that has already passed the first parliamentary reading. The legislative process will continue at the beginning of September. We are also working on joining a system of European cooperation in this field that will formally begin in October this year,” deputy head of the European Union and Foreign Trade Department at the Ministry of Industry and Trade Martina Tauberová said.

The toolbox is a fundamental EU document about 5G network security. The Czech Republic and France took the dominant role in preparing it. “Together with our colleagues within the French Agence nationale de la sécurité des systèmes d'information (ANSSI), we had the chief role in preparing the toolbox. I’m not exaggerating when I say it was thanks to the Czech Republic that the risk evaluation of technology suppliers for 5G networks including non-technical parameters, such as trust in the particular supplier, got into the final document,” said Czech Cyber Attaché at the National Cyber and Information Security Agency Lukáš Pimper, who was responsible for this process in Brussels.

In the conclusion to the report, the Commission also emphasizes that assuring the resilience of 5G networks is absolutely necessary for our society as this technology will have an influence on electronic communication and other important sectors, such as energy, transportation, finance, and healthcare. It will also allow for greater automation of industry than is possible today.

Celá zpráva 2020-11-30

Organizational Structure

News

The European Commission Warns of Dependence on Risky 5G Technology Providers