Germany is stepping up its efforts to improve data and information security in the country and within the EU, drafting a revised German IT Security Act to clamp down on foreign surveillance activities by ‘securing core areas of its digital infrastructure’. It hopes the act will also provide a blueprint for EU regulation.
“We are currently drafting an ordinance with specific rules for the infrastructures vital to our society,” Klaus Vitt, the newly appointed chief information officer of the Federal Government and State Secretary at the Federal Government Commission for Information Technology, told delegates at ISSE in Berlin last night.
Vitt's appointment to the new role earlier this year reflects the intention of the Federal Minister of the Interior to make cyber-security a ‘high priority’, along with the revision of its legal framework to improve the security of IT services in the country. The initial framework for action is the country's IT Security Act, which went into effect on 25 July 2015.
Vitt explained that the regulations require authorities to meet tougher standards and report cyber-attacks to BSI (the Federal Office for Information Security). The new law is intended to help detect malware inside networks more quickly than before by sharing information on attacks, and will give the Federal Commission for Information Technology a greater role in setting minimum standards.
He added: “The rules for four of the seven sectors covered by the act – energy, water, food and ICT – are to be finished by spring next year. The remaining sectors – transport, health, finance and insurance – will be finished by the end of next year.
“Each sector will have two years to comply with the new standards and reporting requirements, so by the end of 2018 we will have implemented all these acts throughout Germany.”
Vitt then went on to explain some of the ramifications and future direction of the legislation, telling delegates: “But this is only a first step. We must expand our efforts to include our digital sovereignty.
“Regarding digital sovereignty – the IT industry and government are currently discussing how to make information technology not only secure, but also trustworthy.
“We will only be able to take advantage of the economic and social potential of the digital revolution if we can trust the security and integrity of our IT systems. Trustworthy IT is central to digitising the processes and products of government and industry in Germany. I know it will not be possible to develop digital sovereignty in all areas of IT. We'll have to focus on core areas and key technologies.”
This will include doing everything possible to evaluate the IT products that the country wants to see used. “The Federal government can no longer stand by and watch when highly sensitive IT, which is relevant for security and fundamental rights in Germany, is controlled by countries outside the European Union. We must secure core areas of our digital infrastructure. I am therefore in favour of expanding, as far as the European Law allows, the ability to (intervene) in foreign investments via the foreign trade act. With this in mind, we will closely monitor the sale of German companies specialised in IT security, and step on the brakes if it is necessary.”
Vitt also told his audience of security specialists that he expects the global players in the IT industry to cooperate with the German and European IT industry, saying: “For example, we must be able to incorporate domestic IT security components into operating systems and communication components, not only for critical infrastructure, but also for the new digital infrastructure. In the Federal Administration, for example, we want to use encryption systems developed in Germany with commercially available operating systems. And collaborations such as the Deutsche Cyber Security Organisation, a competence centre and service provider for German industry, are important for increasing our expertise in technological systems and reducing our dependency on foreign companies.”
He went on to explain how Germany would like to see the EU take a similar stance, saying: “But this will not be enough and others will look beyond our home borders. The Federal Government is actively involved in new negotiations on the EU Network and Information Security Directive. This directive addresses the issue of IT security at the European level, which our IT Security Act governs at the national level.
“So our IT Security Act is a blueprint for the German position in the current negotiations in Brussels. Germany is taking a leading role here, and I believe the other member states also agree with our positions on key items. On TTIP (the Transatlantic Trade and Investment Partnership – an EU/US treaty whose terms are currently under negotiation), the Federal Minister of the Interior is working to make sure that the high European standards for data protection and IT security are not undermined by products from outside of the EU.”
There were large anti-TTIP demonstrations in Germany last month, and Vitt suggested that the intensive public discussion of TTIP shows that the digital framework sought by Germany will be effective only if it is planned through European and, if possible, international measures, forming the EU's digital strategy for the single market.
However, the strategy only mentioned IT and cyber-security in passing, so, Vitt explained, the Federal Minister of the Interior is working to ensure that IT and cyber-security have a central role in it. “For the digital single market to succeed, Europe-wide measures are needed to protect the availability, the integrity and trustworthiness of IT systems in the digital infrastructure. We also want to make sure that reform of rules for telecommunication and internet services pays sufficient attention to IT security issues,” added Vitt, concluding that the Federal Government will present more at the National IT Summit next week.
SCMagazineUK.com asked Vitt whether these moves were protectionist. Vitt told SC: “It's not really protectionist. With regard to encryption, we would like to have the elements in our own hands as an addition to commercial operating systems. There are discussions on the No-Spy clause, and there are a lot of US companies that have a problem signing the No-Spy clause in contracts. So we have to think about what we can do in the future. We would like to protect our information and our data so that we can get an interface to encrypt our information with our keys, with our technology. That's not protectionist, it's very open cooperation.”
When asked by SC what was the perceived threat that led to these moves, and whether the move to domestic controlled encryption was simply to give German authorities backdoors to access its citizens' data, Vitt replied: “No, we are not looking for backdoors.
“The cyber-areas will become more and more professional in the future and we have to ensure that our systems and applications are secure enough, and there are no backdoors in the system components. We cannot close all these backdoors, but we can encrypt information, so that we can (try to) protect every German installation from cyber attack.”
One Bavarian delegate told SC he felt that Vitt was overstating the need for ‘separate’ IT security development, while a UK delegate said he would like the UK to take the same approach.
Vitt earlier explained that 58 percent of German companies are aware that they have been attacked by cyber-criminals in the last year, and in 50 percent of cases the attack was successful. Looking at 248 institutions that were victims, 180 cases involved malware, 220 included social engineering, and in 54 percent of cases improper staff behaviour was a factor, while in 36 percent of cases there had been a failure to install patches.