The National Cyber and Information Security Agency (NÚKIB) together with the Ministry of Industry and Trade, the Ministry of Foreign Affairs, the Security Information Service, the Office for Foreign Relations and Information, and the Military Intelligence published The Recommendation for assessing the trustworthiness of technology suppliers of 5G networks in the Czech Republic (hereinafter the "Recommendation"). The role of the next-generation telecommunications networks for society is essential. Therefore, efforts to reduce security risks are necessary in order to create and maintain a resilient infrastructure in the Czech Republic. The aim of the Recommendation is to offer operators – and the entire electronic communications sector – the views of the relevant state institutions on crucial points for assessing the trustworthiness of suppliers of technologies for 5G networks, and to propose criteria that can contribute to the selection of trustworthy suppliers.

The publication of the Recommendation further builds upon the internationally declared position of the Czech Republic within the field of security of 5G networks. In 2019, a series of recommendations called Prague Proposals on cyber security of communication networks was announced. Subsequently, the Czech Republic also participated considerably in preparing the EU 5G Toolbox, which was published at the European Union level in 2020.

“The Recommendation provides guidance especially for the supplies to the information and communication systems of the critical infrastructure of the Czech Republic. During the preparation of the criteria, the possibility of their evaluation as well as their measurability was emphasized. These criteria are also universal principles that can be applied in a similar way in other sectors when implementing technologies,” says Karel Řehka, the director of NÚKIB. “Although the Recommendation does not extend, cancel, or otherwise regulate any rights and obligations stipulated by generally binding legal regulations, it is necessary to set a trend, when trust towards a supplier does not only depend on the level of the final technical form of the delivered solution, but also reflects the strategic level – meaning the business, legal and political environment, in which the supplier operates,” the director adds.

The criteria suggested by the Recommendation include, for example, whether a supplier has a transparent ownership structure, whether it is able to prove that it applies the so-called security by design principle in its products, and whether it practices effective security rules and processes.

The Recommendation was also discussed at the working group for cyber security under the 5G Alliance, which includes representatives of state bodies, representatives of academia, mobile operators, and other representatives of entrepreneurs in the electronic communications sector.

You can find the whole document here: The Recommendation for assessing the trustworthiness of technology suppliers of 5G networks in the Czech Republic

 

Q&A on NÚKIB’s activities in the field of 5G networks – the Recommendation

Q: Why do you publish the Recommendation?

A: The need to address the matters connected with the trustworthiness of technology suppliers has been discussed at the expert level for some time now. The importance of this debate has further increased after the publication of the EU toolbox of mitigating measures for secure rollout and operation of 5G networks, known as the EU 5G Toolbox. Some of its measures, which the Czech Republic has committed itself to fulfil, require the activity of the state, for which, however, legal competencies are currently lacking. Thus, before these competencies are implemented via legislation, the state acts within the limits of its current powers and provides operators with guidelines that can help increase the security of their networks and services.

Following a discussion of the relevant state security institutions, the Recommendation was prepared. The document presents - within the current state competencies - its view on supply chain security, and offers operators ways to increase the security of their networks and minimize the negative impact on providing their services to end customers.

Q: Why do you publish the Recommendation now?

A: Although the rollout of 5G networks is already underway and these networks are already in commercial operation in some parts of the Czech Republic, all functionalities that these networks have the potential to bring are still not put into operation. Until the legislation that will allow the state to provide operators with a legal framework for building these networks is adopted, we want to help the telecommunications sector by publishing security guidelines, at least in the form of a recommendation, which offers operators non-binding security criteria.

Q: Who is the Recommendation for?

A: The aim of the Recommendation is to provide guidance to telecommunications operators who are administrators of critical infrastructure information and communication systems. The Recommendation offers a view of selected state institutions on the basis for assessing the trustworthiness of technology suppliers in 5G networks and proposes criteria that can contribute to the selection of trusted suppliers. Nevertheless, the proposed criteria are universal principles that can be applied in a similar way in other sectors when implementing technologies.

Q: Do operators have to comply with the Recommendation?

A: The Recommendation is by its nature a non-binding, supporting material, and therefore does not bring new obligations to the operators. Some parts of the Recommendation, however, correspond with existing legal obligations or with the best practice that operators follow voluntarily within their own business processes. The Recommendation is, in addition, based on international best practice and was prepared after discussions of relevant security state institutions.

Q: If the Recommendation is not mandatory for operators, does this mean that there are currently no restrictions on the selection of suppliers?

A: Operators, as well as other entities obliged by the Cyber Security Act, must comply with the supplier management obligations set out in this Act, as well as other legal obligations. Furthermore, the NÚKIB warning from 2018, which the relevant entities regulated by the Cyber Security Act must take into account, is still effective.

Q: Is it possible to understand the Recommendation as a model for future legal regulation?

A: The form of possible future regulation is currently subject to expert discussion, and the resulting legislation will be in the hands of legislators, so its form cannot be anticipated at this time.

Q: The topic of 5G networks has been discussed for a long time now. Why didn't the state start addressing this issue earlier?

A: NÚKIB, as well as other state bodies, have been dealing with the topic of cyber security of 5G networks for a long time. As early as 2019, NÚKIB organized the first Prague 5G Security Conference, which generated a significant international response, and we were also one of the main initiators of addressing this issue at the EU level, from which the EU 5G Toolbox emerged. Immediately after the adoption of the common approach of the EU Member States, we began the process of preparing the Czech legal environment for the implementation of the EU 5G Toolbox measures, and the currently issued Recommendation is a part of this process.

Q: Is it true that operators cannot evaluate some of the supplier trustworthiness criteria in the Recommendation themselves?

A: When creating the criteria, emphasis was placed on their universal applicability and evaluability by the entities operating electronic communications networks and services - operators. However, if an operator is not able to evaluate some of the criteria effectively, for example due to the lack of information or staff capacity, or if the relevant supplier does not meet some of the criteria, this does not automatically mean that it would not be appropriate to use the supplier. The suitability of the application and the weight of each criterion always depends on the context of the respective supply and especially on the consideration of the operator. However, we are convinced that fulfillment of the criteria will increase the credibility of the supplier.

Q: Will the Recommendation affect the price of telecommunications services?

A: The Recommendation does not impose any new rules or obligations on operators, so it should not affect service prices. In other countries, where similar measures have been taken, an increase in service prices for this reason has not been observed. However, it is necessary to keep in mind that the security of electronic communications networks should be a fundamental interest of the state, as well as any individual, and its provision is not free of charge.