Main Page

National Cyber and Information Security Agency


Relevant and clear information on the new NIS2 Directive can be found at nis2.nukib.gov.cz/en.

For information on the National Coordination Centre (NCC) in the Czech Republic, visit nkc.nukib.gov.cz/en.

 

Selected News

Joint Statement on E-Commerce Applications

The National Cyber and Information Security Agency (NÚKIB) and the Office for Personal Data Protection have issued a joint statement drawing attention to e-commerce applications (apps) which request non-standard permissions on the user's device and may collect excessive amounts of user data, including personal information.

Currently, there are multiple e-commerce apps available for download in the Czech Republic. These apps generally require permissions of various levels on the user’s device. Some are entirely legitimate while others appear to be completely redundant in terms of the purpose of the app, i.e., the purchase and sale of goods.

The companies behind these apps function within varying legislative environments. Due to this, authorities in third countries may require companies to provide assistance in ways that would be considered non-standard from the perspective of Czech and European legislation (e.g., the company's obligation to cooperate with the intelligence services of a given country).

The following is recommended for users of e-commerce apps:

Users should be cautious when granting permissions to downloaded apps. Some require permissions that may not be necessary for their proper functioning (e.g., access to location, contacts, videos, or other files). It cannot be ruled out that if an app collects data, it may be passed on to third parties for purposes unrelated to the original purpose of the app.

Users should read the app's privacy policy before granting permission (if it is not readily available or it does not exist, it is not a trustworthy online marketplace). Users should focus on:

- whether the purposes for the processing of personal data are adequate and reasonable (i.e., for what specific purposes does the app use customer data),
- the scope of the processing of personal data for each purpose, which should be limited to what is strictly necessary,
- the time period during which users' personal data is stored (it should be limited only to the time strictly necessary – i.e., in the case of order processing, this would mean time necessary to process the order, possibly extended to the time necessary to make a return or refund claim),
- excessive permission requests for personal data processing (i.e., where unnecessary – for example, the collection of data strictly necessary for the processing of an order generally should not require the data subject's consent),
- a description of how the company upholds the user's rights (in particular, with regard to informing the user about data processing, the right to delete personal data, and the right of access to personal data),
- in the case of companies based outside the EU, the name of the company's representative in the EU whom any user may, if necessary, contact for any questions relating to the processing of personal data.

In case of unclear or missing information, we recommend not granting permissions to e-commerce applications.

There are a number of e-commerce apps available in the Czech Republic where there is a real possibility that their main objective is not financial gain but the collection of large amounts of data. NÚKIB has assessed that some of them use non-standard business practices (e.g., gamification of purchases or possible sale of counterfeits). Extremely low prices in selected online marketplaces may appear attractive, but they may carry certain risks, as it can be assumed that the provider obtains real value for its services and products in other ways (e.g., by over-collecting app users' personal data and using it beyond the processing of an order for goods; for example, it may pass this data on to third parties for a fee).

E-commerce apps that carry these risks must not be installed on devices handling sensitive data, such as online banking or government systems. If you nevertheless wish to use an e-commerce app that may hold the aforementioned risks, for example for a one-off purchase, make sure to uninstall it from your device after use if you do not intend to use it further.

 

The National Cyber and Information Security Agency participated in a Workshop on 5G and Telecommunications Infrastructure Security in Kosovo

In July this year, the National Cyber and Information Security Agency (NÚKIB) participated as a partner in a workshop on 5G and telecommunications infrastructure security in Kosovo. The workshop was organized by the Commercial Law Development Program (CLDP) division of the U.S. Department of Commerce in cooperation with the Kosovar telecommunications regulator ARKEP. The workshop addressed key areas related to maintaining a secure and resilient telecommunications network.

Participants focused on identifying and limiting high-risk suppliers, interagency cooperation in eliminating such untrustworthy suppliers, security requirements for mobile network operators, and preventing reliance on them. A representative of NÚKIB contributed his expertise and, together with the US, Croatian, and Albanian experts, discussed with their Kosovar counterparts the proposed legislation, which includes 5G cybersecurity and a supplier risk assessment mechanism.

