National IT security: CDU Economic Council meets on "Cybernation Germany"

Contents

Cybernation: this is the term that Claudia Plattner, President of the German Federal Office for Information Security (BSI), has been using for almost two years to call for greater awareness of cyber security and digitalization issues. The idea: as many state and private players, institutions, and levels as possible should address the issue of cyber security together. When she took office, Plattner reported that it was by no means self-evident in government circles that cyber security is also a matter of national security.

At a two-day event with representatives from politics and business in Berlin, the Economic Council of the CDU now embraced this idea – an association that some observers consider to be the current leading think tank for CDU economic policy. Cybersecurity is not a purely technical discipline but also a question of location and trust, explains Astrid Hamke, President of the Economic Council. She sees economic opportunities: “Innovation in security technology can become a real export hit.” The panelists at the Waldorf Astoria Hotel left no doubt that politics also plays a key role in this.

Cybersecurity companies too small for politics

There is already a relevant cyber security industry in Germany today. However, as Torsten Henn from Secunet describes, it often plays in the middleweight class at best. With 1,100 employees, an annual turnover of 400 million euros, and a stock market value of around 1.4 billion euros, his company is simply too small from a political perspective to be perceived as a relevant player in terms of industrial policy.

The fact that the state plays a key role both as a customer and as a regulator characterized parts of the discussion. “Many ambitious projects have also failed because we were unable to generate the buying power in time,” reported Iris Plöger, who is responsible for digital issues at the Federation of German Industries. The state also plays a role here, particularly when it comes to the requirement for digital sovereignty.

CDU member of parliament Henri Schmidt defined this briefly as follows: “Everything must be done to avoid a vendor lock-in.” However, the 300,000 Microsoft Office users in the federal administration “will only be kicked out when I have an equivalent.” However, despite all efforts such as OpenDesk, this has not yet happened, according to Schmidt. For now, the economy and administration seem to be dependent on US providers. They are trying to address these concerns—with encapsulated and multi-layered security mechanisms or, like Amazon with its European Cloud, with a complete and infrastructurally independent spin-off of its cloud services.

Ambition level not yet defined

The extent of the discrepancy between the ambition to become a “cyber nation” and the reality is also evident in government plans on the subject. The implementation of the NIS2 Directive for operators of critical infrastructures is just one of several upcoming key decisions. The new federal government has many plans, but despite the coalition agreement, many of the responsibility issues and regulatory projects have not been defined.

The “level of ambition” therefore needs to be discussed, according to Friederike Dahns, head of the department responsible for cyber security at the Federal Ministry of the Interior. If this were defined, it would also be possible to convince the finance minister. The black-red federal government has resolved to create “tangibly more security”. But the level of threat is higher than the head of the BMI department has ever experienced in 25 years of security policy.

But nobody really knows exactly how high. This is because there is as yet no complete, centralized cyber situation picture, as representatives from the authorities and companies confirmed at the event. This is not only due to the law but also to certain authority cultures, stated BND Vice President Dag Baehr with a Lord of the Rings reference: “We tend to sit—'My'darling!' – like Gollum on our knowledge.” At least this is something that ministries and subordinate authorities would like to change.

Detection mechanisms should also be further strengthened, says Friederike Dahns. But the goal is greater: Interior Minister Alexander Dobrindt (CSU) had spoken out in favor of a “cybershield”. Dahns, who is responsible for this, explained that this should be an “automated attack defense” in which attack patterns are first detected and then fended off with active scanning in the networks. The participants did not reveal exactly what this would look like beyond the infrastructure of the authorities. However, it was reported by participants: They were investigating the possibility of making the technologies and services used by the federal government available to third parties in the future.

However, it is likely to be a few days before this kind of automatic national defense is available. Norbert Pohlmann, Chairman of Teletrust and IT security professor, emphasized that the new cyber capability plans could also endanger the cyber nation. He called on the German government to ensure that IT security mechanisms are not compromised – by weakening encryption, for example.

Warnings of uncontrolled growth

In the background of many plans is whether the current proliferation of IT responsibilities across departments and authorities threatens to accelerate further considering the debt brake exception made for the cyber security sector. There has been criticism for years, for example, from the Federal Audit Office: little effect for excessive statements. “We keep doing the same thing – and expect different results,” warned Sven Herpig from the NGO Interface, for example: posts and millions are promised, and the result is that the threat level remains high.

The conference of the Economic Council brought together many stakeholders. The CDU-affiliated association intends to write down what solutions could look like in a paper in the coming months, which will be discussed further in a confidential setting at the conference.

(mho)