Germany is finalising legislation aimed at shoring up the cyber security of suppliers of critical national infrastructure (CNI), according to Klaus Vitt, federal government commissioner for information technology.
The country is also working to ensure digital sovereignty through new IT security legislation and negotiations on IT security regulations and transatlantic trade at a European Union (EU) level.
“No matter how technology develops and what new threats arise, government is expected to safeguard internet security and provision. It shares a responsibility for the internet as an infrastructure,” Vitt told attendees of the ISSE 2015 security conference in Berlin.
“Ensuring IT security is part of providing vital services and making our country a more attractive place to do business in the future. For this reason the federal government works hard to ensure a high level of IT security,” he said.
To make the most out of the digital revolution, the German government has introduced a framework for action in the form of the IT Security Act, which went into effect on 25 July 2015.
“The act represents a milestone in improving the security of IT systems and focuses on critical infrastructures where we cannot afford IT disruptions or failures,” said Vitt.
Under the new law, operators of critical infrastructures in seven sectors must meet minimum standards of IT security and must report significant IT security incidents to the federal office of information security, known as BSI.
“The BSI will then analyse all the information received and then forward it to all critical infrastructure operators. This is intended to help them take steps to protect their infrastructures before they can be attacked in the future,” Vitt said.
To improve IT security on the internet, the new law also contains stricter requirements for providers of telecommunication and telemedia services.
“With the new law, we want to make German IT systems and digital infrastructure the most secure in the world,” said Vitt.
The German IT Security Act calls for co-operation between government authorities and operators of critical infrastructures. It also gives the BSI greater power when it comes to the IT security of the federal administration.
“Federal authorities will now have to meet even tougher standards and report cyber attacks to the BSI,” said Vitt.
The new law will also help the BSI detect malware in federal networks more quickly than before, he said, and give it a greater role in setting minimum standards for the security of federal information technology.
Specific rules for critical national infrastructure
According to Vitt, the federal government is currently drafting specific rules for the critical national infrastructure.
He said the rules for the energy, water, food and ICT sectors are scheduled to be completed by early 2016, while the rules for the transport, health, financial and insurance sectors are due to be completed by the end of 2016. Each sector will then have two years to comply with the new standard and reporting requirements.
Vitt said this is only the first step. “We must expand our efforts to include our digital sovereignty. The IT industry and government are currently discussing how to make information technology not only secure but also trustworthy.
“We will be able to take advantage of the economic and social protection of the digital revolution only if we can trust the security and integrity of our IT systems,” he said.
Trustworthy IT, said Vitt, is essential to digitising the processes and products of government and industry in Germany.
“I know it will not be possible to develop digital sovereignty in all areas of IT and that we will have to focus on core areas and key technologies,” he said.
At the same time, Vitt added, Germany will do everything it can to be able to evaluate the IT products it wants to use.
“The federal government can no longer stand by and watch when highly sensitive IT which is relevant for the security and fundamental rights in Germany is controlled by countries outside the European Union. We must secure core areas of our digital infrastructure,” he said.
With this in mind, he said Germany will closely monitor the sale of German companies specialised in IT security and “step on the brakes” if it is necessary.
“I also expect the global players in the IT industry to co-operate with the German and European IT security industry – for example, we must be able to incorporate domestic IT security components into operating systems and communication systems – not only for critical infrastructure, but also for the new digital infrastructure,” said Vitt.
In the federal administration, for example, he said Germany wants to use encryption systems developed in Germany together with commercially available operating systems.
The EU Network and Information Security directive
Vitt said the federal government is actively involved in the negotiation on the EU Network and Information Security (NIS) directive, which addresses at the European level the IT security issues that Germany’s IT Security Act governs at the national level.
“So our IT Security Act is a blueprint for the German position in the current negotiation in Brussels. Germany is taking a leading role here, and I believe the other member states agree with our position on key items,” he said.
On the ongoing negotiation of the Transatlantic Trade Investment Partnership (TTIP), Vitt said Germany’s federal minister of the interior is working to make sure that the high European standards for IT protection and security are not undermined by products from outside the EU.
“But the intensive public discussion of TTIP shows that the digital framework we want will be effective only if it is flanked by European, and if possible, international measures. This is true for IT security and data protection,” he said.
In May 2015, the European Commission presented its strategy for the single digital market. Vitt said that here again Germany’s federal minister of the interior is working to ensure that IT and cyber security have a central role in this strategy.
“For the single digital market to succeed, Europe-wide measures are needed to protect the availability, integrity and the trustworthiness of IT systems and the digital infrastructure. We also want to make sure that the reform of rules for telecommunication and internet services pays attention to IT security issues,” he said.