On Wednesday, 19 July 2023, the Government of the Czech Republic approved the "Report on the State of Cybersecurity of the Czech Republic for 2022"[1]. The document, prepared by the National Cyber and Information Security Agency (NÚKIB), shows that although there has been a slight year-on-year decrease in the total number of cyber incidents recorded by the NÚKIB, the Police of the Czech Republic recorded an almost twofold increase in cybercriminal activities over the same period. A twofold increase was also recorded in the number of cyber incidents within the critical information infrastructure, with the majority of them being attacks on the availability of services. State-sponsored cyber actors and the activities of cybercriminal groups remain the greatest threat to Czech cybersecurity. A significant step towards improving the security of the Czech Republic was the launch last year of the drafting of a new Cybersecurity Act, which includes, among other things, the EU cybersecurity directive NIS2, and it also deals with the supply chain security of information and communication technologies to strategically important infrastructure. The Cybersecurity Act is expected to take effect in the second half of 2024.
Statistical data from the report shows that although the Czech Republic has seen a slight year-on-year decline in the total number of cyber incidents recorded by the NÚKIB from 157 in 2021 to 146 in 2022, the Police of the Czech Republic recorded increased cybercriminal activities to more than 18,000 crimes in the same period. The report also presents that the public sector recorded the highest number of cyber incidents, followed by the healthcare and private sectors. The most common attacks in the past year were phishing, spear-phishing, vishing, and fraudulent emails or availability attacks (mainly DDoS attacks). Most incidents were recorded in April and October last year, with DDoS attacks significantly contributing in both cases. "Russian-language hacking groups were mainly responsible for this increase. In 2022, the NÚKIB issued 16 alerts and three warnings related to the current threat or vulnerability, with some of the warnings directly related to risks arising from the Russian invasion of Ukraine. Similarly, several incidents registered by the NÚKIB were directly related to the Russian aggression in Ukraine. Moreover, it is almost certain that this conflict will continue to affect Czech cyberspace," said Lukáš Kintr, Director of the NÚKIB.
The report also states that the NÚKIB has recently recorded increased incidents in the transportation sector. While in previous years, they were only in the order of units, in 2022, there were already 14 incidents. Then, for the second year, there is a decline in the number of recorded cyber incidents categorized as very significant. In contrast, there has been an increase in the number of significant incidents. A positive trend that started in 2021 is the growing number of organizations increasing their cybersecurity budgets. However, finance and the lack of cybersecurity experts remain one of the main issues and challenges for Czech institutions and organizations.
A significant step in cybersecurity in the Czech Republic in 2022 was preparing a new Cybersecurity Act, which is an essential pillar for maintaining a secure Czech cyberspace and is expected to come into force in October 2024. The new law contains everything the Czech Republic needs from a cybersecurity perspective. It responds to the dynamic developments in the security environment and reflects the practical experience of almost a decade of work with the current Cybersecurity Act. It also deals with the need for a mechanism for verifying the supply chain security of the most critical infrastructure for the state. Last, but not least, it is closely related to the new European cybersecurity directive NIS 2, which is part of the upcoming legislation. The final text of the NIS2 Directive was adopted during the Czech Presidency of the Council of the European Union. "I am pleased that in the six months under our leadership, the EU has achieved a huge shift in cybersecurity. I am glad that the individual Czech institutions have shown they can work as a team even during such a challenging period. Not only from a cybersecurity perspective, I can say that I am proud of how the Czech Republic has presented itself and what it has achieved," said Director Kintr.
Although a significant part of the NÚKIB's agenda last year consisted of participating in the preparation and implementation of the Czech Presidency of the Council of the European Union, the NÚKIB also worked intensively on the further development of cooperation with partners within the EU and NATO. Last year, the Office's awareness-raising activities and its organization of cyber exercises (7 domestic and three international) aimed at raising awareness of current cyber threats and creating conditions for training future experts in the field of cyber security remained equally intensive. "We have participated in several domestic and international events, organized exercises, training sessions, seminars, or conferences, and have consistently worked to raise awareness and educate the public and our employees. More than 51,000 users have taken the freely available courses on our educational portal osveta.nukib.cz. The goal of all our activities is to make the Czech Republic a safer place to live," concluded Lukáš Kintr, Director of the NÚKIB.
The full Report on the State of Cybersecurity in the Czech Republic for 2022 is available here.
[1] The Report on the State of Cybersecurity in the Czech Republic is the primary document summarising what has been happening in the country's cybersecurity field over the past year. The main author is the NÚKIB, which sent out a 77-question questionnaire at the beginning of 2023 to entities regulated by the Cybersecurity Act and several other key institutions and organizations that the Cybersecurity Act does not regulate. The questions covered various topics, such as cyberattacks, cybersecurity costs, cybersecurity staffing capabilities, users, technologies, and processes in place. A total of 317 entities completed the questionnaire, 236 regulated and 81 unregulated. From the data obtained, the NÚKIB drew information for the Report on the State of Cybersecurity in the Czech Republic for 2022. All data from the questionnaires are anonymized.