The accusation weighs heavily: Bad governance proves Horst Seehofer’s house with the plan to pass the controversial cybersecurity strategy 2021 in the cabinet before the end of the legislature. The last such strategy dates from 2016, so it could use an update. But more than 60 individuals, companies and associations from civil society and business clearly criticize the current draft of the interior ministry in an open letter to the federal government. The signatories include the digital-political think tanks D46 (SPD), Load (FDP) and Cnetz (CDU), the Association of the Internet Industry Eco and civil society actors such as the Chaos Computer Club and Reporters Without Borders.
They call on the federal government to “postpone the adoption of the cybersecurity strategy to the next legislature or at least to cancel the expansion of the powers of the security authorities without replacement.” Seehofer’s current draft for the strategy provides, among other things, to allow a state collection of vulnerabilities. In addition, Germany is to promote the “development of technical and operational solutions for lawful access to content from encrypted communication” and “bypassing the secure implementation of strong encryption”. What is meant are somewhat cryptic back doors in actually secure messenger services that authorities could use to read along.
Both proposals are typical desires that Seehofer and other domestic politicians before him have been trying to enforce for years. In a paper whose declared aim is cybersecurity in Germany, such measures would have lost nothing, say the signatories. There is “insufficient support in business and society” for the plans.
“There is no public security without IT security”
Rainer Rehak, the co-chair of the Forum Computer Scientists for Peace and Social Responsibility, which also signed, believes the cybersecurity strategy is fraudulent. The paper reveals a very one-sided understanding of cybersecurity that only focuses on national security and not on the IT security of consumers or companies. Collateral damage to the economy and society would be accepted. “You sacrifice civil society and the economy to strengthen cyber defense,” Rehak said Süddeutsche Zeitung. Internal security is more than just police. “There is no public security without IT security,” said Rehak.
German providers of secure e-mail accounts such as Tutanota, Mailbox.org and Mail.de see themselves as possible victims of Seehofer’s cybersecurity strategy. State back doors would massively threaten their business model. In a statement, Tutanota co-founder Matthias Pfau wrote that Seehofer’s strategy was extremely dangerous for consumers and German companies: “Any weak points in IT applications can and will be exploited by malicious attackers, (foreign) governments and for industrial espionage.”
The open letter not only criticizes the content of the strategy, in particular the planned date of adoption by the federal cabinet is hardly comprehensible. If everything goes as usual, the strategy should be adopted in August 2021. A new Bundestag will be elected in September 2021. It is quite possible that a new government will not endorse parts of Seehofer’s strategy at all. This is particularly problematic where the paper strives for tangible reforms. For the first time, controlling measures are to be integrated into the cybersecurity strategy. The open letter says that this is generally to be welcomed. However, the duties no longer apply to those adopting the strategy. The new federal government would have to deal with that first.