The Federal Ministry of the Interior (BMI) is planning a turning point in the German security architecture. A 648-page draft bill for reforming intelligence law provides for a fundamental reorganization of the previous legal powers of the Federal Office for the Protection of the Constitution (BfV) and the Federal Intelligence Service (BND) as well as the connections between the two institutions.
Read more after the ad
Behind this lies a comprehensive digital upgrade: domestic and foreign secret services are to become independent actors in the cyber-operational area with expanded hacking powers. At the same time, the Federal Office for Information Security (BSI) threatens to become a digital supplier for the spies.
The Ministry of the Interior justifies its reform plan with an increased threat situation. The operational capabilities of the services would have to be adapted to the digital world. A new early warning system and the expansion of secret online searches are intended to close “protection gaps”.
Critics see this as the well-known pattern of security policy legislation: far-reaching surveillance powers are presented as an alternative answer to a permanent threat, while digital freedom rights continue to come under pressure.
Basis for hackbacks and zero-day exploits
The change of course becomes clear, for example, in the “active” protective measures. In the future, agents will be allowed to intervene in ongoing cyber attacks under certain conditions if other authorities such as the police cannot act in time.
As an example, the BMI cites the case where a service has already infiltrated an attacker’s infrastructure and discovered a malicious program there. He should then be allowed to launch countermeasures immediately instead of letting the attack continue. Opponents speak of a legal basis for state hackbacks that blur the line between defensive intelligence and offensive countermeasures.
The new regulation of the relationship between the BSI and BND is of particular importance. The planned Section 10 Paragraph 2 of the BND Act is intended to re-regulate the transmission obligations of public authorities. For the BMI, for example, the hurdle set in the BSI Act for transmission to the BND is only too high if it is of “significant importance for the Federal Republic”.
Read more after the ad
In the future, the BSI will transmit security-relevant findings to the BND in the early phases of an attack, sometimes automatically. The reason for this is that, thanks to its controversial strategic telecommunications intelligence, the foreign service can place individual incidents in a global context and thus identify dangers earlier.
Vulnerability management for spies
Dealing with IT vulnerabilities is explosive here. According to the draft, the BSI should pass on knowledge about the technical functionality of discovered security gaps to the BND immediately and, if possible, automatically. According to the BMI, this would provide a significant operational advantage, especially in the case of zero-days – security gaps without an available manufacturer patch.
The justification for the law states that the period until a vulnerability is closed can be used for “important work” by the BND. Time-delaying processes would significantly reduce applicability.
This would put the BSI in a conflict of objectives that is difficult to resolve. Instead of closing security gaps as quickly as possible, as the traffic light coalition planned, the time until an update is made available is deliberately taken into account for secret service purposes.
Limited range control
To compensate for the expanded powers, the house of Alexander Dobrindt (CSU) refers to greater constitutional control. The responsibilities are to be pooled in the Independent Control Council (UKCouncil), which could exercise judicial-like prior supervision in the future. But its options remained limited.
The initiative also marks a significant expansion of cyber capabilities financially. At least 40 million euros in one-off costs and 35 million euros annually are earmarked for the BND. The Office for the Protection of the Constitution estimates around 94 million euros for converting IT structures and ongoing operating costs of around 269 million euros.
Parallel to the upgrade, the BSI’s original protective function towards the state, business and citizens would take a back seat. The draft law is intended to pave the way for two significantly more powerful cyber intelligence services, whose far-reaching interventions would only be subject to limited review. The bill must next go through the federal cabinet. The Chancellery is already having similar considerations.
(vbr)
