Germany passes strict cyber-security law to protect ‘critical infrastructure’
In the wake of ever-increasing cyber-security threats, Germany has passed legislation ordering that over 2,000 essential service providers implement new minimum information security standards or face penalties if they fail to do so within two years.
The law passed its final hurdle in the upper house of the German parliament, the Bundesrat, on Friday after having passed the lower house in June.
The law will affect institutions listed as "critical infrastructure,” such as transportation, health, water utilities, telecommunications providers, as well as finance and insurance firms. It gives companies two years to introduce cyber security measures or face fines of up to €100,000 ($111,000).
The Bundesrat-approved IT security law obliges firms and federal agencies to certify for minimum cyber-security standards and obtain Federal Office of Information Security (BSI) clearance. The companies must also notify the Office of suspected cyber-attacks on their systems.
The new set of rules also obliges telecommunications providers to warn customers when their connection was abused, for example in a botnet attack, and store the traffic data for up to six months for investigative purposes, thus potentially violating privacy rights.
BSI will also be expanded to the international center for IT security. Its main task will be to evaluate the reports of possible cyber-violations in critical infrastructure. The Federal Intelligence Service (BND) will be allowed access to foreign data linking to malware signatures and malware traces.
In addition, the Federal Office for the Protection of the Constitution (BfV) will lend assistance to the BSI with assessing the potential impact of cyber-attacks on the accessibility of the critical infrastructure facilities, while the Office of Criminal Investigation (BKA) will be responsible for investigating such cyber-crimes as data spying, intercepting or manipulating.
The planned measures are an “important step” as IT security is “a central component of the public and internal security,” said Interior Minister Thomas de Maizière as cited by Der Spiegel.
The opposition meanwhile recommends that the government first implement their own IT security before forcing companies to do it. Last month it was revealed that hackers used German Chancellor Angela Merkel’s computer to spread Trojan malware during a recent cyber-attack on the German parliament, and that the virus , could still be active.
The data protection activists warn that the law surreptitiously allows spying on people’s communications as well as on everything they do in the Net, as it allows telecommunications providers to store the data about their clients’ actions in the internet.
“From a technical point of view, such measures cannot be justified,” Patrick Breyer, the Kiel’s parliament member from the Pirates Party, told DPA.
"The law would serve the idea of IT-security only in case when providers were allowed to gather as little data about their clients as possible,” he added, as quoted by Der Spiegel.
Critics of the law also argue that the new IT security law will drain German economy and will offer little in return. According to the latest study conducted by the high-tech association Bitkom, introducing security parameters will cost the German economy around €1.1 billion ($1.23 billion) per year.
In addition, the companies also complain that the government has not formulated a clear requirement of how severe the cyber-intrusion must be to fall under the reporting requirement. The companies also fear that information about hacker attacks might become public and will result in a negative impact on customers and shareholders.