Suddenly a few lines of program code appeared where they didn’t belong. Was it America’s NSA? Or maybe another intelligence service? It’s difficult to know.
Juniper Networks, a California-based maker of network and security equipment, warned the public at the end of last year that it had found two backdoors in an operating system used by some of its firewalls. Whoever knew how to exploit these holes could decrypt VPN traffic passing through thousands of devices, or log in to the firewalls themselves. Juniper described the code as unauthorized, which is to say that even the manufacturer had not knowingly put it there. And just who was responsible? The main suspect, perhaps unsurprisingly, is the NSA.
If there is one thing foreign governments have learned from the revelations by former NSA contractor-turned-whistleblower Edward Snowden, it is that intelligence services around the world can and do go to great lengths to spy on other governments.
The German government, shaken from its naiveté by the revelation that the NSA eavesdropped on Chancellor Angela Merkel’s cellphone, is now making a real effort, and spending substantial sums, to protect itself from foreign intelligence services.
As of March, IT companies working on German government contracts must guarantee in writing that the systems and devices they install are “free of damage-causing software,” the kind that intelligence services could use as a backdoor to conduct surveillance.
The IT industry is working at breakneck pace to comply with the new rule and keep one of its most important customers happy. According to estimates by the digital association Bitkom, the German state spent €20.4 billion ($23 billion) on IT services and hardware in 2013. That figure could significantly increase in the coming years as the government seeks to build its own data cloud.
But not all companies will be able to benefit from the contracting boon.
“From conversations within the industry, we know that not all manufacturers are in a position to guarantee to their partners and customers that their products have no backdoors,” Ralf Koenzen, founder of the German router manufacturer Lancom, told Handelsblatt. “In some countries, hardware manufacturers are forced by their governments to cooperate with intelligence services.”
China’s Huawei, for example, has been repeatedly accused of building backdoors into its products for the Chinese intelligence services, a charge it has steadfastly denied.
Even domestic companies find the new rules onerous. They are required to guarantee not only the integrity of their own IT systems, but also that of the hardware and software of their suppliers.
Steven Handgrätinger, the head of public contracts at Bechtle, said the IT systems giant is requiring its suppliers to sign a “disclosure statement for our own protection.” Hardware manufacturers like Nokia and Ericsson have already said they would sign such disclosures when requested.
“The rules could lead to more transparency,” Mr. Handgrätinger told Handelsblatt.
Though the rules might seem tough, the consequences of non-compliance aren’t very severe. A company that’s found to have installed software or hardware that violates the rules can keep its contract if it fixes the problem. The government can cancel the contract only if the problem isn’t fixed. The IT industry lobbied against and was able to defeat a tougher enforcement mechanism.
Whatever the rules, security breaches are almost inevitable given the complexity of telecom and computer technology.
“It’s a structural problem,” Felix Zimmermann, head of the public sector division at Bitkom, told Handelsblatt. The technology can be checked but there’s no such thing as 100 percent security, he said.
The interior ministry has described the new rules as “building blocks for more IT security that are indispensable but also insufficient on their own.” According to Mr. Zimmermann, the government will need knowledgeable staff to monitor compliance.
“Whoever demands IT security must be able to evaluate it,” he said.
In the end, German companies stand to benefit once they’ve adapted to the contracting rules. The country’s IT security association, Teletrust, plans to introduce a label that will tell customers whether or not a software or hardware product is safe.
Companies headquartered in Germany that conduct research and development in the country and are deemed trustworthy will be eligible for the label: “IT Security Made in Germany.”
Ina Karabasz is an editor at Handelsblatt’s companies and markets team, covering telecommunications, IT and security issues. Christof Kerkmann is an editor for Handelsblatt Online and writes about the technology sector.