IT Security Act: High hurdle for Huawei to be excluded from network expansion
Source: Heise.de, added 23rd Nov 2020

If decisive components for critical infrastructures (Kritis) are procured in Germany – for example for telecommunications networks – then certain producers can be excluded. However, that will only happen if the federal government unanimously resolves it. There is no provision for a single ministry to go it alone. This follows from the now third ministerial draft of the Federal Ministry of the Interior (BMI) for the reform of the IT Security Act.
Public interest and relevance to security policy

According to the “Huawei clause” in the paper from Thursday, published by the Kritis working group and the information lawyer Dennis-Kenji Kipker, the Federal Ministry of the Interior may, within one month and only “in agreement with the relevant department”, prohibit the use of a “critical component vis-à-vis the operator of the critical infrastructure” or issue relevant orders. The prerequisite is that such an exclusion is necessary due to overriding public interests, in particular security policy concerns of the Federal Republic of Germany. The operators have to await a corresponding decision.
The approval procedure outlined in Section 9b is complex. The use of critical components is initially subject to mandatory certification. The Federal Office for Information Security (BSI) is responsible here. The Federal Network Agency has already presented relevant provisions for critical telecommunications and data processing systems with a new draft of a security catalog.
Manufacturers must declare their trustworthiness

In addition, a Kritis operator such as Deutsche Telekom, Vodafone or Telefónica must report the project to the BMI. The important technical components may only be used if the manufacturers – in the case of 5G and other telecommunications networks, i.e. equipment suppliers such as Huawei, ZTE, Nokia or Ericsson – have made a declaration of their trustworthiness to the operator.
According to the plan, this guarantee declaration extends to the manufacturer's entire supply chain. It must show whether and how the producer “can adequately ensure that the critical component does not have any technical properties that are suitable” for improperly influencing “the security, integrity, availability or functionality of the critical infrastructure”. In particular, “sabotage, espionage or terrorism” should be ruled out. In plain language: there must be no backdoors.
In order to take adequate account of such concerns, the guarantee declaration must, according to the reasoning, “also cover possible dangers and violations of certain duties that arise from the organizational structures” or other possible legal obligations of the manufacturer.
Right of participation of affected ministries

The Federal Ministry of the Interior intends to set out the contents of the declaration of trustworthiness by means of a general decree, since the decisive content differs between the various Kritis sectors. In order to be able to take into account all relevant matters of the ministries, it will involve the ministries concerned at an early stage. Who has a say depends “on the critical infrastructure sector and the departmental responsibilities resulting from it”. For example, the Federal Ministry of Economics is affected in the field of telecommunications, and the Foreign Office when “public interests are affected due to foreign and security policy issues”, with the Federal Chancellery joining at the department-head level. Such a structured exchange is necessary “in order to enable a comprehensive clarification of the facts” and preparation within the tight deadlines provided.
Operation of a component can be prohibited

In addition, according to the explanations, the “proactive” departments have a “suitable escalation mechanism” ready. This is necessary for cases in which the working level cannot agree on a ban. Insofar as a dissent persists at ministerial level, “the Federal Government must promptly discuss the dispute with the aim of advancing an amicable decision”. If violations are found, it should also be possible “to prohibit the further operation of a component”.
In principle, the government and the coalition parliamentary groups of the CDU/CSU and SPD had already agreed in the summer, after much dispute, on the procedure that has now been cast into legal form. The Huawei matter was settled, it was said at the time. The political trustworthiness test, which takes place in addition to a BSI certification, is to be based on objective criteria. If none of the departments involved raise concerns, the approval is effectively granted. The government does not want to bow to pressure from the USA to exclude Huawei broadly and across the board.
Reservations against access by the manufacturer

According to the draft, the Federal Ministry of the Interior considers the procedure to be indispensable, since “with the increasing IT complexity of the critical components used, a significant part of the controllability of the technology in the context of product maintenance (software updates, firmware updates, closing of security gaps) remains with the manufacturer itself or with the further supply chain”. Neither component certification nor high technical security requirements adequately ensure “that the manufacturers do not implement any improper access to hardware and software”.
The comprehensive examination of the remaining residual risks should be based on an objective, relevant assessment of the manufacturer. According to the Federal Ministry of the Interior, the path taken will also serve to implement the recommendations of the EU’s “5G Toolbox”.
BSI to become a cyber authority as planned

Otherwise the plan remains to upgrade the BSI to a powerful cyber authority with hacker powers. With 799 new posts – instead of the 583 planned in the second draft from May – and around 42.9 million euros in personnel costs, the office will become a key player in the fight against botnets, neglected devices in the Internet of Things and the spread of malware. One focus is consumer protection; a “voluntary IT security label” is to come.
In the future, the authority may store and evaluate “log data” for 12 months, including personal user information such as IP addresses that arise in online communication between citizens and federal administrative institutions as well as parliamentarians. The two earlier drafts spoke of a year and a half.
In addition, there is internal “logging data” from all authorities in the form of records on the type of IT use. This is intended to make it easier to identify widespread Trojans such as Emotet and complex attacks, which often originate from intelligence services.
The Federal Ministry of the Interior has revised and expanded the regulations on fines. The maximum values range – graded according to the severity of the violations in different categories – from 100,000 up to 20 million euros. As a consequence of the doxxing incident at the end of 799, a further reporting obligation is to be introduced in the Telemedia Act. Providers would then have to inform the Federal Criminal Police Office if they become aware of a major data leak and, for example, hand over inventory data and, if necessary, passwords of the affected parties or suspects. The tightening of criminal law that the BMI had still planned in 2019, not only in this area, is off the table for the time being.
Update: The information about the storage period at the BSI has been corrected after it was adjusted again in the most recent draft.
(tiw)