Milestones Related to the Development of Organizational Aspects of Cybersecurity and Protection against Cyber-Threats in the Czech Republic

Although the Czech Republic belongs to the most “internetised” countries in the world, its information and communication security policy (as well as the protection of the critical information infrastructure) lagged behind for a relatively long time, when compared to most of the remaining European countries. Building the hierarchy regarding the umbrella teams of the Cybernetic Emergency Response Teams (CERT) and Computer Security Incident Response Teams (CSIRT) type (regardless of whether we call them governmental, national or otherwise) was unthinkable without the contribution of the private sector that substituted many functions of the state in this field. The whole process can be understood as an interaction of international and national pressures appealing to the solution of the situation.

that they cannot handle themselves. In case of a cyber-attack from abroad, communication between top CERT/CSIRT teams in individual countries of the world is often faster and more efficient than police cooperation channels (and is also usable in communicating with countries with no existing mutual police cooperation channels).

CERT/CIRT Teams in the World and in Europe
The situation with regard to the existence of CERT/CSIRT teams in Europe is as follows: • "At least some" CERT/CSIRT teams exist in each European Union member state, as well as in many other European countries. • Some teams or institutions of such nature run the non-governmental (academic) subjects (sometimes with some state support). Iceland can serve as an example. [19] • In many countries, CERT/CSIRT teams provide some form of service for the widest public (awareness, education, alerts etc.). Germany, the German Federal Office for Information Security can serve as an example. [4] [5] • In a number of countries, there is a number of CERT/CSIRT platforms serving only individual private customers (firms, internet service providers, universities). • In some countries, CERT/CSIRT teams serve mostly governmental and military structures (e.g. Turkey). • In some countries, such structures do not exist at all.
It should be also emphasized that a particular platform will become a CERT/CSIRT team only at the moment when other existing CERT/CSIRT teams will accept it and establish channels of basic mutual cooperation.
The way of the status of a CERT/CSIRT team, however, must not be complicated, if the following key information is clearly and truthfully declared: • Who is the founder and operator of the team? • Basic contact information (e-mail for immediate communication, phone number, postal address, etc.). • Scope (scope of responsibility) of the team. • Overview of the offered services.
To get an idea about the "density" of the CIRT/CSERT teams in Europe, the most suitable are the overviews (maps) created by the European Union Agency for Network and Information Security (in 2007, the only platform for the Czech Republic mentioned was CESNET-CERTS). [7] One of the key prerequisites for the functionality of national CERT/CSIRT teams is its high-quality and efficient links to foreign counterparts, which is typically formalized through "accreditation" in key transnational structures: • The world-wide association Forum of Incident Response and Security Teams (FIRST, interconnecting about 300 teams). [15] [33] • Organizational and certification site for the Task Force on Computer Security Incident Response Teams (TF-CSIRT) Europe, associated with Trans-European Research and Education Networking Association (TERENA). [53] • The European Union Agency for Information Technology (ENISA), which focuses on information security from the point of view of manufacturers and operators. [21] During the accreditation, the "identity, credibility and functionality" of a particular CERT/ CSIRT team is verified. This means, in practice, that the individual team has to document its own work, including all relevant information, as well as to guarantee generally accepted patterns of behaviour and response. Preparation for such a process usually takes several years, the process itself several months (structured usually to three tiers): • recognition (acceptance) of the entity ("listed" status); • accreditation; • certification (according to relevant ISO standards).
Through becoming a member of these organizations, the CERT/CSIRT teams will get the way for important and useful information, exchange and cooperation. The forum of Incident Response and Security Teams organizes a five-day conference once a year, TF-CSIRT meetings are held three times a year. The meetings are always hosted by one of the European teams. In January 2008, for example, this meeting was held in Prague, in the Czech Republic. [24] It is also necessary to emphasize that the national environment in each country is so specific that no foreign model can be copied for the purposes of another country.
