Opinion: 77 people responsible – but no fuel for the emergency diesel generator
The Federal Audit Office warns: Too many agencies complicate German IT security. Yet, data center protection remains alarmingly inadequate.
(Image: MemoryMan / Shutterstock.com)
The words used by the German Federal Audit Office in a recently leaked internal report on federal cybersecurity are harsh but necessary: "The federal government's IT is not adequately protected. Budgetary resources alone cannot ensure cybersecurity."
This is followed by one slap in the face after another, in a report that makes not only IT specialists' hair stand on end. Not even ten percent of the more than one hundred data centers distributed throughout Germany, on which the federal government's IT is based, meet the minimum standards for crisis situations.
At least as far as we know, because the information available is already inadequate: the BSI, which is responsible for checking the security of government data centers, lacks inspectors. Only 20 of 112 inspector positions are filled, with just three covering the entire country. The fact that some data centers do not even have enough fuel for the required emergency power supply is therefore only the tip of the iceberg. It is not even entirely clear how many of the IT pillars are in poor condition.
However, this is not the most important finding of the Federal Audit Office's report; it would be too simplistic to just shake our heads at the lack of redundancy, fuel canisters, and inspectors. The core of the report is that the cart is being put before the horse.
The federal government's third cybersecurity strategy was not based on an analysis of the deficits. Instead of identifying problems that needed to be resolved, the federal government created numerous institutions that are all somehow responsible for cybersecurity. Now, the cybersecurity architecture is characterized by a "jungle of institutions and responsibilities."
Another damning verdict, and a necessarily harsh one. The Federal Audit Office now counts a total of 77 institutions at the federal level that have a say in IT security. However, they do not have a common database, nor do they communicate with each other to any great extent. The graphic compiled by Dr. Sven Herpig and Frederic Dutke at cybersicherheitsarchitektur.de gives an idea of the excessive number of responsibilities.
(Image: Sven Herpig, Frederic Dutke via Stiftung Neue Verantwortung e. V.)
And while the Interior and Digital Ministries "essentially agree" with the conclusion that there are clearly too many players involved, they are once again passing the buck to higher authorities. Many of the institutions that have been created are required by EU regulations. While this sounds perfectly reasonable (the EU institutions form the large block in the upper third of the chart), it also seems like an admission that effective implementation has been botched – see the current NIS2.
In this case, the fish has not one but many heads, none of which smell very good anymore. If there are more security authorities than security controllers, then something is wrong. Anyone who wants to can dig into their own experience to see how willing they would be to push forward a project involving 77 parties and no uniform database. Digital Minister Wildberger recently put it aptly in an interview with Tagesthemen: "Scale everything back a bit so that oxygen can get in again." That would make sense. And a little more fuel for the emergency generator, please.
This commentary is the editorial from the new iX 8/2025, which will be published on July 25.
(kki)