Digital Trust and Cybersecurity
The security challenges of the 21st century are diverse and require interdisciplinary expertise to assess, evaluate and coordinate appropriate responses. The digitization of all aspects of life increases our dependence on secure ICT. While this creates new risks for governments and private companies, it poses a particular challenge to our critical infrastructures (CRITIS) and to overall trust in digital systems and services. Maintaining this trust in the delivery of digital services and the security of our critical infrastructure is vital to our societies, and their potential failure could lead to consequences ranging from economic loss and technological stagnation to prolonged supply shortages and significant disruptions to public safety and order.
These threats create an environment where constant vigilance is as essential as appropriate risk management to protect valuable assets such as personal data, intellectual property, public services, and many other components of the global digital ecosystem. Adequate protection against cyber threats requires the establishment of networks for streamlined crisis communication and collaboration among all relevant stakeholders to enhance the ability to respond in a timely and coordinated manner in the event of an emergency. By developing cybersecurity strategies that encompass technical, organizational, and cross-sector risk management, organizations can protect themselves against a wide range of potentially costly and difficult-to-mitigate risks, such as exploitation, theft, sabotage, and misuse.
As our economies and societies become more interdependent, the threat of unintended consequences from cyber-attacks is growing, exacerbated by the steady increase in cybercrime and deliberate decisions not to disclose vulnerabilities. Not only are digital assets increasingly at risk, but also the physical infrastructure on which the Internet is built, which consists of a network of undersea cables spanning several continents and relies on mutual trust and cooperation to assemble the necessary means to secure and maintain this common good. By implementing cybersecurity measures in the form of dedicated incident response teams, conducting regular risk assessments, implementing the latest security standards and recommendations (e.g. ISO/IEC 27001), and committing to responsible vulnerability disclosure, organizations can contribute to a safer cyberspace.
Because the cyber threat landscape is constantly evolving, cybersecurity is not a permanent state. Instead, organizations should strive for cyber resilience: following cybersecurity best practices while also being able to recover readily from cyber incidents. Promoting continuous, long-term cybersecurity must be based not only on strengthening individual organizations, but also on creating a resilient society, economy, and government that can adapt quickly, learn from mistakes, and recover fast.
- October 9, 2023: Beyond 5G: The Need for Trusted and Secure Digital Infrastructure
- May 3, 2023: [ITSR.sys] Workshop: What follows from NIS 2? New IT security obligations for CRITIS operators and SMEs
- December 8, 2022: [ITSR.sys] Presentation of results: A model for a general IT security law, its components and options for use
- October 31, 2022: NATO CCDCOE Cybersecurity of 5G Networks Report Launch
ITSR.sys Project: Systematizing German IT Security Law
The German Federal Ministry for Education and Research (BMBF) supports the systematization of the entire legal field of IT security
IT security requirements are part of a growing number of legal regulations. In addition to "general" regulations, there is also "sector-specific" IT security legislation, for example in the fields of telecommunications or banking. Additionally, there are "primary" IT security regulations, whose objectives are the classic protection goals of confidentiality, integrity and availability of the systems, as well as "secondary" regulations, in which the IT security objectives serve as intermediaries for other goals, such as tax secrecy or the security of transactions. Regulations on IT security are expected to extend to all areas of German and European law.
Together with Karlsruhe Institute of Technology, the Digital Society Institute's "ITSR.sys" project developed an approach for the systematization of the entire legal field of IT security. The aim was to create a model of a "general IT security law" that spans all areas, sectors and policy fields. This model serves as a basis for the systematic separation of general and sector-specific regulations and in this way contributes to the consistency and coherence of the developing field of law. The project was carried out in close cooperation with the stakeholders of IT security law in the economy, administration and science, with funding from July 2020 to December 2022 provided by the Federal Ministry for Education and Research as part of the "HighTech Strategie 2025". On the basis of an inventory of the existing legal regulations and their cross-sectoral character, and of joint workshops with organizations affected by IT security law in different sectors, a model was developed that addresses three areas of regulation: the classification of systems in IT security law, appropriate risk assessment, and the integration of a technology's level of maturity into the determination of adequate IT security measures. The model was critically analyzed with external stakeholders and applied on a trial basis in three sectors in order to arrive at an implementable solution.
