Prague will host the international competition European Cyber Security Challenge in September. We talked with Jaroslav Strouhal, Deputy Minister of the Interior for the Management of the Information and Communication Technologies Section, about the digitalisation of the state administration and the security of the Czech Republic.

The digitalisation of state administration is a big topic that concerns us all. How far are we modernising the state apparatus, what has been implemented and what is still ahead of us? Not only about this, but we also talked with Mr Jaroslav Strouhal, Deputy Minister of the Interior for the Management of the Information and Communication Technologies Section. We also talked about the upcoming international cybersecurity talent competition, the European Cyber Security Challenge.

In the past, you have stated that the Czech Republic is no longer lagging behind the rest of Europe in the digitalisation process and that there has been a significant increase in demand for digital services during the pandemic. Is this also the case in the public administration?

Czech eGovernment has come a long way in the last ten years – it has built the fundamental pillars of digitalisation – basic registers, the Data Mailbox Information System and the network of public administration contact points (CzechPOINT). At the same time, a law on the right to digital services was passed, which, among other things, requires public administration not to ask users for data that the state already has. This law came into force on 2 February 2021. The (very robust and secure) infrastructure for digital public administration is therefore essentially complete, and the legislative changes have ensured a smoother course for further digitalisation. The so-called banking identity was also launched on 1 January 2021, thanks to which almost five million citizens have already established an electronic identity to communicate with the state. Indeed, we have seen a surge in the use of eGovernment tools during the covid-19 pandemic. When we talk about eGovernment tools (digitalisation), I refer primarily to the Citizen Portal (the transactional part of the Public Administration Portal), the Data Mailbox Information System and electronic identity.

During the pandemic, new digital services for self-service were added to the Citizen Portal, e.g. the possibility of online establishment of a data mailbox for natural persons and natural persons engaged in business, as well as the possibility of setting up automatic archiving of data messages, the possibility of obtaining an online extract from the Criminal Register without the need to be a data mailbox holder (with the option of selecting automatic translation of the extract into all official EU languages) or the extension of the Citizen Portal with the new functionality of the “service forms” (this is an extension of the offer of forms which serves as a signpost to the submissions and forms placed on the portals of the cooperating authorities, by Law No. 12/2020 Coll., on the right to digital services). One of the most important new services is access to patient records (the so-called patient summary), which is available for download to the Citizen Portal by selected healthcare institutions.

At the same time, new login options have been added – identification means provided by private and state providers, namely the STARCOS smart card from I.CA, mojeID from CZ.NIC, the improved mobile application Mobile Key of eGovernment from the Ministry of the Interior of the Czech Republic or providers from banking institutions. Furthermore, the Citizen Portal continuously expanded access to newly connected portals of central administrative authorities, private entities, regions or municipalities.

At the same time, the new Gov.cz mobile application was made available to the public on iOS and Android platforms, which offers a range of digital services (for the time being, however, it operates in a validation test run). In addition, the design system of the Ministry of the Interior was used for the smart quarantine platform and the covid.gov.cz website. These new services and functionalities, together with the restriction of movement and contact during the pandemic, have resulted in increased demand and an increase in users of all eGovernment tools.

Data mailboxes have facilitated communication for authorities, companies and citizens for almost 12 years. In that time, the total number of boxes set up has increased from the original 380,000 to the current 1.3 million, and the monthly number of data messages sent has grown from 1.5 million in 2009 to the current 11-12 million. In the gradual development of the data mailbox system, when the number of boxes, users and sent messages gradually increased, the emergency caused by the pandemic of covid-19 entered. It was at this time when it was recommended to limit personal contacts with people as much as possible and to use the possibilities of electronic communication instead of sending letters and personal visits to post offices, offices and other institutions, that the advantages and possibilities of using data mailboxes became visible.

The fact that this plan has taken hold is demonstrated by the statistics from March this year when a record number of data messages were sent in one month, more than 12 million.

At the pandemic, data mailboxes began to be used for situations that previously could not be resolved except by personal contact. An example of this would be kindergarten applications, which could be sent through data mailboxes. In the first year of primary school, enrollment was carried out in the same way, i.e. without the child and the parents being present.

Based on a resolution of the Government of the Czech Republic, users were allowed to send so-called Postal Data Messages (PDZ) free of charge during periods of emergency. Postal data messages enable mutual communication between companies, tradespeople and citizens via a data box. After the end of the state of emergency, these messages are charged again. Still, as of April 2021, Postal Data Messages have been substantially reduced to five crowns, including VAT per message, which contributes to the fact that more and more companies and citizens are using this method of communication.
How important a role does digitalisation play in the government’s current plans? And how are they being implemented?

