Who will be responsible for cyber security in the future, and what measures are appropriate to ensure it? The German Federal Ministry of the Interior (BMI) today presented its cybersecurity agenda. It certainly offers a lot of fuel for the fire.
Federal Minister of the Interior Nancy Faeser (SPD) has proposed an amendment to the Basic Law to make the Federal Office for Information Security (BSI), which is under her authority, a central agency. A similar structure already exists at the Federal Criminal Police Office (BKA) and the Federal Office for the Protection of the Constitution, which works closely with the respective state authorities.
The responsibility for cybersecurity currently still lies with the states, so the BSI has so far only been able to provide administrative assistance, the minister said in Berlin on Tuesday. In view of the growing threat, this is no longer appropriate. In the long term, the states are “overburdened” with this task. She said that she had received very positive signals from the states regarding her proposal to amend the Basic Law. For an amendment to the Basic Law, the “traffic light” government in the Bundestag would also need votes from the opposition because a two-thirds majority is required for this.
The number of attacks rises significantly
In the past two years, several cyberattacks on hospitals and government agencies had caused major problems. Overall, the number of attacks that became known increased. FDP parliamentary group vice chairman Konstantin Kuhle warned that the BSI’s task profile must be clearly outlined and its independence strengthened before any amendment to the Basic Law. “This also includes the establishment of a functioning vulnerability management for all security agencies.” This involves security gaps in hardware and software that are deliberately not closed so that government agencies can secretly gain access to cell phones and other means of communication for reconnaissance or investigations into serious crimes.
Information sharing platform
In light of Russia’s war of aggression against Ukraine, the Federal Ministry of the Interior also presented further measures for greater cybersecurity. These include the introduction of a central video conferencing system for the federal administration. At the BSI, a platform is to be created for companies to exchange information on cyber attacks.
In addition, investments in so-called cyber resilience measures are to be promoted among small and medium-sized enterprises if they belong to the “critical infrastructure” – from sectors such as transport, food, health, energy, and water supply. Faeser has also set her sights on modernizing the IT infrastructure of the Federal Office for the Protection of the Constitution. It is also to be given more powers to “clarify technical matters in the event of cyberattacks by foreign powers.”
Need for coordination
However, there is a need for coordination in the area of cyber security not only with the states but also within the federal government. Transport Minister Volker Wissing (FDP) is responsible for digital affairs. With the Cyber and Information Space Command, there is an organizational unit in the Bundeswehr for defending against cyber attacks. “We will always have to have the interface with the BMVg (Federal Ministry of Defense),” Faeser said. She said the war in Ukraine in particular, showed how external and internal security are interrelated.
The coalition agreement between the SPD, the Greens and the FDP provides for a new law in which regulations for the protection of critical infrastructure are to be bundled. This must be implemented as quickly as possible, said Green Party deputy leader Konstantin von Notz. “There is also an urgent need for coordination with the strategies currently being developed by other houses.”
Alexander Throm (CDU), the domestic policy spokesman for the CDU/CSU parliamentary group, said the new cybersecurity agenda leaves crucial questions unanswered – for example, what specific powers the Federal Criminal Police Office, the Federal Office for the Protection of the Constitution and the Federal Police should be given to defend against cyberattacks. “Also missing is a concept for active cyber defense, which is directed against cyber attack in a danger-preventing manner.” Such a concept had failed during the term of Faeser’s predecessor Horst Seehofer (CSU), due to opposition from the SPD.
Reactions to the cybersecurity agenda are ambivalent. On the one hand, the industry association Bitkom welcomes “the fact that the German government is resolutely tackling the issue of increasing cybersecurity and modernizing the investigative work of the authorities. Among other things, we take a positive view of the fact that the Federal Criminal Police Office is to be given a coordinating, central role in reporting and deletion processes for misrepresentations on the Internet in the future.” Bitkom also takes a positive view of the planned amendment to the German Basic Law to strengthen the BSI, but calls for a more measured approach on a number of other points: “However, we are critical of the fact that, in order to achieve a supposed increase in security, there is a desire to deviate from the requirements of the coalition agreement and to intervene more strongly in the privacy of citizens in the future: there must be no dissolution of end-to-end encryption for digital communications. This would interfere too deeply and disproportionately with the fundamental right to protected communication. Moreover, the planned increased use of artificial intelligence by police forces must first be intensively examined, and in doing so, must necessarily comply with the requirements of the European Union’s AI Act and the coalition agreement.”
The Eco Association takes a similar line. “Eco sees the strengthening of the resilience of digital infrastructures and the strengthening of an independent role for the BSI as important factors for more trust in the state as an actor in cyber security policy. The exchange of information between industry and the administration urgently needs to be improved so that existing security gaps can be closed as quickly as possible. Closer and targeted cooperation between all stakeholders, such as the state, the user economy, the provider economy and research in the field of cyber security technologies, will help to jointly master the mammoth task of cyber security for all. The association is critical of the planned regulations on vulnerability management, but also of the planned expansion of state powers to investigate technical matters, which could possibly include means that are problematic from our points of view, such as state Trojans or hackbacks.”
Prof .Dr. Dennis-Kenji Kipker, professor of IT security law, classifies the cybersecurity agenda as “unconvincing.” In an effort to apparently find the lowest political denominator, the “formulations remain vague and cloistered, inviting coffee-table talk but not concrete improvements in cybersecurity.” He concludes that “in general, we in Germany should think about a reorganization of competencies and responsibilities in cybersecurity.