It’s a program for the next three years, and in parts it reads like a wish list. On Tuesday, Federal Interior Minister Nancy Faeser (SPD) presented her house’s cyber security agenda in Berlin. On 16 pages, it summarizes how the Federal Ministry of the Interior intends to ward off cyber threats, better protect critical infrastructure and reduce crime on the Internet.
Faeser wants to do this, as she had announced earlier, to strengthen the powers of the federal government and change the Basic Law. With the cyber security agenda, your house is “consciously planning a lot for this legislative period,” said Faeser. “But it is also necessary.”
In order to shorten cumbersome, federal information channels and to be able to act faster than before in the event of a crisis or serious cyber attacks, the Federal Office for Information Security (BSI) in particular is to be given new powers and become the digital central office. The responsibility for cyber security currently lies with the federal states, the BSI can only provide administrative assistance if necessary. In view of the growing threat, this is no longer up-to-date, the minister said on Tuesday in Berlin.
The length of Faeser’s cyber agenda reveals how critically the Federal Ministry of the Interior assesses the existing protection of state networks, but also that of company software or highly personal communication. Digital attacks, including those from abroad, are likely to “massively and permanently impair or even interrupt the functionality of our community and our economy,” it says.
Strengthening the cyber resilience of private and public infrastructures and security authorities, but also access to secure technology “cannot be postponed”, as the war in Ukraine made clear. Not only vital supply chains in the energy and food industries, but also the open, pluralistic society in cyberspace “must be protected,” said IT State Secretary Markus Richter.
Now it’s no secret that the Germans are regarded as digital late bloomers in international comparison and important structures or authorities as vulnerable. In addition, the Ukraine war has caused cyber attacks. However, the increase in malware caused by the war, the authors of which are suspected to be in Russia, turned out to be far less severe than the security authorities initially feared. Faeser’s presentation of a cyber agenda on Tuesday is likely to have another reason in addition to the Ukraine war: the minister was recently under pressure when it came to IT security.
Controversy over cybersecurity funding
The reason was the 100 billion euro package for the Bundeswehr, which the parties had been negotiating for weeks. One of the points of contention was the demand by the Greens that the special fund should also be used to finance civilian cyber security – i.e. that part of IT security that is not used for military reconnaissance but to protect power plants or hospitals, for example. The Greens failed with their funding proposal. But even the SPD interior minister, who now has to pay for the strengthening of cyber security from her own budget, temporarily got on the defensive during the negotiations. The Greens complained that Faeser was unable to name what their cyber defense strategy actually looked like – and what it cost.
Faeser was annoyed by the accusation, because the federal government had long had a cyber strategy. But now she has presented an agenda for fighting cybercrime, that of her own company. Concrete figures, such as the necessary increase in staff in authorities, are not found in the list of projects. However, Faeser emphasized on Tuesday that 115 million euros had already been made available this year in order to strengthen the networks. For the coming year, 300 million euros have been set in the budget. Overall, she assumes an investment requirement of 20 billion euros. “But we’re talking about a longer period of time.”
First of all, the Federal Ministry of the Interior now wants to bundle competencies in favor of the federal government. Because dozens of committees, hierarchical levels and authorities are currently slowing down important IT decisions in Germany, including the digitization of administration. In a crisis, this can be dangerous. The federal government’s communication should no longer take the form of administrative assistance, but stand on its own legal basis.
So far, the federal states have actually been responsible for averting danger
However, the project touches on federal sensitivities. So far, the federal states and their police have been responsible for averting danger. Depriving them of responsibilities could – similar to civil protection – cause lengthy disputes. Accordingly, Faeser’s agenda states cautiously that her house will “examine” the effectiveness of current responsibilities. However, the minister was optimistic. The problem awareness in the countries is high, the signals from there are “very positive”.
The plan is to introduce a central video conference system for the federal administration that meets the highest security requirements. A platform for the exchange of information on cyber attacks is to be created at the BSI. In addition, investments in so-called cyber resilience measures are to be promoted in small and medium-sized companies if they belong to “critical infrastructure” – i.e. to sectors such as transport, food, health, energy or water supply. The Federal Office for Information Security, which is subordinate to the Federal Ministry of the Interior, is also to become more independent.
However, it is also planned to fend off hacker attacks from abroad more actively than before. The Federal Minister of the Interior continues to reject so-called hackbacks, i.e. the aggressive destruction of opposing servers in the event of an attack: “Nobody wants that.” Nevertheless, it is possible to ramp up the defensive measures, for example by redirecting cyber attacks or by having the state ensure that servers are switched off. Criticism came promptly from the opposition. “How exactly should a foreign server be shut down without gaining control over it?” asked the Left Party’s digital expert, Anke Domscheit-Berg, on Twitter. The federal government has ruled out hackbacks in the coalition agreement. But Faeser has now described exactly such a scenario.
Faeser promises the Federal Office for the Protection of the Constitution the creation of a “comprehensive digitization strategy” and “improved powers to clarify technical issues in the event of cyber attacks by foreign powers”. The aim of combating sexualized violence more effectively and identifying perpetrators online is also part of the cyber agenda. To this end, the minister wants “the Federal Criminal Police Office to be strengthened in terms of personnel and technology” – but the agenda leaves it open to what extent.
The point that is likely to cause trouble in the coalition is also largely avoided. Faeser had announced that IP addresses would be saved in order to be able to identify abusers. FDP Justice Minister Marco Buschmann, however, strictly rejects this, and the Greens are also against it. Faeser’s cyberagenda only says vaguely that “digital investigative tools for the security authorities” would be expanded. Further debates can be expected.