Czech cyber agency warns against using services and products that send data to China

NÚKIB, the Czech Republic’s cybersecurity agency, has issued a warning regarding the threat posed by technology systems that transfer data to, or are remotely managed from, China.

The growing use of data-intensive technologies in critical sectors — with NÚKIB citing transportation, energy, healthcare and public administration — means critical infrastructure is increasingly dependent on cloud storage and remote operation.

“In practice, this means that technology solution providers can significantly influence the operation of critical infrastructure and/or access important data, making trust in the reliability of the provider absolutely crucial,” the agency warned on Wednesday.

This poses a particular issue for Chinese products and services, because of malicious activities and hacking campaigns that have been linked to Beijing.

Earlier this year, based on an intelligence assessment by NÚKIB and all three of Prague’s intelligence agencies, the Czech government publicly accused the Chinese government of attempting to hack its Ministry of Foreign Affairs in a campaign that began in at least 2022.

At the time, Jan Lipavsky, the country’s foreign affairs minister, said the attribution was intended to expose China, “which has long been working to undermine our resilience and democracy. Through cyberattacks, information manipulation, and propaganda, it interfered in our society — and we must defend ourselves against that.”

The Czech agency was also among the agencies from more than a dozen allied countries that last week blamed three Chinese technology companies for cyber-espionage campaigns targeting global critical infrastructure.

Lukáš Kintr, NÚKIB’s director, wrote on Wednesday that “the security threat posed by the PRC [People’s Republic of China] to the Czech Republic in this context should not be taken lightly,” adding it was “evidenced by the words of the PRC's Minister of Foreign Affairs, Wang Yi, who publicly stated that the PRC does not wish for Russia to lose the war in Ukraine.”

NÚKIB explained its warning did not amount to a direct ban on the use of any technologies that transfer data or enable remote administration from China, but that regulated entities were required to take the threat into account during their official processes for procurement and security.

It also recommended that the public at large “carefully assess the use of the affected products and technologies, or alternatively, consider what kind of information they put into them or what activities they use them for.”