Federal Audit Office: Security level of federal IT "inadequate"
Federal Audit Office report criticizes IT security: Few government data centers meet even minimum standards, exposing shortcomings in federal infrastructure.
The security of federal IT is in a poor state, according to a confidential report by the Federal Audit Office, as reported in Der Spiegel. According to the report, fewer than ten percent of the 100 federal data centers meet the minimum standards, and in many cases not even emergency power is guaranteed. The security level of the data centers is "inadequate" overall, according to the auditors.
Another factor is that critical IT services are often not geo-redundant, i.e. not based on infrastructure in more than one location. Without such resilience, core state functions such as social services could not be maintained in the event of a crisis, the auditors warned in their report to the Bundestag's budget committee, according to Der Spiegel. Their conclusion: "The federal government's IT is not prepared for the current threats." The federal government should therefore "realign the entire cyber security strategy".
Jungle of responsibilities
The Bundesrechnungshof has identified a "jungle of institutions and responsibilities" for cyber security as a problem factor. There are currently 77 state authorities and institutions, and the number of players has been growing steadily for years. At the same time, however, the Court of Audit's audits found "a lack of or insufficient cooperation" between all of these institutions.
Among other things, the audit authority questioned the national cyber defense center founded in 2011. There is no evidence that it provides any added value. In any case, it "has not yet lived up to the expectations raised by its name".
Success of the cyber security strategy "unclear"
Furthermore, the auditors do not have a good opinion of the Federal Ministry of the Interior's cybersecurity strategy. This was presented in 2021 by the then Federal Minister of the Interior Horst Seehofer (CSU) and expanded by his successor Nancy Faeser (SPD).
Existing deficits had not been analyzed, nor had the federal government determined the personnel and expenditure requirements. It was "unclear" whether the strategy had contributed anything to improving the German security situation.
The auditors are calling on the new German government to analyze and streamline the existing cybersecurity architecture. The government should "centrally control" its measures and ensure better expenditure control. Billions in investments made possible by the exemptions in the debt brake should also benefit cybersecurity. However, the Court of Audit warns that "more money" does not automatically lead to more security.
Ministries "essentially" agree
Statements from the Federal Ministry of the Interior and the newly established Ministry for Digital and State Modernization at the request of the iX editorial team are still pending. According to Der Spiegel, both ministries "essentially agreed" with the finding of a lack of crisis resilience in preliminary statements, which are part of the ACA report. The many distributed responsibilities criticized by the Court of Audit are also due to European requirements. And the criticized cyber defence center is a cooperation platform without powers, but one that is to be "further developed".
The Federal Audit Office merely confirmed that a corresponding advisory report had been submitted to the Budget Committee of the German Bundestag. As this was a classified matter "for official use only", no further comments could be made.
(axk)