How does a modern country function without electricity, telephones, the Internet and the flow of capital?
The answer is not at all.
After simulating the consequences of a large-scale power outage, the Office of Technology Assessment at the German Bundestag concluded: “It would be difficult to prevent a collapse of the entire society.”
Security experts have long warned that the consequences of a cyber attack on critical infrastructure could be devastating. Policymakers are now taking such warnings seriously and reacting to the potential threat. On Tuesday, German Interior Minister Thomas de Maizière unveiled his new cyber security law to the public. Handelsblatt has obtained a draft of the document. Mr. de Maizière’s goal is to make “Germany’s IT systems and digital infrastructure the world’s most secure.”
Mr. de Maizière, a member of the center-right Christian Democratic Union, wants to compel infrastructure operators to achieve high standards to protect their IT systems within two years. They will also be required to report “impairments of their information technology systems” to the Federal Office for Information Security, known as the BIS by its German acronym, so as to provide government agencies with an overview of the situation and improve their ability to react to cyber attacks.
The business community sharply opposes the law, especially its reporting requirement. Companies fear that it could harm their image if hacker attacks on their systems are publicized, and they want the reporting to be anonymous. They have also cautioned against the substantial bureaucratic cost of a large volume of reports. In a study for the Federation of German Industries (BDI), consulting firm KPMG estimates the additional burden on companies at more than €1 billion ($1.34 billion).
Mr. de Maizière has at least partially addressed the business community’s concerns. Only when an attack leads “to the breakdown or impairment of critical infrastructure” will companies be required to identify themselves when reporting the problem to the BIS. On the other hand, if the networks being attacked are still functional, an anonymous report to authorities is sufficient.
The business community sharply opposes the law, especially its reporting requirement. Companies fear that it could harm their image if hacker attacks on their systems are publicized, and they want the reporting to be anonymous.
BDI expert Matthias Wachter praised the government for its “substantial improvement” of the draft legislation, but he also said the government should apply a trustee model to introduce the “general option of making reports anonymous.”
The draft law does not spell out which companies would be affected by the new rules. It does list a number of sectors, including energy and IT, as well as transportation, healthcare, water, nutrition and finance. But whether the reporting mandate will apply only to major energy utilities like Eon and RWE, or smaller providers as well, will only be determined in a separate provision.
Because of this, it is still unclear how many companies the new rules will affect, and what they will cost the economy as a whole. Although the KMPG estimate put the number at more than 18,000, the interior minister has indicated that it aims to target a much smaller group of businesses.
Mr. de Maizière is also accommodating industry on another key issue: Instead of imposing fixed security standards on companies, the government will require individual sectors to develop their own criteria. Mr. Wachter welcomed the decision, saying that it “accommodates the unique aspects of individual sectors.” However, the concepts will still require the seal of approval from the government security office. Companies will also be required to demonstrate to the Bonn-based agency at least once every two years that they have had their systems tested.
Government-owned infrastructure operators are generally exempted from the new requirements. Mr. de Maizière thereby managed to avoid lengthy decision-making processes in the Bundesrat, the legislative body that represents Germany’s 16 states. This is important, because municipalities own many of the operators. Business leaders are critical of the exemption.
“The government is the largest operator of critical infrastructure operations, which is why the reporting requirements and security standards should also apply to government-run operations,” said Marc Bachmann of the German Association for Information Technology, Telecommunications and New Media.
For Mr. de Maizière, it was more important to have the new law come into force quickly. After discussions with other ministries, the law is expected to be ratified by the Bundestag in early 2015, when it will become the first major project of the government’s “digital agenda”. Chancellor Angela Merkel’s cabinet is expected to approve the government’s platform on Wednesday, after which Economics Minister Sigmar Gabriel and Infrastructure Minister Alexander Dobrindt will join Mr. de Maizière in presenting it to the public.
Translated by Christopher Sultan