Position Paper: Berlin, 31 March Legislative intentions to increase IT Security

Transcription

1 Position Paper: Berlin, 31 March 2014 Legislative intentions to increase IT Security eco the Association of the sees itself as lobbyist and supporter of all companies that are involved in the economic creation of value on or with the Internet. The association currently represents around 700 member organizations. This includes, among others, ISPs (Internet Service Providers), carriers, hard and software suppliers, content and service providers, and communication companies. eco is, as a result, the largest national Internet Provider Association in Europe. On the national and the international level, there have been and continue to be intentions to create further legal regulations with regard to IT Security. At the federal level, the Federal Ministry for the Interior presented a draft law on the increase in security of Information Technology systems on 5 March On 14 June 2013, a hearing on the topic took place, in which eco also took the opportunity to state its position. The legislative process for the draft of an IT Security Law was, however, not completed before the election for the 18 th term of the German Federal Parliament. At the European level, the EU Commission introduced a draft directive on measures for the guarantee of a collective high level of network and information security in February 2013, the legislative process of which can be completed after the election of the new European Parliament. In the coalition contract, the German Federal Government came to an agreement on the establishment of an IT Security law. In addition to this, the Federal Government secured numerous mandates and audit engagements with regard to IT Security in the coalition contract. The individual points: The Federal Government wants to advocate a European Cyber-Security strategy; the intention is to harmonize the framework conditions for IT Security at the European level, which is also supposed to apply to a standardization of IT Security. Minimum requirements would be created for the IT Security of critical infrastructure and a duty to report significant IT Security incidents. Offers for national and European routing would be examined. For Internet Service provider, a duty to notify would be introduced if evidence of malware or other abuses arises among their customers. Page 1 of 7

2 IT manufacturers and service providers would be liable for data protection or IT Security deficiencies in their products. European telecommunication providers would be obliged to encrypt their communication connections, at least within the EU. It would be ensured that European telecommunication providers are not permitted to forward their data to foreign secret service agencies. The Federal Government wants to advocate a strengthening of the transparency of the standardization committee and a stronger German participation in this and other international committees, especially those concerning Internet architecture and Internet Governance. The development of reliable IT and network infrastructure would be supported. IT and Telecommunication Security would be brought together. For this, the Federal Office for Information Security (BSI) would be strengthened in its tasks, competencies and resources, as the national IT Security authority. Certification for Cloud infrastructure and other securityrelevant systems and services is suggested. The further development and distribution of chip card readers, cryptography, D and other secure end-to-end encryption, along with trustworthy software, would be expanded. Against the backdrop of the new draft announced by the Federal Government and the agreements to that effect in the coalition contract, eco wishes to take the opportunity to present the position of the Internet industry: Summary of the Positions: Avoid unilateral national actions, observe responsibilities, establish European and international standards. Clear legal definitions are necessary, in order to ensure legal certainty. Risk-based determination of scope in accordance with existing industry-specific obligations. No expansion of the existing duty to report for operators of telecommunication networks and services. No expansion of the liability of telemedia service providers. Page 2 of 7

3 Voluntary, encrypted and anonymous reporting, on the basis of existing exchange of information. Notification of customers by Internet Service Providers of evidence of malware can be expedient if it is undertaken voluntarily. However, rigid, bureaucratic duty of notification is rejected by the Internet industry as ineffective and unfeasible. Legal obligations for regional routing should be examined critically and in detail for its usefulness. Determine industry-specific minimum requirements through self-regulation. Support end-to-end encryption. I. General Information Avoid unilateral national actions, observe responsibilities IT Security has been an essential topic for years for the Internet industry. In Germany there is a higher than average level of security in comparison to other countries. This can essentially be attributed to partnership projects between industry and the state at the national and European levels, and to initiatives from the Internet industry. However, the responsibility for a high level of IT Security is, as with all security issues, a task for the whole society. Therefore, in the center of the Federal Government s plans should be the state s own obligation to protect and its own responsibility for the maintenance of IT Security, offensives for research, development and education in the area of IT Security, and the raising of the civil society s awareness of the issue of IT Security. The surveillance scandal surrounding the revelations about the activities of the NSA demonstrates that IT Security means not only national, but also international responsibility, and that the Internet industry, despite all the efforts to create a high level of IT Security, have their limits set by politics. In addition, IT Security in the age of ubiquitous networks can not be guaranteed through national regulation and/or regionally limited protection measures. IT Security requires, rather, international regulations and standards and cross-border protection measures. With regard to the European legislative intentions for a directive on measures to ensure a common high level of network and information security (NIS Directive), there must be agreement and the interlocking of responsibilities and regulations. Any idea of Germany taking unilateral action that does not contribute to legal clarity should be fundamentally re-thought by the Federal Government. Page 3 of 7