Digitalisation plays a crucial role in current government plans, which the covid-19 pandemic has amplified. A set of tools had to be developed very quickly to enable citizens to do business from the comfort of their homes. I am thinking of the ever-expanding services on the Citizen Portal and national systems for vaccination registrations and other mobile applications. Government tasks and their implementation are monitored within the Digital Czech Republic programme, which creates a legislative framework for the digital transformation of the Czech Republic in accordance with European law. Thanks to the programme, individual authorities are implementing digital transformation projects, e.g. electronic applications for a driving licence, etc.

What would you say are your most significant achievements in the digitalisation process so far?

Personally, I am most proud of integrating the systems into the Citizen Portal, which is a kind of signpost to public administration services (launched in July 2018). We have recently experienced a steep increase in users (more than doubling since the beginning of 2021). We attribute this not only to the overall rise in popularity of online communication during the covid-19 pandemic but also to the expansion of the range of services on offer. One of the newest services, and a much-used one, is the electronic application for a driving license, which we launched in partnership with the Ministry of Transport of the Czech Republic.

The state currently offers approximately 230 services accessible online from the Citizen Portal. In general, the highest demand is for the services of the Portal of the Social Security Agency, the Financial Administration, the Labour Office or eReception, but also for statements from the Criminal Register, from the driver’s point account, the trade register or the establishment of a data box provided free of charge directly from the Citizen Portal.

Currently, a citizen can, for example, from home:

• Apply for treatment benefits for self-employed workers in connection with the Covid-19 pandemic or submit a wage reimbursement application to the Antivirus Programme for Businesses,
• file a tax return,
• obtain an insurance deposit statement for self-employed workers,
• receive an annual report from a health insurance company,
• apply for a voter ID card,
• obtain a certificate from the Social Security Agency regarding sickness and pension insurance and incapacity for work,
• receive confirmation from the cadastral office about the entry or changes in the land register,
• obtain information on the imminent expiry of MOT service inspection, ID card or travel document (passport).

In general, the Right to Digital Services Law, which came into force on 1 February 2021, is a significant positive change. I am also proud, of course, of the Data Mailbox Information System, which has been in operation for 12 years and has saved the state around CZK 30 billion in postal costs in that time. In total, 1,311,690 data mailboxes have been set up during the existence of ISDS, of which about 318,000 DS FO and about 242,000 DS PFO have been set upon request.

A total of 883,156,110 data messages were sent.

Along with the digitalisation of government, the need for innovation and investment in cybersecurity goes hand in hand. Where are we now in this respect, and how long do you think we still have to go? What do you see as the most significant challenges along the way?

I fully agree with the statement that along with the digitalisation of the civil service, we also need to innovate and invest in cybersecurity. However, at the moment, I have to say that the area of cybersecurity funding in the state administration is significantly undersized. This fact is also pointed out by the National Cyber Security and Information Security Agency (NÚKIB) in its annual reports on the state of cybersecurity. However, insufficient funding for cybersecurity can cause major problems, as demonstrated by the ransomware attacks in the Czech healthcare sector in 2020. Today, we can no longer do without information and communication technologies, but their security is often lacking, with a lack of funding being one of the main reasons. Without sufficient innovation and investment in cybersecurity, we will not be able to face and keep up with new tools and sophisticated attacks by attackers.

At the end of September and the beginning of October, we will host the European Cyber Security Challenge, and the most excellent experts in the field of cybersecurity will head to Prague. Naturally, hosting such an event brings prestige in itself, but what else do you hope to gain from the event?

The European Cyber Security Challenge (ECSC) is a major international event developing trans-national cooperation, held under the European Union Agency for Cyber Security (ENISA). It aims to promote cybersecurity talent across Europe and harness its potential in government organisations, the corporate sector, and science and research. ENISA has been organising the ECSC since 2014, with each European Union country taking turns in the honorary role of host. As mentioned, 2021 belongs to the Czech Republic, and this time too, young talents from all over Europe will come together to have fun and compete in cybersecurity.

