Federal Office for Security in Information Technology
Federal Office for Information Security
| Position | Higher federal authority |
| Business area | Federal Ministry of the Interior, Building and Home Affairs |
| Founded | January 1, 1991 |
| Predecessor | Central Office for Encryption |
| Vice President | Gerhard Schabhüser |
| Budget volume | 163.26 million EUR (2020) |
The Federal Office for Information Security (BSI) is a federal authority within the portfolio of the Federal Ministry of the Interior, Building and Home Affairs, headquartered in Bonn, that is responsible for questions of IT security. The guiding principle of the BSI is: "As the federal cyber security authority, the BSI shapes information security in digitization through prevention, detection and reaction for the state, business and society." The number of positions at the BSI doubled between 2016 and 2019 to almost 1,290. For 2020, further positions are planned for the BSI in the federal budget, so that the number of positions will be around 1,430.
The BSI was founded in 1991 and emerged from the Central Office for Security in Information Technology (ZSI), whose predecessor authority was the Central Office for Encryption (ZfCh), which was subordinate to the Federal Intelligence Service (BND). The mathematician Otto Leiberich, who had been with the Federal Intelligence Service since 1957, most recently as head of the Central Office for Encryption, was the first President of the BSI.
After Otto Leiberich left, Dirk Henze was appointed the new BSI President with effect from January 1, 1993. He was followed in March 2003 by Udo Helmbrecht. Michael Hange then took office as President on October 16, 2009 and retired on December 11, 2015.
Since February 18, 2016, Arne Schönbohm, the former President of the Cyber Security Council Germany e. V., has been President of the Office. His appointment was criticized in the run-up to it. Gerhard Schabhüser was appointed Vice President of the BSI with effect from January 1, 2017.
According to the coalition agreement of the parties to the federal government of February 2018, the scope of duties of the Federal Office will be expanded. It provides advice to small and medium-sized companies and is being expanded as a national cybersecurity authority. This includes central certification and standardization for IT and cyber security. The BSI is also given additional tasks in the area of digital consumer protection.
In order to meet the space requirements of a growing authority, the BSI is planning to build a new service property in Bonn. The Federal Office, which is currently spread over five locations in the city, is to be bundled in a new building near Bonn's Rheinaue meadows. The new location is designed for 950 people.
For cooperation with the federal states, the BSI has established a national liaison system with contacts in the cities of Hamburg, Wiesbaden, Bonn, Stuttgart and Dresden. In 2017 the BSI set up a liaison office in Wiesbaden. On February 5, 2019, the BSI opened a liaison office for the North Region in Hamburg. With its presence in Hamburg, the cyber security authority is expanding its range of information and support for companies, authorities, municipalities and other institutions in northern Germany. The liaison office serves authorities, companies and other institutions in the federal states of Bremen, Hamburg, Mecklenburg-Western Pomerania, Lower Saxony, Saxony-Anhalt and Schleswig-Holstein as a point of contact for questions about the BSI and the topic of cyber security. On July 11, 2019, a letter of intent was signed for a second location of the Federal Office for Information Security (BSI), with 200 jobs, to be built in Freital near Dresden. For the East region in Saxony, this is intended to facilitate direct exchange and improve the accessibility of the BSI on site. The second office of the BSI at the Freital location was opened on December 11, 2019 by the Saxon Interior Minister Roland Wöller, the Freital Mayor Uwe Rumberg and BSI President Arne Schönbohm.
Tasks and departments
The area of responsibility of the BSI is determined by the law on the Federal Office for Information Security (BSI law). The aim of the BSI is the preventive promotion of information and cyber security in order to enable and promote the secure use of information and communication technology in the state, economy and society. For example, the BSI develops practice-oriented minimum standards and target group-specific recommendations for action on IT and Internet security in order to support users in avoiding risks.
The BSI is also responsible for protecting federal IT systems. This is about the defense against cyber attacks and other technical threats against the IT systems and networks of the federal administration. The BSI reports on this once a year to the Interior Committee of the German Bundestag.
The tasks of the BSI also include:
- Protection of federal networks, detection and defense against attacks on government networks
- Testing, certification and accreditation of IT products and services
- Warning of malware or security gaps in IT products and services
- IT security advice for the federal administration and other target groups
- Information and awareness-raising of citizens on the subject of IT and Internet security (digital consumer protection)
- Information and sensitization of the economy for the topic of IT and Internet security
- Development of uniform and binding IT security standards
- Development of cryptosystems for federal IT
A new organizational structure of the BSI came into force on April 15, 2019, which takes into account the new requirements and the increase in the number of staff at the BSI. With tasks in the field of digital consumer protection or certification and standardization as well as in the design of secure digitization in the energy transition, in the healthcare sector or with the new 5G mobile communications standard, the BSI fulfills an important cross-sectional function as a central competence center for cyber security. Under the new organizational structure, the BSI is divided into eight departments: seven specialist departments and one department for administrative tasks. The specialist departments are each divided into up to three specialist areas (FB). A special feature is the new TK department, in which the technical competence centers of the BSI are brought together. The units in this department deal with topics such as artificial intelligence, the security of industrial control systems, cloud computing, secure 5G infrastructures, emission security or the analysis of hardware and software products. In addition, there is a management staff divided into three staff areas.
