On July 12, 2022, German Federal Minister of the Interior Faeser presented the new federal cybersecurity agenda for the current legislative period. Key points are new responsibilities for security authorities, a stronger role for the federal government in the cybersecurity architecture, defense against cybercrime, and protection of the state and critical infrastructure. Many voices from research and industry have already expressed concerns about the lack of details on the stronger role of the Federal Office for Information Security (BSI). Here, we would like to address what we consider to be important points that directly affect the resilience of the German economy and infrastructure.
Strengthening the Cyber Resilience of Critical Infrastructure
The agenda presented proposes broad financial support for innovation, an increase in risk awareness, and a faster response to cyber threats through closer ties to the authorities. This is meant to further improve and strengthen existing processes. In our view, however, these measures are too reactive; proactive measures are needed instead. What is required is not blind subsidies but grants tied to concrete measures, together with stricter legal minimum standards for IT security, so that attacks on critical infrastructure are minimized.
An important factor here is fragile supply chain security. German critical infrastructure is heavily dependent on non-European suppliers. Certifying these manufacturers against security criteria is not enough on its own; measures must be taken to reduce the blind trust placed in the components they supply. IT security research has already developed numerous approaches for isolating such components. These measures would make attacks more difficult and shorten response times far more than closer communication with the authorities would.
Strengthening Digital Sovereignty in Cybersecurity
Digital sovereignty is addressed late in the agenda, yet it is the core issue of this decade. Proposals in the agenda range from stronger (contract) research funding to expanded auditing of suppliers by the BSI. But research funding alone is not enough: many of the trust issues with third-party software are already mature research areas. In our view, the actual problem is the lack of transfer and integration of the research solutions. The proposed solution also relies heavily on vendor certification, but modern software is so complex that supplier reviews are unrealistic. This inevitably leads to a loss of control, to security gaps, or to espionage that is discovered far too late.
Especially in the area of 5G/6G, these trust problems can only be solved if the platform software, i.e., the software environment that controls everything else, is developed and produced in Europe. Mobile network operators should themselves provide and fully control this platform software for the third-party hardware. Proprietary services and drivers from the hardware manufacturer can then run on it within the limits the operator sets. Research approaches for isolating and monitoring such third-party software have existed for more than a decade. The clearly defined OpenRAN interfaces can provide an important basis for implementing this separation of responsibilities. Such a separation of responsibilities strengthens German and European sovereignty without abandoning existing non-European suppliers, which cannot be replaced in the near future given the lack of European competitiveness and the globalized supply chains.