A "Tough Way" to Determine the "Umbrella Hierarchy" of CERT/CSIRT Teams in the Czech Republic

"Prehistoric Times"
The Czech Republic certainly does not belong to the countries that would be understood as pathfinders for a CERT/CSIRT team in Europe. This only illustrates the little emphasis connected to information security issues in the Czech Republic in the recent past. [29] [55] Although the Czech Republic has been connected to the Internet since 1993 or 1994, for a long time it was impossible to talk about a comprehensive security policy in this area.
The topic of establishing a team (hierarchy of teams) of the CERT/CSIRT-type in the Czech Republic was one of the "chronic" aspects of the efforts related to the information security agenda in the Czech Republic for more than 10 years.
The need to create a CERT/CSIRT team in the Czech Republic was mentioned already in the document called Crime Reduction Policy in Relation to Information Technologies adopted by the Ministry of the Interior of the Czech Republic in 2001. 2  the fact that responsibility for information infrastructure in the Czech Republic has long been the subject of competence struggle (mostly "negative competence struggle", when no institution was willing to take the responsibility for the respective agenda).
Between the years 2003 and 2007, the Czech Republic had the Ministry of Informatics of the Czech Republic that was more or less responsible for the cybersecurity agenda. After the dissolution of this Ministry, the agenda was not completely transmitted to another institution, and it caused a period of disputes that had an impact on the situation in the respective area for many years.
In addition, the Ministry of Informatics of the Czech Republic entrusted itself with important tasks specified in a document called Action Plan Implementing the National Security Information Security Strategy of the Czech Republic. 3 [52]

Pilot Teams and its Competitors
In 2006 and 2007, the process of building the National CERT/CSIRT team continued through the Consortium, which won the tender of the Security Research Project of the Ministry of the Interior of the Czech Republic for the period 2007-2010 (project called Cyber Threats in the Security Interests of the Czech Republic). 4 [48] The consortium also included the "academic" CESNET-CERTS team, the first domestic CERT/CSIRT team with relevant practical experience, already connected to the relevant transnational platforms. The process of building a coordinating model workplace-team of CERT/CSIRT-type (CSIRT.CZ) within the academic network CESNET started in the mid-2007. Its pilot operation was launched on 3 rd April 2008. The team has been continuously organizing methodical education (with the participation of a number of private entities, representatives of the Security Information Service, the Police of the Czech Republic and the National Security Authority). During its existence, CSIRT.CZ has gained a reputation at home and abroad, but its formal international accreditation was blocked due to the uncertainty about its future after the end of the project.
A certain blind alley in this regard was the parallel activity of the private firm Relsie, which concluded in a Memorandum of Understanding with the Ministry of the Interior of the Czech Republic in February 2007 (describing the vision to build a CERT/CSIRT facility, called CERT.ORG). But this company was, in fact, an unknown player for foreign partners, so it cannot reach its goals. [46] For foreign counterparts, the situation in the Czech Republic became even more unclear. Two competing "CERT/CSIRT" teams were confusing for them. In September 2008, the security team of NIC.CZ 5 (CZ.NIC-CSIRT) was created. The effectiveness of this team has been so far the most advanced of all teams of this type in the Czech Republic. A number of incidents was vigorously resolved, not only "archived" through this team.