The aim of such projects is to fulfill the strategic objectives of the current Czech National Cyber Security Strategy related to improving international cooperation, strengthening alliances, sharing experiences, building capacities, and promoting Czech interests abroad. It is an effective way of transferring Czech know-how and gaining valuable knowledge and experience. In the past, NÚKIB has been involved in various projects in Albania, Kosovo, Montenegro, North Macedonia, and Serbia. Examples include a technical workshop organized by NÚKIB for the Ministry of Defence of Bosnia and Herzegovina in 2023, or a table-top cyber exercise for representatives of decision-making institutions, which the Agency co-organized in Albania this year.

Among other things, NÚKIB has long been cooperating with the CLDP division on projects aimed at securing 5G networks and telecommunications infrastructure. These projects include U.S.-hosted events for various foreign partners. In 2022, NÚKIB representatives, for example, participated in workshops for partners in Croatia, and in early 2023 for the governments of Tunisia, South Africa and selected African countries, as well as for the Polish government and other European partners.

NÚKIB Representatives Co-Organized a Cyber Security Exercise in Albania

On 3 April 2024, a cyber exercise was held in Tirana, Albania, which was designed as an interactive, non-technical tabletop exercise aimed at high-level decision-makers, including security and strategic communication experts. The National Cyber and Information Security Agency (NÚKIB) was represented by Irena Adler Pavelková and Miroslava Čavojská from the Exercise Unit, who were directly involved in the preparation of the exercise scenario, its presentation, and moderation of the discussion among the participants. The exercise was organized within the framework of the EU Cybersecurity Capacity Building in the Western Balkans, which the Estonian governmental organization e-Governance Academy led in cooperation with the Dutch non-profit organization CILC.

In collaboration with colleagues from the Albanian National Authority for Electronic Certification and Cyber Security (AKCESK), a scenario was prepared for participants from various government institutions and bank representatives, including the Bank of Albania. The scenario focused on the escalating cyber crisis in the banking sector and highlighted the multidimensional nature of cyber threats. One of the objectives of the simulation was to discuss Albania's new cybersecurity legislation and to focus on cooperation and crisis communication between the institutions involved. The cyber exercise was also attended by the Deputy Prime Minister of Albania, Bellinda Balluku, who expressed her support for the project while emphasizing the importance of cyber security and increasing the resilience of the whole society in cyberspace.

Experts from all over the world discussed security issues at the NÚKIB conference

The impact of artificial intelligence on cybersecurity, the protection of subsea cables from cyber threats and foreign interference, cyber warfare, and the fight against organized cybercriminal groups were the key topics of this year's Prague Cyber Security Conference (PCSC). The event, organized by the National Cyber and Information Security Agency (NÚKIB) in coordination with the Ministry of Foreign Affairs of the Czech Republic, brought foreign guests and government officials from more than sixty countries to Prague, not only from the European Union and NATO but also, for example, from Australia, Israel, South Korea, and Singapore. More than 300 visitors listened with interest to panel discussions at the Congress Centre of the Czech National Bank on 19 and 20 March 2024.

The event was opened with a greeting recorded for the PCSC participants by the President of the Czech Republic, Petr Pavel: "The Prague Cyber Security Conference aims to stimulate debate and bring us closer together in addressing the challenges we face. I believe this discussion will contribute to the future of cybersecurity not only in the Czech Republic but the whole democratic world." President Pavel's speech was followed by a speech by European Commission Vice-President Eva Jourová, who highlighted the threat of malware and said that international cooperation is needed to strengthen cybersecurity. Anne Neuberger from the USA, Deputy National Security Advisor for Cyber and Emerging Technology, also addressed the same topic in her speech, highlighting the International Counter Ransomware Initiative in the context of malware and thanking partners, including the Czech Republic, for being part of it.