4 II. In Detail 1. On the suggestion to create binding minimum requirements for the IT Security of critical infrastructure, and the obligation to report substantial IT Security incidents. With regard to the continuously growing and new challenges in the maintenance of IT Security and the high dependence of German industry on a functioning IT infrastructure, eco welcomes in principle the intentions of the Federal Government to support industry in the raising of IT Security. Legal regulations for the area KRITIS can provide added support. In particular, the potential danger of an outage warrants the far-reaching obligations for operators. Clear legal definitions It is necessary to have a clear legal definition of KRITIS. The defining criteria for critical infrastructure should be set in law, with regard to the consequences for those affected. In addition, clear legal specifications are necessary with regard to minimum requirements for the maintenance of IT Security. Also necessary is a precise definition of the elements of an offence which will trigger the duty to report. A practical definition of a significant IT Security incident needs to be found. The scope should be crosssector, oriented at the security risk for the provider or service provider, in accordance with existing sector-specific security specifications. No expansion of the existing duty to report for operators of telecommunication networks and services. An increase in legal obligations alone will not lead to higher security. The currently occurring exchange of information on security incidents is necessary, and is in the best interests of the entire Internet industry. New duties to report would therefore need to be practicable and economically feasible. The Internet industry takes an exceptionally critical view of the expansion of the duty to report for the operators of publically accessible telecommunication services, over and above the existing obligation to report disruptions with considerable impact on the operation of the network or on the provision of services ( 109 Abs. 5 S.1 TKG), or that involve the violation of the protection of personal data ( 109a Abs. 1 TKG). With regard to the goal to create a better overview of the IT Security situation, which the legislative authority is seeking to achieve with these legal obligations, a legal obligation to report all IT Security incidents that could lead to an interruption of the availability or to unauthorized access to the user s systems 1 is not necessary and, as a result, not justified. While the existing obligation to report violations of the protection of personal data is justified on the grounds of the subject of protection, namely the privacy of the affected person, such legal obligations for all IT Security incidents is unnecessary, with regard to the purpose of the regulation, which is the Federal Government s gaining of 1 As applied in the draft for an IT Security law from 5 March 2013 Page 4 of 7

