How does a modern country function without electricity, telephones, the Internet and the flow of capital?
The answer is not at all.
After simulating the consequences of a large-scale power outage, the Office of Technology Assessment at the German Bundestag concluded: “It would be difficult to prevent a collapse of the entire society.”
Security experts have long warned that the consequences of a cyber attack on critical infrastructure could be devastating. Policymakers are now taking such warnings seriously and reacting to the potential threat. On Tuesday, German Interior Minister Thomas de Maizière unveiled his new cyber security law to the public. Handelsblatt has obtained a draft of the document. Mr. de Maizière’s goal is to make “Germany’s IT systems and digital infrastructure the world’s most secure.”
Mr. de Maizière, a member of the center-right Christian Democratic Union, wants to compel infrastructure operators to achieve high standards to protect their IT systems within two years. They will also be required to report “impairments of their information technology systems” to the Federal Office for Information Security, known as the BSI by its German acronym, so as to provide government agencies with an overview of the situation and improve their ability to react to cyber attacks.
The business community sharply opposes the law, especially its reporting requirement. Companies fear that it could harm their image if hacker attacks on their systems are publicized, and they want the reporting to be anonymous. They have also cautioned against the substantial bureaucratic cost of a large volume of reports. In a study for the Federation of German Industries (BDI), consulting firm KPMG estimates the additional burden on companies at more than €1 billion ($1.34 billion).
Mr. de Maizière has at least partially addressed the business community’s concerns. Only when an attack leads “to the breakdown or impairment of critical infrastructure” will companies be required to identify themselves when reporting the problem to the BSI. On the other hand, if the networks being attacked are still functional, an anonymous report to authorities is sufficient.