CSIRTs and CERTs
1. Cybersecurity
1.1. Cybersecurity
“The prominence of cybersecurity has grown over the last decade and become one of the top priorities in many national policies. This is mainly due to the overlap with other security spheres and also due to incidents that have given this concept notoriety and forced the general public to think about the need for security in cyberspace. Connected to this is the need to protect cyberspace so that the comprehensive security of the Czech Republic is preserved as much as possible, as well as the right of individuals to informational self-determination."[1]
The definition of cybersecurity can be somewhat problematic. For many people, cybersecurity is an area that is essentially dealt with exclusively by information and communication technology departments.
This premise is wrong from the outset because cybersecurity concerns each of us who uses any element of ICT in our daily lives. If we do not realise that we are a key, and in many cases, crucial element of cybersecurity (whether in our private lives or at work), then we are actually increasing the likelihood of successful cyberattacks.
At present, cybersecurity cannot be underestimated or downplayed. It is an area that is crucial for many organisations, but also for individuals, and should therefore be addressed in a long-term and systematic way.
“Organisational management should understand and accept that cybersecurity management falls much more into other areas of security and crisis management. After all, even today's sophisticated attacks are often multidisciplinary and combine the areas of ICT, social engineering, personnel and object security.”[2]
Returning to the concept of cybersecurity itself, it is appropriate to begin with an analysis of the term. The word cyber denotes an interconnection with elements of information and communication technologies and with cyberspace as such.
Security
There are many definitions of security[3], but there is no single, generally accepted one. Most definitions of the term security are given in the literature rather than in the legislation itself.[4]
Mareš defines security as “a state in which threats to a facility (usually a state, or even international organisations) and its interests are limited to the lowest possible level, and this facility is effectively equipped and willing to cooperate in eliminating existing and potential threats."[5]
Požár defines security as “a feature of an object or entity that determines the degree or level of its protection against potential damage and threats.”[6]
This definition was further specified in the Výkladový slovník kybernetické bezpečnosti (Cybersecurity Glossary):
Security
A feature of an element (e.g. an information system) that is protected against losses at a certain level, or also the state of protection (at a certain level) against losses. IT security includes the protection of confidentiality, integrity and availability in the processing, storage, distribution and presentation of information.[7]
It should be noted that security is no longer solely a concern of the state, although the state still plays the primary role in ensuring it. Security is also a process carried out by other entities (legal entities and natural persons), which have recently been compelled to pay more attention to security, or more precisely to securing their activities against attack.
Given this expansion of security’s scope, it is necessary to address, inter alia, the following issues:
- Whose security is it (international organisation, state, organisation, individual, etc.)?
- What values are protected (organisation, people, data, etc.)?
- What are (should be) these values protected against (physical, cyber, combined attacks, etc.)?
- What resources need to be spent to protect these values?[8]
The ideal goal of security would be a state of “absolute security”. That state is a utopia, because it cannot realistically be achieved:[9] there will always be a threat or risk that was not considered when the security concept was designed, or that was deliberately neglected.
The purpose of security, however, is not to cover every real, marginal, or wholly unpredictable and improbable risk under all circumstances. Such an implementation would produce a completely dysfunctional system that would in effect defeat, or even eliminate, the application of security itself.
Example: In everyday life it can happen that you lock yourself out of your apartment. If you have considered this possibility, you probably keep spare keys with family, friends or elsewhere. If you have no spare keys, you will probably call a locksmith or break down the door.
Cybersecurity
As with the concept of security, cybersecurity does not have a single generally accepted definition. Cybersecurity is a subset of security as such.
When defining cybersecurity, it is appropriate to start from already established definitions. Here are some of these definitions:
1. Cybersecurity is a set of measures taken to protect a computer system against unauthorised access or attack.[10]
2. The Oxford Dictionary states that cybersecurity is the state of being protected against the criminal or unauthorised use of electronic data. Cybersecurity must then include the measures that need to be taken to achieve this.[11]
3. According to Jirásek et al., cybersecurity is “a set of legal, organisational, technical and educational tools designed to ensure the protection of cyberspace.”[12]
4. In a relatively similar way, cybersecurity is defined in “Národní strategie kybernetické bezpečnosti České republiky na období let 2015 až 2020.” (The National Cybersecurity Strategy of the Czech Republic for 2015–2020). This strategy states that: “Cybersecurity is a set of organisational, political, legal, technical and educational measures and tools aimed at ensuring a secure, protected and resilient cyberspace in the Czech Republic, both for public and private sector entities and for the general Czech public.”[13]
While these definitions attempt to capture the concept of cybersecurity, each is imprecise in some respect.
