News

Fast And Furious: Czechs Overtake the EU in Cybersecurity

The flagship of the European determination to achieve more protection in cyberspace, the draft of the EU Cyber-Security Directive no. 2013/0027 (the "Directive") [1], has been on the table for more than two years now. Since then, the member states have been arguing about various issues, some of them technical, other essential (see below). It is a pity because the importance of cyberspace in our economy and in our lives is rapidly growing while its security is falling behind - in Seneca´s words: "While we are postponing, life speeds by." [2]

The Czech lawmakers are not famous for spearheading legal innovations. Instead, they usually find very challenging even to incorporate the EU legislation in Czech legal system. Therefore, it was surprising to hear that this time they do not want to drag behind, instead they want to lead. This little country in the heart of Europe decided to teach other Europeans a lesson by adopting something like the Directive, as soon as possible, instead of waiting for the EU to reach the agreement.

This political resolve seemed like a good idea, particularly as the largest DoS attack on web-sites of Czech media, banks, mobile phone operators, the stock exchange and even the Czech National Bank took place shortly afterwards.[3] Although the attack was not massive, the poor defense of these web-sites rendered many of them unavailable for minutes or even hours. People could not use internet-banking, read news, use the most popular Czech search engine or pay the bills for their mobile phones.

The fruits of the Czech legislative haste are finally here: six months have passed since the Czech Cybersecurity Law no. 181/2014 Coll. (the "Law") came into force on the 1 January 2015. This may be a good time to look back for the main lesson learnt: “There’s never time to do it right, but there’s always time to do it over again".[4] Hopefully, the new legal framework of the Czech cyberspace will be fixed one day; Until then, others can at least learn from our experience (how not to do it):

1.                Scope unclear

EU has not been able to agree, which parts of the cyber infrastructure are so important that they should be protected/regulated by the Directive. While many EU countries consider the services provided by search engines and social media websites to be critical for European security, EU Parliament does not. The Czechs untied this Gordian knot in an original and imaginative way:

1.1             Law is built on a very general, circular and absolutely incomprehensible definition of critical infrastructure: "Critical information infrastructure means an element or system of elements of the critical infrastructure in the sector of communication and information systems within the field of cyber security".[5] To make things more complicated, the Law establishes also the category of "important" information networks and systems but it is not clear why. This division does not follow the private/public sector split, although most "critical" infrastructure is probably private while the majority of the "important" infrastructure public;

1.2             To the existing general criteria defining critical infrastructure of the country in various aspects (ability to cause at least 250 deaths, 2,500 wounded, GDP loss exceeding 0,5% or to affect lives of at least 125,000 people) were added specific "cyber" criteria, such as (i) having important effect on critical infrastructure, (ii) being irreplaceable without extreme costs or in less than eight hours or (iii) containing personal data about more than 300,000 citizens. Too bad that this important update was carried out less than two weeks ahead of the Law coming in force. Some guidelines and charts were published later[6] but a person with average intelligence will find hard to understand (as I did), which of these criteria have to be fulfilled in order for the specific part of infrastructure to be considered critical; and

1.3             Relevant Czech authorities are free to determine on ad hoc basis, which public institutions and private companies fall in the scope of the Law; There is no chance to appeal such authoritative decision - the corporations must feel as if in the Martix: "Being The Critical/Important One is just like being in love. No one can tell you you're in love (apart from the NSA), you just know it.".

As a result, many companies did not suspect that they could by the Critical/Important until NSA contacted them with this marvelous news.

2.                Extremely short notice

The European legislation usually comes into force after a sufficient buffer period is provided to achieve compliance. In contrast, the Czech lawmakers adopted the Law only three months in advance. I was at the Parliament hearing where the authors of the Law dismissed these worries as baseless because "three months are more than enough for everyone to get ready". Although most of the obligations under the new Law are activated after one year, big corporations will have find it extremely challenging to achieve a full compliance. For them, it takes one year just to mobilize the resources and obtain the internal approvals for the new security measures.

