Federal Minister of the Interior Nancy Faeser (SPD) has proposed an amendment to the Basic Law to make the Federal Office for Information Security (BSI), which reports to her office, the central office for combating cyberattacks on targets in Germany. A similar structure already exists at the Federal Criminal Police Office (BKA) and the Federal Office for the Protection of the Constitution, which work closely with the respective state authorities.

Responsibility for cyber security in Germany currently still lies with the federal states, which is why the BSI has only been able to provide administrative assistance so far, the minister said in Berlin on Tuesday. In view of the increased threat, this is no longer appropriate. The federal states are "overwhelmed" with this task in the long term. She had also received very positive signals from the federal states regarding her proposal to amend the Basic Law. In order to amend the Basic Law, the coalition government in the Bundestag would also need votes from the opposition, as this requires a two-thirds majority.

Attacks on government agencies on the rise

Over the past two years, several cyberattacks on hospitals and government agencies have caused major problems. Overall, the number of known attacks has increased. As a result of the cyberattack on the district administration, a state of emergency was declared in the district of Anhalt-Bitterfeld on July 9, 2021. Several servers had been infected with so-called ransomware. This encrypts data. After paying a ransom, the data was supposed to be released again. The district refused to pay the money and was then unable to provide a number of services.

FDP parliamentary group deputy leader Konstantin Kuhle warned that the BSI's task profile must be clearly outlined and its independence strengthened before the Basic Law is amended. "This also includes the establishment of a functioning vulnerability management system for all security authorities." This involves security gaps in hardware and software that are deliberately not closed so that government agencies can secretly gain access to cell phones and other means of communication for the purpose of reconnaissance or investigations into serious crimes.

In view of the Russian war of aggression against Ukraine, the Federal Ministry of the Interior also presented further measures for greater cyber security. These include the introduction of a central video conferencing system for the federal administration that meets the highest security requirements. A platform for companies to exchange information on cyber attacks is to be created at the BSI.

Promotion of cyber resilience measures for SMEs

In addition, investments in so-called cyber resilience measures are to be promoted for small and medium-sized enterprises if they belong to "critical infrastructure" - from sectors such as transport, food, health, energy and water supply. Faeser has also set herself the task of modernizing the IT infrastructure of the Federal Office for the Protection of the Constitution. It is also to be given more powers to "clarify technical matters in the event of cyber attacks by foreign powers".

However, there is a need for coordination in the area of cyber security not only with the federal states, but also within the federal government. Transport Minister Volker Wissing (FDP) is responsible for digital affairs. With the Cyber and Information Space Command, there is an organizational unit within the Bundeswehr to defend against cyber attacks. "We will always have to have an interface with the BMVg (Federal Ministry of Defense)," said Faeser. The war in Ukraine in particular has shown how external and internal security are linked.

The coalition agreement between the SPD, Greens and FDP provides for a new law in which regulations for the protection of critical infrastructure are to be bundled. This must be implemented as quickly as possible, said Konstantin von Notz, deputy parliamentary leader of the Greens. "There is also an urgent need for coordination with the strategies currently being developed by other houses."

Alexander Throm (CDU), spokesperson for domestic affairs in the CDU/CSU parliamentary group, said that the new cyber security agenda leaves crucial questions unanswered - for example, what specific powers the Federal Criminal Police Office, the Federal Office for the Protection of the Constitution and the Federal Police should be given to defend against cyber attacks. "There is also no concept for active cyber defense that is aimed at preventing cyber attacks." A corresponding concept had failed during the term of office of Faeser's predecessor Horst Seehofer (CSU) due to opposition from the SPD.

Uniform federal process for deletion procedures

Another focus of Faeser's cyber security agenda is to be measures aimed at preventing the dissemination of criminal content on the internet - in particular depictions of child sexual abuse. To this end, a nationwide coordinated reporting and deletion process is to be established by the BKA. At EU level, Faeser wants to advocate for a legal framework to prevent the dissemination of such depictions. A deletion procedure coordinated by the BKA could "ensure that such images disappear from the internet more quickly", explained the industry association Bitkom.

"The dangers in cyberspace are constantly increasing," said SPD interior politician Uli Grötsch. It is therefore good that Faeser wants to "take more effective action against cybercrime". According to the BKA, the police registered 146,363 cybercrime offenses nationwide last year - an increase of more than 12% compared to the previous year.