http://www.defenseone.com/ideas/2015/08/why-germanys-cybersecurity-law-isnt-working/119208/
By Sandro Gaycken, Council on Foreign Relations, August 18, 2015
This summer, Germany adopted a new law, known in German as the
IT-Sicherheitsgesetz, to regulate cybersecurity practices in the country.
The law requires that a range of critical German industries establish a minimal
set of security measures, prove they've implemented them by conducting
security audits, identify a point of contact for IT-security incidents and
measures, and report severe hacking incidents to the federal IT-security
agency, the BSI (Bundesamt für Sicherheit in der Informationstechnik).
Failure to comply will result in sanctions and penalties. Specific
regulations apply to the telecommunications sector, which has to deploy
state-of-the-art protection technologies and inform its customers if
they have been compromised. Other tailored regulations apply to nuclear
energy companies, which have to abide by a higher security standard.
Roughly 2000 companies are subject to the new law.
The government sought private sector input early on in the process of
conceptualizing the law—adhering to the silly idea of
multistakeholderism—but it hasn’t been helpful in heading off conflict.
German critical infrastructure operators have been very confrontational
and offered little support. Despite some compromises from the Ministry of
the Interior, which drafted the law, German industry continues to disagree
with most of its contents.
First, there are very few details to clarify what is meant by "minimal set
of security measures" and "state-of-the-art security technology." The
vagueness of the text is somewhat understandable. Whenever ministries
prescribed concrete technologies and detailed standards in the past, they
were mostly outdated by the time the law was finally enacted (or soon after
that), so some form of vagueness prevents this. But vagueness is
inherently problematic. Having government set open standards limits market
innovation, as security companies will develop products to narrowly meet
the standards without considering alternatives that could improve
cybersecurity. Moreover, the IT security industry is still immature. It is
impossible to test and verify a product's ultimate effectiveness and
efficiency, leading to vendors promising a broad variety of silver-bullet
cybersecurity solutions—a promise that hardly lasts longer than the first
two hours of deployment.
[...]