Too many cooks spoil the broth?

Jan-Peter Kleinhans (Projektleiter IT-Sicherheit im Internet der Dinge, SNV) and Isabel Skierka (Non-Resident Fellow, GPPI) host a session at 4SICS – Stockholm international summit on cyber-security in SCADA and Industrial Control Systems. 4SICS is an annual summit that gather the most important ICS/SCADA cyber security stakeholders across critical industries (i.e. energy, oil & gas, water, transportation and smartgrid etc).

What role do the military and security agencies play in the protection of civilian national critical infrastructure (NCI)?

Germany is one of the first countries in Europe that has passed an IT Security bill last year. The law establishes mandatory security standards and reporting requirements for critical infrastructure operators. But a year into the adoption of the law, it is unclear who is actually responsible in which context for protecting national critical infrastructure against cyber attacks. The institution primarily mandated to supervise the implementation of the law and for collecting incident information is the civilian Federal Office for Information Security (BSI). At the same time, the secret service (BfV) and the foreign intelligence service (BND) have been mandated to protect NCI against espionage. To add to the confusion about who protects critical infrastructure when and how comes the new cyber security strategy of the Ministry of Defense, which also claims a key role for the German military (Bundeswehr) to protect our NCI with no further specifications about the ‘division of work’ between actors to protect NCI.

In a nutshell: almost every governmental institution involved in cyber security in Germany is responsible for NCI security - not to mention the private critical infrastructure operators themselves.

This issue is not limited to Germany since the upcoming European Union Network Information Security (NIS) Directive will set similarly broad standards for every EU member state which will transpose these requirements each individually within their national context.

Looking at NCI and the protection against cyber-attacks from our position as policy researchers, we ask ourselves – does this make sense? Who is and should be responsible for what?

We would first like to provide some insights from Germany on how politicians and policy makers look at NCI and how the role of intelligence agencies and of the military compares to that of the civilian BSI. On this basis, we’d like to discuss with the NCI experts from different countries in the audience how they perceive this growing involvement from intelligence agencies and military into the NCI sector. What is the good, the bad, how can we work towards a division of power that actually fulfills the goal of protecting network and information security?