Federal Government: IT Security in the Chancellery is Over-Classified
According to the executive branch, info on IT infrastructure in the Chancellery would endanger national interests. Attackers could get clues.
The Federal Chancellery in Berlin signals transparency. Architecturally.
(Image: Rico Markus/Shutterstock.com)
The German federal government considers the security of the Chancellery's ICT systems to be a state secret. It therefore refuses to disclose essential information about the IT security of the government headquarters. The government justifies this exceptional step in its now published response to a request from the AfD parliamentary group: All information on the subject touches upon such sensitive confidentiality interests that national interests outweigh the parliamentary right to information.
Even classifying the information as a classified document (VS) and depositing it with the Bundestag's security clearance office would be too risky, the Chancellery says. Because even a minor risk of disclosure cannot be accepted under any circumstances.
The IT security situation is "tense to critical". State actors and other criminals are professionalizing their methods and acting increasingly aggressively. The situation has been further exacerbated by Russia's war of aggression against Ukraine and the resulting increase in attacks on allies like Germany. The constantly growing complexity of the IT landscape and increasing networking also expand the attack surfaces.
Federal IT would be enormously endangered
The publication of details about the resilience and protective measures of the federal IT would significantly endanger it, writes the Chancellery. Information about, for example, the number, location, and equipment of data centers, the results of technical security checks, and the development of IT security departments could provide potential perpetrators with concrete clues about the protective measures used in the Chancellery. Especially with other government responses and using AI techniques, attackers would be able to specifically identify vulnerabilities and derive concrete attack vectors from them.
Videos by heise
Such a disclosure of the defense strategy would dramatically worsen the situation in terms of threat, attack surface, endangerment, and damage, the non-response states. This could "immediately jeopardize the ability of the federal government to act".
BSI is against Security by Obscurity
The Chancellery only provides individual operational details: All relevant data centers have emergency power supplies. The functionality of the Chancellery is secured by redundant systems.
Criticism from the Federal Court of Auditors is considered in a continuous improvement process. Currently, no positions in the IT security area are vacant. In general, the government sees the necessity to particularly protect the IT systems of the Chancellery, which is reflected in the draft for the implementation of the NIS 2 directive.
Security by Obscurity does not work as a primary or sole security strategy, according to experts, as it only slows down attackers for a short time at best. The Federal Office for Information Security (BSI) warns against it, as attackers use automated tools and regularly find vulnerabilities in hidden systems.
(ds)
