After revelations about Schoenbohm and Biden's executive order, we need a clear line on data protection more than ever.
The scandal surrounding Federal Office for Information Security (BSI) president Arne Schoenbohm and the discussions surrounding Joe Biden's executive order on the data protection agreement with the EU are two new pieces of extremely worrying news from the IT security world. Not all the details are yet available in either case, and the news is changing at a rapid pace. And yet it can already be said that both processes reveal fundamental problems with data security and data protection in Germany that cannot be remedied with minor adjustments in one direction or the other. Instead, it's time to fundamentally reorganize data privacy and data security in Germany.
Four central requirements for a reorganization emerge:
1. Data protection and security are technical issues and must be regulated by a technical department!
An institution that is to ensure data security in Germany must test and recommend the best technical solutions and measures, detached from political influence. There must be no entanglement of interests in the process. The case of Schoenbohm and his relations with the association "Cyber Security Council Germany e.V." is a prime example of how things should not be done. The fact that the head of a federal authority responsible for IT security in Germany is linked to an association with unclear goals, one that also uses its name to give the impression of a highly official function, is an outrage. Moreover, an institution like the BSI must operate at the cutting edge of technology. The fact that this is not the case is demonstrated, for example, by the BSI's awarding of IT security seals. Such seals can only be applied for in the categories of broadband routers, e-mail services and smart consumer devices. As if cloud computing, virtualization or edge computing etc. did not even exist. The BSI seems to be decades behind in terms of technology.
2. We need a reliable seal of approval for general IT solutions and IT security solutions!
Companies and public authorities need a reliable seal that confirms that they can use certain applications and IT security solutions without hesitation. At the moment, the reliability of such certifications is as poor as that of the numerous organic seals in the food industry. Currently, certifications are issued either by a kind of self-report to an independent organization such as the BSI or by membership in an association or industry body. None of these supposed seals of approval have any more value than, for example, stating when entering the USA that one is not planning a terrorist attack during one's stay. There are even cases of companies receiving or retaining such certifications that have made the headlines, for example, by laundering money for Russia or other illegal business. It is not acceptable that any toaster in Germany is tested and certified more thoroughly and reliably than IT security products that protect our critical infrastructures.
A thorough, independent review must at a minimum include criteria such as the following:
- Development location Germany: to what extent are there really no parties involved in the development that are not subject to German jurisdiction?
- Source code review: The source code must be disclosed, not merely checked for technical errors. The software supply chain, i.e. the origin of individual components, must also be checked.
- The software must be subjected to in-depth penetration tests.
- The supplier company itself must be checked for interconnections. Are there (personnel) links with dubious organizations or with powers that are not to be trusted? Does the company supply products to countries with which we are at cyber war? And so on.
Incidentally, such verification must not end with certification. Any subsequent violation of the award criteria must result in withdrawal of the seal of approval.
3. Data security and data protection must work better together and need more competencies!
Data security and data protection must work hand in hand, especially in the current situation of a cyber war. Data protection authorities have often proven to be overwhelmed or inconsistent in recent times. The clowning around of the data protection authorities over the use of MS 365 has just made this clear once again. Even when data protection officials were consistent enough to prohibit the use of MS 365 in schools, they were unable to offer technically adequate alternatives. Moreover, violations remained and remain largely unpunished.
4. We need clear rules - now!
We are now in the umpteenth round of the discussion about protecting European data from unauthorized access by US authorities. Companies do not know which measures they have to take or which (cloud) solutions they are allowed to use. As long as they do not receive clear guidelines and do not have to fear any consequences, they act according to the motto "business as usual". Thus, Joe Biden's Executive Order on the data protection agreement with the EU is just another episode of the political soap opera in which only a bogus solution to an urgent problem is presented. The crucial question for the Executive Order is: when is surveillance, i.e. access to the data of European citizens or companies, "proportionate"? As privacy activist Max Schrems noted in a statement, the EU and the US have different views on what is proportionate. It is an illusion that the data of European citizens and companies could be secured with such woolly formulations. We should not put up with this new episode of the transatlantic data protection soap opera. The EU Commission must finally provide clarity here.
Insofar as this document contains legal explanations, recommendations and advice, these represent non-binding information without any guarantee of completeness and correctness. In this respect, it does not constitute legal advice, and Eperi GmbH does not claim to represent or even replace such legal advice.