Insufficient answers: AG KRITIS analyzes party positions on IT security

On the occasion of the Bundestag elections, the KRITIS working group analyzed the parties' positions on cyber security.


On the occasion of the early federal elections, the KRITIS working group analyzed the parties' positions on cybersecurity based on election test stones (Wahlprüfsteine, questionnaires put to the parties before an election) and also sent its questions to all of them. “Regrettably, the democratic parties did not answer our inquiry in terms of content, but referred to a cross-party consensus according to which election test stones are only accepted and answered by 30 non-transparently selected organizations. We criticize this approach,” says the KRITIS working group. Only the Sahra Wagenknecht Alliance responded directly to the specific questions on IT security, resilience, and crisis preparedness.

The questions ranged from the parties' stance on exemptions in the “state and administration” sector regarding the legislation implementing the NIS2 directive and in the KRITIS umbrella law, to the reform of criminal computer law to provide legal certainty for volunteer IT security researchers.

Another focus of the questions was on the personnel and competence requirements in the IT sector within the state and its administration. The parties were asked how they intend to promote personnel development and skills training and what their position is on a reform of the collective wage agreement for the public sector (TVöD), which would bring the salary levels of IT specialists closer to the market economy reality.

The issue of the independence of the Federal Office for Information Security (BSI) was also addressed. The parties were asked to present their concepts for implementing this goal. They were also asked for their assessment of whether Germany has sufficient coping capacities for major incidents caused by cyber incidents, and to explain their position on the implementation of the “Cyber Relief Organization” concept and the feasibility study currently underway at the Federal Agency for Technical Relief (THW).

Due to the lack of answers, the KRITIS working group attempted to answer its questions to the parties based on their election manifestos. Among other things, it emerged that the SPD is planning a KRITIS umbrella law for nationwide and cross-sectoral requirements for the protection of critical infrastructures. It also wants to strengthen the links between local authorities, federal states, the federal government and operators as well as the powers of the security authorities. The BSW is calling for effective cybersecurity and uniform IT security standards, with a particular focus on smaller municipalities and specialized institutions at state level. The FDP emphasizes protection against foreign influence, the principle of “security by design” and calls for liability for security gaps as well as structured vulnerability management.

The AfD is calling for a federal strategy for digital sovereignty with open-source technologies and federally owned hardware and software. The CDU/CSU is planning a federal digital ministry to bundle responsibilities. The Greens and the Left Party have not made any concrete statements on this topic. The CDU/CSU wants to establish the BSI as the third pillar of the cybersecurity architecture alongside the Federal Office for the Protection of the Constitution and the Federal Criminal Police Office under the leadership of the Ministry of the Interior. The SPD plans to expand it into a central office with increased powers to combat cybercrime. The Greens are calling for a law to strengthen cybersecurity and a more independent role for the BSI. The Left Party and the BSW also support the independence of the BSI, although the BSW is calling for it to be upgraded to a supreme federal authority with parliamentary oversight and warns of conflicts of interest due to its dependence on the Federal Ministry of the Interior.

According to its election manifesto, the SPD is committed to nationwide home office, job sharing, part-time models, permanent positions and lifelong learning as a basis. The BSW emphasizes fair pay, lateral entry opportunities and flexible working conditions. The CDU/CSU plans to use AI for more efficient administration and competitive salaries. The FDP announces exceptions to the ban on preferential pay (Besserstellungsverbot) for highly qualified specialists according to the SPRIND model. The Greens focus on modernization, automation and downsizing the ministerial administration. The Left emphasizes cooperation with trade unions and adequately financed public budgets.

The Greens want to implement the European directive on cybersecurity with minimal bureaucracy and create legal certainty for security researchers. The Left Party calls for the decriminalization of IT security research, rejects state Trojans and chat controls, and wants to close security loopholes without exception. The BSW criticizes the current regulation on “intent to identify a security vulnerability” due to problems of proof and calls for clear standards for IT security researchers.

The CDU/CSU plans to dovetail civilian and military capabilities, as well as regular cyber exercises at all levels of government. The AfD is calling for offensive cyber capabilities for the Bundeswehr. The BSW emphasizes the expansion of civilian civil protection, the role of the KRITIS working group and the connection to the THW for synergy effects. The Greens, for example, focus on modern cyber assistance and a warning infrastructure. The FDP rejects state Trojans and calls for orderly vulnerability management and the development of expertise in software and hardware. The parties differ particularly in their emphasis between security aspects and freedom and data protection rights.

Although the parties recognize the importance of cybersecurity, the approaches to solutions vary and leave a lot to be desired overall, according to AG KRITIS: “It is high time that responsibility is taken for the security of supply for the population,” says AG KRITIS spokesperson Manuel Atug. The KRITIS working group is therefore calling for the “implementation of a strictly defensive cybersecurity strategy in all municipalities, federal states and the federal government as a preventive measure, as well as the creation of real coping capacities to quickly restore supplies to the population in the event of a major incident caused by cyber incidents”.

(mack)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.