5 better information about the current IT Security situation. Voluntary reporting is sufficient for the purpose, and is a less intrusive, milder means. Voluntary, anonymous and encrypted reporting eco is of the opinion that the existing voluntary information system, which today consists of a network of public and private CERTs, with the involvement of the BSI and institutions like the Alliance for Cybersecurity and the Advanced Cyber Defence Center, should be expanded and supported. In order to protect company data, reporting should be anonymous and encrypted, which will make an effective and, above all, trustworthy information exchange possible. Legally secure exchange of information It is also necessary to examine the legality of data protection and competition law permissions, to ensure or to clarify that the forwarding of information does not incur an increased risk of liability. Reporting should also not be allowed to be connected to higher operative or technical security risks. 2. On the deliberations with regard to legal obligations for regional routing of data traffic The multifaceted deliberation for regional routing of the data traffic must be examined in detail and critically by the Federal Government, on the grounds of the complexity of the questions related to the discussion. Decisive criteria of such an examination should be its practicability and implementability, taking into account the realities of the network infrastructure. In particular, this should take into account the related technical, legal and economic implications and consequences. Due to the effects on all companies that are involved in the creation of economic value on or with the Internet, eco sees it as their task to encourage a more objective discussion on the topic, and to provide an informed basis. To achieve this, eco will initiate a direct dialog and exchange between those involved. The goal of the discussion should be to make an appraisal with regard to the technical and economic implementability of this issue, and to present this in writing. With this, eco wants to provide a constructive contribution, to give the existing discussion a broader foundation, and to make the discussion more objective. 3. On the suggestion to introduce a duty to notify for Internet providers if evidence of malware or other abuses arises among their customers eco rejects a legal obligation for the telecommunications providers to inform such users of disturbances originating from their data processing systems. The intended duty of notification laid out in the draft from 5 March 2013 emerged as a universal consultancy project which, on this extensive scale, will be an obligation that particularly small and medium-sized providers will not be able to fulfill. A restriction to technically possible and reasonable cases would also not be suitable, as this would not limit with sufficient legal certainty the provider s obligation to act. Page 5 of 7

6 eco also rejects an expansion of the technical responsibility for the protection of ICT systems to all providers in the application area of the Telemedia law (TMG) that are operating on a professional level. In the draft from 5 March 2013, the group of people affected is, with regard to the variety of offers from telemedia services, too broadly defined and too indefinite. Here, the sovereignty over the ICT service alone could be a starting point. The justified concern over the growing dissemination of malware through telemedia services must not lead to the unlimited responsibility of telemedia providers for the technical infrastructure. The Internet industry finds at the very least questionable the justification contained in the draft law from 5 March 2013 that legal terms like reasonableness allow flexible adjustment through case law. Before the industry and the courts are forced into long and costly legal proceedings, it would be preferable to develop more precise regulations. Support existing activities eco advocates, rather, that existing activities of the industry, such as the Anti-Botnet Advisory Center, the Initiative-S and the Advanced Cyber Defence Center be further supported and networked. The initiatives have resulted in a significant reduction in the number of infected computers of private users. Self-regulatory initiatives are based on the practical experience of the industry and are, unlike legal regulations, capable of bringing measures to those places where they seem most necessary. Unclear legal obligations do not automatically lead to better results. On the suggestion to expand the liability of IT producers and service providers eco is critical of the Federal Government s proclamation contained within the coalition contract of their desire to expand the liability of IT manufacturers and service providers. With regard to the assumption of a liability-gap in this area, which forms the basis for the proclamation, eco would like to point to the legal obligations for liability which exist alone as a result of the legal relations between supplier and user, and to the Product Liability Act (Produkthaftungsgesetz). With regard to an expansion of the liability of telecommunications providers, we refer to the remarks under Point On the suggestion for a legal obligation for TC operators for the encryption of their communications connections Here, it is firstly necessary to differentiate between the encryption of individual communication paths and an end-to-end encryption of the entire communication path. We reject as neither practicable nor constructive a legal obligation for TC network operators to encrypt individual communication paths. In contrast, the support of secure end-to-end encryption is a sensible approach to the raising of IT Security, specifically because of the increase in the effort required for many threat-scenarios, from common Page 6 of 7

7 criminals through to secret services. Here it should be taken into account that in the implementation of end-to-end security, the end-devices, which are under the control of the user, must be incorporated. Overall, it is to be desired that the transmission of unencrypted data will reduce. However, we reject on principle legal obligation for this. The focus of the Federal Government in such intentions should rather be the support of practical end-to-end encryption, encryption services and encryption applications, in particular for users. Overall, it is necessary to encourage the awareness for IT Security within the entire society. 5. On the suggestion to guarantee the non-forwarding to European secret services At the European and international levels, the Federal Government must advocate for the enactment of an agreement which mandatorily controls the authority and the limits of the activities of secret services and security agencies and the enforcing of liability and obligations of ICT companies through these agencies. This also concerns especially the handling of cross-border data retention and data processing. Page 7 of 7