Officials react to cyber attacks
New measures adopted to combat hackers after week of disruptive assaults
Posted: March 13, 2013
Draft laws allowing the National Security Office (NBÚ) to recommend a state of emergency are being drawn up to help combat an unprecedented wave of cyber attacks that have crippled websites in the Czech Republic.
More than a week after the disruptive online assaults began, local authorities have conceded the country's preparedness for such attacks is "limited," and they are still baffled as to who is behind the mysterious action.
"We are working with stakeholders and trying to gather as much information as possible to help us catch the perpetrators," said Police Presidium spokeswoman Markéta Johnová.
"I can confirm that we are cooperating on the international level," she added, without disclosing details "for tactical reasons."
In the first series of attacks March 4, hackers targeted the online pages of Czech news sites, including Hospodářské noviny (iHned.cz) and Mladá fronta Dnes (iDnes.cz), while the most popular Czech search engine Seznam.cz was attacked the following day. On March 6, online banking in the Czech Republic was disrupted after hackers targeted the websites of some of the country's largest financial institutions.
The websites of the three largest Czech banks - ČSOB, Komerční banka and Česká spořitelna - and Raiffeisenbank were all put out of operation. Banks have insisted no client data was leaked during the DDoS (Distributed Denial of Service) attacks.
Internet sites of the Prague Stock Exchange, the energy exchange, securities exchange and central depository were also rendered inaccessible. One day later, hackers struck again, this time attacking the websites of the T-Mobile and Telefónica mobile operators, with a Telefónica spokesperson saying the attack had come from an IP address in Russia.
Ondřej Filip, director of the CZ.NIC organization that regulates Internet domain names, also says he believes the attacks have come from one direction, probably from somewhere in Russia.
"The attacks we saw in the recent past did not necessarily have to come from computers infected with viruses, owned by the people who did not know anything," he added. "They could have easily come from a single center. They themselves were able to build such a center in a few hours' time," Filip said.
As authorities continue to investigate the source of the attacks, members of the Cyber Security Council, which advises the prime minister, met March 12 to debate possible prevention measures. The meeting was arranged by the National Cyber Security Center (NCKB), which falls under the NBÚ and is expected to be fully operable from 2016.
An NCKB spokesperson told The Prague Post that the source of the attacks has not yet been identified but that most of them came from abroad.
The spokesman added that the response by local authorities to the hacking had been "not bad," but a spokesman for the Police Presidium said the country's readiness was "limited."
In a statement, the Police Presidium said it sees a need to "immediately set up communication links, procedures and responses both in the commercial sector and the public sector."
NBÚ Director Dušan Navrátil says the Cabinet has given his office a "tight" schedule to draft a new law on cyber security and to staff the new National Center for Cyber Security, but he believes the funding is sufficient to do it. Under the proposal, the NBÚ would have the power to recommend to the prime minister that a state of emergency be declared if banks or power utilities come under online attack.
If the Cabinet agreed to a state of emergency, the NBÚ would then be able to force Internet providers to resolve the problem, even if it meant cutting off their customers. At present, only police have that power, but Navrátil denies the new law amounts to "Big Brother" or that the NBÚ will monitor content or shut down the Internet.
Petr Jirásek, chairman of the Cyber Security Working Group of the Czech chapter of the Armed Forces Communications and Electronics Association, says he is looking forward to seeing the new cyber laws.
"If it is a criminal act, we already have appropriate laws to investigate and punish the perpetrators. Our laws are adequate," he told The Prague Post. "What we have to also do is share information, cooperate and educate people from an early age about such acts and potential danger. We must concentrate on prevention."
At present, the punishment for unauthorized access to a computer system depends on the level of the damage inflicted. If it totals up to 5 million Kč, the perpetrator faces three to eight years in prison.
A study drafted by consultancy firm PricewaterhouseCoopers has found the cost to Czech Web servers, banks and telecommunication operators as a result of the recent attacks has not exceeded 10 million Kč. According to the PwC study, the corporate internal costs directly associated with the fight against cyber criminals were lower than 1 million Kč, although companies are about to spend tens of millions to combat hackers.
Andrew Greene can be reached at