Open source providers: BSI sows uncertainty in politics and business

How realistic is digital sovereignty in Germany? Claudia Plattner and her critics want it – and contradict each other on key points.

A simple headline is fueling the debate on digital sovereignty: 60 signatories from around the Open Source Business Alliance (OSBA) emphasize in an open letter that digital sovereignty is possible for Germany and Europe. The German press agency dpa had previously reported that BSI President Claudia Plattner considered digital sovereignty unattainable for the time being, a statement that she had already clearly rejected. Now Plattner is following up and also reacting to the OSBA's open letter.

The letter makes it clear that the signatories want to invest strategically in the development of open software alternatives and make the expansion of open source alternatives a priority. Furthermore, the "strategic decisions of today will determine whether we are further behind American or Chinese tech giants in five years' time, or whether we have caught up and made significant parts of our digital infrastructure more independent and resilient."

Plattner agrees with these statements, at least in part. The BSI also wants to make open source strong and develop it strategically. Consequently, the BSI's own Open Source Program Office (OSPO) was founded this year. The BSI also wants to help eliminate existing deficits in the use of open source. These include the product life cycle and security. With regard to the latter, Plattner refers to the introduction of the xz vulnerability.

The accusation that "Claudia Plattner [...] as President of the Federal Office for Information Security [should] be one of the strongest advocates of open source software and speak out in favor of the expansion of digitally sovereign alternatives instead of sowing uncertainty in politics and business with her sweeping statements" is therefore clearly rejected by Plattner. However, she cannot unreservedly agree with the OSBA's statement that "powerful and proven open source solutions [already] exist today in key areas".

Specifically, the letter refers to the areas of "cloud, low-code, communication and collaboration, BPM, AI and many more." Plattner replies: "Digital dependencies are not just about the technologies you mentioned. Let's take a look at the operating systems of mobile devices, network technologies or components in the energy sector, for example. The list could go on and on. Unfortunately, there are some areas in which we cannot rely entirely on national or European solutions as things stand today."

Consequently, she relies on digital sovereignty, which can be divided into three areas: Firstly, digital technologies that people simply want to buy in and use "out of the box". Secondly, digital technologies in which global excellence from national or European sources is sought. And thirdly, non-European technologies that can continue to be used for the time being and can be technically secured in advance in such a way that control over data and management is maintained. The latter is to be implemented with a control layer principle with as many manufacturers as possible.

Plattner explicitly sees the biggest commitment, including financially, in the second point. However, she does not see it as the BSI's task to make procurement decisions, but rather to focus on the cyber security factor. The BSI must assess this in existing products, support their development, set requirements and make adjustments. This would strengthen the European market and the local digital industry and at the same time adapt non-European products so that they can be used securely.

The extent to which the signatories around the OSBA will follow this argument is at least questionable – however, they insist that Plattner's "statement [that] US companies [are] 'ten years ahead' in terms of investment [...] repeats a marketing narrative in this sweeping way". This is "often used [...] with the aim of deterring business and administration from purchasing European solutions". Furthermore, this "argument [...] is often used politically as a justification to postpone urgently needed procurement and investment decisions".

The signatories make it unmistakably clear that they see themselves technically on a par with international competitors: "In reality, many dependencies could be reduced in the short term if politicians were to specifically consider and promote existing solutions from Europe in tenders." At the same time, they make it clear which factor they see as the biggest sticking point. The public sector must invest specifically in open source software. Federal Minister Dr. Wildberger wanted to make open source and open standards the guiding principle in the federal government's IT architecture, and the same applies to the coalition agreement.

The companies surrounding the OSBA are therefore not interested in complete independence from non-European providers, but in the procurement practices of public authorities. As Plattner explains, resilience primarily means having options, and this explicitly includes cooperation with international manufacturers, among other things. In practice, this may not result in a decision by the BSI to award contracts to non-European providers. However, it does mean that they are approved by the BSI. Its critics, on the other hand, insist that "practicable criteria for such procurement [which actually reduces dependencies, editor's note] are available; as companies and associations of the digital economy and civil society, we have been making concrete proposals on this for years."

At least the OSBA can now emphatically present these criteria to the BSI President: Plattner is inviting the signatories of the letter and wants to enter into "an open, constructive exchange" with them. After all, they are pursuing a common goal: "To make Germany and Europe digitally secure, sovereign and successful!"

The OSBA's open letter can be found here. Claudia Plattner's response is available to the iX editorial team.

(fo)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.