Biden Schönbohm - Uncertainty is growing!

After the revelations about Schönbohm and Biden's executive order, we need a clear line on data protection more than ever.

The scandal surrounding BSI boss Arne Schönbohm and the discussions surrounding Joe Biden's executive order on the data protection agreement with the EU are two new, extremely worrying pieces of news from the IT security world. Not all the details are yet available in either case, and the news situation is changing rapidly. And yet it can be said that both processes reveal fundamental problems with data security and data protection in Germany that cannot be remedied with minor adjustments in one direction or the other. Instead, it is time to fundamentally reorganize data protection and data security in Germany.

Four central requirements for a reorganization emerge:

1. Data protection and security are technical issues and must be regulated by a technical department!

An institution that is supposed to guarantee data security in Germany must test and recommend the best technical solutions and measures independently of political influence. There must be no entanglement of interests whatsoever. The case of Schönbohm and his relationship with the Cybersecurity Council Germany is a prime example of how things should not be done. The fact that the head of a federal authority responsible for IT security in Germany is associated with an association with unclear objectives, which also wants to give the impression of a highly official function in its name, is unacceptable. Furthermore, an institution such as the BSI must operate in line with the times. The fact that this is not the case is demonstrated, for example, by the awarding of IT security labels by the BSI. Such labels can only be applied for in the categories of broadband routers, email services and smart consumer devices. As if cloud computing, virtualization or edge computing etc. did not exist. The BSI seems to be decades behind in terms of technology.

2. We need a reliable seal of approval for general IT solutions and IT security solutions!

Companies and authorities need a reliable seal that confirms that they can use certain applications and IT security solutions without hesitation. At the moment, the reliability of such certifications is as poor as that of the numerous organic seals in the food industry. Currently, certifications are either issued by a kind of self-declaration to an independent organization such as the BSI or by membership of an association or industry association. None of these supposed seals of approval has any more value than, for example, stating when entering the USA that you are not planning a terrorist attack during your stay. There are even cases of companies receiving or retaining such certifications that have hit the headlines for money laundering for Russia or other illegal transactions, for example. It is unacceptable for any toaster in Germany to be tested and certified more thoroughly and reliably than IT security products that protect our critical infrastructures.

At a minimum, a thorough, independent review must include criteria such as the following:

  • Development location Germany: are all parties involved in the development really subject to German jurisdiction?
  • Source code check: The source code must be disclosed and checked not only for technical errors or backdoors; the software supply chain, i.e. the origin of the individual components, must also be checked.
  • The software must be subjected to in-depth penetration tests.
  • The provider company itself must be checked for links. Are there (personal) links with dubious organizations or powers that cannot be trusted? Does the company supply products to countries with which we are engaged in cyber warfare?

Incidentally, such a review must not be completed with the certification. Any subsequent breach of the award criteria must result in the withdrawal of the quality seal.

3. Data security and data protection must work better together and need more competencies!

Data security and data protection must work hand in hand, especially in the current situation of cyber warfare. In recent times, data protection authorities have often proved to be overburdened or inconsistent. This has just been made clear once again by the data protection officers' fiddling around with the use of MS 365. Even when data protection officers were consistent enough to prohibit the use of MS 365 in schools, they were unable to offer technically adequate alternatives. Furthermore, violations have gone and continue to go largely unpunished.

4. We need clear rules - now!

The discussion about protecting European data from unauthorized access by US authorities is now in its umpteenth round. Companies do not know what measures they need to take or which (cloud) solutions they are allowed to use. As long as they are not given clear guidelines and do not have to fear any consequences, they will continue to act according to the motto "Business as usual." Joe Biden's executive order on the data protection agreement with the EU is therefore just another episode of the political soap opera, in which only a bogus solution to an urgent problem is presented. The key question regarding the executive order is: when is surveillance, i.e. access to the data of European citizens or companies, "proportionate"? As data protection activist Max Schrems noted in a statement, the EU and the US have different views on what is proportionate. It is an illusion that the data of European citizens and companies can be secured with such vague formulations. We should not put up with this new episode of the transatlantic data protection soap opera. The EU Commission must finally provide clarity here.

Disclaimer:
Insofar as this document contains legal explanations and advice, this constitutes non-binding information without any guarantee of completeness or accuracy. In this respect, it does not constitute legal advice and Eperi GmbH does not claim to represent or even replace such advice.
