Inconsistent cyber security standards: municipalities without a clear strategy
There are currently still many deficiencies in the IT security of local authorities. A study sheds light on the shortcomings and possible measures.
The current state of municipal cybersecurity in Germany is worrying. This is the conclusion of the study “Deficits, requirements and measures: Municipal cybersecurity put to the test” by Dr. Tilmann Dittrich and Prof. Dennis-Kenji Kipker and IT security provider NordPass. Kipker cites “a mixture of careless digitalization, a lack of uniform cybersecurity standards in Germany, a significant delay in the reaction of politicians and thus legislators, especially in the federal states” as the reason for the current situation. Many local authorities also lack the money and personnel to implement the measures required for cybersecurity.
Legal requirements are confusing and incomplete
The General Data Protection Regulation (GDPR) and the Federal Office for Information Security (BSI) in particular provide a framework and set out requirements for the “availability, confidentiality and integrity of data and IT”. However, these are “limited in their scope of application and by no means cover the entirety of municipal cyber risks”. The municipalities' organizational precautions are currently inadequate and are “reinforced by a confusing mixture of state, federal, and EU legal requirements”.
The IT security laws of the federal states and the planned exceptions to the EU's NIS2 regulation would not change this. The security requirements of the Online Access Act also only affect selected administrative services. The authors conclude that there is no uniform and clear cybersecurity strategy. At state level, Baden-Württemberg, Hesse, Saxony, Saarland, Bavaria, Lower Saxony and Rhineland-Palatinate have adopted regulations on cybersecurity in local authorities. Some states have already appointed state CISOs who are responsible for IT security.
Recommendations for action
According to the authors, responsibility for cybersecurity lies with the management level of the municipalities, which should be trained and should establish IT security standards as well as a risk management system that goes beyond them. Municipalities should also appoint a CISO and a team of experts. Outsourcing to IT service providers should likewise be carried out in accordance with clear cybersecurity requirements. Finally, Kipker and Dittrich recommend an emergency plan and regular training.
The latest BSI situation report revealed that up to six million residents were affected by ransomware attacks on local authorities between June 2022 and June 2023. This led “not only to considerable operational restrictions”, but also to the restriction of basic administrative services. According to the report, ransom money has only been paid once in recent years – 490 euros in Bitcoin in 2016 following a crypto Trojan attack on a municipality in Dettelbach. Ransomware attacks occur disproportionately often in municipalities.
Municipalities not prepared
Situation reports from federal states, such as Hesse, are also listed as examples. According to these reports, 21 cyberattacks on Hessian municipalities were reported voluntarily last year, although in most cases these were harmless and did not result in data leaks or system failures. The cyberattack on the district of Bitterfeld was cited as a serious example. Four days after the attack, Bitterfeld declared a state of emergency. Another serious attack occurred at the end of 2023 on Südwestfalen IT, which was also listed in the BSI situation report.
According to the authors of the study, all areas of life in which digitalization takes place are at risk from cyber incidents. Critical areas such as hospitals are particularly attractive to cyber criminals, as there is high pressure to pay. This is partly because operations can be disrupted by the cyberattack or because of the sensitive healthcare data.
When asked about the situation in other countries at the presentation of the study, Kipker replied that in other countries such as Croatia or Greece, the state supports the countries in implementing a cybersecurity infrastructure. According to Dittrich, federalism is a problem in Germany.
(mack)