A Comparison of Critical Information Infrastructure Protection in the United States and Germany: An Institutional Perspective
While these concerns are legitimate, if self-interested, and could be resolved through clarification of existing rules, another reason for industry reluctance is much less benign. Industries that are subject to regulatory oversight, like telecommunications, are concerned that information provided to improve security might either trigger additional regulation or, even worse, might be used as incriminating evidence in other areas, e.g. under antitrust laws. This concern implies that there are indeed areas where companies take advantage of gray legal zones or of lagging enforcement powers. The question is whether this reality should prevent vital improvements of security, and Congress decided that it should not. Instead, secrecy guarantees would be extended to voluntary declarations on infrastructure vulnerabilities. The problem is where to draw the line – is all information submitted under the national security exemption protected, or only that directly related to security, and who makes that decision?
V. Institutional Framework for CIIP in Germany
A. Legislative Framework
The emergence of critical information infrastructure protection as a federal policy field was clearly triggered by the PCCIP in 1997. Analogous to that report, critical infrastructures in Germany were defined as “organisations or institutions that are of (vital) importance for the polity, and whose failure or disruption cause sustained service problems or other dramatic consequences.”[29] While the pertinent sectors are identical to the eight identified in the U.S. (telecommunications; energy supply (electricity, oil, and gas); banking, finance and insurance system; transportation and traffic control; health system (including food and water supply); emergency and recovery services; government and public administration (including police, customs and armed forces)), the emphasis in terms of effects is exclusively state-centered: “If individual infrastructures are subject to targeted disruption (information warfare, terror attacks etc.) or to failure of their information technology, a chain reaction of disruptions could be set off in other areas as well. Negative impacts on the internal safety and, in some cases, on the external security of Germany could be the result.” (ibid.) Hence, it is not surprising that two of the three major legislations implementing CIIP measures also have a strong internal security slant.
On 1 January 2002, a new law took effect, the “Gesetz zur Bekämpfung des internationalen Terrorismus” (Act to Combat International Terrorism). It is essentially an update and expansion of existing provisions and laws concerning internal and external security. However, only a small portion is applicable to the protection of critical infrastructures. The “Sicherheitsüberprüfungsgesetz” (Security Check Act) for the first time regulates measures to background-check individuals who work in military or other sensitive installations like power plants and airports to prevent sabotage. Previously, only a general check of prior criminal convictions was required for non-civil service personnel.
The Act also extends the applicability of the “Energiesicherungsgesetz” (Energy Security

[29] Source: http://www.bsi.de/fachthem/kritis/kritis.htm (translated by the author, CP.)

Authors: Pommerening, Christine.