An Information Security Community
Whether it's good or not that a government is trying to define a cyber security strategy that encompasses private, public, military and intelligence services, including the federal police and the offices for civil defense and disaster assistance, as well as the European Union, the European Commission, NATO and last but not least the UN - well, I'll let you decide on that.
But let's just see what's really in there. I am not really much interested in the fact that the word "cyber" appears over 60 times in there, excluding the front page, TOC and attached glossary. I am more interested in what new approach to information security is in there, if any - and I promise not to let this become a rant or a sarcastic post. Really.
Let's start with the intentions and goals of the new cyber security strategy: "The Cyber Security Strategy is intended to improve the framework conditions in that area" (the area of cyber security).
Well okay, so it'll be interesting to see how exactly the strategy is trying to achieve that.
IT Threat Assessment
The part "IT threat assessment" is something I can mostly agree with. One sentence attracted my attention, though:
"[..] the cyber security situation will remain critical in the future [..]". So the current situation is critical? What does that mean? Without ranting and being cynical, I guess this is just one of those empty buzzwords that are used or misused quite often.
Is there any real tangible meaning behind that? I don't think so.
This part is about the shared responsibilities of private and public organizations, as well as the need for international cooperation.
It further states that common minimum standards are needed, as well as tighter cooperation between law enforcement authorities.
Basic Principles of the Cyber Security Strategy
Some commonplace stuff here, like: security measures need a comprehensive approach that does not hamper the opportunities and utilization of cyberspace. But then comes a very interesting part:
"The Cyber Security Strategy mainly focuses on civilian approaches and measures. They are complemented by measures taken by the Bundeswehr (German army) to protect its capabilities and measures based on mandates to make cyber security a part of Germany's preventive security strategy."
I am wondering what that is supposed to mean in detail. It then goes on:
"This includes cooperation not only in the United Nations, but also in the EU, the Council of Europe, NATO, the G8, the OSCE and other multinational organizations."
Strategic Objectives and Measures
The text now introduces the ten strategic areas which the Federal Government will specifically focus on:
1. Protection of critical information infrastructures
Again, the text goes on about intensified information sharing and closer coordination. It also mentions something about "legal commitments to enhance the binding nature of the plan for critical infrastructure protection (CIP)". (The CIP, or KRITIS in German, is a plan that has already been around for a while.)
So I guess this will become another regulatory standard or law like SOX, HIPAA and the like. I think this could actually be a good thing, if it doesn't end in mindless compliance checkboxing but rather in controls and procedures that guarantee the survivability of critical infrastructure throughout a crisis.
2. Secure IT systems in Germany
More about collaboration, information and advice, joint initiatives...
And then: "Furthermore we will examine whether providers may have to assume greater responsibility and make sure that a basic collection of appropriate security products and services are made available to users by providers."
This is a part that makes my toenails curl upwards. It's not saying it directly, but it reminds me of the Australians' recent push to make antivirus and firewalls mandatory. I think that would be a very bad idea, and I am only saying it in this moderate way because I promised not to rant. What gives me the creeps even more is the following sentence:
"We want to provide specific incentives and funds for basic security functions certified by the state (e.g. electronic proof of identity or De-mail) to be used by the vast majority of citizens."
It mentions incentives, but I fear that things could rapidly become mandatory, e.g. the use of electronic proof of identity.
If people really take what the government is offering, and shops and providers begin to support the use of these electronic IDs (like the chip in the new Personalausweis), then we could very soon have a German internet that you can only use if you authenticate with your personal ID every time. And when it comes to state-certified security functions - have a look at De-mail (the "De" stands for .de as in "Deutschland", not for "de-" as in de-functional or de-publicise, just to make this clear. Still not being cynical or ranting). De-mail is a government-sponsored service that promises reliable, confidential and authenticated e-mail. But since the encryption is not end-to-end, it will never be able to live up to these promises.
So here comes the question whether these are not things the government should better keep its hands off. Discuss!
3. Strengthening IT security in the public administration
Further enhancements are promised and a bold statement follows:
"State authorities have to serve as role models for data security."
Now how's that? I am of course somewhat skeptical that they will be able to fulfill that role, but this statement is something I had missed so far. We should all remind them of that when the shit hits the fan. (OOOPS, just a slip) ;-)
4. National Cyber Response Center
This is the first thing that is really new to me. The NCRC shall be the hub for "coordination of protection and response measures for IT incidents. It will report to the Federal Office for Information Security (BSI) and cooperate directly with the Federal Office for the Protection of the Constitution (BfV) and the Federal Office of Civil Protection and Disaster Assistance (BBK). [...]"
It goes on about how all the other police and intelligence agencies shall be involved on the basis of cooperation agreements.
I have very mixed feelings about all that. Either it doesn't work out anyway, because there are so many drawbacks to sharing information with these entities, or it leads to the exact opposite, where more and more data is being shared and the whole system becomes a catalyst for ever more hysteria and extended competences and authority for police and intelligence agencies. I'd rather have more money for more training and education, really skilled personnel and more cooperation between existing CERTs. There are still so many things we can do and must do before even thinking about another agency or institution. Instead of fearing tomorrow's super elite, James Bond style advanced persistent threat, we should maybe first educate our staff in detecting and dealing with social engineering attacks, and close the holes that could have already been closed years ago. Or in other words:
1.) buy windows and doors
2.) build them in
3.) close them
4.) lock them
5.) engage a security guard
6.) train the security guard
7.) check if doors, windows, locks and guard work effectively and efficiently
8.) you may now begin thinking about the APT
I don't really believe that we are already at point 8.
I rather think that we have done some of 1 through 6, but only partly and very incompletely.
5. National Cyber Security Council
This will comprise representatives from various federal departments and will be headed by the Federal Government Commissioner for IT. Representatives from academia are also mentioned as optional participants, to be involved if needed.
The text only mentions coordination and politics at the strategic level of cyber security.
Nothing very concrete here, either.
6. Effective crime control also in cyberspace
This part merely repeats the demand for "strengthening" the "capabilities of law enforcement agencies, the Federal Office for Information Security and the private sector in combating cyber crime, also with regard to protection against espionage..."
I will again try not to rant and not to become cynical, but in the past this call for strengthening and "better tools" ultimately meant that the government wants total surveillance and total control, leading to an Orwellian society.
The Bundestrojaner (trojan software to be used by the police), anlasslose Vorratsdatenspeicherung (suspicionless data retention) and the scanning of car license plates are only three examples. And the "global harmonization in criminal law", as well as the mixture of private, public, police, intelligence agencies and military on a local and global scale, conjure up many other fears as well.
It could be that, as a hacker or activist, you will very soon land not only on a no-fly list but also on a no-internet list.
Or even worse - a list of "terrorists". In some nation states hacking falls under terrorist law.
7. Effective coordinated action to ensure cyber security in Europe and worldwide
More about coordination and cooperation, about an international code for state conduct in cyberspace and intensifying anti-botnet activities.
8. Use of reliable and trustworthy information technology
Intensified research on IT security... competences... development. More commonplace stuff.
9. Personnel development in federal authorities
Well, here it finally says something about more training, and more about cooperation.
Additional staff is good, but highly qualified staff would be even better. Have a look at the salaries for IT people in the public sector and you'll see that they cannot compete with those in the private sector. Hard to get the good talent this way.
10. Tools to respond to cyber attacks
Yes, tools are needed. But the text says nothing about which tools those could be.
What's really good, though, is that it says continuous exercises are needed.
I am hoping that this means not only escalation and information sharing, but also the hardcore operational security and forensic stuff: procedures for disaster recovery, incident handling and response, and malware analysis.
I think it is safe to say that most organizations, in both the public and the private sector, have a long way to go in these terms.
Again, as I stated above, let's please begin at the beginning and fix the things that need to be fixed before building something new around it.
If you have read this whole article, I honestly thank you very much! I just don't know myself whether I have wasted my time writing it or you have wasted your time reading it. But I think in these times it's more important than ever to really read and dissect what politics is doing and planning. I am sure there are many things between the lines that have escaped me so far. Let me know if you detected any interesting stuff in there, and please discuss the topic and let me know what you think about it.
As with all blog posts, tweets and everything I write on the internet, the opinions expressed here represent my own and not those of my employer.