The cybersecurity agenda of the Federal Ministry of the Interior and Home Affairs (BMI) for the 20th legislative period primarily envisions an expansion of the federal government's responsibility and the powers of the Federal Office for Information Security (BSI).
What benefits can this shift in competencies bring?
Jürgen Fritsche: The current structure of the cybersecurity architecture in Germany has been criticized for quite some time. However, this construct, which is based on the principles of federalism, can no longer meet today's requirements in the age of digitalization.
At present, roughly speaking, several hundred actors, about 70 of them at federal level and about 160 at state level, are involved in a dense network of actors with numerous links at national and international level, e.g., to actors at EU level and other EU countries.
In addition to ministries at the federal and state level, these mainly include institutions that perform specific tasks and roles in the federal or state departments, such as the CIOs and CISOs of the German federal states. The state offices for the protection of the constitution and the IT service providers of the federal and state governments complete this rather long list. Together, they all form Germany's cybersecurity architecture, an interwoven web that is difficult to navigate.
It is obvious that such a construct, which is subject to the departmental sovereignties and legalities of federalism, cannot be controlled when it comes to proactive or reactive security in cyberspace. Responsibilities are not clear enough, decision-making and reporting channels are too long, and often lead nowhere. It is evident that important requirements in the area of cybersecurity, such as speed in detecting and responding to incidents, as well as the fastest possible mobilization of competent crisis response forces, cannot be implemented in this way. A transfer or bundling of competencies is therefore urgently needed.
What role does the Office for the Protection of the Constitution play in this?
Jürgen Fritsche: The policy-setting authority for national cybersecurity is the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik - BSI). In most German states, and also at the federal level, cyber defense is also located in the respective offices for the protection of the constitution. This was once decided on for reasons of economic protection and counterintelligence, when the defense against cyber risks was not yet as much in focus as it is today. In the offices for the protection of the constitution, the focus is on cyberattacks by foreign intelligence services or in the area of industrial espionage.
What concrete steps would help improve the current cybersecurity situation?
Jürgen Fritsche: If the focus is on a strong security architecture with the highest possible level of protection in Germany's cybersecurity, the investigation of the current state can hardly contribute to reassurance in view of the aforementioned network of actors in the current cybersecurity architecture. Rather, it is obvious to question the effectiveness and efficiency of the cybersecurity architecture and to make optimizations. However, due to the Basic Law (Grundgesetz), this cannot be done without changes to the legal situation. Improved controllability of the security architecture, combined with the bundling of competencies and a significant increase in the speed of response in the event of changing threat situations, would lead to a noticeable improvement.
What is additionally needed to strengthen defenses against cyberattacks?
Jürgen Fritsche: If the Federal Office for Information Security (BSI) is to be expanded into a central office in the federal-state relationship, all the conditions for this must first be created. Ultimately, this also includes significant adjustments in terms of competencies and staffing. At the federal and state levels, work must be done to meaningfully reduce the number of actors, while at the same time strengthening the areas of competence that can counteract the existing threats. This involves, on the one hand, improving staffing levels through effective partnerships with industry and, on the other, focusing the effectiveness of the security infrastructure on actual needs. This necessary process cannot be implemented in a few months, but will take many years.
What would the civilian cyber defense system (ZCAS) mentioned in the cybersecurity agenda need to look like, and what ideas would you give lawmakers about it?
Jürgen Fritsche: The aim of a civilian cyber defense system is to protect business and society from cyberattacks. It would need to have capabilities to intercept and, for example, redirect attacks on businesses. Such capabilities are already provided by civilian suppliers for certain types of cyberattacks, such as DDoS attacks. Better support from a ZCAS would be desirable here in the future.
Another conceivable capability would be to disrupt servers from which attacks originate. The dilemma here, however, is that aggressors usually use third-party servers belonging to uninvolved parties for the cyberattacks. A “counterattack” could then, to give a striking example, take down the servers of a hospital somewhere in the world, hitting uninvolved third parties. Therefore, this type of security must be thoroughly weighed before it is used. In addition, it should be noted that if international borders are crossed, such disruptive actions must be accompanied by diplomatic means.
However, there are many different types of cyberattacks, e.g., infiltrating software into companies or critical infrastructures (CRITIS) to cause damage. A third capability would then be to provide rapid assistance from specialists as well as replacement infrastructure in the event of such security incidents.
