Germany's federal authorities should at least report security vulnerabilities
Federal authorities are to report known security vulnerabilities to the BSI. The "Huawei clause" will be significantly expanded.
Federal authorities are to report IT security vulnerabilities to the Federal Office for Information Security (BSI) as soon as they become aware of them and "insofar as this does not conflict with other statutory regulations". The SPD and Green negotiators who remained in the coalition following the departure of the FDP have agreed on this rule. It is to be added to the BSI Act as a new subsection 6 of Section 43.
The draft is available online at heise. The traffic light coalition started with the promise in the coalition agreement to strengthen IT security. According to the agreement, the state should "not buy or keep open any security gaps", but "always strive to close them as quickly as possible" under the leadership of a more independent BSI. At the same time, the intervention thresholds for surveillance software such as state Trojans should be raised and the existing powers of the police should be restricted.
However, a working group of interior policy experts from the coalition parties and the Federal Ministry of the Interior (BMI) failed for months to find common ground on the issue of vulnerability management. It was not until the spring that an agreement seemed within reach. Before the summer break, the three parliamentary groups did in fact reach an agreement, but the way the BMI subsequently put the compromise into words was particularly unacceptable to the Greens and the Liberals, because it left too many loopholes for security authorities to exploit vulnerabilities.
No comprehensive statistics
As part of its draft for the implementation of the EU Network and Information Security Directive, known as NIS2, the German government then proposed a Section 43 (5) in the BSI Act. This does not go as far as the additional subsection 6 now agreed by the SPD and the Greens. Under the government's approach, vulnerabilities only have to be reported if information about them is "important for the fulfillment of tasks or for the security of federal communications technology". There is also a range of exceptions, which even refer to "confidentiality or agreements with third parties".
There is not even supposed to be any useful data on the extent of the problem: the Federal Intelligence Service (BND) and the Federal Office for the Protection of the Constitution (BfV) are to be exempt from the requirement to keep annual statistics on known security vulnerabilities.
No "non-transparent" disclosure of security gaps
According to the red-green agreement, the more far-reaching subsection 6 is to be added. However, this compromise establishes only a reporting obligation and therefore does not generally rule out security authorities deliberately keeping gaps open in order to use them, for example, to install state Trojans on third-party devices. In 2021, the Federal Constitutional Court called on legislators to regulate how government agencies deal with vulnerabilities in order to give effect to the fundamental right to confidentiality and integrity of IT systems.
The Greens would have preferred a formulation "that prioritizes general IT security in Germany", Konstantin von Notz, deputy leader of the parliamentary group, and his colleague Misbah Khan, who was involved in the negotiations, told heise online. However, more was not possible with the SPD. Nevertheless, the compromise "would lead to a significant improvement compared to the status quo: It is important that the legislator sets out a clear line for dealing with vulnerabilities known to the state."
The previous practice of non-transparently keeping vulnerabilities open on the basis of mere administrative regulations, which threatened to cause major economic and security policy damage, would no longer be possible. Comprehensive exceptions to this principle have been averted.