In Germany’s new 5G security criteria, SPD sees a “blunt sword”

The German Minister of the Interior, Horst Seehofer (CSU), would like to see more competences for the BMI in the inspection of 5G manufacturers. [EPA-EFE | Omer Messinger]

The German Interior Ministry (BMI) wants to check whether manufacturers of 5G components are trustworthy to protect critical infrastructure from cyber attacks. For Social Democrat MP Falko Mohrs, this does not go far enough. He demands a political security check, fed with secret service information. EURACTIV Germany reports.

In the new draft of the IT security law, which has been made available to EURACTIV Germany, the BMI has tightened its criteria for 5G suppliers. In addition to the already planned technical certification and a trustworthiness declaration by manufacturers, the Ministry should also be able to audit this credibility.

It is the next step in the German 5G debate, which revolves around the question of whether Chinese manufacturers should be excluded from the German 5G expansion,  with a focus on Huawei.

This is the demand of the US government, which fears that Huawei could use its 5G components to provide the Chinese state with access to critical infrastructure in other countries for espionage or cyber attacks.

Chancellor Angela Merkel (CDU) has always opposed the exclusion of individual providers by name, but has encountered resistance within her party, led by Norbert Röttgen, Chair of the Foreign Affairs Committee in the Bundestag.

In February, the Christian Democrats agreed that Huawei would not be excluded, but strict security criteria would apply to 5G manufacturers.

Huawei shouldn't be getting its hopes up for German 5G expansion just yet

Although the CDU and CSU did not explicitly decide on the exclusion of Huawei, their position paper provided exclusion criteria that could nonetheless apply to the Chinese telecom giant. The ball is now in the court of the coalition partners, the Social Democratic Party (SPD). EURACTIV Germany reports.


Monitoring is better

The draft from the CSU-led BMI shows what this could look like in reality. Not wanting rely on the manufacturer’s statement, the ministry will instead check itself whether manufacturers are trustworthy. If they are not, it can prohibit operators of critical infrastructure from using that manufacturer’s components.

Companies could be considered untrustworthy if they has given false information in a  statement or does not support security checks, for example.

It is already sufficient if a component is theoretically suitable for misuse, unless manufacturers can prove that the potentially threatening feature has not been implemented or properly eliminated.

Vestager urges EU member states not to backtrack on 5G

The European Commission’s Vice-President for Digital, Margrethe Vestager, has urged EU telecoms ministers to “limit as much as possible” any delays to their 5G spectrum assignments, amid the current challenges to the industry brought on by the coronavirus crisis.

Missing political security audit

MP Falko Mohrs (SPD), who sits on the Bundestag digital committee, sees it as “a seemingly large, but unfortunately still blunt sword.”

While he welcomes the strengthening of the Federal Office for Information Security (BSI), the checks in the amended law are of a technical nature, even though the explanatory memorandum points out that technical risks can only be minimised.

There is no political assessment of manufacturers’ reliability particularly in relation to the governing system in their home countries. This assessment could be provided by the Federal Security Council (BSR), fed by information from the Federal Intelligence Service (BND).

Mohrs also thinks the existing draft still places too much trust in the manufacturers’ declarations, but believes that parts of the CDU/CSU are open to this idea of “political approval.”

While the Bundestag had originally planned to adopt the law before summer, Mohrs describes this as “virtually impossible.” So far only a draft bill has been presented, which still has to be approved by the cabinet. Only then can the deliberations begin in the Bundestag.

Borrell: China 'expressed their concerns' over disinformation leak

Chinese officials have “expressed their concerns” over the leak of a draft internal publication on disinformation, the EU’s diplomatic chief Joseph Borrell confirmed on Thursday (30 April).

Security vulnerabilities can never be “technically ruled out completely”

His CSU colleague on the digital committee, Hansjörg Durz, also criticises the draft’s delay. “The Federal Government has put a great strain on the patience of us parliamentarians,” he told EURACTIV Germany.

The discussions must now move forward rapidly, because “we urgently need rules for the 5G expansion in Germany.”

Durz sees a need for improvement in the manufacturers’ declaration, particularly around ruling out potential misuse of their components. After all, “possible security vulnerabilities, especially in software products, cannot be completely ruled out technically, not by any manufacturer,” he says.

He also considers it “sensible and necessary” for the BMI to be able to remove already installed components if manufacturers prove to be untrustworthy ex-post.

However, it is necessary to weigh the damage caused by the sudden unavailability of the infrastructure. This must be in proportion to the security threat. For this reason, a “balanced setting of deadlines” is needed, says Durz.

Subscribe to our newsletters