The National Cyber Security Strategy was officially adopted in February 2011. The strategy is based upon 10 main objectives:
OB 1 Protection of critical information infrastructures
OB 2 Secure IT systems in Germany
OB 3 Strengthening IT security in the public administration
OB 4 National Cyber Response Centre
OB 5 National Cyber Security Council
OB 6 Effective crime control also in cyberspace
OB 7 Effective coordinated action to ensure cyber security in Europe and worldwide
OB 8 Use of reliable and trustworthy information technology
OB 9 Personnel development in federal authorities
OB 10Tools to respond to cyber attacks
The National Strategy also set up two federal cyber security entities:
- a National Cyber Response Centre which cooperates with the Federal Office for the Protection of the Constitution and the Federal Office of Civil Protection and Disaster Assistance, as well as federal police, intelligence, and customs agencies. Its main aim is to analyze cybersecurity incidents and provide recommendations for action to a newly established National Cyber Security Council on a regular basis and in response to specific incidents.
- a National Cyber Security Council responsible for implementation of the government’s cybersecurity strategy. The council will include representatives from the Federal Chancellery, Federal Foreign Office, a number of key ministries, including interior, defense, economics and technology, justice, finance, and education and research, as well as from the state governments.
National Cyber Security Strategy
|Year of adoption||The National Cyber Security Strategy was officially adopted in February 2011.|
|Updates and revisions||No updates or revision by now.|
|Implementation and monitoring||
One of the key provisions in the amendment of 2009 (“Act to Strengthen the Security of Federal Information Technology”) established the BSI as the central authority responsible for ensuring the security of the federal government’s information technology. When the law went into effect on 20 August 2009, the BSI became the central notification point for federal agencies on matters of IT security. Since then it collects information on security vulnerabilities and new attack methods that threaten the security of information technology, analyses them and issues situation reports.
Because of the potential for threats to spread rapidly from conventional IT systems to industrial systems, the 2015 amendment ( “Act to Increase the Security of Information Technology Systems”) placed particular emphasis on strengthening IT security for operators of critical infrastructures. Because they are equally indispensable for the common good and ever more dependent on IT, in future they are to maintain a minimum level of IT security and report IT security incidents to the BSI. For its part, the BSI collects all information relevant to defence against attacks on the IT security of critical infrastructures. This information is evaluated and referred to the operators and to the competent (supervisory)
The 2011 National Cyber Security Strategy has been implemented by the Minister of Interior.
In July 2015 Germany passed the IT Security Act affecting institutions listed as critical infrastructure (transpotation, health, water utilities,finance and insurance, telecommunications).
Germany has enacted specific legislation and regulation on cyber security through the following:
-Electronic Signature Act 2001(German language)
A National Cyber Response Centre has been set up in 2011. Members of this centre are different authorities such as The Federal Criminal Police Office (BKA), the Federal Police (BPOL), the Customs Criminological Office (ZKA), the Federal Intelligence Service (BND), the Bundeswehr and authorities supervising critical infrastructure operators.
UP KRITIS is a public-private collaborative initiative between critical infrastructure operators, their professional associations and the relevant government agencies. The aim of this cooperation is to maintain the supply of critical infrastructure services in Germany.
Current status: NIS Directive and national CERTs/CSIRTs
Computer security incident
response teams (CSIRTs)
CERT-BUND is the national accredited CERT for Germany. It provides information on risks and threats relating to the use of information technology and seeks out appropriate solutions. This work includes IT security testing and assessment of IT systems, including their development, in co-operation with industry.
CERT NRW (Computer Emergency Response Team Nordrhein-Westfalen) has been commissioned as a focal point for preventive and reactive measures related to security and availability incidents in IT systems by the Interior Ministry of North Rhine-Westphalia. It serves as an information interface between the authorities and institutions of the state administration, the technical expertise of IT.NRW and other German CERTs, in particular the federal and state governments as well as companies.
CERT-RLP depends organizationally to the highest authorities of the Rhineland-Palatinate state administration. Technically, this involves basically the appropriate subset of directly connected to the operated by the LDI nationwide RLP network organizational units.
CERTBw is responsible as the central service in the framework of the Cyber Defence for monitoring, maintaining and restoring the IT security in the Bundeswehr.
Bayern-CERT is primarily aimed at the authorities connected to the Bavarian Authority Network. It includes regular preventive security checks of central components (for example, penetration testing) as well as the advice of the security team and the Commissioner for IT security to the daily tasks of the Bayern-CERT.
Siemens-CERT is the central team for responding to potential security incidents and vulnerabilities related to Siemens products, solutions and services.
S-CERT is the computer emergency response team of the German Sparkassen-Finanzgruppe (Savings Banks Financial Group).
Deutsche Bank Cyber Threat Response Team
CSIRT-ECB (Computer Security Incident Response Team - European Central Bank)
ComCERT is the Computer Emergency Response Team for Commerzbank network and clients
RUS-CERT (Stuttgart University's Computer Emergency Response Team ) is responsible for the computer and network security in the Stuttgart University's IT infrastructure
KIT-CERT is the Computer Emergency Response Team for Karlsruhe Institute of Technology
DFN-CERT is the Computer Emergency Response Team of the German research network (DFN)
The National Cyber Security Strategy states that “Federal Government will regularly review whether the aims of the Cyber Security Strategy have been achieved under the overall control of the National Cyber Security Council and will adapt the strategies and measures to the given requirements and framework conditions.”
|Report an incident||
CERT-BUND Team Email - Main Phone +49 228 99 9582-222
CERTBw Team Email - Main Phone +49 2251 953 3110 - Emergency Phone +49 2251 953 3105
Siemens-CERT Team Email and Public PGP key
|Date of last WISER analysis||October 2016|