Questions about the BSI's tasks and topic areas

-
The Federal Office for Information Security (BSI) deals with all issues relating to IT security in the information society. The BSI's goal is to facilitate and promote the secure use of information and communication technology in our society. The BSI was formed on 1 January 1991 and is part of the Federal Ministry of the Interior.
-
The scope of the BSI is defined by the Act on the Federal Office for Information Security (BSI Act -- BSIG). The BSI's objective is to preventively promote information and cyber security to enable and advance the secure use of information and communication technology in society. The BSI provides support to ensure the issue of IT security is treated seriously in government, business and society and implemented independently.
For example, the BSI develops practice-oriented minimum standards and target group-oriented recommendations for action on IT and Internet security to support users in avoiding risks.
The BSI is also responsible for the protection of Federal IT systems. This concerns the defence against viruses, trojan attacks and other technical threats against federal computers and networks. The BSI reports on this to the Committee on Internal Affairs of the German Bundestag once a year.
The BSI's functions also include:
- Protecting the federal government's networks, including detection and defence against attacks on government networks
- Testing, certification and accreditation of IT products and services
- Warning about malware or security vulnerabilities in IT products and services
- IT security consulting for the federal administration and other target groups
- Providing information and raising citizen awareness on the topic of IT and Internet security
- Developing uniform and binding IT security standards
- Developing cryptographic systems for federal IT
-
The target audiences of the BSI include
- Public administration at the federal, state, and municipal level
- Industrial companies
- Academic and research institutions
- Private users
-
The BSI provides advice and expertise to public authorities in Germany on request. In accordance with the BSI Act (Section 3 (1) Sent. 2, No. 13 of the BSIG), one of the tasks of the BSI is to support the Federal Intelligence Service (BND) in the execution of its legal tasks in order to prevent or research activities that are directed at IT security or that use IT. The BSI advises the BND with regard to issues such as information security and protection of classified information, particularly in relation to the protection of BND networks.
-
Since communication and information networks do not stop at borders, international cooperation is essential. Adopted in February 2011, the German Government's Cyber Security Strategy views the protection of cyberspace as an existential question for the 21st century, with close cooperation in Europe and around the world being a fundamental part of addressing it successfully. As such, the Cyber Security Strategy forms the most important frame of reference for the BSI's international engagement.
The BSI meets the global challenge of information security both with active participation in various bodies and with bilateral and multilateral cooperation with other countries. In European and international contexts, the BSI is considered to be a competent and strategic partner in the field of information security. Accordingly, its engagement worldwide is shaped by its role as an internationally recognised centre of excellence for IT security and a national IT security authority.
The BSI's international activities are oriented towards its domain expertise, and take place in the EU and NATO, within the regulatory and standardisation environment, and as part of bilateral and multilateral partnerships. Within the scope of its international engagement, the BSI also maintains contact with important international telecommunications companies and manufacturers of information and communication systems, and is also represented in a number of relevant industrial consortia.
-
As part of its work related to prevention, the BSI regularly engages in discussions with other public authorities inside and outside the EU with regard to technical issues relating to IT security and Internet security. In the context of the NATO alliance, the BSI works with the public authorities responsible for technical issues relating to the protection of computer systems. This includes the United States National Security Agency (NSA), which is responsible for IT security in addition to its role as an intelligence agency. This partnership encompasses only preventative aspects of cyber security in accordance with the tasks and competences of the BSI under the BSI Act.
-
The federal government adopted the Cyber Security Strategy for Germany in February 2011. The aim of the Cyber Security Strategy is to ensure cyber security at a level commensurate with the importance and sensitivity of networked information infrastructures, without compromising the opportunities and benefits of cyberspace. The core elements of the Strategy are to protect IT systems in Germany, particularly in the field of critical infrastructure; to increase citizens' awareness of IT security; to establish a National Cyber Response Centre; and to set up a National Cyber Security Council. The Strategy primarily consists of preventive and reactive protective measures, but it also covers ways of strengthening IT security in the public sector; making use of reliable and trustworthy information technology; effectively fighting crime even when it is committed in cyberspace; and taking effective coordinated action to ensure cyber security throughout Europe and worldwide.
-
'Government networks' refers to the communications infrastructure for reliable and confidential voice and data communication between the highest federal authorities and constitutional bodies in Germany. The Berlin-Bonn Information Network (IVBB) for electronic information, communication and transaction services provides this infrastructure and facilitates internal communication between the federal authorities. It has been expanded with the addition of the Federal Administration Information Network (IVBV), to which federal authorities are connected nationwide.
