If crucial components for critical infrastructures (Kritis) are procured in Germany – for example for telecommunications networks – then certain producers can be excluded. However, that will only happen if the federal government unanimously resolves it. There is no provision for a single ministry to go it alone. This emerges from what is now the third draft bill by the Federal Ministry of the Interior (BMI) for the reform of the IT Security Act.
Public interest and security policy importance
According to the “Huawei clause” in Thursday’s paper, which the AG Kritis and the information lawyer Dennis-Kenji Kipker have published, the BMI can prohibit the use of a “critical component towards the operator of the critical infrastructure” within one month, or issue relevant orders, only “in agreement with the relevant department”. The prerequisite for this is that such an exclusion is necessary due to overriding public interests and, in particular, security policy concerns of the Federal Republic of Germany. The operators have to wait for a corresponding decision.
The approval process outlined in Section 9b is complex. The use of critical components is initially subject to mandatory certification. The Federal Office for Information Security (BSI) is responsible here. The Federal Network Agency has already presented relevant requirements for critical telecommunications and data processing systems with a new draft for a security catalog.
Manufacturers have to declare their trustworthiness
In addition, a Kritis operator such as Deutsche Telekom, Vodafone or Telefónica must report the project to the BMI. The important technical components may only be used if manufacturers – in the case of 5G and other telecommunications networks, i.e. suppliers such as Huawei, ZTE, Nokia or Ericsson – have given the operator a declaration of their trustworthiness.
According to the plan, this guarantee declaration extends to the manufacturer’s entire supply chain. It must show whether and how the producer can “adequately ensure that the critical component has no technical properties that are suitable” to improperly affect “the security, integrity, availability or functionality of the critical infrastructure”. In particular, “sabotage, espionage or terrorism” should be ruled out. In plain language: there shouldn’t be any back doors.
In order to adequately take account of such concerns, the guarantee declaration must, according to the reasoning, “also cover possible dangers and violations of certain obligations to act that result from the organizational structures” or possible other legal obligations of the manufacturer.
The ministries concerned have a say
The Federal Ministry of the Interior is to specify the contents of the declaration of trustworthiness by means of a general decree, since the specific contents differ decisively between the various Kritis sectors. In order to be able to take into account all relevant matters of the ministries, it will involve the ministries concerned at an early stage. Who has a say depends “on the critical infrastructure sector and the departmental responsibilities resulting from it”. For example, the Federal Ministry of Economics is affected in the area of telecommunications, and the Foreign Office when “public interests are affected due to foreign and security policy issues”.
In addition, there will be an ongoing and regular “inter-ministerial jour fixe”, at which the Federal Chancellery will join the department head. Such a structured exchange is necessary “in order to enable a comprehensive clarification of the facts” and preparation within the tight deadlines.
Operation of a component can be prohibited
In addition, the “proactive” departments have a “suitable escalation mechanism” ready, according to the explanations. This is necessary for cases in which the working level cannot agree on a ban. Insofar as there is still a dissent at ministerial level, “the Federal Government must promptly discuss the dispute with the aim of advancing an amicable decision.” If violations are found, it should also be possible to “prohibit further operation of a component”.
In principle, the government and the coalition factions of the CDU / CSU and SPD agreed on this now legally formulated procedure after a lot of dispute in the summer. The Huawei matter was settled, it was said at the time. The political trustworthiness test, which takes place in addition to a BSI certification, will be based on objective criteria. If none of the departments involved raise concerns, the approval is effectively granted. One does not want to bow to the pressure from the USA to exclude Huawei on a large scale and across the board.
Reservations against access by the manufacturer
According to the draft, the Federal Ministry of the Interior considers the procedure to be indispensable, since with the “increasing IT complexity of the critical components used, a significant part of the controllability of the technology within the scope of product maintenance (software updates, firmware updates, closing of security gaps) remains with the manufacturer itself or with others in the supply chain”. Neither component certification nor high technical security requirements would adequately ensure “that the manufacturers did not implement any improper access to hardware and software”.
The comprehensive examination of the remaining residual risks should be carried out through an objective, relevant assessment of the manufacturer. According to the Federal Ministry of the Interior, the chosen path also serves to implement the recommendations of the EU’s “5G Toolbox”.
As planned, the BSI will become a cyber authority
Otherwise, the plan remains to upgrade the BSI to a powerful cyber authority with hacking powers. With 799 new jobs – instead of the 583 planned in the second draft from May – and around 56.9 million euros in personnel costs, the office is to become a key player in the fight against botnets, neglected devices in the Internet of Things and the spread of malware. One focus is consumer protection; a “voluntary IT security label” is to be introduced.
The authority will be able to store and evaluate, for 18 months, “log data” that arise during online communication between citizens and federal administrative institutions and parliamentarians, including personal user information such as IP addresses. In addition, there are internal “logging data” from all authorities in the form of records about the type of use of IT. This should make it easier to identify widespread Trojans such as Emotet as well as complex attacks, which often originate from secret services.
The Federal Ministry of the Interior has revised and expanded the regulations on fines. The maximum values range – graded according to the severity of violations in various categories – from 100,000 to 20 million euros. As a consequence of the doxxing incident at the end of 2018, a further reporting obligation is to be introduced in the Telemedia Act. Providers would therefore have to inform the Federal Criminal Police Office if they become aware of a major data leak and, for example, provide inventory data and, if necessary, passwords of affected parties or suspects. The tightening of criminal law, not only in this area, that the Federal Ministry of the Interior planned in 2019 is off the table for the time being.