- TK Department - Technical Competence Centers (Head: Thomas Caspers)
  - FB TK 1 - IT systems
  - FB TK 2 - IT infrastructures
- KM Department - Crypto technology and IT management (Head: Günther Welsch)
  - FB KM 1 - Approval and provision of VS and IT security systems
  - FB KM 2 - Specifications, development and testing of crypto, VS and IT security systems
  - FB KM 3 - IT management
- OC Department - Operational Cyber Security (Head: Dirk Häger)
  - FB OC 1 - Detection
  - FB OC 2 - Response
- SZ Department - Standardization and certification (Head: NN)
  - FB SZ 1 - Standardization, principles of certification, supervision
  - FB SZ 2 - Certification procedure
- DI Department - Cyber Security in Digitization and for Electronic Identities (Head: Bernd Kowalski)
  - FB DI 1 - Cyber security for electronic identities
  - FB DI 2 - Cyber security in digitization
- BL Department - Advice for federal, state and local authorities (Head: Horst Samsel)
  - FB BL 1 - Information security advice and privacy protection
  - FB BL 2 - Customer management and law
  - FB BL 3 - Information security of the consolidated federal data centers and networks
- WG Department - Cyber security for business and society (Head: NN)
  - FB WG 1 - Critical infrastructures
  - FB WG 2 - Economy and society
- Z Department - Central Tasks (Head: Jörg Pieper)
  - Recruitment and development
  - Personnel care
  - Internal service
  - Awarding and project support
  - Property and confidentiality protection
Until 2017, the BSI published the IT-Grundschutz Catalogs, which contained recommendations for standard protection measures for typical IT systems. The earlier IT-Grundschutz Catalogs were converted to the new IT-Grundschutz Compendium as part of the modernization of the IT-Grundschutz. The modernization of the IT-Grundschutz was completed in October 2017. After the fundamental revision of the entire methodology, the new IT-Grundschutz offers beginners and advanced users a modular and flexible method for increasing information security in authorities and companies. New offers specifically address small and medium-sized companies and authorities. IT-Grundschutz has existed for 25 years and is a method, instruction, recommendation and standard in one. It can be used by all institutions that want to secure their IT systems and data networks, and thus their business or administrative processes, according to the state of the art in times of digitization. In 1994 the BSI first published IT security recommendations under the name IT-Grundschutz.
The BSI is the central certification body for the security of IT systems in Germany (computer and data security, data protection). Testing and certification is possible in relation to the standards of the IT Baseline Protection Manual, the Green Paper, ITSEC and the Common Criteria. The fees of the BSI according to the BSI law, for example for certification according to Common Criteria, are set out in the BMI's Special Fees Ordinance. The Federal Statistical Office calculates the fees.
The BSI is the national authority in the field of cryptography, which creates recommendations and technical guidelines for cryptographic procedures and is involved in the development of international crypto standards.
In mid-2017, the BSI set up a competence center to bundle the BSI's activities in the field of artificial intelligence and machine learning.
According to the BSI Act, the authority, as the central reporting office for IT security, stores all log data that is generated during online communication between citizens and federal administrative institutions.
When the law to increase the security of information technology systems (IT Security Act) came into force in July 2015, the tasks and powers of the BSI were expanded (Federal Law Gazette I, p. 1324). According to the BSI Act, operators of critical infrastructures must implement state-of-the-art IT security and regularly demonstrate compliance to the BSI. If security deficiencies are discovered, the BSI may order their removal in agreement with the supervisory authorities. In addition, the BSI will be the central reporting point for IT security in critical infrastructures in accordance with Section 8b BSIG. The operators must report significant IT disruptions to the BSI if they can affect the availability of critical services. If notifiable IT disruptions occur at a KRITIS operator, the BSI may, if necessary, also oblige the manufacturers of the relevant IT products and systems to cooperate. In addition, according to Section 7a, the BSI is granted the authority to examine IT products for security in order to perform its tasks.
In order to support the states and municipalities, federal and EU authorities as well as companies, think tanks and decision-makers in society, the BSI has been building liaison systems with liaison persons in Wiesbaden, Berlin, Stuttgart, Hamburg and Brussels in a pilot process since the beginning of 2017. The liaison officers provide an overview of the BSI's offers on site and provide advice and support if required.
