Many companies have fallen victim to cyber attacks. (Photo: Yingyaipumi – stock.adobe.com)
Cybersecurity has now become a serious problem for industry. According to VDMA, ransomware attacks sometimes cost companies over a million euros a day. Production often has to stand still for up to eight weeks after such an attack. Such attacks hit not only companies that have not taken any security measures, but also companies that have an existing cybersecurity infrastructure.
In a recent survey by the Bavarian Business Association and IW Cologne, 30 percent of those polled said cybercrime was a serious threat. This puts cyber attacks on a par with the pandemic (33%). Only the availability of raw materials (36 percent), an increase in structural costs (42 percent) and the failure of critical infrastructure (46 percent) are seen by more companies as a risk.
This week, Interior Minister Nancy Faeser unveiled the cybersecurity agenda. We will explain to you what it is all about and how industry and business reacted to it.
What is behind the cybersecurity agenda
Faeser proposed an amendment to the Basic Law. The reason: at the moment, responsibility for cybersecurity still rests with the Länder. The Federal Office for Information Security (BSI) could only provide “administrative assistance”. That should change now. Faeser would like the BSI to become the focal point in the fight against cyber attacks. The purpose of the agenda is to create an efficient and clear division of tasks in the cybersecurity architecture. When presenting her plans, the Federal Interior Minister explained that the Länder were overwhelmed by this task in the long run. Amending the Basic Law requires a two-thirds majority. This means that the traffic light coalition would also need votes from the opposition.
She also wants to make some changes and modernizations. For example, a central videoconferencing system that meets the highest security requirements is to be introduced for the federal administration.
Important for the industry: A platform for companies to exchange information on cyber attacks is to be created at the BSI. In addition, investments in so-called cyber resilience measures are to be promoted in small and medium-sized enterprises if they belong to “critical infrastructure” – i.e. in sectors such as transport, food, health, energy and water supply.
VDMA calls for more support in supply chains
VDMA is disappointed with the presentation of the cybersecurity agenda. While the threat to industrial SMEs is high, there is often a lack of adequate support from the responsible authorities, especially the Federal Office for Information Security (BSI), which is led by the Ministry of the Interior, says Claus Oetter, managing director of VDMA Software and Digitalization, in a press release. The association complains that the federal structure of police work also makes it difficult to fight cybercriminals.
VDMA had therefore counted primarily on wider support for and promotion of resilience in the supply chain. “Unfortunately, the agenda fails to meet this requirement,” said Oetter.
First of all, the association strongly criticizes the interpretation of who belongs to the critical infrastructure. In the past, VDMA member firms were denied support on the grounds that they were not operators of critical infrastructure. VDMA explains: “It is the machine and plant manufacturers whose products and services are essential to critical services – drinking water, electricity or heat supply.”
Steffen Zimmermann, head of the Competence Center for Industrial Security at VDMA, believes it is a mistake to continue to focus solely on critical infrastructure when providing active support. Today, broader support for cyber resilience in the critical supply chain would be the right approach to making the image of the German authorities responsible for “IT security in Germany” a reality, he explains.
Small and medium-sized companies should become an important player, and the nationwide industrial relief provided by the BSI must be legally anchored. “Companies also need this trustworthy, independent partner not only to protect against cyber attacks but also to help during and after cyber attacks,” says Zimmermann. “BSI can and wants to do this as the largest European cybersecurity authority; the Ministry of the Interior must provide a legal basis for it.”
Bitkom: Agenda needs more judgment
The digital association Bitkom sees positive aspects, but also criticizes the program. The association considers it important that the BSI is strengthened and becomes the central point of contact. This makes it possible to respond more effectively to a worsening emergency.
Bitkom CEO Achim Berg criticizes that there will be more interference in people’s privacy in the future. “There should be no end-to-end encryption solution in digital communication,” he explains. In addition to determination, a cybersecurity program also requires more evaluation. It is important that the announced cybersecurity strategy is implemented immediately and not put on the back burner. The implementation of the measures presented must be quickly identified and critical issues clarified.
Does Germany need an information security director?
Tim Berghoff, IT security evangelist at software development company G Data, also took the floor. “This so-called cybersecurity program – forgive my sarcasm – is another slap in the face for those who value a thoughtful, evidence-based, and long-term approach to improving security,” he says.
The German Trade Association (HDE) explains that it remains questionable to what extent speeding up security is possible without a nationwide information security director (CISO). According to the association, as the overarching coordinator at the strategic level, this role should create direct visibility of the information security topic, combine the federal government’s information security management, and also support the operational implementation of IT security requirements.
Stephan Tromp, HDE’s deputy managing director, criticizes the discussed active cyber defense, the so-called hackbacks: “We should prioritize the protection of the state and companies and use the limited resources available to do so. Building an attack infrastructure is complex and time consuming.” Hackers can also quickly move their infrastructure to other servers and botnets, especially if counter-attacks are expected. Overall, the association considers the measures presented to be an important step in the fight against cyberattacks and cyberespionage against German companies.
“The exchange of information between business and administration requires urgent improvement so that the existing security gaps can be removed as soon as possible,” says Prof. Dr. Norbert Pohlmann, head of IT security at the Internet Industry Association. Closer and more targeted collaboration between all stakeholders, such as the state, the user economy, the supplier economy, and cybersecurity technology research, will help to solve the gigantic cybersecurity task for all.
“At the same time, however, we would also like to point out that parts of the agenda presented are currently too vague and must therefore be critically analyzed,” continued Pohlmann. As an example, he mentioned the planned extension of the state’s powers to clarify technical issues.