The first definition focuses only on the computer or computer system and on its protection against two kinds of cyberattack, whereas the spectrum of both the targets of attacks and, above all, the attacks themselves is far more diverse.[14]
The second definition protects only electronic data, not computer systems as such.
The third definition focuses on the adoption of means for protecting ICT elements in cyberspace. This definition is relatively precise, but its restriction to cyberspace may be misleading, since cybersecurity also applies to ICT elements that are not connected to cyberspace at all, or that form an isolated “off-line cyberspace” of their own.[15]
The last definition is explicitly limited to cyberspace in the Czech Republic, and thus ignores the possibility of protecting the interests of Czech citizens or other entities that are not established in the Czech Republic. We believe that narrowing cybersecurity to cyberspace in the Czech Republic is understandable from the point of view of implementing the Cybersecurity Act, but inappropriate from the point of view of implementing cybersecurity itself.
Another definition of cybersecurity can be found, for example, in the Definition of Cybersecurity – Gaps and overlaps in standardization[16] by ENISA, the European Agency for Cybersecurity[17]: “Cybersecurity refers to the security of cyberspace, where cyberspace refers to a set of links and relationships between objects that are accessible through a general telecommunications network and to a set of objects whose interfaces allow their remote control, remote access to data, or their connection to management actions within cyberspace. Cybersecurity will include the “CIA” paradigm of the triad for relationships and objects within cyberspace, and will be extended to ensure the protection of the privacy of entities (natural persons and legal entities) and the resilience [recovery from an attack].”
Given the difficulty of defining cybersecurity, it is also appropriate to look at the legal rules that govern it.
Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union[18] states in Article 4(2) that "security of network and information systems means the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible through, those network and information systems."
Polish law defines cybersecurity as “the resistance of information systems to activities violating the confidentiality, integrity, availability and authenticity of the data processed or the related services offered by these systems” (Act of 5 July 2018 on the National Cybersecurity System, Journal of Laws of 2018, item 1560).
The above definitions seek, in various ways, to define the range of relationships, interests and entities to which cybersecurity applies. At the same time, they define cyberspace as the environment in which cybersecurity is applied.
Because opinions differ on what is and is not cybersecurity, it is appropriate to offer our own definition, which draws both on the analysis of the definitions above and on our own experience.
Cybersecurity can be defined as:
- a set of legal, organisational, technical and educational instruments aimed at ensuring the protection of computer systems and other elements of ICT, applications, data and users,
- the ability of computer systems and the services they provide to respond to cyber threats or attacks and to their consequences, including planning for the restoration of the functionality of computer systems and related services.
Cybersecurity is implemented both within and outside cyberspace. It is not appropriate to limit the application of the above means and principles geographically in any way (whether to the territory of a given state, to the Union, or to cyberspace itself).
[1] Zpráva o stavu kybernetické bezpečnosti za rok 2017 (Report on the State of Cybersecurity for 2017). [online]. [cit. 29/06/2018]. Available from: https://nukib.cz/download/Zpravy-KB-vCR/Zprava-stavu-KB-2017-fin.pdf
[2] Kybernetická bezpečnost: Co s tím? (Cybersecurity: What to do about it?). [online]. [cit. 29/06/2018]. Available from: http://www.businessinfo.cz/cs/clanky/kyberneticka-bezpecnost-co-s-tim-84467.html
[3] With regard to the interpretation of the term itself, it is necessary to mention the relative imprecision of Czech compared with English, which typically uses two terms for the Czech term “bezpečnost”: security and safety. The term security is used in the sense of active protection or active securing, and the term safety is usually used to express passive safety, the prevention of harm, or a characteristic of the state or properties of a particular object.
[4] See, for example, Constitutional Act No. 110/1998 Sb., on the Security of the Czech Republic; Act No. 240/2000 Sb., on Crisis Management and on Amendments to Certain Acts (Crisis Act); the Cybersecurity Act, etc.
