Strategic recommendations for a smart and secure digital society

Creating a smart and secure digital space where information security is guaranteed is a society-wide, intergenerational project. The framework conditions are not only heavily influenced by technical innovations, but also by political, economic and cultural developments. Back in February 2017, the "Digital Society: Smart & Secure" project saw representatives from civil society, culture, science, businesses and administration come together to discuss issues relating to a secure information society.

On 28 and 29 June 2017, these representatives met again in Berlin to develop a series of strategic recommendations, thus contributing towards the broader debate and ultimately helping to build a more secure information society. These representatives now present the public with the following recommendations:

The government's duty to protect also applies in the digital world, and it must therefore distribute responsibility to those who are in a position to change things. All sections of society must be involved in shaping this duty of protection. All relevant stakeholders need to play their part in a collaborative effort to ensure a minimum level of IT security.

The government should be making IT security tougher, especially in the interests of citizens, but also to strengthen democratic processes and safeguard fundamental rights. This includes laws and regulations that are applied and implemented. At the same time, it is essential to establish "soft" measures at the levels of education and research.

The government must continue to develop and enforce the regulatory and legal framework. Manufacturers and suppliers of products that use IT must be held adequately accountable. Currently, the responsibility for IT security is placed unduly on users. Although users should not be entirely relieved of this responsibility, their involvement should be limited to a reasonable extent.

We should be striving to involve civil society more intensively and promote democratic cultures. This will require new experimental scope for testing and developing IT security solutions. Existing structures, processes and results should be visible and effective.

The aim here is not only to boost the level of IT security on an individual basis, but also across our entire IT infrastructure. We need incentives that encourage providers, users and the government to invest more in IT security. One key governing factor here is liability. However, a differentiated approach must be taken when it comes to assessing who is liable for what - depending on product categories and roles (users, manufacturers, operators). This requires normative regulations and standards that reflect reasonable requirements for IT security. In this context, liability claims, e.g. culminating in damages or fines, are not an end in themselves, but rather a means of ensuring a higher level of security. Steps must also be taken to ensure that this liability is enforceable.

  1. The government must itself set an example with regard to IT security; its task is to play a coordinating (not dominating!) role at the touchpoints between the different areas of society.
  2. Germany also carries a certain responsibility in the international community. Any promising initiatives should therefore be launched and promoted on an EU and international level.
  3. We demand basic digital education for all, including the non-technical facets of society. The education system must be adapted to align with this requirement within the next five years. By then, the training for disseminators in all groups of society must be completed.
  4. We demand legally binding standards for security and privacy by design and by default for all IT products. This means that devices must be shipped and preconfigured in a secure condition, with providers switching to a "privacy by default" approach to protect privacy.
  5. We call upon the government to regulate communications platforms (e.g. Facebook) with the aim of establishing open standards, to enable users to easily switch providers (data portability) and therefore improve competition.
  6. We call for critical infrastructures to be designed in such a way that they remain functional in the event of a digital technology failure.
  7. We call for processes that develop minimum security requirements in IT systems. These minimum requirements shall serve as the basis for labelling and certification. We have observed that the existing standardisation processes used by companies and governments are not sufficient for this purpose. The process of developing minimum requirements must be open, transparent and independently financed; it must also involve all relevant stakeholders fairly and to an equal extent and ensure that they are provided with any financial support required to participate.
  8. We call for mandatory certification to be established for IT systems based on these minimum requirements, initially for particularly sensitive areas.
  9. For areas where certification is not required, we demand mandatory labelling for IT systems. To this end, a simple and user-friendly labelling system must be developed that reflects the extent to which security requirements are met or not met, e.g. in the form of a minimum maintenance period (expiration date) or a traffic light system.
  10. We call for appropriate product liability provisions to encourage manufacturers to implement these requirements.

    • To enforce product liability, we demand that the relevant public authorities are provided with adequate organisational and personnel resources.
    • Among other factors, it is important to ensure that the security updates required under the product liability are not accompanied by any qualitative changes that users may object to (e.g. unwanted data transfer).
  11. We call upon the government to continuously monitor the issue of liability and IT security in order to identify and implement possibilities that have not yet been considered.
  12. We need security technology to be standardised and simple in terms of operability.
  13. The government should be continuously supporting research with a view to improving security in the digital world in the long term.
  14. We welcome the fact that researchers are focussing on the technical and social impact of artificial intelligence and algorithms.

The recommendations report was prepared during the think tank workshop attended by representatives of the following organisations:

  • Amnesty International - Sektion der Bundesrepublik Deutschland (Section of the Federal Republic of Germany) e.V.
  • Federal Office for Information Security (BSI)
  • Bundesverband Informationswirtschaft, Telekommunikation und neue Medien (German Association for Information Technology, Telecommunications and New Media) e.V. (Bitkom)
  • Deutsches Institut für Vertrauen und Sicherheit im Internet (German Institute for Trust and Security on the Internet) (DIVSI)
  • FFT Düsseldorf, Forum Freies Theater (Forum Free Theatre) e.V.
  • Forum of Computer Scientists and IT Professionals for Peace and Social Responsibility e.V. (FifF)
  • Freiburger Institut für angewandte Sozialwissenschaft (Freiburg Institute for Applied Social Science) e.V. (FIFAS)
  • Initiative gegen Totalüberwachung (Initiative against total surveillance) e.V.
  • State Criminal Police Office of North Rhine-Westphalia (LKA NRW)
  • Philipp Kalweit IT Security Consulting
  • Praemandatum GmbH
  • Stiftung Neue Verantwortung (New Responsibility Foundation) e.V. (SNV)
  • German Institute for International and Security Affairs (SWP)
  • Consumer Association of North Rhine-Westphalia (VZ-NRW) e.V.