Despite all partial shifts, political consensus on practical steps towards building a national CERT/CSIRT-type team had not been achieved since 2007 until the beginning of 2010. At a later stage, the responsibilities (and costs) associated with this step were refused by the Ministry of the Interior of the Czech Republic, the Ministry of Defense of the Czech Republic as well as the National Security Authority of the Czech Republic. It is no wonder that these delays caused embarrassment not only in the domestic expert community. [14] [32]

Overcoming the Competence Vacuum
The situation (at least for some time) started to clarify after the introduction of the "caretaker government" in the Czech Republic (June 2009 to July 2010), especially due the Resolution of the National Security Council of 5 th January 2010 No. 4, On the Analysis of the Current Level of Cyber Security of the Czech Republic. This document imposed the main competences and responsibilities for the next steps regarding the cybersecurity agenda unambiguously on the Ministry of the Interior of the Czech Republic. [50] Following the aforementioned Resolution of the National Security Council, a new Cyber Security Department was established within the Ministry of the Interior of the Czech Republic at the beginning of 2010. [35] [44] [47] One of its first registrable activities was the participation at the session of the CSIRT.CZ Working Group on 25 th March 2010 (interconnecting representatives of major internet service providers, content providers, state security forces, Czech Telecommunication Office, CZ.NIC, NIX.CZ 6 and the academic sector). [26] [47] But no tangible steps were then taken by the state (the Ministry of the Interior of the Czech Republic), and the initiative was taken over by the private sector, especially by the administrator of the Czech national domain, CZ.NIC. At its own expenses and responsibility, it created a CERT/CSIRT-type team that used the company's background and served the widest public. [34] This situation continued until 16 th December 2010, when a Memorandum on Computer Security Incident Response Team of the Czech Republic was signed between the Ministry of the Interior of the Czech Republic and the CZ.NIC, 5 CZ.NIC is an association of legal persons founded in 1998 by the leading Internet service providers in the Czech Republic. The main activity of the association is the operation of the domain name register .cz. At present, the association is improving the domain management system, supporting new technologies beneficial to the Internet infrastructure in the Czech Republic. CZ.NIC is a member of international organizations that associate with similar organizations around the world (CENTR, ccNSO and others) and also a member of EURid, a European .eu domain. [43] 6 NIX.CZ (Neutral Internet Exchange) is a platform that interconnects Internet Service Providers in the Czech Republic to interconnect their Internet networks. This association is formed by telecommunication companies operating in the Czech Republic because they have a common interest in ensuring that their computer networks are mutually interconnected and their customers can quickly communicate via the Internet within the Czech Republic. Members of the platform contribute together to the technologies that can improve the exchange efficiency and securely. [41] (17) 3 (2018) according to which the CZ.NIC temporarily (from the 1 st of January 2011) took the agenda of the national security team CSIRT.CZ. [10] The Memorandum also stated that the Ministry of the Interior of the Czech Republic addressed the status of CERT/CSIRT teams within the state administration and sought to support the inclusion of CSIRT.CZ in international structures, in particular by confirming the status of CSIRT.CZ as a "National CSIRT Team". Furthermore, it coordinates the activities of CSIRT.CZ, evaluates information received from CSIRT.CZ in case CSIRT.CZ suspects that the incident could have an impact on the state or state administration systems. The Ministry of the Interior of the Czech Republic also had the right to request an audit of the performance of CSIRT.CZ activities. [34] As it was already stated above, CSIRT.CZ was a research project carried out by CESNET that ended on 31 st December 2010. As of 1 st January 2011, under the agreement of the Cyber Security Department of the Ministry of the Interior of the Czech Republic, the CESNET and CZ.NIC, took the responsibility for the relevant equipment to be able to maintain the continuity of CSIRT.CZ. [34] CSIRT.CZ, perceived as a "national CSIRT team" since its creation, became in 2010 a co-worker of the European Union Agency for Information Technology (Point of Contact for the Czech Republic). [54]

Transfer of the Agenda to the National Security Authority of the Czech Republic
