Cybersecurity: "It's neck or nothing"
Business associations sounded the alarm on the 36th Cybersecurity Day. The BSI President announced that she would not prioritize sanctions via NIS2.
The challenge companies face when it comes to cybersecurity is huge, says Martin Wansleben, Managing Director of the German Chamber of Industry and Commerce (DIHK). However, the sum of bureaucratic challenges overloads companies and also puts the acceptance of sensible measures at risk. Companies are left with a fatal impression: "The state is playing hard to get. Isn't security a fundamental government task?" Many SMEs still rely on the principle of hope. Yet it is clear: "Without cybersecurity there can be no digitalization, without digitalization there can be no increase in productivity." And that determines the country's economic performance.
If war capability is the goal, cybersecurity is the first priority and other regulations such as the Supply Chain Act must then be deprioritized. "When it comes to security, it really is all about the sausage," says Wansleben. Karl-Sebastian Schulte, Managing Director of the German Confederation of Skilled Crafts (ZDH), argues similarly with regard to the financial possibilities of companies: "If the state has tight budgets, this process has already started at least two years earlier in industry."
Plattner wants cooperation instead of sanctions
The industry's criticism was explicitly not directed at the Federal Office for Information Security (BSI). Its President Claudia Plattner called for more commitment in Berlin. "We can't afford it when billions of euros flow out of our country," she said, referring to the economic consequences and ransomware payments. "We cannot afford to allow ourselves to be divided by disinformation. And we can't afford to allow know-how to be extracted for nothing." Allowing sabotage is also unacceptable, warns Plattner.
For this reason, the new EU regulations NIS2 and the Cyber Resilience Act, which she sees as twins, must be brought to life in practice. Companies would achieve significant improvements in IT security with modern methods, such as the consistent use of a software bill of materials (SBOM). "How many manufacturers really know which libraries are installed in which versions in their products?" asks Plattner with a view to software supply chains.
The BSI wants to focus primarily on cooperation for the NIS2 application, the BSI President announces. The interest from companies is huge – the authority had to find a new webinar solution to meet this demand. Addressing 29,000 companies individually would be impossible. "So far, we haven't planned to increase the number of jobs for the implementation of NIS2," explains Plattner. "We can't continue as before," said the BSI President, referring to the more than six-fold increase in the number of companies and authorities covered by the KRITIS requirements, which the BSI is supposed to monitor, advise and also support in an emergency.
Federal Ministry of the Interior warns against excessive criticism of regulations
The BSI's NIS2 Checker has already been used 36,000 times, reveals Friederike Dahns, Head of the Cyber and Information Security Department at the Federal Ministry of the Interior. At the same time, she warns against making sweeping judgments about rules. Getting upset is legitimate, but: "There are many, many powers out there that no longer make their rules by democratic consensus. They wouldn't ask any of you before passing a law to report vulnerabilities, to carry out penetration tests, to nationalize companies." Before her new role at the Ministry of the Interior, Dahns was also responsible for counterintelligence. She takes the company representatives to task: "For years in counterintelligence, I saw you all being attacked every day. In every possible way. And how you, helpless and powerless, rightly demanded that the German state protect you, including with a good set of rules."
To achieve this, the NIS2 Implementation and Cybersecurity Strengthening Act is intended to define the legal framework more precisely. Tomorrow, the German Bundestag will discuss it at first reading. State Secretary of the Ministry of the Interior Markus Richter sees a need to adapt the legal framework beyond the current legislation, especially regarding federalism: "It is crucial that we know who responds to which attack with which competence." According to Richter, today it is primarily a question of which authority is responsible when an incident occurs.
(mma)