The National Cyber and Information Security Agency (NCISA) is the central administrative office for cyber security including the protection of classified information in the field of information and communication systems and cryptographic protection. The position of the director of NCISA has been held by Karel Řehka since March 20, 2020. The military career of General Řehka is closely tied to the Special Forces, where he worked his way up from the Commander of the 6th Special Brigade, through the Commander of the Forward Air Controllers, to the Commander of the 601st Special Forces Group, where he served in 2010-2014. In 2011 he became commander of the Task Force of the ISAF Special Forces in Afghanistan. From November 2014 to July 2017, he held the position of Director at the newly established Special Forces Directorate of the Ministry of Defence of the Czech Republic. In connection with the rich military career and the current position of the director of NCISA, we asked Mr. Řehka a few questions.

1) Mr. Řehka, you served in the army for many years and you reached the rank of Brigadier General. If you look back, what did the army give you and what did it take from you?

The service in the army has given me a lot of experience. When I think about it, it's actually pretty hard to say what in particular, because military service has shaped me during the course of my whole life. When I was 14 years old, I started studying at a military grammar school and since then I have spent most of my time in a military environment. The most important things it has given me are probably personal discipline, the ability to serve an ideal based on inner beliefs, the ability to work hard on the assigned tasks and also on myself, and the ability to lead people. What is also valuable is the experience of living in a close-knit team, friendship and also the knowledge that living in peace, security and prosperity is something that we should not take for granted and that we should highly value. Because that is not the case everywhere. But there was a lot of things. I have travelled and seen a lot, I could study and work abroad, I met interesting and inspiring people, I could always learn something new. That's amazing. The most valuable experience of all was that I could lead great people, serve them, learn from them and be proud of them.

Picture: Battle Group Poland manoeuvres (led by the USA) - Bull Run 2017 training. Karel Řehka greets the then Commander of the Battle Group, with Polish colleagues in the background. | archive of Karel Řehka

And what did the army take from me? I do not think that the army took anything from me. If I missed out on anything or had to sacrifice something, it was not the army's fault, but my own decision. I always had the freedom of choice and those were my decisions. I'm sorry I didn't always give my family what I should have and what they deserved. But that is not the army's fault. How I set my priorities and how I managed to stick to them is my personal decision and responsibility.

2) When you look back at the plans for purchases and modernizations with regard to the Concept of Construction of the ACR, how do you assess the current situation? And how do you think the Allies will react, for example, the White House?

I really do not dare to assess the current situation. I have never been responsible for the modernization of the entire army, and I also have spent the last three years of military service abroad, solving other problems. So I was not involved in revising the old and creating a new construction concept. 

We all know that the modernization of the military has not been the priority for many years, not to the degree that I think it should have been. There was an accumulation of internal debt, technology was lagging behind and, thanks to constant changes in assignments and resources, there was also huge internal instability, which has an impact not only on the machinery, but above all on the most valuable thing - people. I think soldiers realize that the military is not the only problem in the society and may not always be the highest priority. That's the way it was, is and always will be. But one thing is the expenditure and another is its predictability. That is absolutely essential, it is really impossible to build a modern army without it. 

I do not dare to assess the current situation of the army, nor am I in a position to do so. But overall, I'm optimistic. There are, of course, things that may frustrate me, but on the other hand I see a lot of positives. Defence is gradually becoming a serious and important topic to which attention is being paid. I see a serious discussion in public more often, we talk about threats, strategies, allied commitments and the like. The debate is also running at the highest political level, and I think there is enough agreement. I believe that society is really beginning to perceive the importance of defence and security more. That is encouraging for me.

How will the Allies react? The Czech Republic is a sovereign, developed and confident democratic country, and I think the allies perceive us in this way. At least I have such an experience. Our soldiers make a significant contribution to this. If we take defence seriously, are transparent and predictable, we will also have the respect of our allies. Our economy obviously does not have easy times ahead, but the country's leadership has repeatedly declared that defence remains a priority. That is important.

3) 601 SFG, which you commanded in the years 2010-2014, has always been an elite unit, which always had something extra in terms of equipment and armaments. Don't you think that most soldiers are "jealous" of this unit? Do you think that other army units will reach the armaments and equipment they deserve?

