Criticism of conflict over IT security: Berlin MPs angry with BVG and Ramona Pop – Berlin

In the dispute between the BVG and the Federal Office for Information Security (BSI), which has been smoldering since 2018, there are now critical voices from the House of Representatives.  The  behavior of the BVG and its chairman of the supervisory board, Senator for Economic Affairs Ramona Pop (Greens), “endangers the safety of our local public transport,” said the chairman of the CDU parliamentary group, Burkard Dregger, on Wednesday the Tagesspiegel.

 The  SPD MP Jörg Stroedter complains, “It is unacceptable that the dispute has been going on for so long and the parliamentarians only find out about it from the newspaper”. Stroedter heads the “Investment Management and Controlling” subcommittee, which deals with companies in the State of Berlin. “We are a control committee”, emphasized Stroedter, “we have to be informed”.

 The  Tagesspiegel reported on Wednesday that, despite the high risk of hacker attacks, the BVG has been refusing to recognize the Federal Office’s statutory right to all information about the status of IT security in local public transport since 2018.

 The  Federal Office relies on the BSI Act and an ordinance. According to this, transport companies with more than 125 million passengers per year are classified as “critical infrastructure”.

 The  companies must regularly prove to the Federal Office that they are equipping their IT systems against disruptions.

 The  BVG claims, however, that it only has 30 million passengers “as natural persons” per year. On the BVG website, however, there are more than a billion passengers. In 2018 and 2019, the BVG only hesitantly – and without recognizing a legal obligation – submitted material on four traffic control and monitoring systems to the Federal Office.

 The  information is not enough

But the documents are not enough for the BSI. In November 2019, the Federal Office sent the BVG an order to comply with legal obligations.

 The  BVG objected. In October 2020, the business law firm Taylor Wessing filed a lawsuit against the BSI on behalf of the BVG at the Cologne Administrative Court.

 The  trial could take a year, the court says.

 The  dispute also worries the Federal Ministry of the Interior. It is responsible for the BSI. “Due to the BVG’s pension, we regret the company’s position,” said a spokesman.

 The  criticism from the CDU and SPD is also directed specifically against economics senator Pop. As the chairwoman of the supervisory board, she is legally responsible for the BVG. Pop does not even begin to meet its control responsibility, said Dregger. He called on Pop to “promptly arrange for the BVG to place itself under the supervision of the competent BSI and to submit all reports requested from there”.

[Wenn Sie alle aktuellen Nachrichten live auf Ihr Handy haben wollen, empfehlen wir Ihnen unsere runderneuerte App, die Sie hier für Apple- und Android-Geräte herunterladen können.]

It is obvious “that the BVG falls under the definition of ‘critical infrastructure’ and is therefore subject to the supervision of the BSI”.

 The  CDU politician warned that it was “about the safety of passengers and not about vanity”. Cyber ​​attacks on the BVG control systems “can not only lead to long-term train cancellations, but also to life-threatening rail accidents”.

 The  action of the Senate was “maximally unhappy”, said the chairman of the FDP parliamentary group, Sebastian Czaja. Pop is responsible for “urging the BVG and all companies in the critical infrastructure to arm themselves as best as possible against cyberattacks” and to use the competence of the BSI. MPs from the Greens, Left Party and AfD, whom the Tagesspiegel had asked for an opinion, did not answer.

Pop: “We expect the BVG to secure and protect its critical infrastructure in accordance with the standards.”

BVG spokeswoman Petra Nelken reacted tightly to the allegations from the SPD, CDU and FDP. “Let me emphasize once again that the BVG naturally looks after, monitors and protects all of its critical infrastructures in a highly professional manner”, emailed Nelken. That was it on the subject. Until the decision of the court, no further comments would be made, wrote Nelken.

SPD man Stroedter will follow up on BVG and Pop. He will write to both of them to get a “clarification”, said Stroedter.

Senator for Economic Affairs Ramona Pop said on Wednesday, “Of course, the BVG is also required to report to the MPs, especially the subcommittee that does not meet in public”. A quick clarification of the BVG with the BSI is necessary in order to remove ambiguities from the past. “We expect the BVG to secure and protect its critical infrastructure in accordance with the standards.”