The federal government's „cybersecurity strategy“ is naive and dangerous.

The German federal government has recently published a strategy paper on cybersecurity. Its declared purpose is to improve the security of citizens and businesses in the country, and to equip law enforcement authorities for the digital challenges of the 21st century. However, experts have criticized the suggestions as dangerous and simplistic. People have only until Wednesday 16 June to send their comments and feedback to the federal department of interior affairs. Doing so might perhaps help avoid the worst outcomes but time is very short indeed.

Government fails again on the issue of cybersecurity

The document currently has 128 pages and is entitled „Cybersicherheitsstrategie für Deutschland 2021“ (Cybersecurity strategy for Germany 2021). It can be downloaded as a PDF here (in German only).

People may submit their thoughts using another PDF document, which invites feedback and comments on each of the individual chapters. The goal is straightforward: more efficient law enforcement, especially on the Internet. The department for interior affairs thinks it necessary to be able to „crack“ secure encryption mechanisms in order to put criminals under surveillance. Furthermore, new plans are to be developed and organizations set up whose purpose it will be to deliberately hide and obscure information about existing software bugs, security vulnerabilities, and potential backdoors. That way, developers will unlikely fix these problems so that the authorities can exploit them for their own purposes. While addressing the problems would clearly improve software security, this is not desired by the legislature, as doing so could mean not just criminal actors might be shut out but investigators as well.

This so-called „verantwortliches Schwachstellenmanagement” (responsible vulnerability management), as detailed in section 8.3.8 of the draft, clearly indicates the intention of state actors to keep citizens in the dark about security loopholes for the purpose of facilitating unfettered surveillance. However, the end does not always justify the means, even in cases where authorities justifiably require access (e.g., for investigations of serious crimes). Critics say it is incredibly naive to assume that criminals won’t find and actively use any backdoors to computer systems that are deliberately not getting fixed. The whole approach is flawed in that it opens the gates for all kinds of attackers, and because it is conducive to criminal activity rather than preventing it, with wide-ranging societal implications. The state would negligently fail in one of its core duties: To protect its citizens, authorities, and businesses from criminals.

The planned circumvention of encryption mechanisms

Similarly controversial is another idea about maintaining security both through the use of encryption and also by working around encryption (Section 8.3.9). This approach is not new and has been repeatedly criticized for absence of technical expertise and also a blatant lack of respect for the constitutional rights of citizens. The paper's characterization of the much-criticized IT bills of 2021 as “appropriate measures to adjust to technological progress” (Section 8.3.14) presents a thinly veiled attempt to further tighten laws that are likely already unconstitutional in their current form. (For example, lawful telecommunications interception, or the recent G-10 bill).

The express objective of this cybersecurity strategy is to develop technical and operative solutions for lawful access to encrypted communication contents. From our perspective, this is a direct attack not only on e-mail encryption mechanisms and so, on our customers' right to privacy. Without there being any pressing need, the government risks eroding the integrity and confidentiality of our data, as well as the peoples' trust in the constitutional state, law enforcement, intelligence services, and democracy in general.

Security for citizens or for intelligence services?

Even IT experts don't seem to be able to find anything positive in the current strategy paper: Manuel Atug, speaker of the independent working group for the improvement of IT security and resilience of critical infrastructures (AG KRITIS), went on Twitter to denounce the paper as „völlig defekt“ (entirely defective) and „ein trauriges Bild für Deutschland“ (Germany cutting a bad figure). There is no explanation of any fundamental cyberthreat situation in the draft. However, wouldn't this be a basic requirement before anyone even starts calling for the expansion of surveillance measures?

Atug criticizes those who think that state-sponsored „Trojan horses“ and back-hacking (the cyber-attacking of hackers) are appropriate measures for active defense. He also points at the obvious conflict between the objective of achieving digital sovereignty and collaborating with organizations such as „ZITiS“, who are close to the intelligence services and act as a commercial enterprise in the development and purchase of security vulnerabilities. He says the proponents of such measures have a totally warped perception of what cybersecurity is. Further, Atug explains that encryption is the only feasible way for civil society, businesses, and critical infrastructures to maintain their security, while any approach trying to circumvent or disable encryption is exclusively of interest to law enforcement and intelligence services.

In light of this, we hope many of our citizens will participate and send their comments and feedback on this cybersecurity strategy paper.

Author: Markus Feilner