The European Commission should “walk the walk” and use strong encryption to protect its computer networks against hackers instead of pushing member states to adopt controversial new legislation, the head of Germany’s cybersecurity agency has said.
Arne Schönbohm, the director of Germany’s Federal Office for Information Security (BSI), lashed out at the Commission for not being transparent about the technology it uses to prevent cybersecurity breaches.
He also criticised a Commission proposal to overhaul the EU’s cybersecurity rules, including a controversial plan for a system to certify the security level of software and hardware products. The bill is still in negotiations.
Schönbohm said the Commission would be better off staffing up security teams tasked with protecting its internal systems against hackers instead of bossing around member states that oppose the draft legislation.
“They shouldn’t try to tell others how to move forward appropriately if this is not their focus. That’s not right,” Schönbohm told EURACTIV in an interview at BSI’s office in Bonn.
He said it would be helpful if the Commission would “spearhead information security on their own, as a very good example. Not just doing exercises”.
“But how well are their mobile devices encrypted within the European Commission? How are they protecting the European Parliament? These are areas where they could not just talk the talk but really walk the walk”.
A spokeswoman for the Commission’s directorate for IT security, DG Digit, said the office does not disclose the number of staff working on preventing cybersecurity attacks.
Schönbohm said he does not suspect that the Commission is poorly prepared to respond to attacks but argued it should share more information with member states about the kind of encryption technologies it uses to secure communication.
“We see how many attacks we are facing day by day just within the German government. I think there are lots and lots of attacks also on the networks of the European Commission and of the European Parliament. This is normal,” Schönbohm said.
But he warned that “if you don’t have the right [security] systems, you don’t see them”.
BSI has had its hands full with cybersecurity breaches in German government offices. German media reported in February that hackers had broken into the federal government’s network, and attackers have hit the Bundestag several times in the last few years.
No need for the Commission’s new cybersecurity certification plans
Schönbohm argues the Commission’s proposal to create a new EU system for certification would be slow and inefficient. Instead, he wants to expand a smaller, voluntary group, known as SOG-IS, which agrees on common certification for a small selection of technology products, like digital ID cards. So far, 14 EU countries have joined the group.
The Commission’s proposal would apply to all member states. The EU executive argues the legislation will make it easier for companies to receive security certification in one EU country, and have it recognised across the bloc. They would not need to seek similar guarantees in multiple member states.
The Commission has also touted lower costs for firms as another benefit of the bill. It does not require companies to certify products in order to sell them in the EU—the system is supposed to help firms avoid expensive application processes in different national systems.
The proposal also includes a dig at BSI: it singles out the agency’s comparatively expensive process for companies to receive certification for smart energy meters.
Schönbohm described the Commission’s announcement in September of a centralised EU system as surprising, “like thunder coming out of the sky”. He predicted it would not be approved, at least not in its entirety.
“The member states are against it. We are living in a legal world, the European Commission is not a spaceship that can do what it likes to do”.
Schönbohm is not involved in legal negotiations over the proposal but the cybersecurity agency from the EU’s biggest member state has considerable sway over the file.
Angelika Niebler, the German centre-right MEP who is leading the Parliament’s discussions on the bill, told EURACTIV that BSI has “excellent know-how and expertise in the field of IT security and certification” and, along with France’s agency ANSSI, “can be a role model for Europe in cybersecurity”.
The legislation can only take effect after it is approved in three-way negotiations between the European Parliament, the Commission and national governments.
One diplomat involved in negotiations said France and Germany are steering the member states’ discussions.
“Both have very developed systems nationally, a very clear view of how it functions on a day-to-day basis, and want to keep the European framework as close to this as possible,” the source said.
Within the next few weeks, BSI will announce a new certification system for internet routers sold in Germany. Schönbohm said the new ranking system for products’ security level could be a template for other European countries.
“Regarding information security, it’s our task to move forward urgently. And sometimes it’s very slow at the European level,” he said.
After the new security system for routers, the agency plans to introduce more cybersecurity certification tailored to other smart home devices that are connected to the internet.
Security is “a task of the member states”
Schönbohm’s main criticism of the Commission’s proposal is that it is inefficient. He also slammed the plan to give the Athens-based EU cybersecurity agency ENISA control over drafting the criteria for hardware and software certification as “burning of money”.
The Commission wants to give the small, 84-person agency a budget increase and 40 new employees. Schönbohm said that is not enough to take control of EU-wide certification and pointed out that BSI’s certification department has 150 experts on staff.
Schönbohm said that instead of having ENISA in charge of any new system, its experts would be better off coordinating cybersecurity exercises and leading a year-old network that was created to improve communication between member states’ national agencies. As part of that network, national authorities monitor their own countries for security breaches and report suspicious activity to ENISA.
Still, he was not concerned that BSI could lose control over what criteria are used to approve certification if the Commission’s proposal is approved.
Some national agencies contact each other first before sending information to ENISA. Schönbohm said he spoke on the phone with his counterparts in other big member states, including the British and French cybersecurity agencies, after the massive WannaCry and NotPetya attacks swept several member states last year. He later sent a report to ENISA.
“Everybody has to deal with his own level of information security,” Schönbohm said.
“It is a task of the member states.”