Permission for Hackback: Cabinet Paves the Way
The cabinet has paved the way for new powers: the Federal Criminal Police Office will be allowed to disrupt or destroy attackers' IT systems in the future.
The law to strengthen cybersecurity is a “milestone for Germany's security architecture,” said Federal Minister of the Interior Alexander Dobrindt (CSU). This is because it introduces “active cyber defense” as a “core component.” “We strike back; we neutralize the threat. If we are attacked, we will be able to disrupt the attackers and destroy their infrastructure.” Politically, this new authority for the Federal Criminal Police Office (Bundeskriminalamt) is justified by the changed security situation and the increased urgency.
“Active Cyber Defense” Should Not Be Hackback
It is controversial that, according to the federal government's intention, suspected attacker systems may in future be disabled or manipulated for the purpose of threat prevention. “Until now, we have reacted to attacks by trying to redirect them to harmless areas of the network,” explains Dobrindt. “That is effective, but so far it is the only form of active defense.” In the future, software and servers of attackers abroad will also be targeted, which in his view represents a qualitative difference. The planned measures are a necessary supplement to everything else already being done, from hardening IT systems to legal obligations for better IT security, for instance under the NIS2 rules.
Critics see the regulation as granting the authority for hackback, whereby systems can be infiltrated at an early stage. However, since professional attackers regularly use third-party devices, the measures would not affect the perpetrators but third parties. Federal Minister of the Interior Alexander Dobrindt (CSU), however, considers this fear unfounded. The minister sees no danger of unintentionally crossing the boundaries of what is permissible under international law.
Yardstick: The Unattended Suitcase
Hackback is an indiscriminate retaliatory strike, whereas this is about concrete threat prevention by the Federal Criminal Police Office, the Federal Police, and the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik). Therefore, no amendment to the Basic Law is necessary, said the minister. “We are not randomly targeting servers, but it must be clear that the threat originates from this server structure.” Who exactly is behind the system is irrelevant for this. The minister draws an analogy: “If an unattended suitcase poses a threat, we intervene and do not first investigate who owns the suitcase.” Today, however, it is often already known to whom the attacking devices can be attributed.
From IoT devices to servers and hijacked cloud instances, the BKA will in future be able to intervene early and stop attacks such as DDoS campaigns before they start, for example by identifying and neutralizing command-and-control servers.
Criticism from Civil Society
Following the plans for data retention, the implementation laws for digital evidence, and the data analysis and biometric internet comparison powers, this is already the third major package with which the black-red federal government intends to grant police and public prosecutors further powers. There is sharp criticism from civil society regarding parts of these plans, which are also to be passed by the Bundestag in rapid succession.
(wpl)