According to the objectives of the German Digital Agenda, Germany should become a leading location for IT security, but the IT security situation still needs improvement, particularly in the area of critical infrastructure. How this challenge should most effectively be met, at the political and legislative level, is a point of contention between the Internet industry, the Federal Government and the Opposition. That was the gist of the first eco polITalk of 2015, which took place in Berlin at the beginning of March. Under the title “NIS Directive and IT Security Act – Harmonized Standards or European Patchwork?”, the event offered a platform for over 70 representatives from industry, research and politics to discuss the current developments and challenges in the Federal and European legislative processes on IT security. The discussion was moderated by Stefan Krempel, with Martin Schallbruch, Chief Information Officer of the German Federal Ministry of the Interior, Konstantin von Notz, Member of Parliament and network policy spokesman for the Bündnis 90/Greens parliamentary group, and Oliver Süme, eco Director of Policy and Law, as participants. It focused essentially on three questions: Firstly, what would be the consequences for the Internet industry of differing approaches at the national and European level? Secondly, is planning and legal certainty guaranteed for companies? And thirdly, what role does encryption play in a successful security strategy?
Threat of European patchwork
Süme and von Notz jointly criticized the strategy of the Federal Government, which plans to pass its IT Security Act by this summer, independently of the planned European NIS Directive. “National haste is in every sense inconsistent with a harmonization of the forthcoming legislation. Even though it is in principle desirable for Germany to lead the way in the area of IT security, this approach will inevitably lead to considerable legal uncertainty for the affected companies,” said Oliver Süme. National unilateral action, he argued, would not be constructive either for Germany or for any other member state. The first signs of a trend towards a European patchwork are already evident: not only Germany, but also Austria, Finland, Belgium and Great Britain are planning their own IT security laws.
Von Notz also saw a lack of an appropriate status-quo analysis of the security situation in Germany, which, in his opinion, should have been undertaken before the IT Security Act was drafted, among other things in order to “define the diffuse term cybersecurity” more clearly.
Martin Schallbruch, the IT chief of the German Federal Ministry of the Interior, rejected these accusations. The Federal Government, he said, was not only observing the discussion in Brussels but was also exerting significant influence on the legislative process for a European NIS Directive, so that national and European legislation could be brought into harmony.
Industry should be included in defining unclear legal terms
Süme sees open questions above all in the still unclarified legal terminology of the current draft legislation. He said it remains unclear which companies would fall under the definition of “critical infrastructure” in the future, and that this must not end in isolated solutions. The design of the reporting obligation and the setting of minimum standards also remained undefined. Von Notz further criticized the fact that the law would only obligate companies, while government authorities, which are also vulnerable to cyber attacks, would not fall within its scope. On the open definitional questions, Schallbruch referred to the planned regulation, which is to be prepared in a “cooperative approach” together with industry as a follow-up to the act. The IT security of the Federal authorities, he said, was already sufficiently regulated in the implementation plan for guaranteeing the IT security of the Federal Administration (UP Bund). For the state authorities and municipalities, however, the Federal Government has no jurisdiction.
Clear commitment to encryption without backdoors
The third key question in the discussion concerned the role that encryption plays in IT security, and how the Federal Government is dealing with this issue. Here, von Notz spoke of a “schizophrenic” discussion. In his opinion, one cannot on the one hand demand stringent precautions from companies and on the other hand support backdoors in encryption, thereby breathing life into the “black market for vulnerabilities”.
Schallbruch admitted openly that on this topic he was in two minds.
On the one hand, the Federal Government clearly advocates strong encryption without backdoors; on the other hand, the security agencies would need to be able to gain access to communication for the purposes of prosecution, and would need the legal authority to crack simple encryption.
The Federal Government's draft of the IT Security Act is expected to have its first reading in the Federal Parliament within the next two weeks, and the new act is to be passed before the summer break. In parallel, at the European level, the notification procedure for the IT Security Act is underway and will in all likelihood be concluded by 18 March.