[5] ZEMAN, Petr et al. Česká bezpečnostní terminologie: Výklad základních pojmů (Czech Security Terminology: Explanation of Basic Terms). [online]. [cit. 10/07/2018]. Available from: http://www.defenceandstrategy.eu/filemanager/files/file.php?file=16048, p. 13
[6] POŽÁR, Josef. Informační bezpečnost (Information Security). Plzeň: Aleš Čeněk, 2005, p. 37.
[7] JIRÁSEK, Petr, Luděk NOVÁK and Josef POŽÁR. Výkladový slovník kybernetické bezpečnosti (Cybersecurity Glossary). 3rd updated edition. Prague: AFCEA, 2015, p. 23. [online]. [cit. 10/07/2018]. Available from: https://www.govcert.cz/cs/informacni-servis/akce-a-udalosti/vykladovy-slovnik-kyberneticke-bezpecnosti---druhe-vydani/
[8] For more details, see e.g. MAREŠ, Miroslav. Bezpečnost (Security). [online]. [cit. 10/07/2018]. Available from: https://is.mendelu.cz/eknihovna/opory/zobraz_cast.pl?cast=69511; WAISOVÁ, Šárka. Bezpečnost: vývoj a proměny konceptu (Security: Development and Transformations of the Concept). Plzeň: Aleš Čeněk, s.r.o., 2005. ISBN 80-86898-21-0; FRANK, Libor. Bezpečnostní studia (Security Studies). [online]. [cit. 10/07/2018]. Available from: https://moodle.unob.cz/pluginfile.php/35788/mod_page/content/23/Bezpe%C4%8Dnostn%C3%AD%20studia.pdf
[9] See WAISOVÁ, Šárka. Bezpečnost: vývoj a proměny konceptu (Security: Development and Transformations of the Concept). Plzeň: Aleš Čeněk, 2005. 159 p. ISBN 80-86898-21-0
[10] Cybersecurity. [online]. [cit. 06/07/2018]. Available from: https://www.merriam-webster.com/dictionary/cybersecurity
[11] Cybersecurity. [online]. [cit. 06/07/2018]. Available from: https://en.oxforddictionaries.com/definition/cybersecurity
[12] JIRÁSEK, Petr, Luděk NOVÁK and Josef POŽÁR. Výkladový slovník kybernetické bezpečnosti (Cybersecurity Glossary). 3rd updated edition. Prague: AFCEA, 2015, p. 69. [online]. [cit. 10/07/2018]. Available from: https://www.govcert.cz/cs/informacni-servis/akce-a-udalosti/vykladovy-slovnik-kyberneticke-bezpecnosti---druhe-vydani/
[13] Národní strategie kybernetické bezpečnosti České republiky na období let 2015 až 2020 (National Cybersecurity Strategy of the Czech Republic for 2015–2020). [online]. [cit. 01/07/2018]. Available from: https://www.govcert.cz/download/gov-cert/container-nodeid-998/nskb-150216-final.pdf, p. 5
[14] Applications, user accounts, etc. can also be attacked. Individual attacks are described, for example, in: KOLOUCH, Jan. CyberCrime. Prague: CZ.NIC, 2016, p. 181 et seq.
[15] For more details, see e.g. Příchod hackerů: příběh Stuxnetu (The Arrival of the Hackers: the Story of Stuxnet). [online]. [cit. 01/07/2018]. Available from: https://www.root.cz/clanky/prichod-hackeru-pribeh-stuxnetu/ or FRUHLINGER, Josh. What is Stuxnet, who created it and how does it work? [online]. [cit. 01/07/2018]. Available from: https://www.csoonline.com/article/3218104/malware/what-is-stuxnet-who-created-it-and-how-does-it-work.html
[16] Definition of Cybersecurity - Gaps and overlaps in standardisation. [online]. [cit. 10/12/2017]. Available from: https://www.enisa.europa.eu/publications/definition-of-cybersecurity, p. 30
[17] The European Union Agency for Network and Information Security
[18] Hereinafter referred to as the NIS Directive or NIS. [online]. [cit. 01/07/2018]. Available from: https://eur-lex.europa.eu/legal-content/CS/TXT/HTML/?uri=CELEX:32016L1148&from=EN