The "coordination role" of the Ministry of the Interior of the Czech Republic did not last long. On the basis of the Resolution of the Government of 19 th October 2011 No. 781, on the Umbrella "National Authority" Responsible for the Area of Information Security Regarding the Public Sector of the Czech Republic, the relevant competence was transferred to the National Security Authority of the Czech Republic. The new administrator was already, whether alone or in co-operation with other stakeholders, very active in many relevant areas. [22] The Government approved of the establishment of the National Cyber Security Center as a part of the National Security Authority of the Czech Republic. [30] At the same time, the Government of the Czech Republic set up the Cyber Security Council as a part of the National Security Council and the National Cyber Security Center as a part of the National Security Authority of the Czech Republic. At the same time, the Government imposed a number of specific tasks on the National Security Authority of the Czech Republic. The relevant Cyber Security Strategy for the years 2012 to 2015 was already elaborated also under the coordination of the National Security Authority of the Czech Republic. [49] [36] [37] [38] [49] [58] In January 2012, CSIRT.CZ reviewed the period of one year of its operation with the following conclusion: The CSIRT.CZ team officially represented the Czech Republic in the world (in the relevant international forums and is also the first contact point for foreign counterparts). In July 2011 it organized the pilot training seminar The World of Internet and Domains, intended for employees of the state administration and members of the security forces, especially the Police of the Czech Republic. The team was cooperating with the Internet Service Providers in the Czech Republic. Special attention was paid to the practical issues that should help (especially) the police investigators to orient themselves in the issue of basic forms of cybercrime and to learn to address directly the specific subjects that can support their work. Participants of the pilot course were also the intelligence operations specialists, judges etc. In 2011, CSIRT.CZ was invited to the Law Enforcement Authorities Expert Working Group of the European Union Agency for Information Technology. The work of this expert group resulted in a document, mapping the experience raised from the interconnection of law enforcement and cybersecurity experts, and suggesting a set of recommendations. [6] [12] [20] This cooperation did not end in 2012. Due to the fact that the National Security Authority of the Czech Republic was not able to launch its Gov-CERT, that was already "under construction" in the former premises of the Ministry of Defense in Brno), the decision was (17) 3 (2018) made to sign another Memorandum, moving this "turning point" until 2015. Until then, the national cyberspace will be dominated by the CZ.NIC. [9] [57] "The current solution to cyberspace protection is unsatisfactory. CSIRT.CZ of the CZ. NIC is good and professional, but this fact cannot substitute the absence of the Gov-CERT team, which must be a part of the security system and the protection of cyberspace … The members of the national CSIRT […] has no powers or responsibilities that are key to handling security threats. CSIRT has only a consultative role […] Four half-time CZ.NIC specialists are responsible for the security of the Czech cyberspace, but they do not have any competencies as well as the right to handle classified information […] With time, they can be supported and even replaced by the employees of the Gov-CERT in Brno, but without any support in the legislation, it still will be a group of experts with no power to enforce their will." [27]

Proposal of the Modified Institutional Framework
The proposal, with one of the first drafts of the Act on Cyber Security (February 2012), included the framework for the provision of information security functions in the Czech Republic. It was envisaged to create two umbrella CERT/CSIRT teams in the Czech Republic.
1. The "National" CERT will be built on the fundament of the CZ.NIC (CSIRT.CZ), with the use of the experience of the model workplace-team operated by CESNET (CSIRT. CZ), according to the research project of the Ministry of the Interior of the Czech Republic. The "National" CERT will establish or deepen existing links with and among similar teams within the Network Monitoring Cluster and, in the first phase, perhaps, also regarding the public sector. CSIRT.CZ will be involved in resolving cyber-security incidents in networks operated in the Czech Republic. CSIRT.CZ will also provide co-ordination assistance, but not physical support, to resolve individual incidents (but this assistance will not be provided directly to end users). CSIRT.CZ will collect and evaluate data on reported incidents and report respective incidents to those responsible for operating the individual network(s) that is (are) the source(s) of the incident, in accordance with the severity of the incident. CSIRT.CZ will fulfil the role of so-called National Point of Contact (PoC), as well as the center of education and dissemination of cyber security related education. It will also assist to establish the CERT/CSIRT teams in networks operated in the Czech Republic, including help regarding the establishing of co-operation connections with foreign/global security platforms. [34] 2. At the same time (or later) the construction of the "Government" CERT team (GovCERT.CZ) would be launched. This team would be primarily designed to monitor government networks and (public) critical information infrastructure, or to coordinate and methodologically run other sub-centers of this type that operate or will operate within specific public institutions. 7 7 The National Cyber Security Center will pursue efforts to protect networks primarily within public institutions, such as ministries, energy companies, hospitals or the Czech National Bank. The National Center for Cyber Security (in its embryonic condition) is directly subordinated to the Director of the Office.
