The cybersecurity agenda seamlessly continues the old Seehofer policy. A critical look at hackbacks, vulnerability management, and impractical politics.
It could have been so nice: a new government will be formed at the end of 2021 – that alone is good news for the security situation of the people in Germany. The coalition agreement sounds promising: people and their civil rights, their freedom and their need for protection are the focus of every security policy consideration. After years, almost decades, of pessimism there is finally a ray of hope: the measures that protect us all in the digital age are to be evidence-based and, above all, sustainable!
A commentary by Caroline Krohn and Manuel Atug
AG Sustainable Digitization (AGND)
The Working Group on Sustainable Digitization (AGND) is a group of independent experts dealing with the long-term consequences of digitization. The social component of sustainability is placed in the foreground in the analyses, publications, lectures and projects. The core requirement of this working group is to avoid technical debts to future generations and to enforce security by design in all institutions and systems. Initiating responsible measures in the digital transformation and carrying them out conscientiously, i.e. operationalizing them, is both a technical and an ethical task. The two IT security experts Caroline Krohn and Manuel Atug recently founded the AGND and it is currently being set up. Further information, dates and publications will follow soon on the website and via YouTube.
Website of the Working Group on Sustainable Digitization (AGND) – under construction
The overall surveillance accounting it provides for is to be drawn up in 2023. According to it, the curtailment of civil rights through extended powers of the state and its security authorities is in future to be weighed against the fundamental rights of the individual; this will be the basis of all future security laws. Before that – as the coalition agreement expressly states – no new security laws, i.e. no new encroachments on fundamental rights, will be passed. So far, so hopeful.
The cybersecurity agenda: Seehofering with the watering can
You have to give Federal Interior Minister Nancy Faeser credit for one thing: she was offered the post at very short notice. It was therefore not to be expected that she had dealt with the coalition agreement before her appointment. Apparently her officials were farsighted enough to expect that there would be no place for them in the new federal government. They will have been surprised that they were allowed to remain in their posts. What’s more, they even have a free hand to seamlessly continue the old Seehofer policy and pour it into the new cybersecurity agenda – which Minister Faeser then willingly presented.
Sustainability, i.e. avoiding human and civil rights debts towards future generations, is not part of this agenda. On the contrary: the security authorities are to be given even more powers and need to fear even less that these will be scaled back. The threat level is talked up even higher, more money is to be spent on surveillance measures according to the watering can principle, and civil society is to be heard even less: this agenda stipulates dystopian conditions.
Ultimately, whether hackback means “switching off other servers with state funds” or an “aggressive counterattack”, it cannot prevent or reverse the damage caused by a successful attack. It remains a digital retaliatory strike, which AG KRITIS, an independent association of security experts with special expertise in the field of critical infrastructures, among others, regards as a dangerous measure. The association for liberal network policy LOAD e.V. also aptly puts it as “a deliberate misleading of the public”.
Vulnerability management as procrastination instead of a solution
The agenda goes on to speak of “vulnerability management”. Instead of fixing weak points, the state is to manage them, i.e. administer them. This is particularly necessary when they are used to render the encryption systems of smartphones, messengers, business IT systems and many more insecure – in order to exploit these insecurities for investigations. Vulnerabilities that are deliberately kept open do not help to secure Germany digitally. In a government cybersecurity agenda they seem all the more out of place.
In principle, one could be happy about the establishment of the principle “Security by Design and by Default”, which the federal administration is striving for. However, this becomes a mere buzzword if there are no legally binding obligations behind it. The last two federal governments have already used this wording without actually implementing anything. Apparently the security authorities and the ministry still do not understand what is required for security in cyberspace.
The legal scholar and professor of IT security law Dennis-Kenji Kipker also finds nothing good to say about the agenda with regard to active cyber defense. In the planned strengthening of ZITiS he sees a weakening of cyber security, since the offensive measures ultimately compromise the systems. The chat control, mentioned only in passing, takes cybersecurity ad absurdum because of the associated mass surveillance of the confidential communication of all EU citizens. Apparently the EU Commission and the Seehofer-leaning apparatus in the BMI are to be pacified here – Interior Minister Faeser herself recently spoke out clearly against this.
Concentrate on the essentials: think of human protection from the point of view of the individual
It is not only appropriate but absolutely necessary to ensure that people in the digital age in Germany, Europe and the world can lead their lives independently. This means that the state guarantees human protection – through better encryption, by enforcing security-by-design in all developments and through privacy-by-design in all digital products and processes. A well thought-out stabilization of the digital infrastructure and an increase in the resilience of critical infrastructures is the basic requirement for this. Geopolitical fantasies of power, on the other hand – regardless of whether they are directed inwards or outwards – no longer belong in security concepts in the 21st century. The focus on stabilization – even without blockchain, hackback, state trojans and AI – is not fancy and does not glitter, but it is indispensable and the only sensible thing to do.
Statements by Foreign Minister Annalena Baerbock last weekend are encouraging. She writes on Twitter: “The principles of international law must apply when defending against cyber attacks from abroad. This includes a right to self-defence, but also the principle of proportionality and never retaliatory attacks.”
Baerbock also calls for internal and external security to be considered together. This statement gives hope that the Federal Ministry of the Interior’s cybersecurity agenda is not yet the final word. Security needs to be thought through. Human protection must be thought of from the point of view of the individual.