German industry is sounding the alarm about the planned Cyber Security Act.

The draft law for the so-called IT Security Act 2.0 (IT-SiG 2.0) is to be discussed in the Bundestag on Thursday.

For the first time, not only operators of so-called critical infrastructure such as power plants are to be obliged to take strict security precautions against hacker attacks, but also other important German companies.

The industry therefore fears massive additional bureaucratic burdens and an obligation to disclose encryption methods and algorithms.

The main reason for the alarm can already be found in Section 2 of the planned law.

This defines who belongs to the so-called “companies in the special public interest”, to which the strict obligations of the law should apply.

The Interior Ministry alone should not determine who is particularly important

We are not only talking about the manufacturers of particularly sensitive products, such as armaments companies, but also about those who "are among the largest companies in Germany in terms of their domestic added value and are therefore of considerable economic importance for the Federal Republic of Germany".

The text of the law lacks clearer criteria; instead, the Federal Ministry of the Interior is to determine by ordinance, only after the law has been passed, which indicators are used to decide which companies are on the list and which are not.

"We assume that automobile manufacturers and numerous suppliers and thus important parts of German industry are affected by additional requirements and restrictions," Hildegard Müller, President of the Association of the Automotive Industry (VDA), told WELT.

"Because companies need long-term clarity about the scope of the law, in our opinion the 'special economic interest' must not be defined by a ministry alone." Within the legislative process in parliament.

Especially since a large number of companies could be affected.

Industry circles said that one idea under discussion is, for example, to use the Monopolies Commission's Top 100 list of the largest German companies as a benchmark.

In the future, the state could stipulate the security measures that must be used to ward off cyber attacks for all companies that are declared to be economically important by ordinance.

The Federal Office for Information Security (BSI) is to be upgraded to a supervisory authority.

Companies have to check applicants themselves

Other associations also share the carmakers' criticism.

The Federal Association of German Industry (BDI) described the draft as "very critical and in large parts urgently in need of revision" in a statement at the beginning of December.

The planned law often intervenes too far in business processes and contains unjustifiably extensive information obligations.

Behind closed doors, the criticism in the industry is sometimes even clearer: not even China interferes so heavily in the security architecture of its companies, says a representative.

But he would rather not be quoted by name.

"We all need IT security, but the IT-SiG 2.0 would inadmissibly and completely inappropriately restrict entrepreneurial freedoms," said VDA President Müller.

In addition to the lack of a definition of the companies concerned, there are two main points that the car manufacturers criticize.

In an earlier draft of the law, it was planned that companies would be able to have important employees in key positions for corporate IT security checked in advance by the security authorities.

This would have prevented hackers from getting support from inside the company.

"Unfortunately, this tried and tested practice of security checks is no longer provided for in the current amendment to the law," criticized Müller.

Instead, companies now have to check themselves whether new employees could pose a potential threat to IT security.

However, the corporations do not have the necessary funds to, for example, examine the applicants' environment.

Müller warns of considerable disadvantages for Germany as a business location

To compensate for this, the Federal Ministry of the Interior is aiming for "the greatest possible direct control over IT infrastructures in the economy," said Müller.

It is the second central point of criticism.

In fact, the draft law requires large companies to disclose to the BSI at least every two years how they protect their IT systems from attacks.

Hacker attacks and other IT security disruptions must also be reported immediately.

In order for the authority to be able to control whether the companies are adequately protecting themselves, the companies may also have to disclose extremely sensitive data such as their encryption methods and algorithms to the BSI in the future.

On the basis of this notification, the BSI should also be able to order which additional measures the company must take for its own protection. "Instructions on specific security technologies and security measures to be used must not exclude innovations and new procedures," warns Müller. Otherwise the ability to innovate will be thwarted. "That would be associated with considerable disadvantages for Germany as a business location."