In view of the incidents, Interior Minister Nancy Faeser (SPD) assured that the protection of critical infrastructures had “top priority”. The security authorities are taking “additional protective measures” where necessary, the minister told the “Süddeutsche Zeitung”. “For example, we have increased the protection of maritime infrastructures by significantly increasing the presence of the federal police at sea.” Faeser announced the key points for a so-called “Kritis umbrella law” this year.
The Greens in particular have been calling for such a law for some time, which should also regulate questions of IT security. An “umbrella law” was agreed in the coalition agreement between the SPD, the Greens and the FDP. “Today, the law is more urgent than ever and must be implemented immediately,” says the Greens’ motion.
Top jobs of the day
Find the best jobs now and
be notified by email.
Critical infrastructure includes facilities from the energy, transport, water, food, state and administration, health, information technology and telecommunications sectors. Some experts have doubts as to whether these partly state-run, partly privately run facilities are adequately protected in Germany. The debate on this was fueled by the explosions on the Baltic Sea pipelines and the sabotage attack on the railway’s communications system.
Criticism of Interior Minister Faeser’s cyber security agenda
The Greens do not name any possible originators of these attacks, but point out the temporal connection between the events. “They aim to further unsettle our society in a time marked by crises,” the Greens explain in their motion. In addition, the incidents represented a new quality in their effects and exploited both digital and physical vulnerabilities in the critical infrastructure. “The damage that has occurred shows us that even relatively simple disruptive actions, such as cutting through the cables during the attacks on the train, can have a major impact.”
>> Read here: Concern about blackouts due to sabotage: Municipalities are demanding a national emergency power reserve
As a consequence, the Greens consider short-term protective measures to be necessary. “The federal and state police forces must pay more attention to important facilities and, for example, communication hubs,” says the emergency motion. To do this, they must be provided with the appropriate resources. In addition, counter-intelligence must be reorganized and, if necessary, strengthened.
“And we need new structures to detect and defend against hybrid threats,” the application continues. According to the Greens, cooperation in institutions such as the National Cyber Defense Center must be based on “clear legal requirements”. The party rules out active cyber defense. That means: The Greens refuse to allow German security authorities to carry out cyber counterattacks, so-called hackbacks.
In this context, the Greens are critical of the cyber security agenda recently presented by Interior Minister Faeser. So far, the plans have not lived up to the claim of improving the protection of critical infrastructures. Therefore, the national security strategy, which is currently being developed under the auspices of the Federal Foreign Office, is particularly important. The Greens hope that the strategy will take into account aspects such as closing security gaps in IT systems and cyber foreign policy.
Kritis umbrella law is intended to close gaps in protection
The current requirements for critical infrastructures, which are primarily formulated in the context of IT security legislation, do not go far enough for the Greens.
For example, the thresholds set in the Kritis Ordinance, above which public institutions or companies are considered critical infrastructure, are “sometimes set so high that even large operators of critical facilities fall through the cracks”. These gaps urgently need to be closed.
>> Read here: Six German companies affected: Cyber attacks on European energy companies are increasing
The Kritis umbrella law is intended to serve this purpose. The federal government will also implement the currently negotiated EU directive on the resilience of critical facilities nationally, said a spokesman for the Federal Ministry of the Interior.
The law and the directive would formulate minimum requirements for measures that the operators of critical facilities would have to take in order to be comprehensively prepared for dangers such as natural disasters, terrorism, sabotage or human error. In addition, “a reporting system for security incidents and reporting obligations for infrastructure operators and the EU member states will be established”.
More: “The threat is growing” – How endangered is the critical infrastructure in Germany