BSI alarm report: Call for an independent Federal Institute for IT Security

In its current situation report on IT security, the Federal Office for Information Security (BSI) identifies weaknesses in hardware and software as one of the greatest dangers. The office does not mention that intelligence services and law enforcement authorities sometimes deliberately leave such security gaps open and – under the federal government's revised cybersecurity strategy – are permitted to exploit them to deploy state Trojans.

Now that the BSI has declared a “Red Alert” – at least in some areas – experts from science, politics and industry are discussing what can be done better and how the authority, which is growing in importance, should be organized. “If security gaps are deliberately left open, then it is only a matter of time before they are maliciously exploited,” warns Tibor Jager, professor of IT security and cryptography in Wuppertal. Hoping that only the “good guys” would find a weak point is “completely naive and unrealistic”: “In this respect, every gap left open is a ticking time bomb.”

Too often, legal policy makers take the view that national security interests have priority over IT security, Dennis-Kenji Kipker, professor of IT security law in Bremen, explained to the Science Media Center. With this justification, ever more extensive powers of intervention are being created. “It should have been known for a long time that online access to IT systems in particular must meet the highest constitutional requirements and can therefore legitimately only be considered in absolute exceptional cases.”

The current balancing act “in no way does justice to this principle,” Kipker complains. For a very small number of potential interventions, the state is currently keeping open the option of “weakening countless IT systems across the board through inconsistent handling of security gaps”. It should not be the case “that authorities under the aegis of the Federal Ministry of the Interior should on the one hand promote IT security, but on the other hand actively undermine it”. The only consistent approach would be to provide for an immediate obligation to report all security gaps that have become known to the state to those affected, and not to exploit weak points to deliberately compromise IT systems.

Martin Schallbruch, director of the Digital Society Institute at the European School of Management and Technology (ESMT), believes that the preparation of serious crimes is increasingly taking place entirely via encrypted communication. An important instrument against this is “the intrusion into the computer systems of such suspected criminals”. The tools used for this are ones “which are necessarily based on security gaps”. In this respect, the state has a legitimate interest in using such weak points.

At the same time, it is important to protect citizens and companies from cyber attacks and to close security gaps, notes the former IT director of the Federal Ministry of the Interior (BMI). If the state becomes aware of particularly serious weaknesses, “they must be closed quickly by informing the manufacturer”. However, this does not apply to every loophole used by investigators and agents.

According to Schallbruch, subordinating an authority to a ministry – as the BSI is subordinated to the BMI – serves “to ensure a democratically legitimized control of the administration with the help of the political responsibility of the government and control by the parliament”. In the case of the BSI, this does not affect its statutory mandate: it has to report security gaps to the manufacturer “and must not hold them back”.

Nonetheless, the public has “an interest in advice on IT security issues that is independent of government and politics,” explains the future head of the Govdigital cooperative, which specializes in digital administrative services. As in the area of food safety, this could be organized “by setting up a federal institute for IT security that is independent of instructions”. Such an institute should provide scientific advice, but have no operational powers and impose no fines.

Sebastian Golla, junior professor of criminology, criminal law and security research in the digital age in Bochum, demands that “the existing confused system of state institutions for the protection of IT security as a whole must be critically evaluated”. The BSI, which emerged from an agency of the Federal Intelligence Service, cannot take over all tasks related to providing IT security, even though it has received numerous new powers in recent years. When it comes to handling weak points, it would be better to “commission institutions to control areas of security and intelligence services that are sensitive to fundamental rights”.

The persistently high level of danger in Germany's IT sector makes it clear that a “stringently conceived IT security strategy” must finally be implemented, emphasized Mario Brandenburg, technology policy spokesman for the FDP parliamentary group. To be able to react more agilely to dangerous situations in the future, a comprehensive reporting obligation for discovered security gaps is necessary. Furthermore, “a really independent advisory” BSI is needed.

Konstantin von Notz, deputy leader of the Green parliamentary group, has also been calling for “real proactive measures” for more IT security for years: “These include, among other things, a renouncement of state trading in security loopholes, end-to-end encryption and the strengthening of independent supervisory structures.” Norbert Pohlmann from the eco-Verband der Internetwirtschaft emphasized: “Both the private sector and the public sector must give IT security the highest priority even more intensively than before and think along in all IT projects at all times.”