The conference's guests were then personally welcomed by the Director of NÚKIB, Lukáš Kintr: "This conference represents more than just a series of discussions; it is a convergence of expertise and ideas focused on bolstering global cybersecurity resilience." In his speech, the Director of the Agency talked about the need to adapt to changes in the cybersecurity landscape: "The dramatically altered global security situation requires us to act now, for yesterday was already late. We must change our approach to dangerous actors and security to meet the new challenges in cyberspace. In light of the ever-evolving challenges, this conference serves as an important platform to discuss and share experiences and knowledge, promote international cooperation, and advocate for innovative solutions."

The discussion program began with a session in which participants recalled the 2019 Prague Proposals on 5G network security, five years since their creation and adoption, a significant milestone in global efforts to ensure the security of next-generation networks. Other panel discussions on both days focused on cyber and information security areas. Thus, the debates were exceptionally responsive to the growing diversity of threats in cyberspace and the emerging opportunities associated with the development of new technologies. For example, the security of subsea cables, which carry almost all internet data worldwide and whose potential damage could significantly affect the functioning of critical infrastructure, was discussed. Artificial intelligence was also a topic, and the Western world is now catching up with its development and looking for ways to address opportunities and risks associated with it. The discussion included the Artificial Intelligence Act, which was adopted by the European Union a few days ago.

One of the items on the agenda was cloud security, which has recently become one of the critical topics of transatlantic cooperation. Speakers on this panel brought different perspectives from both government and industry. There was also a discussion on post-quantum technologies. The security community is keenly aware that with the upcoming breakthrough in quantum computing, current encryption methods used to secure sensitive information will become potentially vulnerable, necessitating the development and transition to quantum-resistant cryptography. Therefore, the debate focused on strategies for post-quantum encryption, challenges related to timing and standardization, and opportunities for international collaboration between governments, research, and industry partners. The last panel focused on one of today's most significant cyber threats: ransomware, which requires a truly comprehensive approach to tackle. Evidence of the seriousness of this threat and the need to counter it includes a joint statement against ransom payments in ransomware attacks. The Czech Republic joined it along with more than 40 other countries in November 2023.

At the end of the conference, Czech Foreign Minister Jan Lipavský said: "Today, as we conclude the Prague Conference on Cyber Security, we see that critical infrastructure security is more urgent than ever. The cyber world is a battlefield where we face many challenges. Collaboration with like-minded partners is key to ensuring we do not lose the technology race. Another is working closely with the private sector. After all, we are all part of this effort to shape the future of a free and democratic world."

Cybersecurity can only be done through international cooperation, and conferences are an excellent opportunity to hold bilateral meetings - this was the same at PCSC. Representatives of NÚKIB used the event to meet with delegations from NATO, South Korea, Taiwan, USA, Australia, Japan, Singapore, Belgium, Croatia and Lithuania. Collaboration with the private sector is also essential in cybersecurity, which is why NÚKIB also held meetings with several private sector representatives during the conference.

This year, the Prague conference was opened to the private sector for the first time. Its role in the context of cybersecurity is becoming increasingly relevant. "Today, we can no longer ignore the importance and potential of cooperation with key players from the private sector. Only a society-wide approach and mutual synergy between the state and selected technology and cybersecurity companies is the only way forward. We need to progressively combine the strengths of the state, the private sector, and academia into one coordinated response to cyber threats nationally and internationally," said Director Lukáš Kintr on the topic of cross-sector collaboration.

Partners at this year's conference included Amazon Web Services, MSD, ICZ, Appsec, CISCO, and Mastercard. "For more than a decade, AWS has worked alongside governments and regulatory bodies across Europe to understand and meet their evolving needs in areas like cybersecurity, data privacy, and digital sovereignty. The multi-stakeholder exchanges at the Prague conference on cybersecurity underscore the vital importance of cooperation between governments, public institutions, and private organizations. Such collaboration drives innovation, and fosters resilience on the continent and globally," said Arnaud David, Director Public Policy EMEA, Digital and AI, at Amazon Web Services.