Commentary on the cyber security agenda: From glossy story to national drama
Two years after presenting a cyber security agenda, the German government has become bogged down in its implementation, says Dennis-Kenji Kipker.
(Image: your / Shutterstock.com)
In summer 2022, Federal Minister of the Interior Faeser presented the national cybersecurity agenda. It makes good reading, because politically it is intended to achieve a "strong security architecture and the highest possible level of protection in cyber security". But now, two years later, there is unfortunately not much left of the high-gloss work with picture agency graphics and lots of colorful symbols.
Of the 47 projects planned in the agenda, only four have actually been implemented so far. This is according to an answer from the Federal Ministry of the Interior to a question from Anke Domscheit-Berg (Left Party) in the Digital Committee, which is available to heise online. According to this, eleven of the projects have been postponed for the time being – i.e. have not yet been started –, the rest are still being implemented, without it being clear at what stage.
No trifles, but the future of digitalization
In terms of content, this is not just about trivialities, but about central key issues for Germany as a digital location. Without cyber security, there can be no trust in technology, and without trust in technology, there can be no sensible digitalization. The cybersecurity agenda therefore talks about expanding the BSI into a central office in the federal-state relationship and making the authority more independent.
In addition, there are to be improved powers to investigate cyber attacks by foreign powers and to improve the BKA's investigative capabilities in cyberspace. The ZITiS is to be given a legal basis, investments are to be made in quantum computing for cyber-secure government communication and the principle of "security by design" is to be promoted in the federal administration. However, it is not just about public institutions, but also about how we can optimize the cyber protection of SMEs that belong to the KRITIS sector.
Splitting hairs instead of pragmatism
These topics are really big issues that cannot be dealt with from one month to the next, but we have been talking about several of the key topics for years; about the independence of the BSI, the legal positioning of the ZITiS or the reform of German computer criminal law - keyword: hacker paragraph. These are all issues that should have been tackled politically a long time ago, even before Faeser's agenda.
But instead of a pragmatic approach to cyber security, we are confronted with political demands, theses, speculations and hair-splitting, which are not intended to promote the issue, but merely the political and media discourse on it. The German government is not unimportant when it comes to cyber security, it just seems incapable of deciding clear-cut issues in favor of cyber security.
Cybersecurity has long since ceased to be just public security
In fact, the national cyber security agenda itself is the problem. This is because the federal government has placed itself in a decision-making dilemma by making it purely a matter of domestic policy: it cannot make decisions in favor of cybersecurity, no matter how pertinent they might be, if this might somehow conflict with the interests of public security now or in the future. What we therefore urgently need in this country is a national rethink on cybersecurity: cybersecurity, like digitalization, is a cross-departmental, cross-cutting issue.
The political view that cybersecurity is solely a BMI issue dates back to the 1980s, when digitalization was primarily a "state task", and is completely outdated in today's world. And while people in Berlin continue to spin on their own axis in this decision-making dilemma and continue to debate politically, the facts have long since been established elsewhere, as the threat from cyberspace is not new, but has long been real for the economy, state and society.
Acting now instead of debating
Cybersecurity is therefore neither an end in itself nor an abstract subject for political discussion, but rather the state's responsibility to guarantee security, which is enshrined in constitutional law. It must also fulfill this responsibility in terms of content, above all beyond colourful brochures and flowery political announcements. If the German government does not catch up soon, this will be more dangerous than ever, especially in these times, because if there is one thing we do not need at the moment, it is cybersecurity on paper.
(mack)