The cheapest option wins. This simplified description reflects the current selection process for suppliers of cameras and security systems for Czech strategic infrastructure. As a result, cameras made in China are currently overseeing security at selected power plants, hospitals, government offices, cities, public transport vehicles, and even schools. However, this is about to change.
The National Cyber and Information Security Agency (NÚKIB) is preparing a law aimed at helping the state identify untrustworthy security system suppliers and reduce the use of their products in strategic institutions. Organizers of public tenders will be notified if participants in the competition include entities subject to international sanctions. This will also apply to brands like Hikvision and Dahua, which are widely used in the Czech Republic.
One of the reasons for this is the experience with the Chinese approach, where companies gain various advantages from the state in exchange for providing valuable information to the Chinese government, even if it violates international law. Compliance with strict GDPR regulations by these technology manufacturers is highly questionable. Often, neither the customer (the future owner and data controller) nor the supplier fully understands GDPR issues, and as a result, these concerns are not addressed at all.
What does SCANLOCK CZ, a distributor of security technologies in the Czech market focused primarily on European technologies with high added value, think about the new law? The company welcomes the law. However, it would propose an even stricter approach—ensuring that legislative changes prevent camera systems from untrustworthy sources from being installed at state-interest sites, as well as in critical infrastructure and the energy sector.
For public-serving entities, such as schools, offices, and municipalities, the option should be available to evaluate whether the nature of their sensitive data is crucial enough. They could then decide for themselves whether to apply the same approach to public tenders that the state will enforce in critical infrastructure under the new law.
According to SCANLOCK, it is worth considering whether suppliers of products from China and Russia should participate in subsidy programs. A large portion of the funds from these subsidies flows into countries where manufacturers of these products are supported by state subsidies with the aim of gaining specific markets. Such companies not only have a price advantage over competitors from other countries; there is also always a risk of sensitive data leaks. Such leaks can occur due to the use of outdated software or through the application of special protocols that allow companies to deliberately manipulate data and use it for their own purposes. Sometimes, it takes little effort to find out from a tender which institution uses which technologies, where they are deployed, and to what extent.
SCANLOCK highlights that in public tenders, the needs and interests of the end user should be considered more than just the price. Most tenders are issued based on the technical specifications of specific cameras, such as their sensitivity, resolution, or sensor size, but they fail to specify what the entire system should accomplish in terms of functional properties for the specific object or customer. They also do not differentiate which individual technologies are suitable for the intended use.
As a result, the state resembles a customer looking to buy a new car, knowing exactly what fuel consumption it should have, what parking system it needs, and what tread pattern the tires should have, but without defining what features the car should have and for what purpose it will be used. It’s unclear whether the car will be used for commuting to work or for transporting sand.
A gradual and slow change is already happening. Public tenders can now be seen on the market that evaluate the quality of the requested solution in a sophisticated way (with a weighting criterion of 60%) in relation to the price (40%). Additionally, there are tenders that, in accordance with EU Council Regulation No. 833/2014, exclude from participation any entities owned by a legal person, entity, or body based in the Russian Federation, or that are more than 50% publicly owned or controlled by the Russian government. These restrictions apply not only to suppliers but also to subcontractors.
SCANLOCK hopes that the National Cyber and Information Security Agency will draft the law in a way that protects the security of our state, with a strong emphasis on safeguarding the legislative, executive, and judicial branches of power. They also believe that this law will be applied to critical infrastructure and will support technologies developed with the goal of maintaining security, rather than serving any ideology or specific state for its benefit, whether that be financial or information-security related.
If these technologies do not serve to protect health, property, intellectual property, or state security, they negate their primary purpose.
A model for policymakers could be the federal law of the United States known as the National Defense Authorization Act, or NDAA for short. We will address this issue in more detail at a later time.
Additional sources of information: iROZHLAS.cz; Bloomberg.com
Compiled by: Ing. Ondřej Linduška (Scanlock CZ, spol. s r.o.)