Berlin In the traffic light coalition, an extension of the powers for the Federal Office for Information Security (BSI) is being discussed in order to better protect the so-called critical infrastructure (Kritis) against authoritarian states such as China. The considerations are aimed at changing the nature of the authority’s tasks in such a way that geopolitical risks will have to be taken more into account in future when certifying IT technology from foreign manufacturers such as Huawei.
The deputy head of the Greens parliamentary group, Konstantin von Notz, justified this by saying that the installation of components in digital infrastructures must meet the highest security standards due to the “great importance for our social coexistence”. “In order to be able to specifically assess dangerous situations, legal, security policy and geostrategic aspects must be taken into account in the official inspections in addition to technical considerations,” he told the Handelsblatt. “This is the only way we can finally counteract the massive dangers consistently.”
The SPD foreign politician Metin Hakverdi also thinks it is necessary to reconsider the BSI’s previous test procedure. “It’s not enough to just carry out a type of inspection for the critical infrastructure,” Hakverdi told Handelsblatt. “In the future, a geopolitical evaluation must also play a central role as a criterion.”
The reason for the considerations are the efforts of the Interior Ministry of Department Head Nancy Faeser (SPD) to significantly improve the protection of critical infrastructures in Germany. For this purpose, the BSI is to be expanded into a central office for cyber security that will help the federal states to close security gaps. According to the traffic light politicians, however, there is also room for improvement in the authority itself.
It’s about how the BSI deals with security-relevant components from the Chinese companies Huawei and ZTE, which are installed on a large scale in German mobile networks. The tasks of Germany’s top cyber security authority also include the testing and certification of IT products. The BSI only certified a 5G component from ZTE as secure at the end of January.
USA bans Huawei devices from the market
Last year, the USA warned against network technology from ZTE and Huawei and banned the approval of new devices. Behind this is the concern that China could use 5G technology to engage in espionage. Huawei always rejected the allegations. In fact, so far neither espionage nor sabotage could be clearly proven. Huawei emphasizes that it meets the highest security standards and is not under the influence of “any external organizations or persons in its actions”.
>> Read also: Government plans to ban Huawei and ZTE in the German network
The Vice President of the Federal Office for the Protection of the Constitution, Sinan Selen, on the other hand, sees Huawei or ZTE as companies “that are very heavily influenced by the state” and warned: “I don’t have the impression that the crown jewels of our economy are protected well enough.”
The federal government is aware of the problem. “Both companies are under the control of the Chinese Communist Party at various levels,” according to a government response to a parliamentary question published at the end of March.
The SPD member of the Bundestag, Hakverdi, therefore advises taking a look at the USA. “It has long been realized here that China is a geopolitical rival. That flows into every evaluation, big and small,” explained Hakverdi. This is not the case everywhere in Germany, and that is also the problem at the BSI. “That’s why we have to adapt our legal and structural toolbox and give geopolitics more weight,” said the SPD politician. “That means: The test criteria of the BSI must be expanded.”
The FDP domestic politician Manuel Höferlin sees no need for this. If there are doubts about the trustworthiness of a provider during an examination, he expects the Federal Ministry of the Interior to “exclude them from the market with legal certainty”, Höferlin told the Handelsblatt. “There is no need for a new test criterion, because geopolitics is already covered in the current legal situation with the aspect of public order and security in Germany.”
For the CDU security politician Roderich Kiesewetter, it falls short of just starting with test criteria. “Rather, geopolitical considerations must be included in all security-related decisions,” he said. This also applies, for example, to investment commitments or economic cooperation.
Expert is critical of additional test criteria for the BSI
Sven Herpig from the New Responsibility Foundation (SNV), a think tank for digital policy, also pointed out the existing legal options. “While the BSI is responsible for the technical assessment, other security authorities are providing intelligence,” he explained. Ministries such as the Foreign Office or the Economics Department could also make assessments based on their expertise. This means that the geopolitical assessment is carried out by other competent authorities.
>> Read also: Comment – The dependence of large German corporations on China is damaging the Federal Republic
At the same time, according to Herpig, the Kaspersky warning shows that the BSI is already taking geopolitical aspects into account. Against the background of the Russian war of aggression against Ukraine in March 2022, the BSI recommended replacing anti-virus software from Kaspersky with alternative products. There is a significant risk of “a successful IT attack” in which a Russian manufacturer could be a tool or actively involved against its will.
Hakverdi still sees an urgent need for action. “We are so vulnerable in infrastructure that we have to make progress very quickly,” he said. “Imagine if we had a dispute with China, which is about economic sanctions. In the worst case, we could get into real difficulties in some areas,” the SPD politician pointed out. “For example, if Beijing were to paralyze our critical infrastructure and thus our country using installed technology from Chinese manufacturers.”
Two things are important for the Green politician von Notz – “how the integrity of our critical infrastructure can be guaranteed and at the same time we make ourselves less dependent on technologies from authoritarian states”. His parliamentary group is therefore committed to a “prioritized adoption” of the “Kritis umbrella law” in order to consistently implement the urgently needed change of course. The law aims to achieve better protection of key sectors.
As a first step, the government wants to eliminate weaknesses in the existing legal requirements in order to be able to push back the use of Chinese technology in German telecommunications networks. These regulations are then to be extended to other areas of critical infrastructure as part of the “Kritis umbrella law”. A corresponding draft law should be available by the summer.
More: Germany’s top cyber security authority uses Huawei technology itself