In connection with the construction of this workplace-team, it will be especially necessary 8 to interconnect both platforms, as well as ensure their connection to the "military" team of a similar type (CIRC.CZ). Both teams are to be understood first and foremost as partners who "lighten each other's burden". However, GovCERT would have a veto right in a number of questions, but at the same time it does not possess such technical and human resources (it is reportedly a problem to fill the relevant positions in public institutions), such as the National CERT that was built mainly on the basis of CZ.NIC.
The whole process is planned to go from "more limited" to "more ambitious" goals. The relevant experts saw this proposal as a shift in the positive direction (compared with many years of inactivity in the past). 9 The limits related to the involved bodies (important and not-important public administration information systems, and "selected" service providers and network operators) were not entirely clear. This vision has been widely commented by the domestic expert community as somewhat unusual: "In the world of information security, there are certain common terms (see, for example, outputs of the European Union Agency for Information Technology) […] according to which the 'National CERT or CSIRT' is a body, which stands on the top of the whole hierarchy in a particular country, and coordinates the other CERTs/CSIRTs. It is also the primary contact point for communication with CERTs/CSIRTs in other countries, and is also the country's principal representative in cyber-security related international organizations. In addition to 'national' CERTs or CSIRTs, there are still 'governmental' CERT/CSIRT teams that take care of those systems that are serving to the public administration bodies (state and local government) […] Typically, they have somewhat 8 Due to the fact that there are several platforms in the Czech Republic already bearing the name CERT or CSIRT, it was decided that this "governmental" concept would differentiate (as in other countries) by the prefix "Gov" (derived from the word "government" or "governmental"). In addition, this term indicates the "superiority" of such a platform over the other CERTs (CSIRTs) existing within the state. 9 At the same time, it is said that this concept could be improved and reshaped according to developments in countries that are more developed in the field of information security (for example, Germany). [3] [5] (17) 3 (2018) different powers (and modes of operation) than the national teams.
[…] In the Czech Republic, in the proposal of the Cyber Security Act, what is usually 'governmental', on the contrary, refers to 'national' (and what is usually 'national' is referred to as 'central') […] in such a way that the authors of the proposal do not use the 'settled' terminology.
[…] Let's note one more thing: the 'National Supervisory Workplace' ('governmental' CERT) will be 'plugged in' inside another workplace called National Cyber Security Center (the only contact point for foreign partners). And this National Cyber Security Center is also 'plugged in' the National Security Authority of the Czech Republic as its organizational component." [45] This begs for a rhetorical question: Will our foreign counterparts understand such an unconventional structure, if a serious incident occurs?
The management of the CSIRT.CZ and NIC.CZ were aware of this situation and tried to "calm down" similar negative or hesitating comments: "Teams designated as governmental and national have a very specific role in the CERT/CSIRT security infrastructure. Teams referred to as government are usually intended to oversee the networks of state administration, self-government and so-called critical infrastructure of the country. National teams usually fulfil the role of the National Point of Contact, sharing information with other teams abroad, and with the entities and organizations of their country […] A similar model is currently being used in the Czech Republic: The National CSIRT of the Czech Republic, fulfils the role of the governmental team, at least temporarily, according to the Memorandum signed in 2012." [6] Gradual Stabilization, the Way to the National Cyber and Information Security Agency (Years 2012 to 2017) On  National Cyber and Information Security Agency with its 120 employees took over the agenda of the National Security Authority of the Czech Republic that previously fell under the responsibility of the National Cyber Security Center that had been operating since 2011. The National Cyber and Information Security Agency's headquarter in Brno is in offices that previously served the National Cyber Security Center.