- Nils Brinker, Research Associate and Project Lead, DSI
German Ecosystem for Trustworthy IT
The Cyberagency (Agentur für Innovation in der Cybersicherheit GmbH) is affiliated with the Federal Ministries of Defense (BMVg) and the Interior (BMI) on an interdepartmental basis and is in public ownership. The agency is tasked with harnessing key technologies and innovations to improve Germany's internal and external security against cyberattacks.
DSI conducted research on the development of a German ecosystem for trustworthy IT. The project focused on providing an overview of the evaluation and development of community-building approaches to the open development of secure base IT, taking into account the role of innovation agencies. The results of our research have been published by the Cyberagency and can be accessed here [in German].
- Prof. Dr. Christoph Thiel, Former Senior Researcher and Program Lead, Digital Society Institute Berlin, ESMT Berlin
- Lilly Schmidt, Research Associate, Digital Society Institute Berlin, ESMT Berlin
Berlin Senate Department for the Interior and Sports: research project on cyber security of critical infrastructures
Berlin's critical infrastructures are interrelated and a vulnerable target for cyberattacks
The digitization of all areas of life increases our dependence on secure ICT. This particularly creates risks for our critical infrastructures (CRITIS). They are of vital importance for our societies, and their failure could lead to lasting supply bottlenecks or significant disruptions to public safety and order. Especially in a major city like Berlin, CRITIS are highly vulnerable, and failures in one area can affect others.
For this reason, the DSI conducted a comprehensive research project on the cyber security of critical infrastructures (CRITIS) on behalf of Berlin's Interior Senate. In several dialogue workshops, we identified and analysed risks and dependencies. In collaboration with the Senate and critical infrastructure providers, and based on the ISO 27000 series, Lola Attenberger developed a model for an Urban Cyber Risk Analysis (UCR). The model is a first of its kind and is intended to serve as a basis for an international standard to improve local cyber crisis prevention. In addition to technical and organizational risks, it covers cross-sectoral risks at the meta level. The workshops also served to establish networks for streamlined crisis communication and cooperation among the invited stakeholders, a process DSI supported scientifically by modelling the information and communication relationships between them. In this way, the project aimed to connect the relevant actors in order to increase the resilience of Berlin's CRITIS against cyberattacks and to improve their ability to respond promptly and in a coordinated manner in case of emergencies.
- Lola Attenberger, Former Researcher & Project Lead, Digital Society Institute Berlin, ESMT Berlin
- Nils Brinker, Research Associate & Project Lead, Digital Society Institute Berlin, ESMT
TÜV Nord AG: Industrial Cyber Security
TÜV Nord supported a research project on industrial and embedded information technology (IT) security with a research grant from August 2016 to July 2020.
In the project, we examined and evaluated methods for the management of information security risks, as well as broader industrial cyber security, digital policy and innovation issues. The project focused on the management of converging IT security and safety risks in industrial environments as well as on processes to evaluate and certify IT security.
IT is now an inherent part of safety-critical systems whose failure can lead to severe damage to property or the environment, or even the loss of human life. Hence, systems controlling the provision of critical services like electricity and water, industrial production processes, or health and automotive systems now depend on the reliable functioning of the IT components and networks they are connected to.
- Isabel Skierka-Canton, Researcher, Digital Society Institute Berlin, ESMT Berlin
DCSO GmbH: Public Private Partnerships on Cybersecurity in Germany
Together with the German Cyber Security Organization GmbH (DCSO), the Digital Society Institute assessed existing public-private partnerships (PPPs) in the realm of cybersecurity in Germany in order to find ways to advance the system of public-private cybersecurity governance.
After an exhaustive stocktaking and systematization of current initiatives that involve both governmental and private stakeholders, the project evaluated the present cybersecurity infrastructure in Germany, focusing in particular on the perspective of business stakeholders. Valuable input came from an intensive working relationship, maintained over the course of the project, with a research group consisting of representatives of eight leading German companies (Allianz, BASF, Bayer, Bertelsmann, Daimler, E.ON, Siemens, and Volkswagen).
On the basis of the results of this evaluation phase, and with a comparative view towards cybersecurity governance models in the United States, the United Kingdom, and Israel, the project resulted in an annotated and consolidated list of 12 forward-looking yet workable and realistic proposals for the future advancement of the public-private cybersecurity architecture in Germany.
- Martin Schallbruch, Former Director, Digital Society Institute, ESMT Berlin
- Dr. Henning Lahmann, Former Senior Researcher, Digital Society Institute, ESMT Berlin