BSI on Cybersecurity: Stably Insecure
The current BSI situation report reveals glaring problems – while the responsible minister hopes for the effectiveness of new measures.
(Image: muhammadtoqeer/Shutterstock.com)
The presentation of the so-called situation report has been a firm fixture in the Berlin calendar for years. Traditionally, the Federal Minister of the Interior and the President of the Federal Office for Information Security (BSI) present the state of IT security and the measures intended to help with the problems.
The main message Federal Minister of the Interior Alexander Dobrindt (CSU) brought this time: The BSI and its president are doing important work. “We have plans to significantly strengthen the BSI,” said the minister, who is the superior of BSI President Claudia Plattner. The budget of the Bonn-based authority is set to increase by 65 percent next year. This is partly due to new responsibilities: With the Cyber Resilience Act, the BSI will for the first time become a market surveillance authority.
In the future, the BSI will be responsible for the IT security of networked products, from small consumer devices to components used in critical infrastructures. The BSI will also take on significantly more responsibilities in 2026, because with the upcoming adoption of the NIS2 Implementation Act, around 30,000 organisations will be subject to extended IT security requirements. Audit powers, consulting, and incident response are to be handled by the BSI. The BSI will also take over cybersecurity for the federal administration in the role of the so-called CISO Bund.
Security problems in the federal administration
Federal Minister of the Interior Alexander Dobrindt states clearly that the situation requires more action. One threat lies in “attacks by state-controlled groups that are geopolitically positioned, and Germany is one of the top targets in the area of cyberattacks,” said the Interior Minister; after the USA, India, and Japan, it is the fourth most targeted country. The federal administration itself offers a good target, as the BSI situation report shows: “In the current reporting period, software that has already reached the end of its life cycle is still sporadically used—in less than 10 percent of IP addresses.” With the CISO role, a stricter approach by the BSI could become possible here. “Here you go, Ms. Plattner,” said Minister Alexander Dobrindt, passing the question on when asked about Windows 10 in the federal administration. She pointed to the options for extending the operating system's support lifetime, but also to the need for new approaches.
Overall, patching behavior is clearly in need of improvement. “Attack surfaces that are still insufficiently protected,” such as 30,000 vulnerable Microsoft Exchange servers, have been identified by the BSI, reports Plattner. In March 2024, the BSI knew of only 17,000. Every day, 119 new vulnerabilities come to the authority's attention. The good news from Claudia Plattner's perspective: The resilience of critical infrastructures is gradually increasing, albeit with a lot of room for improvement. “We are making progress,” said the BSI President, who has been in office since mid-2023. Attackers deliberately look for the laggards: “The devil takes the hindmost,” as she put it. Recently, there have been repeated problems with software that is actually supposed to provide security, for example products from VPN vendors.
No hackback, only destruction of attack infrastructure
To prevent this as well, Alexander Dobrindt wants security authorities to intervene as early as possible. What he is planning is, he insists, not a hackback. It is about creating “new powers for the security authorities” that also make it possible “to take the infrastructure of attackers offline, to disrupt it, to destroy it.” This should also be possible if the attackers are located outside the Federal Republic. “This is not a hackback,” says Dobrindt. It is about disruption and destruction in the course of threat prevention. Whether the affected party on the other side will see it the same way remains to be seen. Since responsibility for this will likely not lie with the BSI but with other authorities, the BSI's role here is more indirect: the Bonn-based authority would then probably have to deal with the reactions to this “active cyber defense.”
The BSI report again highlights that geopolitical tensions have an impact down to the product level. It states, for example, that “concepts for the cyber-secure implementation of tenant electricity models, energy sharing, charging infrastructures, as well as for self-consumption optimization and flexible storage utilization must be developed together with the industry and involved authorities and implemented according to the state of the art”, because a large number of small devices networked via the cloud does not automatically cause anything to be classified as critical infrastructure, even though their aggregate matters.
Critical legislation and decentralized criticality
This fundamental problem affects not only energy supply products but also, for example, cars and security technology such as video cameras. Certification alone can hardly solve this problem, as many products regularly need to receive updates, including security updates, as Claudia Plattner described that morning:
“For many products, we don't need to talk about backdoors, but about front doors.” Products from China are increasingly in focus, says Plattner. “In addition, the manufacturer collects this data that you produce on this device on a server,” warns Interior Minister Alexander Dobrindt. “Access to this can be possible from various sources.” How relevant this is is often not immediately foreseeable, says Dobrindt; only in combination does it become an issue, for example in the protection of critical infrastructure. “Often, the malicious assumption one can have is not that far from reality.”
But what follows from this? For Claudia Plattner, the concept of control layers is crucial: layers through which the inflow and outflow of data can be controlled and, if necessary, operational capability can be maintained independently of the provider. A great deal depends on the individual components, which is why the focus is now on them, explained Alexander Dobrindt about the current approach; in critical infrastructures, there could be positive lists (allowlists of approved components) in certain areas.
Dobrindt does not expect a ban on Chinese cars
The further procedure will be spelled out more precisely by the new NIS2 rules, which the Bundestag is to pass this week. But these, in turn, will only apply to specific critical infrastructures. Could a consequence of the discussion ultimately be an operating ban, for example for Chinese cars? “No, I don't expect that,” said Alexander Dobrindt that morning in Berlin.
One thing the NIS2 law delivers only to a limited extent, but which the opposition would like to see: “To avoid serious conflicts of interest, it remains absolutely necessary to make at least parts of the BSI independent,” demand Jeanne Dillschneider and Konstantin von Notz from the Greens. How the independence of the authority is ensured at critical points of its activity when political wishes and technical assessments clash has already been the subject of discussions in the past.
(wpl)