Food for Thought: "Digital Sovereignty" – making Germany future-proof?
Digitisation poses a number of challenges to the ability of German security authorities to act, writes Wilfried Karl, Director of the Central Office for Information Technology in the Security Sector (ZITiS).
The Federal Association for Information Technology, Telecommunications and New Media e. V. (Bitkom) warned in a position paper as early as 2015 that digital sovereignty will determine Germany's future viability. The Bitkom President at the time, Prof. Dieter Kempf, proclaimed: "We must restore our digital capacity to act. The digital revolution depends on digital sovereignty for Germany and Europe."
But what does digital sovereignty mean? Digital sovereignty has many facets. One is the security of transport routes, in which the verifiable cybersecurity of transport infrastructure plays a significant role. Another aspect is an industrial base capable of offering secure and innovative products. This is only possible, however, if the education system manages to train skilled engineers, mathematicians and computer scientists and, in addition, an appropriate legal framework and regulations promote innovations.
At this point, I would like to highlight one issue that is enormously important for the future viability of the security authorities and thus for Germany's sovereignty: closer cooperation between industry, authorities, institutes and universities. To this end, sufficient industrial capabilities must be available. According to a 2018 study by US Cybersecurity Ventures, 358 of the top 500 cybersecurity companies are located in the US, 42 in Israel and 23 in the UK. Germany appears in the list with only 6 (!) companies.
Why is the list so dominated by the US? Why the disproportionate representation of Israel? A look at other countries that are doing a better job can help. The US government has always understood how to involve the private sector very closely in research and development. It also has a long-standing strategy of predominantly looking to domestic markets and companies when it comes to national security projects. According to Bitkom, German companies invested significantly more in information security in 2018, with hardware, software and services for cybersecurity generating a total turnover of 4.1 billion euros – an increase of 9 percent. In contrast, the United States Department of Defense alone has a cybersecurity budget of approximately 8.5 billion US dollars.
Start-ups and innovation centres in the United States are not only supported in their development. There, venture capital or government contracts are awarded to bold, young companies. And existing companies are awarded contracts for innovative ideas. Another important point: In Israel, as in the US, it is common for staff to switch from one authority to another as well as between authorities and the private sector. This kind of staff exchange is still a rare occurrence in Germany, however – certainly between the authorities and the industry, but even among authorities themselves. This is old thinking and inhibits the future viability of the country, as it leads to less exchange of expertise. All sides ultimately benefit from an easier exchange of experts between industry and authorities.
Innovation requires a sufficient amount of well-trained personnel. Central, overarching research and development organisations such as the Central Office for Information Technology in the Security Sector (ZITiS) can help to make more targeted use of personnel and make use of synergies through the interdisciplinary cooperation of experts. ZITiS intends to use research institutes and industrial contractors for the best possible fulfilment of its own tasks, which is why the centre is located in an outstanding research location for information and communication technology: the Munich region. To train the personnel needed, there must be suitable training facilities that teach the necessary curriculum. Other countries have already embarked on this path. In the US, so-called "Centers for Academic Excellence in Cyber Operations" have existed for many years. These numerous universities have introduced corresponding degree courses and provide targeted training for personnel who later on ensure the future viability of the security authorities.
The German Federal Government's cybersecurity strategy consists of two major pillars: on the one hand, securing the capabilities for the protection of digital infrastructures and, on the other hand, safeguarding the security authorities' capabilities for detection and reconnaissance.
Both can only be achieved with an efficient industry and a sufficient number of specially trained experts working at the authorities. The continuous training of a broad national knowledge base for all types of cyber operations is essential to avoid an exclusive dependence on support from abroad in the event of a crisis.
The second pillar often plays only a minor role in public perception, but is just as important as classic cyber security. After all, it strengthens the security authorities' ability to act in the future for the protection and security of Germany's citizens as well as its economy. Encryption methods reserved for the military up until just a few years ago are now freely available to everyone. This technology is used, for example, in many messenger services on smartphones – including by criminals while planning and committing crimes.
An important point in the conversation about digital sovereignty is how the security authorities can fulfil their mission in the current technological environment. On the one hand, it should make no difference whether a terrorist attack is planned on the telephone – and thus technically accessible to investigators – or in chat apps where messages are encrypted end-to-end. Citizens expect crimes to be investigated and solved even in the digital age. On the other hand, there is a need to ensure the protection of privacy – the cornerstones of the federal government's crypto policy will not be undermined by the founding of ZITiS. Secure encryption, including end-to-end encryption, is available to everyone. There are no obligations to deposit keys and no requirements to weaken cryptosystems.
Nevertheless, the state must find methods to obtain the data required to fulfil its mandate in the cases provided for by law. One of these methods is the responsible use of gaps in information systems, for instance in the case of legally regulated source telecommunications surveillance.
Tensions exist, of course, between closing security gaps for the protection of information systems and using a security gap to circumvent access protection so that security authorities can fulfil their mission. The state must deal responsibly with this issue and weigh the risk of keeping security gaps open against the possible benefits. Fear mongering and alarmism are misplaced here and undermine a constructive debate that must be had on this issue – ZITiS is happy to contribute its expertise to the further development of criteria for this evaluation process. One thing, however, must be clear to everyone involved: we cannot stop technological development, nor can we take ourselves back to earlier times that were technologically easier to handle. On the contrary, we must focus on maintaining our ability to act against the backdrop of technological development.
The points mentioned here are only a small part of the large field of digital sovereignty in which government action is required. The challenge now is to consistently meet the demands placed on us by digital sovereignty in order to make Germany's security authorities and all those affected future-proof.
Wilfried Karl took office as Director of ZITiS, the Central Office for Information Technology in the Security Sector (Zentrale Stelle für Informationstechnik im Sicherheitsbereich) on June 1, 2017. From 1993 to 2017, Mr. Karl worked in various positions in the SIGINT directorate of the German Federal Intelligence Service (Bundesnachrichtendienst), most recently as acting head of the directorate.