Cyber security and the global threat: what can regulation achieve?

Sixth Annual Freshfields Petersberg Regulation Conference April 2014, Petersberg/Königswinter, Germany

Summary

The conference focused on developments in regulatory and competition law in the energy, infrastructure and telecommunications/IT industries. The closing panel workshop dealt with planned cyber security legislation in Europe, with a focus on Germany.

The panel members were:

  • Thomas Tschersich, Head of IT Security at Deutsche Telekom; 
  • Michael Hange, President of Germany’s Federal Office for Security in Information Technology (BSI); and
  • Frank Rieger, one of the speakers of the Chaos Computer Club, Europe’s biggest association of hackers.

Freshfields partners Klaus Beucher and Professor Norbert Nolte moderated the discussion.

The need for more simplicity and transparency

‘We need greater transparency and communication about possible means of defending ourselves from cyber-attack,’ said Thomas Tschersich, whose remarks referred both to proposed EU cyber security legislation and to public criticism of the draft legislation and directives. 

In Thomas’s view, regulations such as the EU’s NIS Directive (which covers network and information security) need greater emphasis on simplicity of encryption techniques and on feasible, incremental steps towards enhanced security. ‘Furthermore, hardware and software manufacturers, not just their enterprise customers, have to be included in a liability regime under the directive,’ he added.

Frank Rieger argued for a definition of standards, in the absence of which a battle of expert opinions about the meaning of ‘state-of-the-art technology’ (as a criterion for the required level of security) would be inevitable. 

In his view, however, the fundamental problem is that there has historically been a lack of sufficient technical expertise to ensure secure programming and configuration. ‘Governments must support secure software by subsidising the training of IT experts,’ he said. 

Michael Hange argued that regulation should lead to a strengthening of agencies such as the BSI, the concrete definition of minimum requirements for IT security (as opposed to a general state-of-the-art description) and liability rules for violations by both manufacturers and users. Thomas Tschersich argued for ‘crash tests’ to reveal flaws in software and hardware and also stressed that cyber security standards would need to be defined.

Home-grown standards for ‘technological sovereignty’ 

The panel discussed whether the European ICT industry could develop ‘technological sovereignty’ in the form of independent, home-grown standard technologies.

Thomas Tschersich identified the reasons why technological sovereignty had been lost, namely that liberalisation has reduced prices in the telecoms sector, meaning the capital necessary to invest in the build-up of secure structures is ‘missing’. Frank Rieger pointed to Germany’s lack of cyber security experts as another cause for concern.

For Michael Hange, technological sovereignty should be a goal of cyber-policy in Europe. While in his view a ‘European Google’ is not possible, Europe could play a leading role in the global development of IT security technology. The GSM mobile communications standard of the 1980s, largely a European product, could serve as a model. Europe already has a leading role in some areas such as biometrics, but standardisation and certification continue to be largely dominated by the US and China.  

Incentives for businesses

When asked what provides the greatest incentive for enhanced cyber security, Michael Hange pointed to liability rules for businesses that provide CEOs with a clear cost benefit. ‘I almost prefer the term “responsibility” instead of “liability”,’ he said. In addition, everyone in the IT industry must understand their own responsibility: ‘When a data center provider says that they are not responsible for the security of those parts that have been rented out to a third party, something is wrong,’ he said.

‘We need uniform regulation throughout the entire industry,’ Thomas Tschersich added. For example, it is unclear why a telecommunications operator that provides VoIP services is subject to telecommunications regulation, while an over-the-top (OTT) VoIP provider is not subject to the same regulation.

In closing, Michael Hange said: ‘Cyber-crime is an attractive business. Profit is high, the risk of discovery is low, the investment required is small and perpetrators remain anonymous. In this situation, we all have to increase our risk awareness.’