Every army needs a high degree of equipment unification, without which it is impossible to wage wars. The result of military operations and war is largely determined by the sustainability of forces and logistics, and this cannot be ensured in combat without unification. 

The truth is that special forces perform specific tasks that often require a different approach to problem solving and material. They are small and that is an advantage as we can afford a lower degree of unification. Our special forces have historically had a relatively good quality of equipment, but to think that they do not face their own problems in material security would be naive. Yes, a soldier from other parts of the army may consider the SFG equipment sexy, but believe me, even the special forces don't have everything they desire and they have to solve their own problems all the time.

Picture: In the years 2010-2014, Karel Řehka commanded the 601 SFG. Pictured during a training parachute jump from a Mi-171 helicopter over Prostějov. | archive of Karel Řehka

I completely understand that if a soldier does not get the basic equipment needed for his work, but sees that it is possible elsewhere, he may be jealous. My personal experience is that when other units worked with us, the Special Forces, be it in problem solution, training, development or operation, and they saw how we work in reality, a relationship of mutual respect was established very quickly. Moreover, our Special Forces have contributed many times to the development of equipment throughout the army, through their own initiative, work and know-how.

I cannot say if most soldiers are jealous of the 601 SFG, but I don't think so today. Will other units get everything they need? I very much wish so and hope so. The Special Forces are close to my heart, I think they are important for the Czech Republic and their importance will surely not decrease in the future. At the same time, however, I know that Special Forces will not win the wars for us. Only the military as a whole can do this, and it is important that all its components work. Moreover, the Special Forces do not live in a bubble, they are a part of the army. I am convinced that a sovereign and confident Czech Republic needs a strong army and that it must be a combined army, albeit with some capacity restrictions, depending on the current security situation. I am also convinced that the command of the army and the leadership of the Ministry of Defence is doing its utmost to ensure that all soldiers have the equipment they need and deserve. 

4) The army is currently ready to take over the command of the mission in Mali. Can the deployments in Mali and Afghanistan, where you have extensive experience, be compared?

I don't know much about Mali, although I had the opportunity to get to know the country briefly when our Special Forces were operating there. I do not know how to answer that question. Comparing operational deployment is not just about the difference in the geographic environment, but you must also compare what the operational task is and who and how is performing it. Moreover, Afghanistan is not a monolith, not even geographically. In Afghanistan, you can work in the city, in the sand of a desert, in the mountains on a rock or in the snow, in the forests, in the dense vegetation by the water, etc. Mali is not the same everywhere either. And the operational tasks also differ. Our military has performed almost everything over the years in Afghanistan, from providing medical assistance and training, through personal protection, air support, airport operations to combat operations. So it depends on what exactly I should compare and I don't have this kind of information.

However, it is almost certain that our units in Mali will not have at hand such a level of Allied combat and logistical support and a robust command and control infrastructure built over the years. And that's a huge difference no matter where and on what task we work. 

Picture: Brigadier General Ing. Karel Řehka | archive of the NCISA

5) You have recently become the Director of the National Cyber and Information Security Agency (NCISA). How did you reach this position? Was it difficult to leave a promising military career?

I reached this position by learning about the selection procedure, applying for it and succeeding. I perceived it as a challenge and an opportunity to participate in something strategically important for the security of the Czech Republic. Cyber security is absolutely essential for the security of the state today, NCISA is a young and successful organization in the development phase, and I wanted to be part of it. 

Of course, NCISA is a slightly different world than the military. On the other hand, I don't see much change in myself. I continue to be swamped with work from morning to evening, I still have to learn new things and I continue to work for the security of my country. So everything is the same. Basically, I just moved to another part of the "battlefield". 

6) What does your normal working day look like? Is it significantly affected by the coronavirus, or does the office work the same in every situation?

I cannot really say, because my work is definitely not monotonous and my working week always looks different, at least in the two months I’ve been at the post. But mostly it's a series of business meetings in different places, with different people and on different topics, meeting people, phone calls, video-conferences, and if I'm home for the night, then coming home in the evening and continuing to work. If possible, I will insert sports training here and there. I also commute between Prague and Brno as needed during the week. 