A ZCAS would likely be bolstered by a strong partner network of civilian consulting firms to provide cyber defense against attacks on the business location as needed. In addition, industry would be required to take its "homework" seriously in terms of cyber defense and information security, and would be motivated to operate using professional IT data centers that offer appropriate standards. A good basis for this has already been created with the IT Security Act (IT-Sicherheitsgesetz) version 2.0. However, the general increase in the resilience of IT infrastructures must continue to be pursued with high priority.
Are the specialists needed for this even available? How and where can they be found or qualified?
Jürgen Fritsche: The quick answer is: These specialists don't exist (yet). So they have to be found and trained. The focus of this task will probably be left to industry partners who are already doing this professionally and in line with demand. However, one should keep in mind that training cybersecurity specialists is a lengthy and cost-intensive process.
It will probably be years before the legal framework is created and the organizational structure is implemented. Doesn't the German government's initiative come much too late?
Jürgen Fritsche: The process is coming too late, that's clear. But we can't bury our heads in the sand now; we have to start creating these competencies quickly and in a focused manner. In doing so, existing knowledge holders must be used as effectively as possible, and they must be enabled to pass on the necessary knowledge to up-and-coming specialists. The best way to do this is to group them together in competence centers that are maintained by industry and made available as needed.
In your view, are there possible measures at political level that could achieve a significant improvement in government cyber defenses more quickly?
Jürgen Fritsche: First, clarification of tasks, responsibilities and accountabilities is required. Some measures have already been initiated to this end. However, the clear definition of areas of responsibility is still difficult and causes considerable friction. First and foremost, therefore, it is important to adapt the legal situation, because the current constitution is designed for decentralized political responsibility (federalism). The trick is to achieve greater effectiveness with fewer actors, despite federalism. To do this, some dearly held resentments would have to be abandoned and joint action would have to be taken in the future in the sense of an effective, overarching cybersecurity architecture. To answer with a political phrase: “There should be a jolt through the cybersecurity architecture.”
What is the agenda in the area of critical infrastructures or what regulatory changes can be expected in this regard?
Jürgen Fritsche: Strengthening the cyber resilience of federal agencies, as well as state, civil, and critical infrastructures, is necessary, which is another reason why modernizing the cybersecurity architecture is essential.
In the area of critical infrastructures (CRITIS), support is provided for investments in cyber resilience measures in SMEs belonging to the CRITIS sector. Likewise, support is provided for the establishment of awareness and cyber resilience projects offered by the BSI and external service providers. A major focus is on addressing the security of IT supply chains in the context of statutory CRITIS regulation and on establishing sector-specific CERTs for CRITIS operators, including linking them to the BSI Situation Center.
CERT stands for Computer Emergency Response Team, in which IT specialists and security experts work to resolve specific security incidents. The term CSIRT (Computer Security Incident Response Team) is often used synonymously. In the area of CRITIS, therefore, much has already been set in motion, and with the IT Security Act 2.0, which encompasses further sectors and infrastructures, an effective instrument is available for permanently increasing resistance to current and future threats.
Regardless of the cybersecurity agenda, what can companies and organizations do today for their own cyber defense?
Jürgen Fritsche: The threat of cyber risks should be the top priority in every company's corporate risk assessment. After assessing the individual risk situation, management must design a cybersecurity strategy and introduce an appropriate ISMS (Information Security Management System). The necessary financial and human resources must be made available for this.
In the area of IT, efforts must be made to implement the state of the art, because outdated and unmaintained IT systems are still the main gateway for attackers, whose actions can then have an unnoticed and long-lasting effect on both the company's own operations and those of its affiliated partners. The professionalization of IT operations and support from professional IT service providers complement these measures.
In addition, it is important to keep internal processes in focus and to initiate any necessary optimization in this area in good time. All the key departments in the company or organization need to know in advance what exactly needs to be done in the event of a cyberattack so that no unnecessary time is lost on coordination processes and responsibilities in the event of an emergency. After all, there is no time for these formalities in acute crisis situations; in the event of an emergency, the tried-and-tested process flows must be in place. That is why, in addition to the aforementioned establishment of Information Security Management Systems (ISMS) and the analysis of cyber risks, crisis simulations and, for example, the introduction of emergency manuals are also part of the task list that can be worked on in advance.