Germany’s Federal Office for Information Security had been receiving unaccustomed attention lately. The once obscure agency, whose German name is abbreviated as BSI, is responsible for managing the government’s computer and communications security.
But these days, the BSI is mentioned whenever government officials in Berlin speak about lessons learned from the U.S. National Security Agency’s spying on German Chancellor Angela Merkel’s phone.
Thomas de Maizière, Germany’s interior minister, aims to significantly boost the scope of the BSI, which falls under his authority. Questions about secure information technology are becoming more complex and diverse and, “therefore, the additional expansion of the BSI is necessary,” said de Maizière, a member of Mrs. Merkel’s conservative Christian Democrats.
But Germany’s central IT-security agency faces acute financial problems, sources close to the BSI told Handelsblatt. Important projects for improving data security and updating the BSI’s protection recommendations for businesses are likely to be affected by budgetary constraints recently triggered by Germany’s parliament. Until further notice, all federal authorities will no longer be able to access funds unused from the previous year.
This decision hit the BSI particularly hard. Because complex IT projects often take years to complete, about €28 million ($37.6 million) in unspent funding had accumulated. The amount of money the BSI can no longer access counts for more than a third of its annual budget of about €80 million. The agency in Bonn is now allowed to spend money only on essential services.
“The ministries in question have to find a solution - this must not endanger any projects.”
A spokesperson for Mr. De Maizière declined to comment in detail about the BSI’s financial situation. Reinhard Brandl, a parliamentary budget expert for Mrs. Merkel’s conservatives, has asked the interior and finance ministries to look for solutions.
For de Maizière, the financial situation is not only unpleasant, it’s politically tricky. He will soon present a draft of an IT-security law, where the BSI’s difficulties will fuel criticism of his efforts to beef up Germany’s technological defenses. In particular, members of the German business community, which also relies on the BSI expertise, have warned the planned expansion will overstrain an agency of only 580 employees. Given its growing remit, it is “indispensable to have a capable BSI,” according to one business manager who requested anonymity.
Mr. de Maizière wants to require operators of key German industries such as power plants and water and telecommunications companies to report serious cyberattacks. The BSI would use this information to assess the situation and advise companies about additional protection measures. But companies and security experts said the BSI can’t even fulfill its advisory function today with its puny resources.
As an example, they point to the fact that it took the BSI months to first react to the data theft of 16 million German online accounts recently.
This article was translated by Anna Park Kim. To contact the author: firstname.lastname@example.org