The Second Act to Increase the Security of Information Technology Systems (IT Security Act 2.0) – passed by the German Federal Cabinet in December 2020, shortly before the new year – is intended to regulate, among other things, the protection of the federal administration and critical infrastructures (CRITIS), as well as consumer protection and companies of special public interest.
Within this framework, the German Federal Office for Information Security (BSI) is to be given further powers to comprehensively monitor IT companies. At the same time, however, the BSI is to be allowed to withhold important security information from the public.
eco – Association of the Internet Industry criticises this plan as disproportionate and damaging to general trust in IT systems.
“The IT Security Act 2.0 could have provided a meaningful legal framework to effectively combat cyber crime and increase the security of digital infrastructures,” says eco’s Vice-Chair Klaus Landefeld. “Instead, concerns about the authorities’ wishes come to the fore when technology can by general decree be classified as untrustworthy, and its use largely prohibited.”
Thus, the new law would oblige not only operators of critical infrastructures but also a large number of other companies to comprehensively document IT security vulnerabilities. However, who specifically falls under the newly introduced category of “companies of special public interest” has thus far not even been conclusively defined. Landefeld: “For companies, this leads to even greater planning insecurity and legal uncertainty.”
Landefeld: “Who monitors those doing the monitoring?”
Conversely, the new law allows the BSI to withhold information about security vulnerabilities, provided it is obliged to maintain confidentiality vis-à-vis security authorities. This gives state actors incentives to keep software vulnerabilities secret in order to obtain further information about them or potentially to exploit them for their own purposes.
This, in turn, creates gateways for cyber criminals and industrial espionage; it significantly weakens overall IT security. The BSI can also have data traffic redirected to servers it designates, can itself simulate attacks on IT systems and, in the course of doing so, can also penetrate those systems.
Landefeld: “Here, political interests are being put before IT security. Why are companies obliged to meticulously report security incidents to the BSI, but state authorities are allowed to withhold important security information from companies? Who monitors those doing the monitoring when the German federal government clearly encourages state hacking? The trend towards this is clear, as can already be seen in the planned German Federal Intelligence Service Act (BND-Act). In fact, the German Federal Intelligence Service (BND) is allowed to monitor 99.9 per cent of all worldwide data traffic and to penetrate computer systems almost at will. If policymakers do not want to completely gamble away trust in digital communication and services, they must now pull the ripcord and rethink the value system of a digital society.”
A public hearing on the IT Security Act 2.0 is scheduled for Monday, 1 March, in the German parliament, the Bundestag, and will be held live from 2 pm. Already in the run-up, the Association of the Internet Industry had criticised the fact that participation in the legislative process by affected companies, associations and private users was hardly possible: at the end of last year, after almost two years of waiting, the German Federal Ministry of the Interior presented a draft bill on the IT Security Act – just under 100 pages in length – and allowed a period of just 26 hours for comments. Furthermore, eco has already previously warned policymakers against hasty national regulation before the conclusion of the revision of the NIS Directive at the European level, which was also presented in December.