Back once again with another bespoke translation for the A&N audience. Original source [A]
BSI = Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik)
IT baseline protection (IT-Grundschutz) is a methodology from the BSI for implementing computer security measures in organizations
"IT baseline protection++"
BSI at a turtle's pace.

I used to have quite a few dealings with IT baseline protection etc. back in the day.
The first time was around 1999, when I secured a nuclear power plant back then. They started with an official information request on whether we implemented the latest baseline protection handbook and so on and blah blah. Back then, I looked at it extensively and came to the conclusion that it was not usable (yet). Those were just a few nice ideas and run-of-the-mill recommendations, not suitable for nuclear power plants, but rather for curious, clueless enterprises. Just a bit later, it got a push (and apparently more workload put into maintaining and expanding it) and became good and useful. It needed a few years in the beginning.
It still was and is a crazy - and always growing - bureaucratic piece of work, and in my work from 2003 to 2007 I even offered it as a service, to do it for companies, but stopped it because the required effort to keep up to date with the knowledge (and the tools) was enormous, all of that was quite expensive, the software was messy, and only a single client ever asked for a quote and immediately declined when he saw the prices. I once put my own company into the software as a test. You very quickly reach crazy levels. You can really tell it's been created in a laboratory; in the real world the required effort quickly grows polynomially, if not exponentially. Basically, you need to document every individual room, in those rooms every single server, on those servers every single application, and then endlessly evaluate threats for everything and tick off action items. To then get certified on whether you clicked on and implemented thousands of recommended measures. Bureaucracy on amphetamines and LSD at the same time.
Roughly 6, 7, or 8 years ago, I don't remember exactly, I had trouble with the baseline protection handbook again in a different professional context. Actually, I don't find it that bad, it's somewhat calcified and administrative-ish, but it's a tangible collection of measures that impresses third parties. I was thinking that you could fix the software problem in a relatively manageable amount of time (if everything doesn't have to immediately look perfect, polished, and pretty) as a Ruby-on-Rails application, because in the end it's not much more than filling out relational databases, input masks, and different kinds of report creation. I thought, that would be an idea, crafting that and putting it up as free open source on GitHub and as a Docker container on Docker Hub. Which - compared to other scary software that I've seen, which was laborious and unstable to set up and then only ran locally on one workstation, and was terribly designed and incomprehensible - also had the nice advantage that you don't need to install it locally, but simply access it using the browser and have it running somewhere on a server (or in a new fancy way using Kubernetes). A container with the app via pull, add a Postgres container, docker-compose around it - done. Installed in a minute, run it in the browser, child's play.
But, ah.
I first wanted to look into how you get the baseline protection handbook data to process it automatically. Threats, building blocks, measures, all that stuff which you need to populate the database with initially and occasionally for updates. So, not what the user writes about their store, but what the baseline protection handbook itself is describing. You can freely download it as an 800-page PDF handbook, but it's not machine-readable. The best alternative was that you could find all of that online on websites, but as HTML. I was considering and looking into downloading and parsing it using website scraping software, but somehow that wasn't consistent either and apparently not allowed. I asked if there's a machine-readable version and received a stupid answer, something along the lines of only for contracted suppliers who offer commercial software products, blah blah blah.
Back then I already thought that the BSI is exactly the kind of bureaucratic dump I think it is. Everybody who would seriously act on an orderly duty of improving security in Germany and is already being paid for by tax money, so doesn't need to be commercial and make profit or cover its cost with revenue, would make it freely available so as many people as possible use it. It's the actual purpose and duty of the BSI to achieve as much security as possible and not to keep the expensively-made security measure catalogues as bureaucratic and impossible to access as possible. Because even if a small or medium-sized store that is completely meaningless for the state and the administration improves its security, it's a boon to everybody because another potential virus and hacker nest is being reduced. Every single shop that's less susceptible to malware, harder to take over, and better able to react to security incidents is a security benefit for the entire country.
Back then I thought, well, if they absolutely don't want it and block attempts to use their IT baseline protection - then we'll leave it at that. At some point you just sit there and shake your head because they make it so difficult for you while simultaneously grandstanding about security, and ultimately what you get is a fat handbook for manual reading and lousy software.
That entire affair was so perfectly German: Infinitely compartmentalized, administratively uncompromising and delusional, recursively self-cyclical, and then they don't want you to use it because they want to prevent someone from using it without having a contract with them, copyrights and so on. So ministerial. Every reasonable person with a serious desire for that stuff to be used would have put it up on the website for free, offered it in all possible formats, and written on top of that "Here, take it! It's for you, you've paid for it already!" But no, not only is that stuff overly complicated, even the access to it is.
Just now I read in a magazine that the BSI had noticed something in the meantime and now, after over 30 years of baseline protection, they got the idea to publish the baseline protection catalogue in a machine-readable way as JSON and via Git as a download.
My goodness, I just thought, they're getting this idea damn early. Now that the Russians are attacking again. Now they are getting this idea.
Until I read two pieces of information at the end of the article.
The launch for IT baseline protection++ is to be on 1.1.2026. Oh dear, more than a year in the future.
And that they aren't doing it voluntarily or out of their own volition, but the NIS2UmsuCG [the German law for implementing the European NIS2 and strengthening cyber security] forced the BSI to rework and overhaul it.
Goodness me...
Sometimes I think, if only I had become a gardener. But when you look at how many regulations and prohibitions they have, they haven't got it any easier either. On my floor of the student dormitory, there was a chemist. Actually a highly gifted chemist, but mentally he didn't survive the academic craziness; at the end of his studies he snapped and went into the nut house for a few months. I met him two, three years later in the city and asked him how he was doing. The nut house doctors examined him and had him retrained as a gardener, that would be better for him. Trees, bushes, and flowers were said to be better and healthier for him than the academics. They don't say as much stupid stuff. And the air is fresher and better than in chemistry, better for the brain. Now he's got completely scratched hands, but other than that, he's doing a lot better, everything is fine and he is happy. Since then, whenever I'm dealing with this insanity of IT security, I occasionally get the thought that being a gardener would maybe have been better.
A buddy, also a computer scientist, also doing IT security, casually said that he's quitting, throwing in the towel, and going to New Zealand to farm sheep. Until I saw in a New Zealand sheep farming museum what an administrative burden that is and how much they work with computer-based facilities, and told him about it.