New German law to protect critical infrastructure, but has privacy caveats

News by Doug Drinkwater

The Bundesrat of Germany – the country's Federal Council – has passed new legislation to make its critical infrastructure more robust in the face of increasingly sophisticated cyber-attacks.

The new IT security law, passed last week, will affect more than 2,000 essential service providers across transportation, health, water, utilities, telecoms, financial services and insurance, forcing businesses operating in these sectors to implement more robust information security standards.

According to Russia Today, the new IT security law will push for firms and federal agencies to certify for cyber-security standards and obtain BSI clearance, whilst they will be expected to alert government bodies of suspected attacks against their systems.

Companies will be given a two-year timeline to adhere to these measures. Should they fail to do so, they will face fines up to €100,000.

Certain sectors will have additional obligations, with telecommunications providers required to warn customers when their connection has been abused. More controversially, they will also be required to store traffic data for up to six months for investigatory purposes. This is only slightly shorter than the retention period proposed in the UK's Draft Data Communications Bill – or ‘Snooper's Charter’, as privacy advocates have named it.

The new law will also see BSI expand to the centre of IT security, where its main role will be to evaluate reports of cyber-attacks on the critical infrastructure. The Federal Intelligence Service (BND) will meanwhile be allowed access to foreign data linking to malware signatures and traces.

In addition, the Federal Office for the Protection of the Constitution (BfV) will lend assistance to the BSI with assessing the potential impact of cyber-attacks on the accessibility of the critical infrastructure facilities, while the Office of Criminal Investigation (BKA) will be responsible for investigating cyber-crimes like data spying, intercepting or manipulating.

The planned measures were described by interior minister Thomas de Maizière as an “important step”, as IT security is “a central component of the public and internal security”. De Maizière's comments were first reported by Der Spiegel.

Despite these changes, opposition parties have urged the German government to improve its own IT security before compelling private firms to do so.

Last month, it was revealed that the German Parliament had been hit by a prolonged cyber-attack, possibly involving two Trojans and two different threat actors. At one point, it was claimed this was spread by the computer of German Chancellor Angela Merkel although that has since been disputed.

Merkel's iPhone was spied on by the NSA, as documented by Edward Snowden's leaks, with recent reports suggesting the American spy agency may have surveilled several German chancellors over the years.
