The German Interior Ministry (BMI) wants to check whether manufacturers of 5G components are trustworthy to protect critical infrastructure from cyber attacks. For Social Democrat MP Falko Mohrs, this does not go far enough. He demands a political security check, fed with secret service information. EURACTIV Germany reports.
In the new draft of the IT security law, which has been made available to EURACTIV Germany, the BMI has tightened its criteria for 5G suppliers. In addition to the already planned technical certification and a trustworthiness declaration by manufacturers, the Ministry should also be able to audit this credibility.
It is the next step in the German 5G debate, which revolves around the question of whether Chinese manufacturers should be excluded from the German 5G expansion, with a focus on Huawei.
This is the demand of the US government, which fears that Huawei could use its 5G components to provide the Chinese state with access to critical infrastructure in other countries for espionage or cyber attacks.
Chancellor Angela Merkel (CDU) has always opposed the exclusion of individual providers by name, but has encountered resistance within her party, led by Norbert Röttgen, Chair of the Foreign Affairs Committee in the Bundestag.
In February, the Christian Democrats agreed that Huawei would not be excluded, but strict security criteria would apply to 5G manufacturers.
Monitoring is better
The draft from the CSU-led BMI shows what this could look like in reality. Not wanting to rely on the manufacturer’s statement, the ministry will instead check itself whether manufacturers are trustworthy. If they are not, it can prohibit operators of critical infrastructure from using that manufacturer’s components.
Companies could be considered untrustworthy if, for example, they have given false information in a statement or do not support security checks.
It is already sufficient if a component is theoretically suitable for misuse, unless manufacturers can prove that the potentially threatening feature has not been implemented or properly eliminated.
Missing political security audit
MP Falko Mohrs (SPD), who sits on the Bundestag digital committee, sees it as “a seemingly large, but unfortunately still blunt sword.”
While he welcomes the strengthening of the Federal Office for Information Security (BSI), the checks in the amended law are of a technical nature, even though the explanatory memorandum points out that technical risks can only be minimised.
There is no political assessment of manufacturers’ reliability, particularly in relation to the governing system in their home countries. This assessment could be provided by the Federal Security Council (BSR), fed with information from the Federal Intelligence Service (BND).
Mohrs also thinks the existing draft still places too much trust in the manufacturers’ declarations, but believes that parts of the CDU/CSU are open to this idea of “political approval.”
While the Bundestag had originally planned to adopt the law before summer, Mohrs describes this as “virtually impossible.” So far only a draft bill has been presented, which still has to be approved by the cabinet. Only then can the deliberations begin in the Bundestag.
Security vulnerabilities can never be “technically ruled out completely”
His CSU colleague on the digital committee, Hansjörg Durz, also criticises the draft’s delay. “The Federal Government has put a great strain on the patience of us parliamentarians,” he told EURACTIV Germany.
The discussions must now move forward rapidly, because “we urgently need rules for the 5G expansion in Germany.”
Durz sees a need for improvement in the manufacturers’ declaration, particularly around ruling out potential misuse of their components. After all, “possible security vulnerabilities, especially in software products, cannot be completely ruled out technically, not by any manufacturer,” he says.
He also considers it “sensible and necessary” for the BMI to be able to remove already installed components if manufacturers prove to be untrustworthy ex-post.
However, it is necessary to weigh the damage caused by the sudden unavailability of the infrastructure. This must be in proportion to the security threat. For this reason, a “balanced setting of deadlines” is needed, says Durz.