Czech Agency Warns of Chinese Tech Risks in Critical Infrastructure

Summary
– The Czech Republic’s cybersecurity agency (NUKIB) advises critical infrastructure organizations to avoid using Chinese technology and transferring user data to Chinese servers due to significant cybersecurity threats.
– NUKIB has reassessed the risk of disruptions caused by China as “High,” citing increased dependency on cloud storage and remote operations in critical systems.
– The agency has confirmed malicious activities by Chinese cyber-actors targeting the Czech Republic, including an APT31 campaign against the Ministry of Foreign Affairs.
– NUKIB warns that the Chinese government can access data stored by private cloud providers in China, making sensitive data vulnerable to exposure.
– The warning extends to consumer devices like smartphones and medical equipment from Chinese firms, which may transfer sensitive data to Chinese infrastructure.

The Czech Republic’s National Cyber and Information Security Agency (NUKIB) has issued a strong advisory urging operators of critical infrastructure to steer clear of Chinese technology and refrain from sending user data to servers based in China. This guidance stems from a heightened risk assessment that now classifies potential disruptions linked to China as posing a high probability of occurrence, elevating concerns over national security and data integrity.
According to the agency, modern critical systems rely heavily on cloud storage and remote network operations, making the trustworthiness of technology suppliers absolutely essential. NUKIB emphasized that providers of these solutions hold substantial influence over infrastructure functionality and data accessibility, underscoring the need for rigorous vendor evaluation.
The warning follows confirmed instances of malicious cyber activity by Chinese actors targeting Czech institutions, including a recent campaign aimed at the Ministry of Foreign Affairs. NUKIB also highlighted that under Chinese law, the government maintains access to data held by private cloud providers within its borders, which keeps sensitive information stored there within the state's reach.
Beyond traditional infrastructure, the advisory extends to consumer products such as smartphones, IP cameras, electric vehicles, and even medical devices originating from Chinese manufacturers. These items are flagged as potential conduits for transferring sensitive data to Chinese infrastructure, broadening the scope of cybersecurity vigilance.
Entities governed by the Czech Cybersecurity Act, spanning energy, transportation, healthcare, public administration, and financial sectors, are now required to incorporate these threats into their risk analyses and implement appropriate mitigation strategies. While the directive does not impose an outright ban, it mandates that organizations justify any continued use of such technologies and adopt protective measures.
Although the bulletin is not legally binding for the general public, NUKIB encourages all Czech citizens to review its recommendations and thoughtfully assess the technology products they use in both personal and professional contexts.
(Source: Bleeping Computer)