The Czech Republic’s National Cyber and Information Security Agency (NUKIB) has issued a significant warning to organizations operating in the country’s critical infrastructure. The agency is instructing these entities to avoid using Chinese technology and, more importantly, to stop transferring user data to servers that are located in China. This directive stems from a re-evaluation of the risk posed by China, which NUKIB now considers to be “High,” indicating a high probability of cyber disruptions. This heightened risk assessment is a direct result of confirmed malicious activities by Chinese cyber-actors targeting the Czech Republic, including a recent campaign that specifically targeted the Ministry of Foreign Affairs.
The NUKIB warning emphasizes that modern critical infrastructure systems are increasingly reliant on cloud repositories and network connectivity for remote operations and updates. This dependency means that technology providers can have a fundamental influence on the operation of these systems and can potentially access critical data. As a result, the agency stresses that trust in the reliability of a technology supplier is “absolutely crucial.” The agency’s assessment also highlights a key concern: the Chinese government’s ability to access data stored by private cloud service providers within the country. This ensures that any sensitive information transferred to these servers is never truly out of the government’s reach.
While the primary focus of the warning is on critical infrastructure—such as organizations in energy, transport, healthcare, public administration, and financial services—NUKIB also extends its caution to consumer devices. The agency notes that devices like smartphones, IP cameras, electric cars, and even medical devices and photovoltaic converters manufactured by Chinese firms pose a risk. These devices, much like the infrastructure technology, have the potential to transfer sensitive data to Chinese servers, which could then be accessed by the government.
It’s important to note that NUKIB’s directive doesn’t function as a legally binding ban on data transfers or remote administration from China for the general public. Instead, it places a new requirement on critical infrastructure organizations: they must now formally include this threat in their risk analysis. This means they are responsible for evaluating the potential risks and deciding on the necessary measures to mitigate them. For the broader public, NUKIB’s advice serves as a strong recommendation to carefully consider the bulletin and be more discerning about the products they use in their daily lives.
This move by NUKIB underscores the growing geopolitical concerns surrounding cybersecurity and the reliance on technology from foreign nations. By assessing the risk as “High,” the Czech Republic is taking a proactive stance to safeguard its national security and protect its most vital systems and data from potential foreign influence and malicious cyber activity. The warning serves as a significant step in formalizing cybersecurity best practices and ensuring that critical organizations are aware of and prepared to counter these evolving threats.
Reference: