The accusation is a serious one: Horst Seehofer's cabinet is demonstrating poor governance with its plan to adopt the controversial cybersecurity strategy in 2021 before the end of the legislative term. The last such strategy dates from 2016, so it could certainly use an update. However, more than 60 individuals, companies and associations from civil society and the business community are clearly criticizing the Interior Ministry's current draft in an open letter to the German government. Among the signatories are the digital policy think tanks D46 (SPD), Load (FDP) and Cnetz (CDU), the Internet industry association Eco and civil society players such as the Chaos Computer Club and Reporters Without Borders.
They call on the German government to "postpone the adoption of the cybersecurity strategy until the next legislature or at least cancel the expansion of powers for security authorities without replacement." Seehofer's current draft for the strategy includes allowing government collection of vulnerabilities. In addition, Germany is to push for the "development of technical and operational solutions for lawful access to content from encrypted communications" and "the circumvention of secure implementation of strong encryption." This refers to backdoors in actually secure messenger services that could be used by the authorities to read what is being said.
Both proposals are typical desires that Seehofer and other domestic politicians before him have been trying to push through for years. In a paper whose stated goal is cybersecurity in Germany, such measures have no place, say the signatories. There is "insufficient support in business and society" for the plans.
"There is no public safety without IT security"
Rainer Rehak, co-chair of the Forum InformatikerInnen für Frieden und gesellschaftliche Verantwortung, which also signed, considers the cybersecurity strategy to be labeling fraud. The paper reveals a very one-sided understanding of cybersecurity that focuses only on national security and not on the IT security of consumers or businesses, he said. Collateral damage to the economy and society would be accepted. "You sacrifice civil society and the economy to strengthen cyber defense," Rehak told the Süddeutsche Zeitung. Internal security, however, is more than police, he said. "There is no public security without IT security," Rehak said.
German providers of secure e-mail accounts such as Tutanota, Mailbox.org and Mail.de see themselves as potential victims of Seehofer's cybersecurity strategy. Government backdoors would pose a massive threat to their business model. In a statement, Tutanota co-founder Matthias Pfau wrote that Seehofer's strategy is blazingly dangerous for consumers and German businesses: "Any vulnerabilities in IT applications can and will be exploited by malicious attackers, (foreign) governments and for industrial espionage."
The open letter criticizes not only the content of the strategy, but in particular the planned date of adoption by the federal cabinet is hardly comprehensible. If everything goes as usual, the strategy should be adopted in August 2021. A new Bundestag will be elected in September 2021. It is quite possible that a new government will not even endorse parts of Seehofer's strategy. This would be particularly problematic in areas where the paper aims for tangible reforms. For example, controlling measures are to be integrated into the cybersecurity strategy for the first time. While this is welcome in principle, the open letter says. However, the obligations would no longer apply to those who adopt the strategy. The new federal government would then have to deal with this.
Image by Darwin Laganzon