Nord Stream Leaks: Who Protects Critical Infrastructure?

The explosions on the Nord Stream pipelines have shown that the critical infrastructure is indispensable and highly vulnerable. But who is actually responsible for protection?

The Baltic Sea is almost no longer bubbling. Hardly any gas is escaping from the two Nord Stream pipelines, which were apparently damaged by four explosions near the Danish island of Bornholm last week, Danish and Swedish authorities said on Sunday. Soon the leaks in the pipes will be inspected more closely and the investigation of the incident will begin. However, there is little doubt that it was sabotage.

Pipes are spied on by secret services

The explosions of the two pipelines in the Baltic Sea have suddenly highlighted the vulnerability of critical infrastructure in the sea. In the past, there have been repeated warnings that the tubes and in particular the fiber optic cables on the sea floor, which are of great importance for communication and energy supply, are hardly protected against attacks and have also been spied on by the military and secret services for a long time.

Within the federal government, there was initially some ambiguity last week: who is actually responsible for protecting such infrastructure on the high seas? And what protective measures are possible and useful? At the request of the WDR, a government spokesman said that the federal government was “overall concerned with the events surrounding the accident on the Baltic Sea pipelines Nord Stream 1 and Nord Stream 2”.

Bundeswehr, federal police and BND in action

This statement in turn raises the question: If everyone is involved, who is ultimately responsible? The Bundeswehr first sent the mine diver task boat “Bad Rappenau” to search the pipelines for further damage. The federal police announced increased controls on the German coast. And the Federal Intelligence Service (BND) is also supposed to help clarify the pipeline explosions. In the past, the service had warned of possible underwater sabotage of data cables.

So far, mainly operators in the obligation

There has been much discussion in recent years about the protection of critical infrastructure from cyber attacks and minimum standards for IT security. Above all, the operators of the infrastructure were made to take certain protective measures. Suddenly, however, it is not about hackers and computer viruses, but about physical attacks on an area of ​​critical infrastructure that is essential for the supply of energy or the Internet. Possibly acts of military sabotage and de facto acts of war.

How should operators protect themselves from such dangers and what protection does the state have in this case? And what if the operator himself is suspected of having carried out the destruction? When it comes to these issues, the responsibilities within the German authorities are by no means as clear as one might assume. Critical infrastructures, or KRITIS for short, are defined as “organizations or facilities of major importance to the state community, the failure or impairment of which would result in lasting supply bottlenecks, significant disruptions to public safety or other dramatic consequences”. These are, for example, the electricity and drinking water supply, food production, healthcare, telecommunications or the transport and traffic sector.

More than 500 companies belong to KRITIS

More than 500 companies currently belong to the KRITIS sectors. They have to take certain, strict measures to protect their facilities and are in contact with the Federal Ministry of the Interior or subordinate authorities such as the Federal Office for Civil Protection and Disaster Assistance (BBK) or the Federal Office for Information Security (BSI).

Which services belong to KRITIS has so far been announced by the so-called KRITIS regulation of the BSI. Surprisingly, this infrastructure, which requires special protection, does not include the data cables that also run along the German coast and ensure the Internet supply. According to the Federal Ministry of the Interior, the operators are initially responsible for their protection.

95 percent of all data is transmitted via cable

Between 400 and 500 data cables currently span the globe and ensure that communication systems are networked, as around 95 percent of all data is now transmitted in this way. The cables are laid, operated and maintained almost exclusively by private companies. In addition, there are only about a dozen special ships worldwide that can be used to lay new cables or carry out repair work.

A study commissioned by the EU Parliament on “Security Threats to Undersea Communication Cables and Infrastructure – Consequences for the EU” was published in June. In it, the authors warned of the vulnerability of data cables on the seabed and suggested that the EU member states carry out their own risk assessments, establish and network technical monitoring systems and better coordinate the protection of the facilities.

According to the coalition agreement, a law is to come

In Germany, a KRITIS umbrella law, which according to the federal government’s coalition agreement should be launched, could help. The Greens in particular have been calling for such a law for some time, which should not only regulate IT security, but also the physical protection of critical infrastructure. In July, Federal Interior Minister Nancy Faeser (SPD) announced that she would soon present key points to the cabinet. So far this has not happened.