Of course, the coronavirus affected everyone. I was a member of the Central Crisis Staff, our office had to activate its own crisis staff, we had to address the protection of our employees, minimal presence at workplace, hygiene measures, etc. In addition, cooperation and negotiations with other institutions were somewhat limited. However, the office must continue to function and fulfil its legal obligations regardless of the situation. On the contrary, due to the deteriorating situation in cyber security, we had to temporarily strengthen some of our capacities. Moreover, NCISA is not only about cyber security, but all tasks must be solved. 

7) What role does the so-called hybrid warfare currently play on the world battlefield? Are the information battles using disinformation tools (websites, etc.) a stronger weapon than the usual, conventional ones?

Each potential adversary seeks out the weaknesses of the opposing party and tries to influence them using all available and suitable tools in order to achieve their goal. That's the way it was, is and always will be. Only the environments differ. We have entered the information age, we live in an information society, information and knowledge are becoming the most important assets. Information technology allows us to do things we couldn't have even imagined a few years ago. At the same time, however, we are becoming dependent on them and therefore creating new vulnerabilities. This is true throughout society in all its activities, including warfare, because warfare is, after all, a social matter. The truth is that in our geographical area today, information activities, especially in cyberspace, and other non-military tools in warfare are gaining in importance. But to say that these are the only important tools and that the conventional ones are no longer needed would be nonsense and a gamble. It always depends on the environment and the situation that changes over time. Something may be more important now, but in ten years it may be different. But in those ten years, you will not build an operational army without an existing foundation. So yes, we need to immediately build capabilities against hybrid threats, but that doesn't mean we don't need conventional military forces.

8) Can it be said that even in peacetime we are still at war, but in a different sense?

That always depends on how you define war. If I were to define modern war myself, I would say it is "mutual rivalry, where each side of the conflict tries to assert its own interests by enforcing its own will and one of the means it uses is violence" and according to that yes, we are at war. But if we use some other existing definitions, such as those based on the level of violence and the number of victims, then no, we are not at war. I am a little cautious in this area, because in the past I have been accused of intimidation, I have had my statements taken out of context, some people even took their time and went to ask the Ministry of Defence about me and so on. But I have always emphasized that it depends on the context and how you define war. So let's say the answer to whether we are at peace or at war can be ambiguous. However, the fact that some parties are hostile to us is clear. Cyberspace is a shining example.

9) Recently, cyber attacks have been carried out on a number of Czech hospitals. What is the main motivation of the attackers? Is it a financial interest, that is, let's say a ransom, or the already mentioned means of an invisible war, which aim to undermine the sovereignty of the state, institutions and organizations?

Today's world is constantly under some cyber attacks, it is a daily reality. We can imagine some attacks as traps set in space, waiting for someone to get caught in them. Other attacks are carefully tailored to a single entity, field, or area. Part of the attacks may be carried out by less professional individuals, other by highly organized and specialized groups. And the motivation of the attackers in all these cases can vary, from the intention to enrich themselves financially, through various forms of protest or competitive struggle, to sophisticated espionage actions. But to this specific situation I must add that NCISA never commented on the possible perpetrators of attacks on our medical facilities during the coronavirus crisis or their motivation. None of the theories discussed in the press have their origin in NCISA.

Picture: Brigadier General Ing. Karel Řehka | archive of the NCISA

10) Is there any reliable defence of computer networks, taking into account how many people in the given institutions have access to the system and may even unknowingly endanger it? 

Yes, there is. The right way is to comply with the set standards in both technical and process areas. In other words, everything should be set up to adequately protect what is valuable. You will differently protect a cabin in the woods and differently a ministry, bank or research institution. This means that you need to clearly state which assets are to be protected. And according to that, you plan and implement protection and defence. And it's not just about technical means, i.e. hardware, software or network solutions, but also about the choice of suitable configurations, process and control settings or the selection of quality people.

It should be added that cyber security is not a final, static state. It is always a continuous process that responds as quickly as possible to any external and internal changes. And I must also add that even a perfectly prepared subject can become a victim of an attack. In such a case, however, the attack will be detected in time and its consequences will be minimized by appropriately set procedures.

