Signal attacks: Political reality bites the IT admin

Successful phishing attacks on Signal show: Politics is not a corporation. The IT structures in the Bundestag are complex and limited by the free mandate.


That the recent phishing attacks on politicians, officials, journalists and other actors in the capital's bubble were partially successful may still be dismissed as self-inflicted. After all, no one had to fall for these phishing attempts. However, one problem remains, and the numerous “solutions” now being put forward do not address it either.

Julia Klöckner (CDU), reportedly among those affected, has since urgently recommended to MPs the messenger Wire, which is available as an alternative on the Bundestag's official devices.

In fact, an adapted version of the messenger called “Wire Bund” has been tested by the Federal Office for Information Security (BSI) and found to be sufficiently secure to comply with the lowest level of classification in the Federal Republic of Germany. Wire Bund is approved up to the level “Verschlusssache – Nur für den Dienstgebrauch” (VS-NfD).

Wire Bund follows the principle of a closed user group: only authorized devices can be registered. Different instances can be federated to allow, for example, communication between the Bundestag and the BSI.

An analysis by Falk Steiner
A commentary by Falk Steiner

Falk Steiner is a journalist in Berlin. He writes for heise online, daily newspapers, trade newsletters and magazines, and reports among other things on digital policy at the federal and EU level.

Other services are also being promoted as somehow better: Threema, which had been somewhat forgotten, is coming back into focus; Matrix and Element are in use by the Bundeswehr as “BwMessenger”; and “Bundesmessenger”, a further development of these, could also attract more interest.

However, Klöckner's letter primarily shows what may be difficult to understand outside of Berlin's political circles: the President and the Bundestag administrators only have influence over the IT of the Bundestag administration (“Parlakom”) and its employees, but not over the MPs and parliamentary groups.

Furthermore, systems must reflect the logic of the federal administration and its security needs: secure communication takes place in encapsulated environments, and anything classified as “VS-NfD” must be handled in separate systems. Signal, for example, cannot even be installed on official devices that follow the “Secure Inter-Network Architecture” (SINA) standard, because it has not been tested.

The Commission of the Council of Elders for Information Technology and Digitization (IuD-Kommission) of the German Bundestag is responsible for security standards. It emphasizes that it must be “considered that the IT landscape of the German Bundestag represents a networked system.” There are services for MPs, parliamentary committees, and the Bundestag administration, but the parliamentary groups operate “their own information technology due to their independent status.”

The Bundestag is a parliament of freely elected representatives. And this freedom, guaranteed by the Basic Law, also means: every MP is entitled to use their own IT. The IT of the parliamentary groups is also independent, although – after some bad experiences – it is often based on the main concepts of the house.

For everyone who looks at the Bundestag primarily through the lens of IT organization, a significant part of the problem becomes apparent here: people are supposed to be able to work interoperably within the “Bundestag” environment with different work tools according to different standards.

MPs enjoy a particularly high level of protection – including from the executive. While some might not have a problem with the domestic intelligence service scanning their inbox for threat prevention or the BSI effectively configuring a firewall, this might be unacceptable to others – as it would allow control of parliament, which is itself supposed to control the executive, i.e., the authorities.

A harmless example in terms of content helps to illustrate this: the Bundestag's agenda. It must be coordinated between the parliamentary groups, usually by the parliamentary managers. They have to liaise with parliamentary group staff and MPs. And because politics doesn't just happen in the Bundestag, other actors come into play. If a minister is to speak, their ministry must be involved. From the Bundestag's perspective, this is organizationally external. Ministers are often, but not always, also MPs.

Perhaps the most difficult part: the political parties and their apparatus – with party headquarters, federal managing directors, employees. The members of the presidium, in turn, may be state premiers, federal ministers, the President of the Bundestag, or parliamentary group leaders. Then, perhaps, employee wings or the SME group may need to be consulted.

A political party is not a state organization but a private association – and is not allowed to use services from federal authorities. For their party work, however, they are allowed to use their official devices and their software for non-state functions; otherwise, it would be a use of state resources for purposes for which they are not intended.

Moreover, politicians often have multiple roles: Friedrich Merz is Federal Chancellor, party leader, MP, and a co-opted member of the board of the CDU district association in Hochsauerland. As Chancellor, he must be able to communicate with the highest level of security. As an MP, he is free; the use of parliamentary IT and group services such as shared drives is subject to the respective rules for these. As party leader and board member of his local party association, he is formally a normal citizen.

All of these are reasons why a simple “solution” – “the admin” allows a “secure messenger” and controls the infrastructure – fails due to the multitude of organizational contexts. Which is why, in reality, the private end device is often the communication tool of choice. And since communication in politics often needs to be fast and across borders, there is hardly any available, scalable alternative for this.


So it seems that the communication channels of politicians cannot be fully secured. The next phishing wave will come – and it could be even more sophisticated. It can happen to anyone. Which is why we must continue to think about security measures. This also includes the option that Signal should be able to deactivate accounts if the original owner shows signs of loss of control. The legitimate user would have to be able to notify the messenger operators. Signal, in turn, would have to be able to verify ownership of the account – at least as an optional offer when setting up an account.
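The deactivation option proposed above can be sketched as a small account registry. This is an added example, not Signal's code or protocol: it assumes a messenger that lets the owner optionally register a recovery secret at setup, stores only a salted hash of it, and later lets the owner deactivate the account and revoke all linked devices by presenting that secret. The `Registry` class, the status strings, the lockout threshold and the phone-number-style identifiers are all assumptions made for the illustration.

```python
"""Model of 'owner-initiated deactivation after loss of control'.

Added example, not Signal's code. Assumed design: an optional recovery
secret is registered at account setup; the server stores a salted scrypt
hash only; presenting the secret later deactivates the account and clears
every linked session. Failed attempts are counted so that a guesser
cannot use this channel to knock a legitimate owner offline.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

MAX_FAILED_PROOFS = 5  # assumed lockout threshold against guessing


@dataclass
class Account:
    identifier: str
    active: bool = True
    sessions: Set[str] = field(default_factory=set)
    # Both stay None unless the owner opted in at setup.
    salt: Optional[bytes] = None
    secret_hash: Optional[bytes] = None
    failed_proofs: int = 0


def _derive(secret: str, salt: bytes) -> bytes:
    # Memory-hard KDF: a leaked hash table is expensive to brute-force offline.
    return hashlib.scrypt(secret.encode(), salt=salt, n=2 ** 13, r=8, p=1, dklen=32)


class Registry:
    """In-memory stand-in for the operator's account store (assumption)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, identifier: str, recovery_secret: Optional[str] = None) -> Account:
        acct = Account(identifier)
        if recovery_secret is not None:
            acct.salt = os.urandom(16)
            acct.secret_hash = _derive(recovery_secret, acct.salt)
        self.accounts[identifier] = acct
        return acct

    def add_session(self, identifier: str, device: str) -> None:
        self.accounts[identifier].sessions.add(device)

    def report_loss_of_control(self, identifier: str, proof: str) -> str:
        """Returns 'deactivated', 'unavailable', 'locked' or 'rejected'."""
        acct = self.accounts.get(identifier)
        if acct is None or acct.secret_hash is None or acct.salt is None:
            # Owner never opted in: only a manual support path remains.
            return "unavailable"
        if acct.failed_proofs >= MAX_FAILED_PROOFS:
            return "locked"
        if not hmac.compare_digest(_derive(proof, acct.salt), acct.secret_hash):
            acct.failed_proofs += 1
            return "rejected"
        acct.active = False
        acct.sessions.clear()  # revoke every linked device, including any the attacker added
        return "deactivated"


if __name__ == "__main__":
    # Constructed walk-through: owner opted in, a second device was linked later.
    reg = Registry()
    reg.register("+49-EXAMPLE-1", recovery_secret="correct horse battery staple")
    reg.add_session("+49-EXAMPLE-1", "owner-phone")
    reg.add_session("+49-EXAMPLE-1", "unknown-laptop")
    print(reg.report_loss_of_control("+49-EXAMPLE-1", "wrong guess"))
    print(reg.report_loss_of_control("+49-EXAMPLE-1", "correct horse battery staple"))
    print(reg.accounts["+49-EXAMPLE-1"].sessions)
```

Two design points matter more than the code itself: the operator never learns the secret, only its salted hash, so a server-side breach does not hand out deactivation capability; and the lockout exists because an unauthenticated "deactivate my account" channel would otherwise be a denial-of-service lever against the very people it is meant to protect.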

The fact that a messenger like Signal is no longer seen as nerd stuff used by a few whistleblowers, but has reached politics, is actually positive. However, the events of the past few weeks should have made clear to many previously uninvolved people that users also need a rough understanding of what they are doing. And some communication discipline, i.e., thinking about what is shared with whom and when, is generally advisable.

Many names of those affected are not yet public, and very few publicly admit to having fallen for the phishing attack. Some are only noticed because accounts are unexpectedly removed from chat groups for other users, or it is pointed out offline that the account is now being operated from elsewhere.

Former BND Vice President Arndt Freytag von Loringhoven, for example, handled it more wisely and deserves recognition for it: he decided that the embarrassment weighed less than the warning to those affected and has publicly commented on it several times. This is a lesson politics can take from the everyday IT world: data breach notifications matter for those indirectly affected.

(nie)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.