The Czech Republic's National Cyber and Information Security Agency (NUKIB) is instructing critical infrastructure organizations in the country to avoid using Chinese technology or transferring user data to servers located in China.
The agency warned that these actions constitute a significant cybersecurity threat and should be entirely avoided unless there's a reasonable justification for continuing the practice.
The NUKIB states that it has re-evaluated its risk estimate of significant disruptions caused by China, now assessing it at a "High" level, indicating a high probability of occurrence.
"Current critical infrastructure systems are increasingly dependent on storing and processing data in cloud repositories and on network connectivity enabling remote operation and updates," reads NUKIB's warning.
"In practice, this means that technology solution providers can fundamentally influence the operation of critical infrastructure and/or access important data, making trust in the reliability of the supplier absolutely crucial."
NUKIB noted that it has already confirmed malicious activities of Chinese cyber-actors targeting the Czech Republic, including a recent APT31 campaign targeting the Czech Ministry of Foreign Affairs.
Additionally, the agency emphasizes that the Chinese government has access to data stored by private cloud service providers within the country, ensuring that sensitive data is always within its reach.
Apart from critical infrastructure, NUKIB also warns about consumer devices, such as smartphones, IP cameras, electric cars, large language models, and even medical devices and photovoltaic converters manufactured by Chinese firms.
These are all characterized as risky devices that can transfer potentially sensitive data to Chinese infrastructure.
All entities subject to the Czech Cybersecurity Act, including energy, transport, healthcare, public administration, financial services, and other critical industries, must adopt security measures to mitigate risks.
NUKIB's warning does not impose a ban on transferring data to the PRC or allowing remote administration from it, but critical infrastructure organizations must now include the threat in their risk analysis and decide what measures need to be applied to mitigate it.
The order, with its full text available here, is not legally binding for the general public.
However, NUKIB still recommends that Czech nationals carefully consider the bulletin and evaluate the products they use.
Automated Pentesting Covers Only 1 of 6 Surfaces.
Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.
This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.
Comments
ThomasMann - 6 months ago
And for doing this, they were paid by the friends of Europe in the US ?
Drags - 6 months ago
I am always wondering why only China is being warned against, not the US - also with a proven track record of espionage against their "allies".
Also, who lets any of this infrastructure open to the outside? Why are other tech companies unable to keep up with, for example, Huawai? Especially in the ISP sector.
Wannabetech1 - 6 months ago
Oh oh now they are being "Xenophobic"!! Or are only "certain" people "Xenophobic"?
powerspork - 6 months ago
Cloud provider having access to your data is just part of the model regardless of the host country. China may stoop lower in their moral values compared to some other places, but don't expect your "important data" to be safe anywhere. And certainly don't store it in a country that could reasonably be called your adversary.
I don't know why we need to explain these things to adults.
AutomaticJack - 6 months ago
This ^^^