Germany’s draft security law has been a work in progress for about two years. Delayed by wrangling within the country’s ruling coalition, one of the main bones of contention has been how to politically determine that a vendor is trustworthy. While the draft law does not purport to be targeting any one company, it is hard not to see a connection to Huawei, the global telecommunication networks behemoth. The United States, Britain, France, and several other countries have already explicitly or implicitly banned Huawei. So the draft IT security law will certainly determine whether Huawei can continue to operate in Germany and in what way. For Germany, it’s a dilemma between strengthening relations with the world’s rapidly rising superpower China or adopting a more hawkish approach towards Beijing. But the China/Huawei question is not all there is to Germany’s draft IT security law.
Background
In March 2019, Germany’s interior ministry proposed a new cybersecurity bill dubbed IT Security Act 2.0. Germany was keen on taking a leading cybersecurity role in Europe. The draft law was a follow-up to the country’s comprehensive IT security law passed in 2015. It was amended in 2017 to conform with an EU directive on securing information and network systems.
The draft IT Security Act 2.0 acknowledges that attacks are growing in quality, sophistication, and impact. Cyberattacks, cybercrimes, and cyber espionage continue to pose a threat to individuals, society, businesses, and the state.
Overarching objective
The IT Security Act 2.0 has multiple objectives. It aims to protect Germany’s position as a leader in IT security. The draft law seeks to close loopholes in existing IT security laws as well as expand the scope of the current regulatory framework. It amends a number of existing laws, including primary statutes governing cybersecurity, telecommunications providers, web hosting providers, e-commerce, online media, and the country’s criminal code.
Key aspects of the draft law
There are five main elements of the draft IT security law.
1. Consumer protection
The draft law is geared toward a more holistic approach to cybersecurity. In this regard, it appends digital consumer protection as an additional responsibility for the Federal Office for Information Security (BSI). It also introduces an IT security label that is intended to give digital consumers greater transparency over the security-relevant characteristics of IT products.
2. Extending BSI mandate
The draft law equips the BSI with additional competencies to be the conformity assessing body on all matters of IT security. It also extends the BSI’s investigation and warning authority. These extended authorities include the following:
- Screening, technical investigation, and safety evaluation of IT products in the market, such as smart TVs and routers.
- Authority to request inventory data from telecoms service providers. This is to help identify the targets or victims of cyberattacks while offering effective defensive support against the attacks.
- Detecting and evaluating IT infrastructure security risks as well as cyber-infection attempts. This would be achieved by, for instance, establishing active honeypots or performing port scans.
- Authority to develop appropriate crisis response plans while involving the relevant stakeholders.
- Analyzing and collecting data on malware, vulnerabilities, and other cybersecurity risks.
- Extended data evaluation and processing of pseudonymized data from telecommunication infrastructure of Germany’s federal authorities. Such log information may be stored for no more than 18 months. Nevertheless, access to any data older than three months should only be permitted and possible if there are signs of an attack.
- Expanded controlling and monitoring of the German federal authorities’ communication technology and components to identify any risks early. The BSI also has the authority to assess the interfaces of any third parties that interact with the federal authorities’ communication technology.
3. New categories, additional sectors, and redefined core components
The draft law extends the list of critical infrastructure market sectors (KRITIS) by including waste management to the existing ones of energy, transportation, financial services, health care, food, and IT/telecommunications. It also now explicitly encompasses the IT products used in both the operation of critical infrastructure as well as the processing and storage of infrastructure data.
The bill expands the Federal Office for Information Security Act (BSIG) into two new entities — special public interest infrastructures and cyber-critical operators.
Special public interest infrastructures
Special public interest infrastructure covers companies in the defense, media, and cultural sectors and companies with considerable economic significance.
Cyber-critical operators
Cyber-critical operators are those businesses that do not have significant importance on their own and thus cannot be categorized as special public interest infrastructure. However, they are deemed cyber-critical because a disruption in their systems and processes would cause the impairment or failure of critical infrastructure. That is thanks to their interconnection with critical infrastructure.
4. Additional responsibilities on providers, manufacturers, and KRITIS operators
Entities classified as special public interest infrastructure will be required to comply with the same technical, organization, and reporting responsibilities of KRITIS operators. The BSI will also have the power to impose these requirements on cyber-critical companies on a case-by-case basis.
For instance, KRITIS operators are obliged to install technical controls that can detect attacks on their IT systems. They also have to register with the BSI and appoint a contact point for ease of communication. Manufacturers of IT products and KRITIS core components must report any known malfunctions to the BSI as soon as possible.
Declaration of trustworthiness
Manufacturers of KRITIS core components also have to make a ‘declaration of trustworthiness’ that covers their entire supply chain. KRITIS operators will be limited to purchase from such manufacturers only. This declaration is the German Federal Government’s attempt at shifting security assessment from a technical viewpoint to a geostrategic level. The minimum requirements for this will be established by the interior ministry.
Cybersecurity incident response
As regards the existing telecommunications act, amendments will impose comprehensive obligations on telecommunications service providers covering the deletion, reporting, and provision of inventory data in the wake of a cybersecurity incident.
They must inform the Federal Criminal Police Office (BKA) if the information has been disclosed or transmitted to third parties unlawfully or if their service is used to illegally publish or pass data obtained without the requisite permission. Service providers are also required to block the unlawful disclosure or collection of personal data or industrial secrets.
5. New data protection criminal offenses as well as stricter penalties
The draft law introduces new data protection offenses coupled with stricter penalties. It addresses gaps in current laws as regards criminal liability in IT-related crimes. It introduces new qualifications for IT-related offenses and cybercrime investigation tools.
Borrowing from the EU’s General Data Protection Regulation (GDPR), it significantly increases potential penalties and applicable fines. Fines may be up to 20 million euros or four percent of the organization’s global turnover.
Germany IT security law: Still a work in progress
Germany’s IT security draft law is still in progress, so its final form will have to wait until there is the requisite consensus. There may be new provisions and removal of existing sections. One thing’s for sure though — the law will lead to considerable additional costs for the affected companies.
Featured image: Pixabay