National Cyber Defense Center
The National Cyber Defense Center (Cyber-AZ), which started on April 1, 2011, is a cooperation facility of German authorities at federal level to defend against electronic attacks on IT infrastructures in the Federal Republic of Germany and its economy. The Cyber Defense Center (Cyber-AZ) is a core element of the cyber security strategy adopted by the federal government in 2011. The Cyber-AZ is intended to optimize operational cooperation and coordinate protective and defense measures. This is done on the basis of a holistic approach that brings together the various threats in cyberspace: cyber espionage, cyber spying, cyber terrorism and cyber crime. The goal: quick exchange of information, quick assessments and specific recommendations for action derived from them. Just as the threat situation has changed since 2011, so has the Cyber-AZ. It developed from a pure information hub to a central cooperation platform for IT security authorities. The center was criticized by the Federal Audit Office, which believes that the Cyber-AZ is "not suitable for bundling the responsibilities and capabilities distributed across the administrative landscape in the defense against attacks from cyber space." The bodies reacted and initiated an evaluation and further development process in the Cyber-AZ. The BSI sent the results of this process to the questioner in July and September 2016 in response to an IFG request from the blog Netzpolitik.org, who made them publicly available on the fragdenstaat.de platform.
Alliance for Cyber Security
The Alliance for Cyber Security is an initiative of the Federal Office for Information Security, which was founded in 2012 in cooperation with the Federal Association for Information Technology, Telecommunications and New Media e. V. (Bitkom) and was thus able to celebrate its fifth anniversary in 2017. As an association of all important players in the field of cyber security in Germany, the alliance aims to provide up-to-date and valid information on threats in cyber space. The initiative also supports the exchange of information and experience between the participants. The Alliance for Cyber Security now includes more than 4,000 institutions, including almost 100 partner companies and 45 multipliers. Participation is free and can generally be requested by any German institution. Since 2012, the Alliance for Cyber Security has been able to offer hundreds of expert contributions and, on average, an event every fifth day on a wide variety of IT security topics free of charge for its participants. In future, the dialogue with various industries, such as the chemical industry and the automotive industry, is to be intensified. In addition, cooperation with other cyber security initiatives is to be intensified in order to further expand the network of companies, authorities and institutions. In particular, the small and medium-sized companies, which often have special know-how worth protecting, are increasingly the focus of the Alliance for Cyber Security.
UP KRITIS is a public-private cooperation between operators of critical infrastructures (KRITIS), their associations and the responsible government agencies such as the BSI. It addresses eight of the nine critical infrastructure sectors. The “State and Administration” sector is covered by the UP BUND and activities at the state and local level. The aim of the UP KRITIS cooperation is to maintain the supply of services to critical infrastructures in Germany. All organizations based in Germany that operate critical infrastructures in Germany, national professional and industry associations from the KRITIS sectors and the responsible authorities can participate in UP KRITIS upon request.
BSI for citizens
The tasks of the BSI include informing and sensitizing citizens for the safe use of information technology, mobile communication media and the Internet. The BSI therefore offers an Internet offering specially tailored for citizens. On the website, the topics and information relating to IT and Internet security are dealt with in such a way that they are also understandable for technical laypeople. In addition to pure information, the BSI also offers specific and implementable recommendations for action, for example on topics such as email encryption, smartphone security, online banking, cloud computing or social networks. Private users can also contact the BSI by phone or email with their questions about IT and Internet security. In addition, the BSI offers the “Bürger-CERT”, a free warning and information service that quickly and competently informs citizens and small businesses about weak points, security gaps and other risks and provides specific assistance. The planned IT Security Act 2.0 should also assign consumer protection competencies to the BSI.
Civil servants and collective bargaining employees employed at the Federal Office for Information Security receive a job allowance of currently (as of 2019) 96.63 to 193.27 euros, depending on their salary or pay group, in accordance with Annex I (to Section 20, Paragraph 2, Clause 1) of the Federal Salary Act.
- Chiasmus: encryption software for Windows and Linux
- Libelle: an undisclosed, symmetrical encryption method
- Gpg4win: a free tool for encrypting and advanced signing of emails (developed on behalf of the "Gpg4win Initiative")
- Secure Mobile Communication: security recommendations for the public service
- BSI website for citizens: security recommendations for private users
- The BSI regularly publishes studies, guidelines, information sheets and brochures on the subject of IT security. Some of these documents are offered for free download. In addition to these general publications, the BSI has been using the <kes> magazine as an official organ since 1993.
- In mid-January 2014 there were reports about the theft of millions of Internet user data in Germany. The Federal Office had been aware of this incident since December 2013. The BSI set up a website on which users could check whether they were affected. At the beginning of April 2014, another data theft became known, in which 21 million e-mail addresses were spied out, of which around three million were affected in Germany. The affected e-mail addresses could be checked again on a website of the Federal Office.
- The BSI publishes the report on the IT security situation in Germany every year. The BSI's management report describes and analyzes the current IT security situation, the causes of cyber attacks and the attack methods used, also using specific examples and incidents. Derived from this, the management report deals with possible solutions for improving IT security in Germany. The management report for 2019 was presented to the public on October 17, 2019 at the Federal Press Conference by Federal Interior Minister Horst Seehofer and BSI President Arne Schönbohm.
- Twice a year, the BSI publishes the BSI magazine, which prepares and presents current topics of digitization and cyber security in an understandable way, even for laypeople.