What do energy, health, transport, water, food, telecommunications, finance and administration have in common? The failure of one or several of these infrastructures has severe consequences for the public good. Protecting these infrastructures requires a combination of legal, technical and corporate approaches. How complex and also how acute this issue really is for critical infrastructure companies became clear during the booked-up parliamentary evening held by BBH in Berlin on 4 November 2019 under the auspices of Member of the Bundestag Bernd Westphal.

“Digitalisation and cybercrime are closely interwoven”, stated BBH partner Prof. Dr. Ines Zenke already in her opening address at the parliamentary evening which she hosted for the 13th time on behalf of BBH. “Digitalisation is the inadvertent catalyst and unfortunately also a fertile breeding ground for cybercrime, as is shown by the current crime statistics.” The legislator is right in imposing specific cybersecurity requirements on critical infrastructure companies already at this stage. With the draft bill for the IT Security Act 2.0 (IT-Sicherheitsgesetz 2.0), the scope of application is now to be significantly extended once again, which – apart from the indisputable fact that cybersecurity is a top-level issue and vital for every company– indeed raises questions. This is because the draft Act also provides that the media and cultural sector, the arms industry and the companies listed in the Prime Standard segment are to be included in the group of critical infrastructures. This, as is also clearly intended by the authors of the draft bill, would cover the major part of the German economy: “In order to be regarded a critical infrastructure, one no longer needs to be a critical infrastructure.” Borussia Dortmund, the supplier of dog food for the German shepherd dog and the umbilical cord blood bank Vita 34 would all become critical infrastructures as they are subject to sec. 48 of the Exchange Rules and Regulations for the Frankfurt Stock Exchange and thus count as economically important companies. “Considering the powers the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI) will be given in the future, the question has to be asked why the state is allowed to interfere with the self-determination, freedom and data protection of non-critical infrastructure companies to such an extent. It is not immediately clear why the public good should be endangered if the football club BVB organises its cybersecurity measures without the BSI. The legislator will have to make adjustments to avoid throwing out the baby with the bathwater. This also includes preparing in the best possible way those infrastructures that are really critical for cybersecurity.”

A failure of critical infrastructures may have catastrophic consequences, Peter Henzler, Vice-President of the Federal Criminal Police Office (Bundeskriminalamt – BKA) warned. He pointed out that critical infrastructure companies are obliged to report cyberattacks to the BSI but not to prosecution authorities. He therefore called on the companies to give the Federal Criminal Police Office the opportunity to investigate cyberattacks. His overview of the cyber scene showed that customised malware is now available which targets and exploits minimal security vulnerabilities and may inflict great damage. What is known as ‘crime as a service’ can be used by people without own IT skills to commit cybercrimes by ‘ordering’ the respective service on the Internet. Such attacks may also be carried out e.g. via the supply chain targeting the company indirectly by infecting the suppliers. It is therefore necessary to create an interdisciplinary network to combat cybercrime effectively. Alongside the National Cyber Defence Centre (Nationales Cyber-Abwehrzentrum – Cyber-AZ), the G4C is such a platform bringing together economic stakeholders and the security authorities.

Bernhard Witthaut’s speech focused on the prevention of cybercrimes. According to the President of the Office for the Protection of the Constitution of Lower Saxony (Niedersächsischer Verfassungschutz), companies have an insufficient safety culture. Apart from the technical prerequisites, it is also the human factor which due to ignorance or carelessness makes cyberattacks possible in the first place. Senior management must lead the way and address this issue, i.e. by way of employee training programmes, the development of emergency plans and supervision of routines to increase readiness.

Thus it became clear that cybersecurity is not a niche topic to be dealt with by a subordinate corporate department, but a central topic for the executive management and board level. Because it is the top-level managers who must make sure within the framework of compliance that their company is primed and ready to deal with cybercrime activities and fit to respond accordingly. And it is they who are also held accountable if this is not the case.

That IT security is driven by compliance was also confirmed by Hendrik Heyn, managing director of Xiting GmbH. He believes that the implementation of effective security concepts is ultimately a competitive advantage for the company.

Let’s get back to the critical infrastructures: Alongside the BSI, the Federal Network Agency (Bundesnetzagentur – BNetzA) is also responsible for IT security issues. To achieve a higher security level in the energy sector, the regulatory authority developed its catalogue of IT security requirements, which is still open for consultation until the end of November. However, Vice-President Dr. Wilhelm Eschweiler stressed at the parliamentary evening that the Federal Network Agency is an “authority applying the law”. He therefore referred the question of whether the Chinese technology group Huawei would be allowed to enter the German 5G market back to the policymakers.

According to Member of the Bundestag Alexander Müller, spokesperson of the Defence Committee, one must generally ask oneself how closely a company and the government should be intertwined. The boundaries in this respect were fluid. Member of the Bundestag Bernd Westphal said that Europe had not managed to develop its own expertise in this field. If one were to exclude Huawei, this would indeed have an adverse effect on Germany as a business location. He advocated for establishing adequate security standards instead.

Dr. Götz Brühl, managing director of Stadtwerke Rosenheim, could give a first-hand account of how imminent a cyberattack in the energy industry is. A recent hacker attack was targeted precisely at crippling the machine control system of the municipal utility company. Particularly dangerous were ‘dormant’ attacks where hackers lie low for a couple of months inside the systems, only to emerge at a later stage to first encrypt the backups and then cripple the system. If a network is compromised and subsequently collapses, it could take weeks to get everything back up and running normally. “During this time, the staff must operate the system manually!” said Götz Brühl.

What is the situation like at the authorities? Do we have adequate measures in place in Germany to stop cyberattacks and investigate cybercrimes? Member of the Bundestag Alexander Müller is not so sure about that and criticised the fragmented cybersecurity structure. It is true that the Cyber Defence Centre combines resources from the BSI, the Federal Criminal Police Office, the Federal Police Force, the Federal Office for the Protection of the Constitution, the Bundesnachrichtendienst (the foreign intelligence service of Germany), the German Armed Forces, The Federal Office of Civil Protection and Disaster Assistance, the Customs Criminal Office and the supervising bodies responsible for operators of critical infrastructures. Still, Peter Henzler and Bernhard Witthaut reject the allegation of disputes over competence, stating that the individual authorities had a clearly defined set of responsibilities and permanent points of contact.

After the concluding speech by Joachim Weide, owner of Operatis Business Technology Consulting UG, the guests of the parliamentary evening were, however, on the same page and agreed with the advice offered by the speakers: Be vigilant and take cautiousness, awareness, networking and cybersecurity seriously. Ines Zenke summed it up as follows: Take care of your data! – And once again: cybersecurity is a top-level issue!

With the friendly assistance/cooperation of
DELL Technologies, Xiting GmbH, G4C German Competence Centre against Cybercrime e. V., Rubicon GmbH, Operatis Business Technology Consulting UG

Becker Büttner Held is a leading provider of advisory services for energy and infrastructure companies and their customers. Energy and supply companies, particularly public utilities, municipalities and local authorities, industrial companies and international groups are among its core clients. BBH advises these and many other companies and organisations in all legal and tax matters and also assists them with business and strategic advice.

Contact:           

Prof. Dr. Ines Zenke
Lawyer, Partner
phone +49 (0)30 611 28 40-179
ines.zenke@bbh-online.de

Visit Becker Büttner Held at www.bbh-online.de, www.derenergieblog.de or twitter.com/BBH_online.