Bundestag passed IT Security Act 2.023. April 2021
Bundestag passed IT Security Act 2.0
The second law to increase the security of information technology systems (IT Security Act 2.0) passed today in the Bundestag continues to be sharply criticized. For numerous opponents of this law, one thing is certain: the Federal Office for Information Security (BSI) is to be upgraded to a powerful cyber authority with hacking powers. With 799 new posts costing 74.24 million euros in personnel, the office is to become a major player in the fight against botnets, neglected devices on the Internet of Things and spreaders of malware. A positive response is not
We answer the most important questions.
Why do we need this law? In response, German Interior Minister Horst Seehofer (CSU) stated, “The threat in cyberspace is very high,” and the attacks are getting smarter and smarter, and the damage is getting worse. “We have to adapt our protection mechanisms.”
What is the IT security law 2.0? It regulates how critical infrastructure operators (CRITIS) keep their IT security measures up to date. It also significantly strengthens the powers of the BSI (German Federal Office for Internet Security).
Which companies and organizations are affected? All companies and organizations that are rated as operators of critical infrastructures. These are organizations and facilities that are important to the state because their failure could result in lasting supply bottlenecks or public safety can no longer be guaranteed.
In Germany, these include the following companies and organizations:
– Energy: electricity, gas, mineral oil, district heating
– Health: hospitals, pharmaceuticals and vaccines, research facilities
– State and administration: administration, judiciary, emergency response (disaster control) and parliament
– Food: food industry, food trade
– Transport and traffic: aviation, maritime and inland shipping, rail transport, road transport and logistics
– Finance and insurance: Banks, stock exchanges, insurance companies, financial service providers
– Information technology: telecommunications, information technology
– Media and culture: broadcasting, press, cultural assets and symbolic buildings
– Water: water supply, wastewater disposal
What are the consequences for companies and organizations? Operators of critical infrastructures are required to deploy systems to detect attacks. So-called intrusion detection systems (IDS) are algorithm-based systems and software that uses log files to detect and specify attacks on a system. Via a contact person known to the BSI (also: functional mailbox), the KRITIS member must report unusual disruptions and other sources of risk. Companies are also required to develop response plans and preventive measures in the event of a massive supply disruption. The system security of the KRITIS operators must be audited accordingly and proven to the BSI every two years.
Who criticizes what?
Bitkom: The IT Security Act 2.0 creates a combination of technical certification machinery and political-regulatory discretion with questionable added value for IT security. Legal, planning and investment uncertainties are accepted as collateral damage, especially with a view to 5G network expansion. This will damage the future viability of the location.
Mario Brandenburg. The technology policy spokesman and chairman of the Digital Agenda Committee of the Free Democrats in the German Bundestag: “We as Free Democrats and many experts have long been calling for an independent BSI that is not controlled by the BMI. This is the only way to establish a powerful, trustworthy and secure authority. We also call for a mandatory IT security certificate at the European level and reject the ill-conceived and bureaucracy-promoting German go-it-alone approach.”
Klaus Landefeld, deputy chairman of eco, complains: “Political interests are being put before IT security here. Why are companies required to meticulously report security incidents to the BSI, but government agencies are allowed to withhold important security information from companies? Who monitors the monitors when the federal government clearly encourages state hacking?” Landefeld says the IT Security Act 2.0 should not be seen in isolation. He sees this law as part of the trend toward even more surveillance cravings. Another example of this, he says, is the planned BND law.
Manuel Atuf of the Critical Infrastructure Working Group expressed a similar view. He criticized the complete “lack of strategy and purpose in the entire process.” Atuf went on to criticize the fact that the opportunity to make the BSI independent had been missed. Now the office is no more than a “stooge of the security authorities and intelligence services”.
The government factions of the CDU/CSU and SPD voted in favor of the reform. The opposition was united against it, but its motions did not find a majority.