As America continues to consider legislation for improving cybersecurity, the actions of other Western nations may (or may not) be of influence and interest. I recently received a management summary of the proposed German IT security legislation being drafted by the government. [In Germany, more so than in the US, government proposals come from the executive and are likely to be adopted by the parliament.]. Naturally, the base text is in German, but this English language summary is quite informative and reflects a much more regulatory approach than many in America are considering:
German Ministry of the Interior
Content of Main Regulations to Improve IT SecurityOperators of critical infrastructure are required to meet minimum IT security standards: Operators of major critical infrastructure shall take IT security measures in accordance with the state of the art and ensure compliance therewith. Sectors may develop internal standards which the Federal Office for Information Security (BSI) recognizes as a concretization of the statutory commitment.
Operators of critical infrastructure are required to report significant IT security incidents: Operators of major critical infrastructure shall immediately report to the BSI any IT security incidents having implications for security of supply or public safety through channels established for that purpose. Only in this way can the Office for Information Security create a valid national situation report and support the operators in overcoming the incident.
Telecom providers are required to meet minimum IT security standards: Providers shall ensure IT security in accordance with the state of the art, not only as in the past to protect confidentiality and privacy of personal data but also to guard against unauthorized intrusions in the infrastructure, in order to improve the resilience of the networks as a whole and thus to ensure their availability.
Telecom providers are required to report significant IT security incidents: Providers shall immediately report IT security incidents that could lead to a disruption in availability or unauthorized access to user systems. Beyond the existing reporting requirement in case of a breach of personal data privacy, providers responsible for the backbone of the information society will thus be able to contribute to a valid and complete situation report.
Telecom providers are obligated to inform users of malware and provide technical support tools to identify and remove it: The prescribed information shall enable the user himself to take measures against the malware. The providers must furthermore provide users with easy-to-use security tools that can be used to prevent and eliminate disruptions emanating from the concerned user’s infected system.
Providers of telemedia services are required to meet minimum IT security standards: To reduce the spread of malware via telemedia, providers who offer telemedia services commercially and for remuneration are obligated to implement recognized protective measures to improve IT security to a reasonable degree.
The Federal Office for Information Security is required to report annually: The envisaged annual report and its publication are intended to further sensitize the public to the issue of IT security, which, in light of the fact that numerous successful IT intrusions could have been prevented by using standard tools, is particularly important.