11) Can you tell us how many attacks our country is exposed to every day? At least approximately?

There are statistics that are only estimates because they only talk about the attacks that have been detected. Nowadays it is said that there are several billions of attacks targeting users across the Internet every day. How much of this is the attacks within the Czech Republic is difficult to estimate, and the numbers given are therefore not very telling. It can also be assumed that NCISA will learn about only a fraction of the total number. Our attention is focused on systems important for national security and the functioning of the state.

12) Are there mechanisms in place to reliably detect attackers and get justice?

There are mechanisms available that significantly increase the chances of success. In this area, what is necessary is close coordination and cooperation of experts from various institutions and fields - technicians, analysts, investigators, active defenders, lawyers and other specialized areas. This also means high demands on the necessary technical means. So it's not a simple matter. I think that in the Czech Republic, everyone involved pays a lot of attention to it and gives a lot of effort, but due to the very nature of cyberspace, it can sometimes be difficult to track down the attacker. A number of capabilities are continuously being built and further developed. I will mention the most recent approval of the amendment to the Military Intelligence Act, which will enable the use of the long-sought detection and offensive capabilities of our state. Without them, our cyber security system will never be complete. Personally, I firmly hope that the amendment will be approved. This would be a significant step towards safer cyberspace for the Czech Republic.

13) Can a cyber attack on a hospital, power plant, infrastructure elements, etc. be called terrorism? If so, what is the adequate response to such a terrorist attack?

That depends on the situation. For example, a terrorist attack in the Czech Republic is legally defined by the Criminal Code and it depends on whether the attack fulfils the factual basis. However, this cannot be generalized, many cyber attacks have a different nature and purpose, such as enrichment, espionage, activism, efforts to discredit or influence public opinion, etc. The reaction may differ. If a criminal offence has been committed, criminal proceedings are instituted in accordance with the applicable laws. For example, if it is a hostile attack by another state, the response may depend on a political decision. It always depends on the specific situation.

14) The cybersecurity of the Galileo navigation system also falls under the responsibility of NCISA. Does the Office therefore ensure this security in general for the entire system or only for the services that the Czech Republic "draws from"?

NCISA performs the function of the so-called Competent PRS Authority, as required by Decision 1104/2011/EU of the European Parliament and of the Council, and performs tasks related to the organization and management of authorized users' access to the publicly regulated service provided by the Galileo system. It is therefore a broader and in a way unique horizontal service, which includes ensuring the operation of the monitoring centre for the operational use of PRS, protection of PRS information, definition of security rules for the operation of the Galileo system and supervision of their observance. 

NCISA employees also represent the Czech Republic in the Council for Security Accreditation of European Global Navigation Satellite Systems, established at the European GNSS Agency (GSA) in Prague, where it plays an important role in the management function of this body.

15) What bodies in the Czech Republic take care of cybersecurity? Does the Police, the Czech Armed Forces, etc. have their own security department, which all come under NCISA?

Cybersecurity basically affects every one of us, but of course there is a big difference between that and the protection of the individual, institution or company and entities whose activities are indispensable for the state. In the Czech Republic, there are certain selected entities from the public and private spheres, the proper operation of which is necessary for the functioning of our society. They are obliged to comply with the parameters of the Cyber Security Act, i.e. the previously mentioned standards in the field of cyber security. These include the existence of their own cybersecurity organizational elements. And the role of NCISA is, among other things, to coordinate the activities of these entities.

So both the army and other security forces have such units, and security teams can also be found in other institutions and private companies.

16) Does NCISA's competence include the possibility not only to warn, notify of and monitor possible cyber attacks, but also to directly order certain institutions to take certain measures?

Yes, NCISA has not only a coordinating and preventive role, but also an executive and control role. It is the central administrative body for cyber security, for the protection of classified information in the field of information and communication systems and cryptographic protection, and acts as the Competent Authority for the publicly regulated service of the European Navigation Satellite System. Executive roles include, for example, issuing various reactive measures or issuing warnings, but always in accordance with the applicable laws of the Czech Republic.