Exclusive
Status: 13.10.2022 06:20 a.m
His proximity to a controversial lobby group and the process of certifying dubious software put BSI boss Schönbohm under pressure – his replacement is becoming more and more likely.
By Georg Heil and Daniel Laufer, rbb
Federal Minister of the Interior Nancy Faeser did not want to commit himself on Wednesday when she was asked whether BSI President Arne Schönbohm would be replaced. “I’m currently examining the events that were in the press over the weekend. I can’t say more about that today,” said the minister.
Schönbohm is under pressure for several reasons. It’s about the question of whether his agency might not have taken a warning from the Office for the Protection of the Constitution seriously enough. And he has been criticized for not keeping enough distance from a dubious club whose chairman is a personal friend. According to information from contrasts and time” According to the Federal Ministry of the Interior, Schönbohm’s days as head of the BSI are numbered.
Possible links to Russian intelligence
The current debate about Schönbohm picked up speed after the “ZDF Magazin Royale” in cooperation with the research platform Policy Networks Analytics reported on the company Protelion GmbH from Berlin, which had submitted one of its products to the BSI for certification. The company is linked to the Russian software group OAO InfoTeCS, which in turn is said to be linked to Russian secret services.
Protelion operated under the name Infotecs Security Software GmbH until March 2022. There were conflicts about the certification process because the Federal Office for the Protection of the Constitution warned the BSI about the company, but apparently did not get through to the BSI. Until it was expelled on October 10, 2022, Protelion GmbH was also a member of the “CyberSicherheitsrat Deutschland eV” (CSRD), an IT lobby association that was originally founded by Arne Schönbohm himself and his friend Hans-Wilhelm Dünn.
Club president maintained lively contacts to Russia
As early as 2019, joint research by the ARD political magazine Contrasts and the weekly newspaper “Die Zeit” showed that the president of the association and longtime confidante of Schönbohms Dünn maintains close contacts with Russia.
CSRD President Dünn took part in the 2018 presidential election in Russia as an “election observer” at the invitation of the Russian State Duma. In 2019, at a specialist conference in Garmisch-Patenkirchen, he spoke out in favor of closer German-Russian cooperation in the cyber area. The conference was organized by a Russian association for information security and, according to German security authorities, had a clear “intelligence service background”.
On the fringes of the conference, Dünn signed a letter of intent for cooperation with the Russian association. From the Russian side, the document was signed by Vladislav Sherstyuk. In the 1990s, the former KGB employee headed what was then the Russian intelligence agency FAPSI.
Ministry of the Interior did not want the association to be upgraded
The Federal Ministry of the Interior (BMI), to which the BSI is subordinate, had already made it clear in writing in 2015 that the controversial association CSRD should not be upgraded. Nevertheless, in 2019, Dünn published a joint photo of himself and Schönbohm on his Twitter account, which was taken at a trade fair. In addition, Schönbohm recently took part in a CSRD anniversary event. He had received approval from the BMI for this – but this is now classified as a mistake in the federal government.
According to research by “Zeit” and contrasts Hans-Wilhelm Dünn even came to the attention of German counterintelligence at times as part of a constitutional protection measure codenamed “Operation Steinbeis”. The intelligence officers observed a Russian businessman from Berlin, whom they believe to be an agent of the Russian intelligence service FSB. The man apparently maintained close contact with Dunn at times, but the operation was not directed against him. The “Operation Steinbeis” brought no usable evidence and was finally discontinued for legal reasons.
At the request of “time” and contrasts Dünn explained: “I am not aware that a counter-espionage operation is being carried out against a person I know. Since I do not know which person is involved in the suspicion you have expressed, I cannot provide any information on the current or future relationship If the suspicion expressed is verified, I would break off contact with the person concerned immediately.” The BfV did not want to comment on the “Steinbeis” operation.
In the former Russian interception intelligence service FAPSI worked after research by contrasts and “Zeit” also Andrey Chapachev, who founded OAO InfoTeCS in Russia in the early 1990s and had started his career with the KGB in 1982. Chapachev was after contrasts and “Zeit” research also temporarily managing director of the German company Infotecs Security Software GmbH.
Backdoor security software
Chapchaev’s OAO InfoTeCS was targeted by American intelligence agencies in the 1990s. At that time, a subsidiary of OAO InfoTeCS in the USA apparently tried to sell software to the US government. However, an analysis had shown that this apparently had a so-called back door, which gave unauthorized access to data. When an Irish subsidiary of OAO InfoTeCS wanted to sell encryption software to US secret services, the Americans apparently found such a back door, which they attributed to FAPSI.
US Secret Service warns the Office for the Protection of the Constitution
After research by contrasts and “The Time” a US secret service warned the Federal Office for the Protection of the Constitution (BfV) in 2017 about the corporate network around the Russian parent company. In 2019, the Office for the Protection of the Constitution noticed by chance on the BSI’s homepage that the German subsidiary wanted to have its ViPNet Crypto Core 2.0 software certified by the BSI. The BfV then made representations to the BSI, pointed out the security concerns and attempted to end the certification process. But the BfV did not initially get through to the BSI.
BSI referred to its own responsibility
The BSI is said to have referred to its test responsibility and that it was a technical test. In any case, the certification process continued – for almost two more years. The security concerns of the constitutional protectors were apparently not fully shared in the BSI. Only when the Office for the Protection of the Constitution involved the Federal Ministry of the Interior was the certification of the software rejected on March 13, 2021. Protelion lodged an objection to the “refusal of certification”, and the process is still ongoing today.
“It was a purely political decision by the BMI,” Protelion CEO Waclaw told Zeit contrasts. Dhe BSI did not find any weaknesses in the software. At the request of “Zeit” the Federal Office for the Protection of the Constitution wanted and contrasts not comment on the events. The BSI referred to the Federal Ministry of the Interior.
According to information from contrasts and “Die Zeit” were also topics yesterday in the secret parliamentary control committee of the Bundestag.
Cooperation: Andrea Becker, rbb