The Bundestag has this on Thursday Critical Infrastructure Protection Act decided. The “Kritis Umbrella Act” is intended to restrict public information about critical infrastructure and to protect it better in the future. Manuel Atug from the Chaos Computer Club (CCC), on the other hand, speaks of a “giant simulation of security”.
The law obliges energy suppliers, hospitals and the Air and freight transportto develop stricter security concepts and emergency plans. A system is also planned to report attacks centrally. If the rules are violated, the companies or responsible municipalities should pay fines. The aim is to have uniform minimum requirements in order to avoid technical weak points and to protect critical infrastructure, for example with fences or access restrictions. This also includes risk analyzes and resilience plans. The aim is to provide better protection against sabotage, terrorist attacks and the consequences of natural events.
Protection from transparency
The law is also intended to restrict access to public data. These would make attacks and spying attempts by actors at home and abroad easier. Interior Minister Alexander Dobrindt referred to this Arson attack in Berlinwhich led to a widespread power outage. In the coalition’s opinion, the protection of critical infrastructure and its resilience take priority over the desire for transparency.
Green party deputy and security expert Konstantin von Notz said the topic had been unused for a long time. “We expressly welcome the fact that we are finally getting off the ground.” At the same time, the changes fell far short of expectations. “They come way too late and are poorly crafted.” Uniform protection is not achieved in this way. There is no sign of a real overall strategy or a comprehensive security offensive.
There is a need for an “urgently necessary reform of the law of the intelligence services” as well as “improved drone defense” and a “change to the basic law in the defense of IT attacks“Continues von Notz.
Data is overrated
There is also criticism from IT experts. During the legislative process, the Critical Infrastructure Working Group criticized the fact that the minimum requirements should not come into force until 2030. This is “endangering the state and grossly negligent”. It is also unclear how and when the requirements will be checked. “A lack of law enforcement is therefore systemically embedded.”
Restricting access to public data does not help against sabotage, said taz Manuel Atug from the Chaos Computer Club (CCC). Saboteurs were not deterred by the fact that the data was not on the Internet. “You can see where power lines, hospitals or power plants are located on every map and when taking a walk.”
On the other hand, the risk of accidents increases, “if, for example, excavators hit secret cables during construction work,” says Atug. To prevent this, a lot of requests would have to be made to authorities during construction work and repairs, which in turn would lead to a lot of delays.
In order to protect the population and the critical infrastructure during natural events like those in the Ahr Valley, “redundancy and protective walls as well as good emergency and replacement supplies for the population are needed in the event of a crisis”. Redundancy means, for example, that there is more than one cable to continue to supply the company with power in the event of a power outage.