Berlin. The first draft of a new IT security law was in circulation in Berlin more than a year ago. “Cyber attacks continue to pose great danger for the state, economy and society,” it said at the time, which suggested a certain urgency for the project.
Still, nothing happened for months. The government was paralyzed by the dispute over the security criteria for the 5G network. The ministries clashed in particular over the question of whether Chinese technology providers such as Huawei should also be allowed to equip the infrastructure for the fifth generation of mobile communications. The Federal Ministry of the Interior is now making a new attempt to settle the dispute.
It has sent a new version of the so-called IT Security Act 2.0 to the ministries involved, which contains an important concession to the Huawei critics: a review of the trustworthiness of 5G providers.
There will still be a need for discussion, but the Interior Ministry expects that the departmental coordination can be completed before the summer break. This would clear the way for one of the most important projects of Federal Minister of the Interior Horst Seehofer (CSU): the upgrading of German cyber defense.
With the reform, Seehofer is drawing lessons from the 2017 cyber attack with the WannaCry malware, as well as from the attacks on the internal network of the Federal Foreign Office in 2018 and on the IT system of the Bundestag in 2015, for which Russian hackers are suspected.
“Although the total number of attacks is stagnating at a high level, they are becoming more and more sophisticated in terms of quality and therefore also more dangerous for all those affected,” says the Ministry of Interior’s hazard analysis.
IT security label for consumers
In order to be better armed in the future, the draft law provides for a substantial strengthening of the Federal Office for Information Security (BSI). The Bonn authority is to get 583 additional jobs and new skills.
“In order to counter cyber security incidents as a whole, the powers of the BSI to protect the federal administration are being expanded, for example with the creation of powers to detect malware to protect government networks,” the draft law says.
In addition, the BSI is to be expanded to include a department for consumer protection. Among other things, an IT security label is to be developed there. “This enables a well-founded purchase decision,” writes the Interior Ministry. Consumers should “be able to take IT security aspects into account in a simple way when choosing their IT products”.
The draft law excludes the topic of “active cyber defense”, i.e., the question of whether the state can react to cyber attacks with counter-attacks. The Interior Ministry has long been calling for the competencies of the security authorities to be expanded accordingly.
However, this would require an amendment to the Basic Law, as the responsibility so far lies with the federal states. It is unlikely that an agreement can be reached in this legislative period.
There is no clear statement in the draft law
The coalition welcomes the start of the departmental coordination. “It is a good thing that the draft is finally available, since cybersecurity is a matter of the highest importance,” said Union parliamentary group vice-president Thorsten Frei. “Many aspects will now be discussed between the departments. Especially with a view to the 5G network.”
The SPD also sees considerable need for discussion here.
The Social Democrats had already agreed last December on security criteria that de facto exclude Chinese providers. “The bill is a step in the right direction, but many questions remain open,” said Falko Mohrs, 5G rapporteur for the SPD parliamentary group. From the perspective of the SPD, it is clear that providers who are subject to the influence of authoritarian states cannot be classified as trustworthy.
The draft law does not provide for such a definition. It only says that a purely technical review of critical components is not sufficient to assess the trustworthiness of a manufacturer and to guarantee the security of the networks.
“Neither component certification nor a review of security concepts” would offer “100% certainty that the manufacturers will not implement abusive access to hardware and software that enable sabotage or espionage,” the draft says. The Ministry of the Interior reserves a great deal of discretion for itself.
German providers rely on Huawei despite warnings
While the departmental coordination is ongoing, the ministries involved do not want to make any official statements. But it is clear that controversial negotiations are imminent. It is unclear whether the government will really be able to agree on a cabinet draft by the summer break.
The major German telecommunications providers lost patience long ago. Despite all political warnings, Deutsche Telekom and Vodafone are relying on close cooperation with Huawei when expanding their networks.
They accept the risk that they will have to replace certain components later. The question of whether the proposed new regulations will result in Huawei being excluded from critical network areas has still not been answered.
According to the draft so far, the Ministries of the Interior and of Economics are to decide on the trustworthiness of 5G providers, which is unlikely to be acceptable to the Federal Foreign Office or the SPD parliamentary group. A compromise could be to have the Federal Security Council, which meets in secret, make the decision.