Why Germany’s Cybersecurity Law Isn’t Working

[InfoSec News <alerts () infosecnews org>]

http://www.defenseone.com/ideas/2015/08/why-germanys-cybersecurity-law-isnt-working/119208/

BY SANDRO GAYCKEN
COUNCIL ON FOREIGN RELATIONS
AUGUST 18, 2015

This summer, Germany adopted a new law, known in German as the 
IT-Sicherheitsgesetz, to regulate cybersecurity practices in the country. 
The law requires a range of critical German industries establish a minimal 
set of security measures, prove they’ve implemented them by conducting 
security audits, identify a point of contact for IT-security incidents and 
measures, and report severe hacking incidents to the federal IT-security 
agency, the BSI (Bundesamt für Sicherheit in der Informationstechnik). 
Failure to comply will result in sanctions and penalties. Specific 
regulations apply to the telecommunications sector, which has to deploy 
state of the art protection technologies and inform their customers if 
they have been compromised. Other tailored regulations apply to nuclear 
energy companies, which have to abide by a higher security standard. 
Roughly 2000 companies are subject to the new law.

The government sought private sector input early on in the process of 
conceptualizing the law—adhering to the silly idea of 
multistakeholderism—but it hasn’t been helpful in heading off conflict. 
German critical infrastructure operators have been very confrontational 
and offered little support. Despite some compromises from the Ministry of 
the Interior, which drafted the law, German industry continues to disagree 
with most of its contents.

First, there are very few details to clarify what is meant by “minimal set 
of security measures” and “state of the art security technology.” The 
vagueness of the text is somewhat understandable. Whenever ministries 
prescribed concrete technologies and detailed standards in the past, they 
were mostly outdated when the law was finally enacted (or soon after 
that), so some form of vagueness prevents this. But vagueness is 
inherently problematic. Having government set open standards limits market 
innovation as security companies will develop products to narrowly meet 
the standards without considering alternatives that could improve 
cybersecurity. Moreover, the IT security industry is still immature. It is 
impossible to test and verify a product’s ultimate effectiveness and 
efficiency, leading to vendors promising a broad variety of silver bullet 
cybersecurity solutions—a promise that hardly lasts longer than the first 
two hours of deployment.

[...]

--
Evident.io - Continuous Cloud Security for AWS.
Identify and mitigate risks in 5 minutes or less.
Sign up for a free trial @ https://evident.io/