Federal Network Agency tightens security for telecom providers
The new security catalog for operators of telecommunications systems introduces "potential hazards". Strict rules apply when there is a high public interest.
Mobile communication mast: special significance of 5G networks
(Image: Jan Hrezik / Shutterstock.com)
Stricter security requirements are coming for operators of telecommunications and data processing systems. On Monday, the Federal Network Agency published the draft of a new requirements catalog and opened it for consultation. The legal basis for the comprehensive revision is Section 167 of the Telecommunications Act (TKG). The regulator wants to bring the catalog into line with the 2021 TKG amendment and with the current state of the art. The aim is to tighten the protective measures of telecommunications providers against current threats and new, technology-driven hazard potentials, not least in light of the years-long Huawei debate.
A significant change is the wider circle of addressees resulting from the revised definition of telecommunications services in Section 3 TKG. Providers of number-independent interpersonal communication services, i.e. messengers such as WhatsApp, Signal or Threema, are now covered. In future they will therefore have to take appropriate precautions to protect telecommunications secrecy and personal data.
To keep the measures proportionate, the authority assigns the obligated parties to three hazard-potential levels, each of which carries its own requirement profile. The highest level, an increased hazard potential, applies where an operator has "outstanding importance for the common good"; such operators must implement the full set of protective measures. A "normal" or "elevated" hazard potential is assumed for providers with fewer than ten employees and an annual turnover below two million euros, or with only insignificant "importance for the common good".
Government can ban critical components
The core of the tightening is the treatment of 5G networks, which the draft regards as a central new hazard potential and generally assigns to the elevated level. The regulator's reasoning is that 5G networks will form the backbone of digitized economies, connect billions of systems, and process sensitive information in critical infrastructures (KRITIS).
Operators of a public 5G mobile network will therefore have to meet additional, specific security requirements. According to the draft, they will for example be obliged to designate to the Federal Office for Information Security (BSI) the critical functions and associated components within the meaning of the law, and to have those components certified.
Under the "Huawei clause" enshrined in the law, the federal government can prohibit the use of such "critical components" if "foreseeable impairments to public safety and order" exist. Manufacturers must also provide a guarantee declaration for their components.
Huawei clause is being implemented
The planned 5G-specific rules also include requirements for diversity in the supply chain and in network construction, intended to reduce systemic risks. In addition, specific measures are to protect the identity and privacy of subscribers and to ensure the confidentiality and integrity of user and signaling data. Special protective measures against attacks on virtualized network architectures and on the use of cloud services are also included.
In Annex C, the Federal Network Agency specifies the technical requirements for packet-switched networks, whose connection to the Internet it regards as a significant hazard potential. The measures address current cyber threats such as DDoS attacks and include requirements for deploying DNSSEC (DNS Security Extensions) and protection against cache poisoning. Inter-domain routing security is to be raised through measures that secure BGP (Border Gateway Protocol) routing: the authority wants to prevent the propagation of false routing information and to stop traffic carrying forged (spoofed) source IP addresses. Further rules cover protection against malware and defenses against spam and phishing.
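The two routing-related items in Annex C, rejecting false routing information and stopping traffic with forged source addresses, are stated in the draft only as goals. As an added illustration (my own example, not code from the draft catalog or the Federal Network Agency), the following Python script shows the checks an operator would typically implement for them: RPKI-style route origin validation in the sense of RFC 6811, and BCP 38-style ingress filtering that drops packets whose source address does not belong to the prefixes assigned to the port they arrived on. The ROA table, customer prefix assignments, interface names and packets are constructed sample data; the draft does not prescribe RPKI or BCP 38 by name, so treating them as the concrete mechanisms is my assumption.

```python
"""Added example: route origin validation and source-address ingress filtering.

Both mechanisms are assumptions about how the Annex C goals would be met
(RPKI ROV per RFC 6811 semantics, simplified; BCP 38 ingress filtering).
All data below is constructed, using documentation prefixes and private ASNs.
"""
import ipaddress

# Constructed ROA table: (prefix, maxLength, authorised origin AS).
# A real deployment would fetch this from an RPKI validator cache.
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("203.0.113.0/24", 26, 64496),
    ("2001:db8::/32", 48, 64496),
]


def validate_origin(announced_prefix, origin_asn, roas=ROAS):
    """Classify a BGP announcement as valid, invalid or not-found.

    valid:     at least one covering ROA lists origin_asn and the announced
               prefix is no more specific than that ROA's maxLength.
    invalid:   covering ROAs exist but none matches (wrong origin AS, or the
               announcement is more specific than allowed).
    not-found: no ROA covers the prefix; most operators accept such routes.
    """
    net = ipaddress.ip_network(announced_prefix)
    covering = []
    for prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(prefix)
        # subnet_of() raises on mixed address families, so compare versions first.
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((roa_net, max_len, asn))
    if not covering:
        return "not-found"
    for roa_net, max_len, asn in covering:
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid"


# Constructed mapping of customer-facing interfaces to the prefixes the
# customer behind each port is allowed to source traffic from.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": ["192.0.2.0/24", "2001:db8:1::/48"],
    "ge-0/0/2": ["203.0.113.0/26"],
}


def ingress_verdict(interface, src_ip, assignments=CUSTOMER_PREFIXES):
    """BCP 38 check: accept only if src_ip lies within a prefix assigned to
    the ingress interface; an unknown interface has no assignments and drops
    everything, which is the safe default."""
    addr = ipaddress.ip_address(src_ip)
    for prefix in assignments.get(interface, []):
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net:
            return "accept"
    return "drop"


def filter_packets(packets, assignments=CUSTOMER_PREFIXES):
    """Apply ingress_verdict to a list of (interface, source IP) pairs."""
    return [(iface, src, ingress_verdict(iface, src, assignments))
            for iface, src in packets]


if __name__ == "__main__":
    # Constructed announcements: the /25 is more specific than maxLength 24,
    # the AS64497 announcement is a hijack of a prefix ROA-bound to AS64496.
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                        ("192.0.2.0/24", 64497), ("198.51.100.0/24", 64496)]:
        print(f"{prefix} from AS{asn}: {validate_origin(prefix, asn)}")
    # Constructed packets: the second forges a source outside the customer's
    # assignment, the fourth arrives on a port with no assignment at all.
    sample = [("ge-0/0/1", "192.0.2.7"), ("ge-0/0/1", "198.51.100.5"),
              ("ge-0/0/1", "2001:db8:1::a"), ("ge-0/0/9", "192.0.2.7")]
    for iface, src, verdict in filter_packets(sample):
        print(f"{iface} src={src}: {verdict}")
```

The "not-found" state matters in practice: because only part of the routing table is covered by ROAs, operators normally drop "invalid" routes but still accept "not-found" ones, so the protection grows only as more address holders publish ROAs. Likewise, the ingress filter is only as good as the prefix assignments it is fed; a stale assignment table silently turns into either a blackhole for legitimate customer traffic or an open door for spoofed packets.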
In essence, the draft is the technical and regulatory implementation of the political decision to significantly raise the security of German 5G networks. At the same time, it aims to reduce the risks that could emanate from components originating in states deemed not trustworthy, such as China.
Stable data connection "vital"
"Given the changing threat situation, it is understandable that the security catalog is being reviewed," Sven Knapp, head of the Berlin office of the Federal Association for Broadband Communication (Breko), told heise online. "Telecommunications providers bear a great security responsibility, as stable data connections are vital in many areas." In view of the current geopolitical situation as well, he said, operators are already investing more in IT and network security on their own initiative.
As required by law, the regulator drew up the document together with the BSI and the Federal Commissioner for Data Protection, Louisa Specht-Riemenschneider. Manufacturers and industry associations can comment on the draft until December 19, after which the rules will be finalized.
(vbr)