Federal Interior Minister Horst Seehofer is making a new attempt to enforce the heavily controversial state hackbacks on online attacks with the help of an amendment to the Basic Law. It is important to the CSU politician to create the appropriate “federal means for defending against cyber attacks”. So far, the states are responsible for this. Major hacker attacks, however, “often represent a cross-border threat and often have an international dimension”.
Draft cybersecurity strategy with a short response time
The requirement for the instrument is part of one Draft “Cybersecurity Strategy 2021”published by the Federal Ministry of the Interior (BMI) on Wednesday. Associations, civil society organizers and other interested parties are also asking the department to comment on the 128-page paper by June 16. Short reaction times to complex projects had already led to protests during the work on the IT Security Act 2.0.
For a digital counter-attack “extremely high technical expertise is required for reactions, which can effectively only be built up in a few places in Germany”, Seehofer advertises for his plan. The previous division of responsibilities “does not do justice to the current and foreseeable further worsening threat situation in the cyber sector”. Relevant dangers can thus “not be effectively countered permanently”.
Extended legislative and administrative competence
The Federal Ministry of the Interior is therefore striving to “anchor in the Basic Law an expanded legislative and administrative competence of the federal government to ward off dangers emanating from particularly serious and significant cyber attacks on information technology systems and networks”. Building on this, it should be clarified “whether new or supplemented tasks and powers” are required from federal authorities.
In general, the minister is already proposing to design and network “the technical-operational units” of the Federal Office for Information Security (BSI) in a future-proof manner and to improve cooperation with the federal states. Furthermore, aspects of cybersecurity in the context of national and alliance defense as well as other options for reacting to threats in the cyber and information space by the Bundeswehr “taking legal issues into account” are to be examined and specified.
Legitimate access to data in plain text
At the same time, the Ministry of the Interior wants to enforce the principle “Security through encryption and security despite encryption”, which it has already anchored at EU level, nationally. “More and more communication channels and data storage services are secured by end-to-end encryption,” it says. In principle, this is good for “privacy and the security of communication”.
At the same time, however, the security authorities are to be given the opportunity to have legitimate access to data in clear text “for legitimate and clearly defined purposes in the context of combating serious and / or organized crime, child pornography and terrorism – including in the digital world uphold the rule of law “. The previously established “compensation measures” such as source telecommunications monitoring and secret online searches are limited to individual cases “because of the operational and technical challenges in practice”.
According to Seehofer, “new approaches to unencrypted access to originally encrypted communication content are required” so that the police can fully fulfill their statutory duties. To this end, technical and operational solutions for lawful access to content in plain text are to be developed “initially in close coordination with the service providers, other relevant stakeholders and all responsible authorities. Opponents warn of a massive attack on secure encryption.
Germany in focus “advanced attack techniques”
The Federal Ministry of the Interior also wants to increase the level of cybersecurity through a “strengthened preliminary investigation” by the secret services. Since Germany is in the focus of “advanced attack techniques” by state hackers from abroad, “both the technical and the professional skills of the federal intelligence services” must be strengthened.
The Bundestag has just passed a law that allows all federal and state secret services to use state Trojans for the source TKÜ plus with access to stored messages. Service providers at network level are obliged to support the agents in installing the malware on target systems and to redirect data traffic. In addition, the federal police will be allowed to use the federal Trojan for the source TKÜ in the future.
“Responsible handling of 0-day vulnerabilities and exploits”
Seehofer now wants to fill these legal regulations with life and consistently expand the chosen path. However, experts have long warned that the authorities have to exploit security loopholes to use state Trojans and that cybercriminals and foreign secret services can also go through the gates that have been opened. Following this course in a security strategy is such a tightrope walk. Sven Herpig of the New Responsibility Foundation described the fact that the Federal Ministry of the Interior advertised participation in the consultation with the image of a Trojan horse as a “sheer mockery”.
At a hearing, the President of the Federal Office for the Protection of the Constitution, Thomas Haldenwang, recently assured that exploits for previously unknown security gaps (zero days) played no role, at least for his agency. “Existing gaps” would be exploited. Seehofer now wants to promote a “responsible handling of 0-day vulnerabilities and exploits”.
Seehofer wants to expand the state hacker station in Zitis
“The use of 0-day vulnerabilities for the purposes of intelligence clarification, hazard prevention and criminal prosecution is currently carried out in accordance with the internal authority requirements applicable to the respective security authority,” says the paper. In order to improve this process, a weak point management process is being worked on “on a balanced cross-agency strategy” for dealing with security gaps for the law enforcement and security authorities.
The key point is “the risk assessment between the risk potential” especially of zero days “in the case of temporary exploitation by the security and law enforcement authorities” and the forecast benefits for their work, explains the BMI. Security experts and opposition politicians, on the other hand, have long appealed to the government to report any security gaps discovered by public authorities to the manufacturers and to have them closed.
Seehofer also intends to expand the state hacker station in Zitis and thus increase “the digital sovereignty of the security authorities”. It is to be strategically realigned “in order to be able to act on its own in the future” and to reduce the often existing “great dependencies, especially on non-European countries” in the case of surveillance solutions. The Zitis will therefore be put in a position to “develop, evaluate and make centrally available” appropriate tools and methods. Commercial products should be “tested as thoroughly as possible” in advance.
“Frontal attack on the integrity and confidentiality of digital communication”
Despite the multitude of proposals with which the IT security of elections, artificial intelligence or electronic identities should also be strengthened, the actual “cyber threat situation” is missing in the draft. It is “still in progress”.
Manuel Atug, spokesman for the Kritis working group, accused the BMI of showing a “fundamentally shifted understanding of cyber resilience and defensive action in cyberspace” with the initiative. There is “only security through encryption for civil society, business and critical infrastructures”. The electrical engineering association VDE complained about the key points for the strategythat the aforementioned “Security by Design” approach excludes the “breaking of end-to-end encrypted communication channels”. The Green parliamentary deputy Konstantin von Notz warned of a “frontal attack on the integrity and confidentiality of digital communication” when the “legally unregulated” Zitis was set up.
A different line than the BMI calls for the EU Parliament in a resolution adopted on Thursday on the EU Commission’s draft for a European cybersecurity strategy. It advertises in it for a stronger use against online threats. Networked products and associated services, including the supply chains, should be designed to be secure and resistant to IT security incidents. Any weaknesses discovered must be eliminated quickly, emphasize the MEPs. The EU should arm itself for disinformation campaigns and cyberattacks on infrastructure, economic processes and democratic institutions.