IT Security Act: Major update on the way
SECURITY INSIGHTS | June 17, 2020
The IT Security Act is to receive a major update to adapt the catalog of requirements and also the BSI itself to the current threat situation. At its core, the current draft law for the IT-SIG 2.0 provides for an active protective function of the BSI for the state, the economy and the population.
The IT Security Act (IT-SiG) has now been in force since July 2015 and represents a regulatory requirement for information security in companies, organizations and public authorities. The IT Security Act is a complex article law that affects many different contents and, in addition to the BSI Act, also amends and supplements the Energy Industry Act, the Telemedia Act, the Telecommunications Act and other laws. The regulatory work is aimed at nothing less "than making Germany's IT systems and digital infrastructures the most secure in the world"¹.
The IT Security Act focuses on securing critical infrastructures (KRITIS), which supply the German population with basic goods and are thus centrally responsible for the economic and social well-being of our society. According to the German Federal Office for Information Security (BSI), operators of critical infrastructures are companies in the fields of energy and water supply, healthcare, the food industry, finance and insurance, IT and telecommunications, as well as transport and traffic. Furthermore, the IT Security Act is intended to contribute to a general improvement in cybersecurity among companies, public authorities and the country's citizens.
In its current form, the Act serves as an important guidepost for cybersecurity in German society. However, due to technological developments and a constantly changing threat situation, the IT Security Act must also be regularly adapted and updated to meet current requirements.
For this reason, the Ministry of the Interior has presented a draft bill (as of May 7, 2020) for a revised IT Security Act (IT-SiG 2.0), which among other things is intended to expand the responsibilities and powers of the BSI and direct more specific requirements to KRITIS operators. The draft also provides for a significant increase in the BSI's staff of more than 580 positions. The new areas of responsibility require additional capacities in Bonn.
You will find a summary of all the main changes in the IT Security Act below. However, the specific measures to be taken by the BSI and the CRITIS operators will only become clear when the text of the law is finally adopted, which is not expected before the end of 2020.
With the IT-SiG 2.0, the Ministry of the Interior is pursuing a comprehensive approach that includes "measures to protect society or citizens, to strengthen the state or protect public information technology and for a resilient economy." To this goal, the BSI must be restructured into a proactive cybersecurity authority that identifies and closes relevant security gaps in the systems of business and society, according to the draft. To do this, the BSI should keep an eye out on the Internet for vulnerable or unsecured devices (IoT / IIoT / ICS) and notify affected companies and users when they are found.
In addition, the IT-SiG 2.0 would also give the BSI powers to install gap-filling software. In this way, the authority is able, for example, to take active action against botnets and remove malware from the affected devices. To combat botnets, the law also provides for the use of sinkhole servers that prevent communication between bots and the command-and-control (C&C) servers behind them.
In the draft IT Security Act 2.0, the fines for cybersecurity violations are based on the European General Data Protection Regulation (GDPR). Accordingly, serious violations can be punished with fines of up to 20 million euros or up to 4 percent of the total annual company revenue generated worldwide in the previous fiscal year - whichever is higher. The previous range of penalties includes fines of a maximum of 100,000 euros per violation.
The revised IT Security Act also aims to give criminal investigation authorities more powers to actively combat cybercriminals and criminal platforms on the darknet. In future, for example, investigators will also be permitted to take over and continue digital identities to uncover criminal acts.
Until now, such investigative methods have required the express consent of the account holder, who hands over the access data for the account in question. In addition, according to the bill, a takeover of online accounts would also be possible if authorities obtained the login information as part of investigative measures and searches.
The bill is also intended to simplify the fight against illegal marketplaces on the darknet. In doing so, the Ministry of the Interior aims to criminalize the operators of such platforms, which provide a purposeful environment for the commission of crimes - regardless of any specific involvement in individual criminal acts.
Waste disposal is now to be added to the already defined critical infrastructures in IT-SiG 2.0. According to the draft law, it is imperative to ensure the proper disposal and recycling of municipal waste due to the increasing risk of epidemics and environmental pollution. The failure of waste management would pose an immediate and long-term health threat to the population.
Not directly included in the KRITIS sectors, but nevertheless to be treated according to the same criteria, are also the "companies in special public interest." These include, for example, the defense industry, the culture and media sector, and companies of significant economic importance.
Another new feature is the so-called overall plan for response measures, which must be drawn up in coordination with the Federal Office of Civil Protection and Disaster Assistance (BBK) and the relevant federal supervisory authority. The plan is intended to enable all parties involved in the event of attacks and severe failures to quickly initiate coordinated responses to maintain supplies to the population and society or to restore them as quickly as possible. The current draft states that the plan that has been drawn up will be constantly "reviewed and, if necessary, adapted, taking into account findings from crises that have been managed in the area of information technology security as well as changes in the state of the art and the legal situation".
In addition, the draft law specifically stipulates the use of SIEM solutions (Security Incident & Event Management Systems), which are required for reliable attack detection. The data collected with the systems must be transmitted to the responsible authorities for protection against attacks and for criminal prosecution.
The draft IT Security Act 2.0 also includes regulations for digital consumer protection. For example, a label for the IT security of products is to be introduced for manufacturers and providers. This would give consumers a simple way to check whether the manufacturer or its product complies with the current standards for IT security and data protection. Compliance with these standards is to be checked by the BSI at regular intervals. However, the draft does not stipulate any obligation for manufacturers to use the IT security mark. Meanwhile, the mark consists of two components, the manufacturer's declaration and accompanying security information from the BSI.