Czech professional soldier Karel Řehka has extensive experience in the army in addition to having completed degree programmes alongside allies within NATO. He has participated in several foreign missions and is a recipient of the Arnošt Lustig Prize for courage, bravery, humanity and justice. He is also the current director of the National Office for Cyber and Information Security (NÚKIB).
Could you describe the current state of threats that affect us in cyberspace to help a company or hospital manager familiarise themselves with the issue? Are we not a little paranoid after all? Is it not primarily the business of companies that make a living from it?
It can be said that the more your organisation is digitised, dependent on IT and connected to the outside world, the greater the chance that you will face threats in cyberspace. You may be threatened by a targeted attack. Still, you may also become an accidental victim of a mass campaign that will only run into some of your vulnerabilities and exploit them. In addition, the goals of the attack can be different, from financial gain to intentional damage to your organisation.
Cybersecurity is simply something we need to address. However, what we are still lagging in is the level at which the debate is taking place. This must be addressed primarily by the organisation’s top management. It is a set of technical and non-technical measures, for example, organisational measures. And you really cannot apply it without management intervention. In addition, the debate on cybersecurity needs to be conducted at the strategic level in the context of overall national security. And that is a pretty different discipline.
As for the condition, it is inadequate. The number of attacks is rising worldwide and is growing in the Czech Republic as well. And this trend is likely to worsen. But again, we should not panic. Suppose we invest effort, people, time and money in digitisation. In that case, we must also invest in cybersecurity and look for the right balance.
You will probably agree that developing information security is a never-ending process. What are the most prominent mistakes managers make in implementing it? When and how do you think they should start?
Cyber threats have long affected us. In any case, the best way to get started is to build a cybersecurity system in parallel with building our digital infrastructure and processes in the organisation.
We, as NÚKIB, regulate and control systems that are important for the functioning of the state as well as the safety and health of its inhabitants. Administrators of these systems only need to comply with applicable laws and regulations. Everyone else should do a risk analysis first. You can follow our cybersecurity decree – a document called the Minimum Security Standard, which is available on our website free of charge, and anyone can set the security of their organisation according to it.
The first step is always to get the right people to do the security and give them the necessary resources and powers. It is also important to have plans for crisis situations and to practice them. Last but not least, it is necessary to train the staff, for which NÚKIB offers free e-learning courses.
I consider it the most common mistake when an organisation’s management transfers responsibility for cybersecurity to people in the IT department and thinks its mission is accomplished. Likewise, when an organisation’s management outsources cybersecurity as a service, which may not be a bad thing, it does not mean that the organisation is no longer responsible for it.
There are often objections from the security community that while, for example, the rules for fire safety are enshrined in legislation and apply to everyone, this is not the case in information security. How do you view this request? Would you welcome the introduction of clear rules, for example, in the form of some certification?
In principle, I agree with that. Key systems are already subject to our regulation. However, there are, of course, many times more those that are not regulated. Certifications of products, services or processes are now being prepared at the EU level, which is good. However, it is a long process because, given the nature of cyberspace, it is nonsense for one state to try to establish something like this. There is a need for agreement at the international level, especially in the EU, where we strive for maximum harmonisation of the single market. Of course, NÚKIB is also making preparations for the EU certification system and its implementation in the Czech Republic.
In my view, it is still important to maintain the principle of risk assessment and management. Not everything is equally important, and the measures or standards implemented should correspond to the severity of the risks.
But the truth is that today there is no reason why, for example, every hospital or office should not meet at least the basic cybersecurity standard. NÚKIB strives for this and does so within its legal scope. But here, it is necessary to go far beyond the scope of activity of our office, and it is not an easy process.
One final question. You certainly spend a lot of time online. How do you relax when you are offline?
To tell the truth, I have not had much time left for offline activities just lately, which I take as a personal shortcoming that I have to work on. In my spare time, I try to keep fit, run, read, learn new things and spend time with my family as well as people close to me.
Thank you for the interview.
text: Vít Ruprich, Petr Šubert
photo: NÚKIB archive