NIS2 Implementation: How BMI is Ruining Administration’s IT Security



“The Federal Government and the Federal Ministry of the Interior have always striven to implement the EU NIS2 Directive within the scope of the possibilities available to them.” This is how a job reference issued by the Federal Audit Office (BRH) for the federal government, and specifically for the Federal Ministry of the Interior (BMI), might read. The ministry’s unwillingness to learn and its stubbornness are criticized at every turn.






Manuel “Honchez” Atag is the founder and spokesperson of the independent AG Critis, which is committed to the protection of critical infrastructure.

BMI and the federal government hardly listen and are hardly willing to accept suggestions for improvement. Fortunately, BRH did not give up: after several largely ignored statements and approximately 42 reports to BMI, it finally presented its audit findings in mid-September 2024. In its reports to the Budget Committee and the Interior Committee of the Bundestag, the BRH made it clear that the government draft of the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) neither creates adequate cybersecurity nor can be expected to be a sensible use of taxpayers’ money.

The fact that BMI also violated the Joint Rules of Procedure of the Federal Ministries (GGO) when presenting the draft to the Cabinet is the least of the shortcomings on BRH’s list. BMI should have pointed out BRH’s dissenting opinions and criticisms, but they are not mentioned at all.

The poor form in matters of procedure carries over into what NIS2UmsuCG achieves in terms of content. BRH does not lack for pointed words that could easily have come from the engine room of AG Kritis. The federal government risks “missing its goal of improving information and cybersecurity.” Even after several rounds of interdepartmental coordination, already known deficiencies remain unaddressed and key points for cybersecurity are left out. And because important rules are not intended to be uniformly binding on the entire federal administration, the law risks becoming a “patchwork quilt” that endangers everyone involved. NIS2UmsuCG falls far short of the targets it has set itself.


If you just heard a loud smack: that was a solid and clearly much needed slap in the face. Let’s look at it in a little more detail.

In fact, according to a 2017 Cabinet decision, the IT-Grundschutz baseline protection developed by the Federal Office for Information Security (BSI) was to be mandatory for the federal administration. Unfortunately, it was never made legally binding. And so the federal government was surprised to learn that, despite the Cabinet decision, the IT security level of federal authorities has not improved significantly in recent years.

However, rather than making baseline IT security legally mandatory for all federal authorities, the current draft bill for NIS2 implementation limits the obligation to the federal ministries and the Federal Chancellery. BRH says, and I happily quote: “In a networked federal administration, it is neither fair nor reasonable to impose strict legal obligations on commercial enterprises.”

On the contrary, NIS2UmsuCG contains a number of rules that make it possible to exempt entire federal institutions, or parts of them, from the security requirements. The Foreign Office is even named as an explicit exception. People with long memories may be left scratching their heads: wasn’t that the target of a successful cyberattack just a few years ago? But never mind, let’s keep going.

And why are so many exceptions needed? Neither I nor BRH can explain this to you. The latter refers to its own audit findings and to BSI’s findings on the IT security of federal administration data centers, which “strongly” confirm the deficiencies. How the federal government intends to raise the level of security across the entire federal administration with this Swiss-cheese collection of exceptions is “unclear”, and not only to BRH.

Admittedly, finding any logic here would be difficult. On the one hand, small and medium-sized companies with 50 or more employees must already implement the NIS2UmsuCG cybersecurity requirements. On the other hand, subordinate federal authorities, some with several thousand employees, such as the Customs Administration, do not have to implement anything. And while operators of critical infrastructure will in future have to submit cybersecurity evidence to the BSI every three years, nothing comparable is planned for federal authorities either.

Nor should anyone expect the position of coordinator for information security envisaged in the draft, known in the business as CISO, to improve anything, because it merely codifies the status quo. Functions and powers are not regulated at all. BRH is not alone in wondering how a person in this position is supposed to be effective across different departments.

By way of justification, BMI states that the federal government is already in the process of introducing a CISO concept for the federal administration. Unfortunately, BRH objects, they did not manage to agree on such a common concept within five months. This simply “does not do justice” to the threat situation in the federal administration. Touché.

Let’s be clear: this is not just about one office catching ransomware and suffering manageable financial damage. We are talking about the entire public administration, and therefore about the security of all citizens and their trust in the state.

The brave fighters of the BRH are not the only ones who see the maintenance of state functions at risk, especially in crisis situations. Many municipalities and districts have already experienced widespread and long-lasting failures of central IT services. The significant conceptual and technical deficiencies in the security of federal authorities’ IT infrastructure that BRH cites do not bode well.

The federal administration should address the existing deficiencies immediately, and NIS2 implementation, true to its name, should be the vehicle for doing so. But what if this does not happen? Then, as BRH and BSI put it, the question is no longer whether there will be a massive failure, but when it will happen and how widespread the resulting cyber damage will be.

But perhaps by then a cyber relief unit will have been established within the THW (Federal Agency for Technical Relief). Volunteer digital helpers could then come in handy and lend a hand when bits flip in rows.


(axk)