None of the sponsors of the Law would admit so but the delay in starting the public debate was probably a part of a strategy to avoid detailed scrutiny and well-deserved criticism. Many companies hope that NSA will not pick them as critical/important, which is why they do not dare raising their voices against the Law.

3.                Security measures unclear

Uncertainty prevails also in respect of another key element of the Law, which are the security steps to be taken by the operators of the critical infrastructure in order to make it less vulnerable to cyber-attacks.

The Law is full of general terms like risk management, security policy or organizational security, some of them even do not seem related to cyberspace (e.g. the assets management or suppliers setting). When reading and trying to understand these hollow concepts, you can almost hear the famous criticism: "And there are simply too many notes, that's all. Just cut a few and it will be perfect."[7]

Again, the sponsors of the Law promised that this emptiness would be soon enough filled with meaning and wisdom. However, in reality, the relevant government decree specifying the security measures was adopted less than two weeks before the kick-off and it is far from perfect.

The decree is hard to understand because it uses lot of white-collar newspeak or, to put it bluntly, rubbish. From this perspective, you are lucky that the official English translation of this masterpiece is not available. As a result, you will never have the pleasure to learn the difference between a simple "asset",  "primary asset", "supportive asset", "technical asset" "asset guarantor", you will remain ignorant of the risks posed by "insufficient defense of the outer perimeter"[8] (is this military textbook?) and you will never be enlightened as to in which areas the security policy must be defined (there are 21 of them, such as "classification of assets", "access management", "physical security" or "management of technical vulnerabilities".

To sum up, the decree looks like product of the IT clerk cloned with a military theoretic, who was asked to transform an Excel table into a Word document despite his extremely poor drafting skills. The result will definitely please a bureaucrat who is looking forward to digesting complex and incomprehensible text into even longer set of policies, procedures and other paperwork. On the contrary, an IT expert will find it challenging to be used as a manual for actual strengthening the cybersecurity of his employer.

4.                No real control, no real sanctions

Some of the suspect companies "critical" for the Czech cyberspace complained about the lack of information during the discussion at the Czech Parliament. The sponsors of the Law tried to calm them down by stressing that the highest fine for breaching the Law is actually pretty low (approx. EUR 3,600).

The Czech authorities even unofficially promised that the compliance with the Law will actually not be inspected from the very beginning. After all, it is no secret that the cybersecurity budget for 2015 is too small to hire any real experts with ands-on cybersecurity experience. That is why the official admitted that most of the "experts" working for the government would be recruited among IT students or fresh graduates and that these recruits are likely to quit fairly soon due to better salaries offered in private sector.

And the coordination of the Czech cybersecurity will remain problematic even after this initial run-in period because it is chaotic by design. Instead of one leader responsible for everything, we have the government CERT (established by the NSA) and national CERT (private organization contracted by NSA). This could make sense if the NSA (government CET) controlled public entities and the national CERT controlled private parties: but it does not. Instead, NSA interferes to some extent also in the cybersecurity of the private sector, which creates an unnecessary confusion (to say it politely). Borrowing Henry Kissinger's words: "Who do I call if I want to call the Czech Cyberprotector?"

This chaos probably stems from the lack of the framework for public-private partnerships on cybersecurity, which is typical for most EU countries. These two worlds simply do not like to share the sensitive information. No wonder - imagine that you are a corporation investing worldwide millions of dollars in security and the Law forces you to give your most intimate security information to a local private entity having also other activities (national CERT) or to a public body lacking experts and infrastructure to do the job properly (government CERT). 

5.                Conclusion

To summarise, sometimes is better no law than a bad law. If the Czech lawmakers really intended to increase the security of our local cyberspace, they should have done it differently, more efficiently, clearly and transparently. If somebody is to benefit from the current status, it will be advisors: lawyers will be explaining the Law to the executives and to the IT experts who will pretend to understand and to comply with this largely bureaucratic exercise.

The companies, which really wanted to become more cybersecure, did so without waiting for the Law. The invisible hand of the market worked perfectly here because many of the Czech targets of the 2013 cyber-attacks came to understand that it simply does not look good to have their on-line presence shut down for hours or even days.

Stanislav Bednar,

Associate of DLA Piper Prague LLP