It was the relocation of the German Bundestag and federal government to Berlin that led to the IVBB being set up. The aim was to support government functions based on a division of labour between Berlin and Bonn via modern and secure information and communications technology. The IVBB began operating before government institutions and administrative bodies relocated in January 1999. The Information Network is vitally important, especially for federal authorities with offices in several locations. The Bundestag, Bundesrat, Federal Chancellery and Federal Ministries, Germany's Supreme Audit Institution and security agencies in Berlin, Bonn and other locations are all users of the IVBB.
-
According to Section 3 (1) No. 1 of the BSI Act, averting threats to the federal government's IT is a core task of the Federal Office for Information Security. Since its formation, the BSI has fulfilled its duty to protect the federal administration networks. When the government network (Berlin-Bonn Information Network, IVBB) was created in the course of the government's move to Berlin, the BSI was given overall responsibility for the IT security concept.
End-to-end encrypted communications and a very robust, redundant architecture are the most important measures to protect the central government. Efforts are also undertaken to ensure regulated and reliable operations. Close links between the networks of Germany's federal states and municipalities are also being established, alongside permanent improvements in the security set-up of the networks. The BSI's measures to protect the government networks are subject to continuous review, further development and adaptation to the dynamic threat situation.
The BSI detects cyber attacks on the government networks on a daily basis; it responds by providing the affected organisations with warnings, immediate safeguards and concrete assistance and recommendations for action. The National IT Situation Centre and the CERT-Bund (Computer Emergency Response Team for Federal Authorities), which is part of the same department of the BSI, are responsible for initiating these measures. The Situation Centre is required to have a reliable picture of the current IT security situation at all times so it can quickly and competently assess the need for action and the options available in the event of IT security incidents that affect both government and business. CERT-Bund is tasked with assessing cyber security information, identifying IT security incidents, assisting in their containment to minimise impact and helping to restore normal operations.
-
In view of technical progress and the dynamic threat landscape, in which government networks are subjected to targeted daily threats, it is essential to expand and develop networks and their security on a continuous basis. In the 'Federal Government networks' project, the two central, interdepartmental government networks IVBB (Berlin-Bonn Information Network) and IVBV (Federal Administration Information Network) are therefore being relocated to a powerful and secure joint network infrastructure. On the basis of this joint infrastructure, public authorities can then network their offices securely and in accordance with requirements, as well as communicate across public authorities and offer IT processes or use these processes themselves. The objective is to establish a joint infrastructure for the Federal Administration over the long term.
-
The BSI gives users in a range of target groups recommendations and advice on how to use mobile communication devices safely. For example, this user information on the BSI website is intended for private users. The BSI also has publications aimed at professional users working in government and business.
In terms of mobile communications in the federal administration, the protection needs of the information to be communicated are paramount when selecting appropriate mobile devices. If the information does not require special protection, then federal administration employees can largely use a device of their choosing. Where mobile communications have higher protection needs, the federal administration has access to particular solutions that the BSI has approved or recommended for certain tasks.
-
Within the framework of working groups, committees and cooperations, there is a trusting exchange of information and experience as well as a transfer of know-how between partners and the BSI. These include the UP KRITIS committees, exchange of information with government and industry via the BSI's National IT Situation Centre, preventive and reactive cooperation of the CERT-Bund computer emergency team with other national and international CERT associations, and cooperation with partners within the Alliance for Cyber Security. This information is supplemented by the continuous observation and evaluation of generally accessible sources of information such as news sites and blogs from the Internet. In addition, the BSI operates a number of data protection-compliant sensors that analyse the availability and integrity of government networks.
With regard to the government networks, the BSI was given the authority under Section 5 of the BSI Act in 2009 to collect and evaluate protocol data as well as data accruing at the interfaces of the federal government's communication technology in order to defend against malware and threats to the federal government's communication technology, taking the necessary protection mechanisms into account. It is also authorised to remove malware or prevent it from functioning. On the basis of this authority, the BSI operates a malware prevention system (SPS) to prevent unwanted access from government networks to infected websites, as well as a malware detection system (SES).
-
The Federal Ministry of the Interior (BMI) provides expert oversight of the BSI. Its IT staff is responsible for the BMI's collected tasks relating to IT strategy, IT and network policy, IT security and e-government.
The National Cyber Response Centre (Cyber-AZ) makes regular and event-based recommendations to the National Cyber Security Council (Cyber-SR). The BSI also briefs the Federal Commissioner for Data Protection and Freedom of Information (BfDI) once per year in accordance with Section 5 (9) of the BSI Act. The internal committee of the German Federal Parliament is briefed once per year regarding the application of Section 5 of the BSI Act.
