Cyberspace, endless expanses. It’s the year 2021. These are the adventures of the Federal Office for Information Security (BSI), with its crew of over 1023 men and women since 30 years to explore new cyber risks, new artificial life (AI) and new protection in digitization through prevention, detection and response for State, economy and society. Only 600 Earth kilometers from Berlin, the BSI in Bonn and its President Arne Schönbohm penetrate cyber scenarios that no human has ever seen before .

Something like that could be the science fiction-inspired story of the BSI, which almost exactly 30 years, on 1.1. 1991 and that as a higher federal authority to the Federal Ministry of the Interior, Building and Home Affairs (BMI) is subordinate. The authority emerged from the Central Office for Security in Information Technology, whose predecessor authority was the Central Office for Encryption, which is subordinate to the Federal Intelligence Service – which gave the BSI many years of skepticism and mistrust.

The fact The fact that the BSI inevitably has a strong organizational proximity to intelligence services and investigative authorities through its connection to the BMI naturally means that parts of the community keep a certain distance again and again. Because the question always resonates as to whether this proximity to authorities – for which security gaps are not just a risk, but also an opportunity – is not rather harmful for IT security. In any case, this means that unfortunately not everyone pulls together with united strength.

One authority for everyone The focus not only on the state, but also on the economy and society in particular, is not always a matter of course for comparable authorities in other countries and is therefore a positive focus if you keep an eye on digitization and the effects on the German population as a whole. Even at the BSI it was not given from the start. In earlier times the authority saw itself as being responsible for other authorities and the administration. But especially when it comes to IT security, “safe islands” are not sufficient in view of the increasing networking.

Even if the BSI is – for an authority, quite young – age of 30 years is still subordinate to the BMI and therefore cannot act as independently, it can look back on some achievements. Perhaps now would be a good time for the Federal Ministry of the Interior to grant the IT security authority the independence it needs to once again significantly strengthen cyber resilience and cybersecurity in Germany.

On the positive achievements The authority certainly owns the BSI IT-Grundschutz, which has been updated and sometimes completely renovated over the years, which has created a framework with four BSI standards and the compendium that supports the establishment of an information security management system (ISMS) and is even internationally compatible ISO / IEC 27001 – certificate based on IT-Grundschutz maps.

The standards and the compendium with specific help and Security measures for the methodical protection of processes, people and IT system landscapes became a requirement for authorities and institutions, but they always remained freely available to everyone and were provided with regular information mation events. The community that has formed around the basic protection has also contributed its own content. This construct has been established and spread for many years as an aid for business and as a learning and knowledge base for interested private people.

Pioneer in matters of critical infrastructures The BSI has carried out initial field research for new technologies and IT infrastructure models such as cloud security or artificial intelligence and has been thinking about the issue of critical infrastructures for many years – long before they became part of an EU -wide legal requirement.

The networking concept in the sense of networking was implemented, among other things, with the Alliance for Cyber ​​Security, which serves as a permanent exchange platform. IT service and consulting companies, IT manufacturers and user companies from all areas work together in it to achieve the stated goal: to strengthen Germany’s resistance to cyber attacks. Not only the exchange of knowledge and experience, but also various materials and offers should help.

With BSI for citizens, opportunities were also created to inform society as such and to keep it up to date. The CERT Bund and the “Mobile Incident Response Team” are another pillar of prevention, but also of assistance with security-relevant incidents in authorities and companies.

Controversial future role These services are recognized, among other things, in the current draft of the IT Security Act 2.0, in which the authority has even more far-reaching tasks such as digital Consumer protection and an extensive increase in staff should receive. This means that the BSI will also be more closely involved in offensive issues, instead of acting predominantly defensively as before. This is also the aim of other points of the controversial and much discussed draft law: In the fight against botnets and insecure IoT devices, for example, the authority should be given the authority to access the insecure systems and change or delete data. The expansion to the “hacker authority” as well as the generally more offensive orientation of cybersecurity is criticized by network activists, security experts and many others.

The 30 – year of existence of the BSI on 2-3. February 2021 with the (corona-related digital) 17. German IT Security Congress and other ceremonial acts.

(ur)