Cyber Security Europe - Autumn 2019

autonomous driving or medical support. Based on a catalogue of security requirements, the BSI will therefore check and certify 5G hardware and software for their security. By means of technical security requirements for 5G networks we will ensure the confidentiality, integrity and availability of communication. Important aspects are for instance a well-implemented end-to-end encryption or the redundancy of network components.

CSE: The BSI seems more involved in the area of secure certification than are national cyber security agencies in other European states. If that’s correct, can you explain why this is the case?

AS: In cooperation with partner organisations from other EU member states, the BSI is putting significant efforts into cyber security certification. Certification helps to raise the bar for attackers. It demands a common minimum degree of security. It enables regulations and procurement to make use of measurable minimum requirements for products and services. It also further enables industry to sell security based on an independent assessment of their offers. It is one of the motors of innovation in the realm of IT security – as security often does not sell by itself. When we mandate the usage of IT for every citizen, we need to make sure it fulfils highest standards to protect private information. The most prominent examples are the German ID card and the German passport, but other areas like Smart Energy, Smart Home, Mobile Security, and Industry 4.0 add to the variety of engagement.

CSE: Can certification play a role in the security of critical infrastructure?

AS: Yes, it can. The understanding of this importance is commonly shared in Europe, which is reflected by the EU Cybersecurity Act that recently came into force. From our perspective, the most relevant part of this regulation sets up a European Cybersecurity Certification Framework to harmonise certification in Europe and to strengthen the European Digital Single Market. By this we expect consumers, industry, and public administration to benefit from an overall boost to available and effective security.

CSE: The world of enterprise IT and information security is subject to a range of recent legislation, such as the General Data Protection Regulation (GDPR) and the Directive on Security of Network and Information Systems (NIS Directive). Do you see evidence that GDPR, in particular, has positively changed how Europe’s senior executives now approach organisational cyber security strategies?

AS: Many organisations were afraid of, or even irritated by, the new laws, although in most cases it was consensus that these regulations were necessary. From our point of view, there won’t be privacy without data security. So GDPR has fostered the introduction of further security actions in various organisations. But we should not really regard security as a duty. It can also be a chance and competitive advantage. In the future, demand for products and solutions, which include contemporary protection measures, will be higher than for those which do not.

CEOs used to think that IT experts would prevent, or at least decelerate, organisational decisions.

CSE: As nation states undertake cyber attacks against politico-economic rivals, to what extent do you see European organisations being caught in the ‘crossfire’?

AS: Well, I cannot answer that from a political point of view. Speaking in terms of cyber security, European organisations need to be aware of and cope with the risks of digitisation and protect themselves as optimally as they can, regardless of the identity of a possible attacker. The BSI provides a wide range of information and support to the companies to enhance their levels of cyber security.

ACCREDITATION Words | James Hayes Photography | BSI