The development of modern technologies is a big topic in the Czech Republic and the European Union, which supports both the digitalisation of public services and the development of the corporate sector. The European digital agenda is thus linked to a number of areas in which the EU is investing and creating uniform rules for. Specifically, these are areas such as telecommunications, artificial intelligence, cross-border data sharing, online privacy and data protection, and in all these areas, cybersecurity is a cross-sectional issue.

On behalf of the Ministry of the Interior of the Czech Republic, I can state that the Czech Republic participates in EU projects for the digitalisation of public services with projects set out in the Digital Czech Republic strategy, specifically in the Czech Republic in a Digital Europe pillar. And I think we can all agree that these projects cannot be tackled without experts. From this point of view, competitions such as the ECSC are of considerable importance for the Czech Republic. What the Czech Republic expects from the ECSC can be simply summarised in the following points:

• Identify young talent in the field of cybersecurity,
• increase interest in cybersecurity,
• increase knowledge and skills in the field of cybersecurity,
• increase interest in cybersecurity careers and connect participants with employers,
• create a network of young cybersecurity professionals.

With the increasing digitalisation of the Czech government and modern technologies such as IOT, AI or the transition to 5G networks, the need for IT security experts is constantly growing, and there is never enough of them. In order to alleviate this shortage of experts, many countries have launched national cybersecurity competitions aimed at students, university graduates or even non-ICT professionals with the explicit aim of finding new and young cyber talent and encouraging young people to pursue a career in cybersecurity. With the ECSC project, ENISA has added a pan-European layer to these efforts, as cyber threats know no national borders either.

We agree that developing young talent is important in this sector. How big a problem is the lack of cybersecurity professionals, especially in the state administration, for the Czech Republic and the government’s plans? And is there any way to address this situation?

According to experts, there is a significant shortage of cybersecurity experts in the Czech Republic, and there is a noticeable shortage, especially in the state administration, from where the private sector is pulling over experienced experts. However, the shortage of experts is now beginning to manifest itself in companies as well. The lack of cybersecurity staff is a problem that the public administration cannot ignore in the long term. For this reason, some measures are proposed within the Ministry (see the conclusion of this response), and training is undoubtedly one of them to reduce current and future cyber threats in the area of cybersecurity.

In the context of ever-expanding cybersecurity legislation, both nationally and at the EU level, and the increasing number of cyber attacks, the demand for security professionals is already significant. It will continue to rise over the next three to five years. Thousands of experts are in short supply, and, given the continued growth of cyber threats, the global cybersecurity workforce would need to grow by tens of per cent per year for organisations to effectively defend their critical ICT assets. Part of the problem is that cybersecurity professionals need continuous and long-term training or they lose the ability to keep up with hackers, and the current shortage of security professionals in the job market is leading some to resign from training for time reasons, which is worrying and could act as a time bomb for the future.

While the question of addressing the shortage of cybersecurity professionals is a simple one, the answer is highly complex, and there is no quick fix to trying to attract new people into the field. In my view, there are essentially two solutions, a long term one and a short term one. The long-term solution is to:

• seek out cybersecurity talent already in schools and connecting them with public administration or key industry organisations,
• design a funding strategy, e.g. a model in which costs are shared between key actors such as government, private sector and educational institutions, which could ensure greater financial stability over time for both cybersecurity projects and cybersecurity professionals,
• increase the dissemination of information on the Cybersecurity Higher Education Database, an interactive database of cybersecurity degrees in EEA countries and Switzerland, developed under the auspices of ENISA. This database enables young talent to make informed decisions about the different opportunities that higher education in cybersecurity offers and helps universities to attract high-quality students motivated to keep Europe safe in cybersecurity,
• promote as much as possible national and EU level exercises of a similar nature to the ECSC (see the previous question) that foster cybersecurity talent across Europe and harness their potential in government organisations, the corporate sector as well as in science and research.

In the short term, there are far fewer options, as the demand for cybersecurity experts far outstrips the supply. The following rules are set within the Ministry:

• in the context of individual projects (information systems), cybersecurity is included in the solution from the outset so that it is not necessary to “graft” security onto the final solutions,
• missing experts are replaced by services, i.e. instead of in-house staff, very good cooperation is established with the National Agency for Communication and Information Technologies, s.p. (NAKIT), which is one of the service organisations of the Ministry of Interior that has professionals with the appropriate skills,
• Stabilisation of existing employees is ensured by means of “bonus programmes”, e.g. completion of special courses in the field of cybersecurity, cooperation with foreign experts from EU countries, as well as experts from Israel and the USA, and last but not least, above-standard financial remuneration for top employees.