Opinion: A resounding slap in the face for the desolate NIS-2 implementation

Manuel “HonkHase” Atug is the founder and spokesperson of the independent AG KRITIS, which is committed to protecting critical infrastructures.

This is because the BMI and the Federal Government hardly listen and hardly want to accept suggestions for improvement. Fortunately, however, the BRH did not let up and, after several largely ignored statements with around 42 tips to the BMI, finally escalated the audit results in mid-September 2024. In its report to the Budget Committee and the Interior Committee of the Bundestag, the BRH makes it clear that the government draft of the NIS-2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG) neither creates adequate cyber security nor can it be expected to be used sensibly with taxpayers’ money.

“A patchwork quilt” that puts everyone at risk

The fact that the BMI also violated the Joint Rules of Procedure of the Federal Ministries (GGO) in its cabinet submission of the draft is the smallest point in the BRH’s list of shortcomings. The BMI should therefore have pointed out the dissenting opinion and the points of criticism of the BRH, but does not mention them at all.

The poor style in the formalities carries over into what the NIS2UmsuCG is supposed to achieve in terms of content. The BRH is not at a loss for clear words that could easily come from the engine room of the KRITIS working group. The Federal Government is in danger of “failing to achieve its goal of improving information and cyber security.” Already known deficits would not be addressed, and key points for cyber security would remain unresolved even after multiple departmental consultations. And as important regulations are not intended to be uniformly binding for the entire federal administration, the law threatens to become a “patchwork quilt” that puts everyone involved at risk. The NIS2UmsuCG thus falls far short of the goals it has set itself.

Gentle treatment for the federal administration

In case you just heard a loud clap: That was the resounding and apparently much-needed slap in the face. Let’s go into a little more detail.

According to a cabinet resolution from 2017, the IT baseline protection developed by the Federal Office for Information Security (BSI) would actually be mandatory for the federal administration. Unfortunately, this was never made legally binding. As a result, the federal government was stunned to discover that, despite the cabinet resolution, the IT security level of the federal authorities has not improved significantly lately.

However, instead of making IT baseline protection legally binding for all federal authorities, the current draft bill for the implementation of NIS2 restricts the obligation only to federal ministries and the Federal Chancellery. The BRH states – and I quote with relish: “In a networked federal administration, this is neither appropriate nor reasonable in comparison to the strict legal obligations of commercial enterprises.”

Swiss cheese with holes as a role model?

In fact, the NIS2UmsuCG contains several provisions that make it possible to exempt entire federal institutions or parts thereof from the protection requirements. The Federal Foreign Office is even included as an explicit exception. People with a long memory might scratch their heads: Wasn’t it already the target of a successful cyberattack a few years ago? But never mind, let’s move on.

And why do we need so many exceptions? Neither I nor the BRH can explain that to you. The latter refers to its own audit findings and those of the BSI on the IT security of federal administration data centers, which “emphatically” confirm the deficits. How the federal government intends to increase the level of security in the federal administration across the board with this Swiss cheese of exemptions remains “unclear”, and not only for the BRH.

Admittedly: It would also be difficult to find arguments for this. On the one hand, even small and medium-sized companies with 50 or more employees must implement the NIS2UmsuCG cybersecurity requirements. On the other hand, subordinate federal authorities, some of which employ several thousand people, such as the customs administration, do not have to implement anything at all. And while operators of critical infrastructures will have to submit proof of cybersecurity to the BSI every three years in the future, nothing comparable is planned for federal authorities.

A federal CISO that must and must not do anything

It is also unlikely that the position of Coordinator for Information Security provided for in the draft (a role known in the business world as CISO) will improve matters. This is because the draft merely establishes the position; its tasks and powers are not regulated at all. It is not only the BRH that is puzzled as to how someone in this position is supposed to be effective across departments.

The BMI justifies this by pointing out that the federal government is already working on presenting a concept for the Federal CISO. Unfortunately, it has not succeeded in agreeing on such a joint concept within five months, counters the BRH. This simply “does not do justice” to the threat situation in the federal administration. Touché.

You have to be clear about this: We’re not just talking about an office catching ransomware and suffering manageable financial damage. We are talking about the entire public administration and therefore about the security of all citizens and their trust in the state.

Cyber aid organization to the rescue

It is not only the BRH’s brave campaigners who see the maintenance of state functions as being at risk, especially in crisis situations. Many municipalities and districts have already experienced extensive and prolonged outages of central IT services. The considerable conceptual and technical deficits in the security of IT infrastructures in the federal authorities, to which the BRH refers, do not bode well.

The federal administration must therefore urgently eliminate the existing deficiencies. And an NIS2 implementation worthy of the name should definitely make progress. But what if it fails to do so? Then, as the BRH and BSI say, it is no longer a question of whether there will be a widespread failure. It’s just a question of when this will happen and how extensive all these major cyber incidents will be.

But perhaps the THW’s cyber aid organization will be established by then. Volunteer digital helpers could then be deployed to provide assistance when the bits start flipping by the dozen.

(mki)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.

Source link : http://www.bing.com/news/apiclick.aspx?ref=FexRss&aid=&tid=66f65350258b43e19d7a4b5be6fc17b8&url=https%3A%2F%2Fwww.heise.de%2Fen%2Fnews%2FOpinion-A-resounding-slap-in-the-face-for-the-desolate-NIS-2-implementation-9954659.html&c=3569101351834579250&mkt=de-de

Publish date : 2024-09-26 23:00:00
