IT SECURITY

Big Brother from Another Motherland

File picture illustration of the word 'password' pictured on a computer screen, taken in Berlin May 21, 2013. Security experts warn there is little Internet users can do to protect themselves from the recently uncovered "Heartbleed" bug that exposes data to hackers, at least not until vulnerable websites upgrade their software. Researchers have observed April 8, 2014, sophisticated hacking groups conducting automated scans of the Internet in search of Web servers running a widely used Web encryption program known as OpenSSL that makes them vulnerable to the theft of data, including passwords, confidential communications and credit card numbers. OpenSSL is used on about two-thirds of all Web servers, but the issue has gone undetected for about two years. REUTERS/Pawel Kopczynski/Files (GERMANY - Tags: CRIME LAW SCIENCE TECHNOLOGY)
Can the Internet ever be safe?
  • Why it matters

    Foreign IT companies forced by their governments to cooperate with intelligence agencies could lose out on German government contracts.

  • Facts

    • The German state is one of the largest IT customers in the country, having spent €20.4 billion in 2013.
    • IT companies contracted with the German state are required to vouch not just for the security of their own products, but also those of their suppliers.
    • When the rules are violated, the government can cancel a contract if the IT company in question fails to fix the security vulnerability.

Suddenly a few lines of program code appeared where they didn’t belong. Was it America’s NSA? Or maybe another intelligence service? It’s difficult to know.

Juniper Networks, a California-based internet security software company, warned the public at the end of last year that it had found two backdoors in an operating system used by some of its firewalls. Whoever knew how to exploit these holes could monitor encrypted data on thousands of devices. And just who was responsible for this breach? The main suspect, perhaps unsurprisingly, is the NSA.

If there is one thing foreign governments have learned from the revelations by former NSA contractor-turned-whistleblower Edward Snowden, it is that intelligence services around the world can and do go to great lengths to spy on other governments.

The German government, shaken from its naiveté by the revelation that the NSA eavesdropped on Chancellor Angela Merkel’s cellphone, is now making a real effort, and spending substantial sums, to protect itself from foreign intelligence services.

“In some countries, hardware manufacturers are forced by their governments to cooperate with intelligence services.”

Ralf Koenzen, Public Sector Expert at Bitkom

As of March, IT companies working on German government contracts must guarantee in writing that the systems and devices they install are “free of damage causing software,” the kind that intelligence services could use as a backdoor to conduct surveillance.

The IT industry is working at breakneck pace to comply with the new rule and keep one of its most important customers happy. According to estimates by the digital association Bitkom, the German state spent €20.4 billion ($23 billion) on IT services and hardware in 2013. That figure could significantly increase in the coming years as the government seeks to build its own data cloud.

But not all companies will be able to benefit from the contracting boon.

“From conversations within the industry, we know that not all manufacturers are in a position to guarantee to their partners and customers that their products have no backdoors,” Ralf Koenzen, founder of the German router manufacturer Lancom, told Handelsblatt. “In some countries, hardware manufacturers are forced by their governments to cooperate with intelligence services.”


China’s Huawei, for example, has been repeatedly accused of building backdoors into its products for the Chinese intelligence services, a charge it has steadfastly denied.

Even domestic companies find the new rules onerous. They’re not only required to guarantee the integrity of their own IT systems, but also the hardware and software of their suppliers.

Steven Handgrätinger, the head of public contracts at Bechtle, said the IT systems giant is requiring its suppliers to sign a “disclosure statement for our own protection.” Hardware manufacturers like Nokia and Ericsson have already said they would sign such disclosures when requested.

“The rules could lead to more transparency,” Mr. Handgrätinger told Handelsblatt.

Though the rules might seem tough, the consequences of non-compliance aren’t very severe. A company that’s found to have installed software or hardware that violates the rules can keep its contract if it fixes the problem. The government can cancel the contract only if the problem isn’t fixed. The IT industry lobbied against and was able to defeat a tougher enforcement mechanism.

Whatever the rules, security breaches are almost inevitable given the complexity of telecom and computer technology.

“It’s a structural problem,” Felix Zimmermann, head of the public sector division at Bitkom, told Handelsblatt. The technology can be checked but there’s no such thing as 100 percent security, he said.

The interior ministry has described the new rules as “building blocks for more IT security that are indispensable but also insufficient on their own.” According to Mr. Zimmermann, the government will need knowledgeable staff to monitor compliance.

“Whoever demands IT security must be able to evaluate it,” he said.

In the end, German companies stand to benefit once they’ve adapted to the contracting rules. The country’s IT security association, Teletrust, plans to introduce a label that will tell customers whether or not a software or hardware product is safe.

Companies headquartered in Germany that conduct research and development in the country and are deemed trustworthy will be eligible for the label: “IT Security Made in Germany.”

 

Ina Karabasz is an editor at Handelsblatt’s companies and markets team, covering telecommunications, IT and security issues. Christof Kerkmann is an editor for Handelsblatt Online and writes about the technology sector. To contact the authors: kerkmann@handelsblatt.com and karabasz@handelsblatt.com
