Federal parliament passes IT Security Act: a step towards secure IT?

 

Last Friday, 12 June 2015, the German federal parliament passed the IT Security Act which had been under debate for quite some time. The Act marks a significant stage in the federal government’s digital agenda. The Act’s objective is to introduce a regulatory framework for the field of IT security which, while steadily growing in importance, has so far hardly been touched by the legislator.

In principle, this is definitely a welcome objective, since there are two developments that can currently be observed in the digital world which significantly increase the threats in cyber space, confronting government, businesses and the general public alike with considerable challenges:

1. Processes and procedures in governmental work, businesses (key word: Industry 4.0) and daily life are becoming increasingly more dependent on technical information systems and thus susceptible to cyberattacks.

2. At the same time, cyberattacks tend to become ever more targeted, using technologically more sophisticated means.

How great these dangers actually are became strikingly obvious only recently with the successful hacker attacks against federal parliament’s own IT systems. Whether the IT Security Act in its present version is adequate and suitable to counter these dangers and to significantly enhance security of technical information systems in Germany (which is the objective formulated in the draft) may, however, legitimately be placed in doubt.

 

1. Structure and key elements of the Act

Other than what its title suggests, the IT Security Act strictly speaking does not introduce an IT security law of its own. Rather, the new Act actually amends certain existing laws, above all the Act on the Federal Office for Information Security (BSI Act), the Telemedia Act, the Telecommunications Act and the Energy Industry Law.

Basically, these amendments are as follows:

(i) BSI Act

• The draft at several places takes account of the objective to establish the Federal Office for Security in Information Technology (BSI) as the central supervisory authority for IT security.
• The new requirements stated in the BSI Act concern all “operators of critical infrastructures”. According to the (newly introduced) Section 2 (10) of the BSI Act, it is up to the Federal Ministry of Internal Affairs to determine in an ordinance specifically who are “operators of critical infrastructures”.
• The new Section 8b (4) of the BSI Act provides for a notification obligation for companies in case of substantial disruptions of their IT systems possibly affecting the “critical infrastructures”. Such notifications have to be made directly to the BSI. While pseudonymous data are considered sufficient in principle, identification by name is required where the “critical infrastructure” breaks down or is impaired.
• According to the new Section 8a (1), the affected businesses are obliged, within two years from entry into effect of the ordinance specifying “critical infrastructures”, “to take reasonable organisational and technical precautions for avoiding disruptions of the availability, integrity, authenticity and confidentiality of their technical information systems, components or processes”, taking account of the current state of technology.
• Industry associations (and “operators of critical infrastructures”) have the possibility, according to the new Section 8a (2) of the BSI Act, to suggest to the BSI security standards for their industries.
• Sec. 8a (3) of the BSI Act also provides for an obligation of companies to submit to the BSI at least every two years and additionally in case of identified security defects a survey of all security audits, reviews and certifications, including security defects found.
• Strikingly enough, it was only in the last revision of the draft that fines were introduced in the legislation at all. Section 14 of the BSI Act now provides for fines ranging between EUR 50,000.00 and EUR 100,000.00 for certain violations of the BSI Act, applying especially in case of inadequate IT security measures or where no notification is made in spite of an actual impairment of a “critical infrastructure”.
• It was possibly in view of the successful attack against the IT systems of the federal parliament itself that in the very last round of revisions an obligation for the BSI was incorporated to establish minimum standards for the security of the federal government’s own IT systems. Previously, the draft only provided for a “power” (rather than an obligation) of the BSI to develop such standards.

(ii) Telemedia Act

• A new Section 13 (7) has been added to the Telemedia Act imposing upon telemedia providers the obligation to comply with certain technical organisational measures.

(iii) Telecommunications Act

• The restated Section 109 of the Telecommunications Act imposes upon all operators of public telecommunications networks and publicly accessible telecommunications services the same obligations as for operators of “critical infrastructures”.
• The new Section 100 (1) of the Telecommunications Act gives telecommunications providers comprehensive powers to process traffic data of users (especially to store and collect these) as far as this serves to identify or remove impairments or faults of the telecommunications systems.

 

2. IT Security Act = secure IT?

Whether the IT Security Act in its present form is suitable to make a substantial contribution to improving IT security is questioned particularly by IT security experts. But the Act also meets with concerns under the aspects of data privacy law, as due to the amendment in Section 100 (1) of the Telecommunications Act it gives telecommunications providers considerable freedom to store data regarding users’ behaviour. There are fears that the much debated “data retention” (Vorratsdatenspeicherung) could thereby be introduced “through the backdoor”.

In addition, the IT Security Act contains a number of formulations and obligations the practical effects of which are unclear and therefore ultimately leave the BSI with considerable scope for interpretation.

• It is particularly striking that no specific requirements are set for the IT security measures to be taken, but that mention is only made of “easonable” measures. Although given the rapid technical development a flexible formulation certainly does make sense, it would nevertheless have been desirable to at least further describe the criteria, particularly while taking into consideration risk analyses and specifiable dangers. It is to be hoped that the industry associations will actually make use of the possibility of proposing industry-wide security standards, so as to at least create a certain degree of legal certainty.
• The IT Security Act also contains a number of other vague formulations. Overall, it can only be stated at this point that the Act, including from a legal perspective, in many areas leads to even more uncertainty rather than establishing legal comfort.
• It remains to be hoped that a uniform and feasible practice of supervision by the BSI will develop which the BSI will then communicate openly, i.e. comparable with the MaRisk in the field of banking supervision or the “Cloud Computing Guide” in the area of data privacy.

Lastly, it appears to be somewhat inappropriate for the IT Security Act to be passed at a time when the EU Directive on Network and Information Security (NIS) is already looming on the horizon. This ultimately means that as far as the NIS will contain any provisions which deviate from the IT Security Act, it will likely be necessary to revise the IT Security Act already shortly after its entry into force.