New German cybersecurity guidelines harbour even more surveillance and centralised powers
The Federal Cabinet today approved the new “Cybersecurity Strategy for Germany”. The draft, prepared by the Federal Ministry of the Interior, is to be in place for five years and replaces the previous version from 2016. The document describes four different guidelines. Cybersecurity is to be understood as a joint task of the state, business, science and society. Associations as well as citizens themselves should also find “common answers” to cyber threats. Under the heading “Digital Sovereignty”, the Federal Government wants to invest more in research and develop cyber security into a quality feature “Made in Germany”.
According to the paper, the authorities are observing a significant increase in cyber attacks, which are often accompanied by extortion, fraud, insults or “disinformation”. In the area of cybercrime, so-called ransomware is increasingly being used to block data or entire systems. Distributed denial of service (DDoS) attacks are also widespread, with which servers and networks are overloaded and thus paralysed. The Ministry of the Interior cites state-motivated attacks, such as cyber espionage or cyber sabotage, as further dangers.
Finally, the Federal Government warns of “hybrid threats”. The term has been in vogue since the Crimean crisis in 2014 and refers to disguised state attacks or actions by non-state actors acting on behalf of or in the interests of other governments. Their cyberattacks could, for example, spread “discredit or disinformation” in order to damage a country’s economy.
The guidelines, which are not very concrete, are formulated in 44 “strategic objectives”. Many of them sound harmless or sensible, such as promoting digital literacy among citizens or making security solutions user-friendly. In essence, however, the cybersecurity strategy is a hodgepodge for even more surveillance and centralised competences.
For example, the Federal Office for Information Security (BSI) is to be given “well-equipped operational units” to detect and combat cyber attacks. The Federal Criminal Police Office (BKA) is to intensify its “prosecution in cyberspace” and become a central service provider also for the federal states. The secret services will also be given more power and their “advance reconnaissance” will be strengthened. They will also be responsible for so-called attribution, i.e. naming the authors of an attack.
Measures against secure communication are particularly restrictive. In order for police and intelligence services to be able to access messenger services, providers such as Signal, Telegram or WhatsApp are to weaken their encryption and hand over content on request.
Finally, the document also regulates the exploitation of faulty software. For the use of state Trojans, the authorities need so-called zero-day vulnerabilities, which then act as a backdoor to computers or phones of targeted persons. For the first time, the cyber security strategy takes a uniform approach to this nationwide.