The situation in the Czech Republic grew closer to what is considered a standard in advanced European countries.
Main areas of the activity of the National Cyber and Information Security Agency are as follows: [39] • operating of the Government CERT (GovCERT.CZ); • cooperation with other domestic CERT/CSIRT teams; • cooperation with international CERT/CSIRT teams; • drafting of security standards for information system regarding critical information infrastructure and "Important Information Systems" (defined by law); • support of education in the field of cyber security; • research and development in the area of cyber security; • protection of classified information in the field of information and communication systems and cryptographic protection.
The National Cyber and Information Security Agency operates the National Public Regulated Service Center (NCPRS), which fulfils the task of the so-called Competent Public Regulated Service Authority; it is one of the services provided by the European satellite system Galileo.
A new building in the barrack premises in Brno is planned to be built that will serve almost 400 staff members. The new office should be opened in 2023.

Conclusion
The Czech Republic is a relatively highly "internetised" country, where projects such as Data Boxes (state-guaranteed e-mail like communication system) and CzechPoint (offices for dissemination of state-guaranteed data and confirmed documents) are strongly promoted. But the security aspect of the whole issue remained for a long time behind the "edge of interest", and the whole country was in this regard understood by its foreign counterparts as an "untrusted partner".
Public sector institutions within the Czech Republic, for a long time, have only been looking after their own "cyberspace-sections" and the nationwide structure remained rather in the hands of active private sector players.
Only after 2011 the country invested more in a coordinated way of protecting its information infrastructure. Resolute political (governmental) decision in this regard.
Only formal and rhetorical "fulfilment" of necessary tasks and demands of the transnational and foreign counterparts.
Efforts realistically meet individual requirements, being aware of their importance.
Non-standard terminology, problematic for both home and foreign/transnational counterparts. Use of standard terminology as much as possible.
"Waiting tactics" regarding the relevant private actors.
Sincere public-private cooperation, with clearly defined rules. When co-operation with private players started, its results were bodies without formal competencies.
Delegating unambiguously specified competencies to renowned and trusted private players. Rigidity in relation to the possible employment of top-level (and adequately paid) experts in the state administration.
Accepting the need to remunerate top experts adequately.
Total underestimation and under-dimensioning of the topic.
Accepting the theme of cyber security as today's major priority, the failure of which would lead to serious and quantifiable negative effects regarding the state and society.

Instead of Conclusion: Recommendations Related to the Issue of Cybersecurity
As part of the "umbrella" cybersecurity institutions in the Czech Republic, it is necessary to address specific aspects of collection and distribution of information about threats from/to participating centers, as well as creation of a register of incidents, threats and vulnerabilities accessible by relevant entities to enhance the active protection of the cyberspace of the Czech Republic. [17] [18] [28] It is also necessary to clarify the relevant communication and competence flows set within the Czech Republic as well as regarding the communication abroad. [56] In addition to building a hierarchy at the national level, a clear hierarchy of responsibility for information security within the Police of the Czech Republic should be built. The qualified interconnection of the professional and strong team with sufficient equipment and staff cannot be perceived only in terms of the structure of the Police, but it is necessary to point out the existing need for co-operation with other bodies of state administration and commercial sphere.
Outside the Police of the Czech Republic, it is necessary to establish the links of the direct cooperation with the intelligence services, the critical infrastructure elements and the IT security specialist in the private sphere.
In all concerned public institutions, unambiguous contact points should be created regarding the topic of information security (which should remain stable regardless any personnel and organisational turbulence). Stakeholders from each institution need to exchange relevant experience on a regular basis (or even daily), or even create a joint "knowledge fund".