Breach Alert

With Spying in Focus, Germany Pushing for Company Hacking Alerts

  • Why it matters

    Security experts have warned a major cyber attack could potentially cripple German society. To ensure that doesn’t happen, the German government has unveiled a new cyber security law.

  • Facts


    • A draft of the new law was presented Tuesday, but new rules are not expected to come into force until early 2015.
    • Companies fear the potentially adverse effects of a legal requirement to report major cyber attacks on their public image.
    • The new rules could cost German companies more than €1 billion.
Thomas de Maizière, German interior minister, at a 2013 event in Munich. Source: DPA


How does a modern country function without electricity, telephones, the Internet and the flow of capital?

The answer is not at all.

After simulating the consequences of a large-scale power outage, the Office of Technology Assessment at the German Bundestag concluded: “It would be difficult to prevent a collapse of the entire society.”

Security experts have long warned that the consequences of a cyber attack on critical infrastructure could be devastating. Policymakers are now taking such warnings seriously and reacting to the potential threat. On Tuesday, German Interior Minister Thomas de Maizière unveiled his new cyber security law to the public. Handelsblatt has obtained a draft of the document. Mr. de Maizière’s goal is to make “Germany’s IT systems and digital infrastructure the world’s most secure.”

Mr. de Maizière, a member of the center-right Christian Democratic Union, wants to compel infrastructure operators to achieve high standards to protect their IT systems within two years. They will also be required to report “impairments of their information technology systems” to the Federal Office for Information Security, known as the BIS by its German acronym, so as to provide government agencies with an overview of the situation and improve their ability to react to cyber attacks.

The business community sharply opposes the law, especially its reporting requirement. Companies fear that it could harm their image if hacker attacks on their systems are publicized, and they want the reporting to be anonymous. They have also cautioned against the substantial bureaucratic cost of a large volume of reports. In a study for the Federation of German Industries (BDI), consulting firm KPMG estimates the additional burden on companies at more than €1 billion ($1.34 billion).

Mr. de Maizière has at least partially addressed the business community’s concerns. Only when an attack leads “to the breakdown or impairment of critical infrastructure” will companies be required to identify themselves when reporting the problem to the BIS. On the other hand, if the networks being attacked are still functional, an anonymous report to authorities is sufficient.