-
Communication and information technology has become indispensable in many areas of our life and work today. However, along with the opportunities inherent in this development, the risks have also grown considerably, with more and more sensitive data entrusted to information technology. The smooth functioning of key areas of society depends on the reliability and security of information technology. To minimise the risks associated with the use of information technology, security functions must be an integral part of information technology today.
However, the technical functioning of IT products and systems is no longer transparent to large numbers of users. Yet trust in information technology can only develop if users can rely on its application. This applies to the security of data in particular. One way to create transparency with regard to the security features of IT products is to have IT products and systems tested, evaluated and certified according to uniform criteria by independent testing bodies recognised by the BSI.
The objectivity and uniformity of the tests as well as their impartiality are guaranteed by the BSI. The BSI is also significantly involved in the development of the security criteria. After applying for certification to the BSI, the technical evaluation of a product is usually carried out by test bodies accredited and licensed by the BSI, which the applicant can freely choose and commission to carry out the test procedure. In addition to the BSI, the testing bodies are available for consultation on all aspects of the procedure.
With the help of certification, providers of IT products and services can comprehensibly demonstrate the security level of their offerings. Users of certified IT products and solutions can assess for which areas of application the IT products and services are suitable and what contribution the users themselves must make in order to achieve the required level of information security when using these products and solutions.
-
According to Section 7 of the Federal Office for Information Security Act (BSI-Gesetz), the BSI has the authority to issue warnings concerning vulnerabilities in information technology products and services as well as malware. These warnings can be directed to the affected parties or issued publicly (via the media, for example). A warning of this type may also state that the BSI advises against using certain products and solutions until the vulnerability in question has been resolved. In all cases, the manufacturers of the products and services concerned are notified before the warning is published.
A public warning is only issued if there are sufficient indications that threats to IT security are originating from the product concerned. The BSI treats this authority with the utmost respect, because a public warning from the BSI about a specific product may have serious financial consequences for the affected company.
-
The BSI acts as an advisor to the business community and supports companies of all sizes and from all sectors in questions relating to IT and information security.
At federal level, the BSI is also responsible for the protection of critical information infrastructures (KRITIS).
Beyond its advisory function, the BSI works with the business community in multiple ways. It has established long-term collaboration in terms of certification, for example. By independently reviewing IT products and services, the BSI offers manufacturers an opportunity to ensure transparency and greater trust in terms of the IT security features of their products and offerings (see: Who does the BSI report to?). In terms of creating minimum standards, too, the BSI has declared its objective to develop and implement practical specifications and recommendations on IT security in cooperation with the business community.
The Alliance for Cyber Security established by the BSI and BITKOM in 2012 is a further example of cooperative and constructive collaboration between the government, business and science. As an association of all the important players in the field of cyber security in Germany, the Alliance aims at increasing cyber security in Germany and strengthening Germany's resistance against cyber attacks. The Alliance for Cyber Security is building up an extensive knowledge base for this purpose and supports the exchange of information and experience.
-
Modern societies are dependent on reliable critical infrastructure. Disruptions and failures in the energy supply, for example, or in the areas of mobility, communications and emergency and rescue services, can cause significant damage to the economy and have a direct impact on large parts of the population. 'Critical infrastructure' (KRITIS) refers to facilities of major importance for society whose failure or impairment would cause a sustained shortage of supplies, significant disruptions to public order, safety and security or other dramatic consequences. In the KRITIS field, the BSI is particularly focused on IT threats, or in other words, the protection of critical information infrastructure.
-
An important task of the BSI is to provide information and raise the awareness of citizens to ensure secure handling of information technology, mobile communications and the Internet. Despite all the positive opportunities it affords, dealing with IT and the Internet also involves risks that need to be minimised. Knowing about the risks is the first step towards overcoming them.
The BSI therefore offers an Internet service on its website that is specially tailored to the needs of citizens. Diverse topics and information on the subject of IT and Internet security are presented on the website in a way that makes them accessible to members of the public who are not experts. In addition to providing information, the BSI also offers concrete and practicable recommendations for action, for example on topics such as e-mail encryption, smartphone security, online banking, cloud computing or social networks.
Private users can also contact the BSI by telephone or e-mail with their questions on IT and Internet security topics.
Telephone: 0800 274 1000
(free of charge from German landline and mobile networks)
Or send an e-mail to: service-center@bsi.bund.de
Enquiries are treated in complete confidence. No personal data or other information is passed on to third parties.
In addition, the BSI offers a free warning and information service called 'Bürger-CERT' (Citizens' CERT), which quickly and competently informs citizens and small businesses about vulnerabilities, security gaps and other risks, in addition to providing concrete assistance.