Author: Gerhard Walter, Editor, Solutions by HANDELSBLATT MEDIA GROUP GMBH
- the importance of, and dangers to, corporate IT security
- liability risks in the event of a cyber attack
- current legislation in China, the Chinese Cybersecurity Law and the new Chinese Cryptography Law
In terms of data security and digital sovereignty, what needs to happen for Germany to keep pace globally and preserve its digital sovereignty?
We need to create incentives at an early stage, and define specifications that will ensure more data security across the board. Compared to other countries around the world, we’re actually doing fairly well. And the EU General Data Protection Regulation has definitely made a contribution by defining important requirements such as privacy by design, and data protection through tech design. Increasingly, German and EU companies see data security as a unique selling point – an investment that doesn’t just cost money, but also yields benefits for products and services. German and EU legislation is moving more and more in this direction – for example with the EU Cybersecurity Act or IT-SiG 2.0, which explicitly includes requirements for promoting digital security for consumers. So as I said, we are on the right track. But as the debates on 5G cellphone technology suppliers show, we still have a long way to go. Laws cannot solve everything, which is why we need more hardware and software development in Germany and the EU.
What are the biggest current dangers for corporate IT security?
From the technical viewpoint you always have multiple, diverse threat scenarios that are tailored to different companies. That makes it hard to say which dangers are generally biggest. But one important point is that currently, many companies aren’t paying enough attention to updating their operating systems. By that I mean providing updates, not installing updates. In future, the longevity and durability of products or services will increasingly depend on regular updates – particularly in data security. There’s still a lot of room for improvement at the moment. Take Android smartphones, for example, where support is discontinued almost completely after just a few years.
What are the liability risks when third parties gain illegal access to sensitive data during a cyber attack?
The liability risks are manifold. And under civil law, liability risks can also exist without a contractual relationship between the parties because legally, data security can now be seen as part of the due diligence that applies to every company. On top of that, laws obviously also define administrative sanctions if, for example, the BSI Act for KRITIS or the EU GDPR are violated when personal data is processed. So in theory any company can be affected. But the economic repercussions from data breaches are even more serious than the legal consequences. After all, which company does not process (sensitive) personal data too these days? Customer awareness of IT security is growing all the time, and nobody wants to entrust their data to an insecure manufacturer or service provider.
What are the effects of current legislation in China, the Chinese cybersecurity law and the new Chinese cryptography law on Germany and Europe?
A few years ago, companies could still say they only needed to observe national legislation, or at the most EU legislation. But global supply chains and data flows have changed that fundamentally. And increasingly that affects not just big corporations, but also SMEs that do international business – for example in the People’s Republic of China. The laws you mentioned have a wide-ranging impact on German companies too. For example in terms of data protection, or transnational data transfers, which products you can sell and use in China, and how your own IT needs to be set up on site. Often, the language barrier and differing understandings of legislation create additional access hurdles to Chinese IT law.
Do you use the German government’s Corona app?
I do, but I don’t install it on every device. The app’s source code was published and verified, but the interfaces to Google and Apple are important too. They’re an integral part of the app’s functionality, so in that sense they’re still a black box. So when I travel for work, for example, I take the app with me; in private, my smartphone stays off.
Dr Dennis-Kenji Kipker is Scientific Director of the IGMR at the University of Bremen, Director of the European Academy for Freedom of Information and Data Protection (EAID) in Berlin, and Managing Director of Certavo GmbH – international compliance management. He has authored numerous publications on cybersecurity and data protection, and is sole editor of the Cybersecurity Legal Handbook (published by Beck Verlag). In addition to research stays in Tokyo, Moscow, Nice, Dar es Salaam, Jerusalem, Beijing and Los Angeles, Dr Kipker has also worked widely as a consultant and assessor, including for the Max Planck Society, the German Society for International Cooperation, the Federal Ministry of Economics, the Federal Ministry of Finance and the Federal Ministry of Defence.