24.04.2014

eco Position Paper IT Security: eco Calls for Legal Security and European and International Standards for IT Security

With the echoes of the NSA surveillance scandal still ringing in people’s ears, and against a backdrop of German and European moves to reform IT Security legislation, eco has produced a Position Paper on IT Security. The paper calls for legal clarity, an avoidance of unilateral action and the establishment of European standards.

No unilateral action: International regulations and standards and cross-border protection measures

With the European Parliament election just around the corner, eco maintains that IT Security requires international regulations and standards and cross-border protection measures. With regard to the European legislative intentions for a directive on measures to ensure a common high level of network and information security (NIS Directive), there must be agreement and the interlocking of responsibilities and regulations. In this context, the German Federal Government should re-assess any idea of Germany taking unilateral action that does not contribute to legal clarity. IT Security in the age of ubiquitous networks cannot be guaranteed through national regulation and/or regionally limited protection measures.

Clear legal definitions are necessary

According to the Position Paper, legal clarity and legal security are fundamental to the health of the Internet industry. With this in mind, the intentions stipulated in the German Federal Government’s coalition contract need to be critically analyzed. While eco welcomes in principle the intentions of the Federal Government to support industry in the raising of IT Security, and supports the setting of legal regulations for the area of critical infrastructure, care needs to be taken to clearly define this critical infrastructure in law, and clear legal specifications are necessary with regard to minimum requirements for the maintenance of IT Security. Also necessary is a precise definition of the elements of an offense which will trigger the duty to report. A practical definition of a “significant IT Security incident” needs to be found.

No expansion of obligation to report

However, the eco Position Paper on IT Security takes an exceptionally critical view of the expansion of the duty to report for the operators of publicly accessible telecommunication services, over and above the currently existing obligations. With regard to the goal of creating a better overview of the IT Security situation, which the legislative authority is seeking to achieve with these legal obligations, voluntary reporting is sufficient for the purpose, and is a less intrusive, milder means. eco also rejects a legal obligation to report for Internet providers if evidence of malware or other abuses arises among their customers. The intended duty of notification laid out in the draft law presented by the Federal Ministry for the Interior on 5 March 2013 would, on this extensive scale, be particularly difficult for small and medium-sized providers to fulfill.

eco further rejects an expansion of the technical responsibility for the protection of ICT systems to all providers in the application area of the Telemedia law (TMG) that are operating on a professional level. In the draft of 5 March 2013, the group of those affected is too broadly defined and too indefinite. The justified concern over the growing dissemination of malware through telemedia services must not lead to unlimited responsibility of telemedia providers for the technical infrastructure.

Voluntary, anonymous and encrypted reporting

eco is of the opinion that the existing voluntary information system, which today consists of a network of public and private CERTs, with the involvement of the Federal Office for Information Security and institutions like the Alliance for Cybersecurity and the Advanced Cyber Defense Center, should be expanded and supported. In order to protect company data, reporting should be anonymous and encrypted, which will make an effective and, above all, trustworthy information exchange possible. It is also necessary to examine the permissions under data protection and competition law, to ensure or to clarify that the forwarding of information does not incur an increased risk of liability.

Support end-to-end encryption

eco rejects as neither practicable nor constructive a legal obligation for telecommunication network operators to encrypt individual communication paths. In contrast, the support of secure end-to-end encryption is a sensible approach to the raising of IT Security, specifically as it would require an increase in effort across many threat scenarios, from common criminals through to secret services. Here it should be taken into account that in the implementation of end-to-end security, the end devices, which are under the control of the user, must be incorporated. Overall, eco sees it as desirable that the transmission of unencrypted data decreases, but rejects on principle a legal obligation for this.

Limit the activities of secret services and security agencies

At the European and international levels, eco calls for the Federal Government to advocate for the enactment of an agreement which mandatorily controls the authority and the limits of the activities of secret services and security agencies, and the enforcing of liability and obligations of ICT companies through these agencies. This also concerns especially the handling of cross-border data retention and data processing.