The suggestions that German IT security experts have put on politicians’ agenda in their country are similar to those that their colleagues in other European countries discuss - above all the call to create good conditions for digital transformation in order to remain competitive in the future. IT security experts and managers are addressing politicians with a total of nineteen memoranda*. We have selected some of these to discuss in more detail. The threat of cybercrime is becoming more serious every year. CIOs and security managers try to keep pace and protect their businesses, organizations, authorities and institutions from attacks. In the face of a growing number of ransomware attacks, fake news and cyber espionage, they are encouraging the political parties to consider, amongst other things, the following IT security-relevant issues.
"Digital sovereignty: The Federal Republic of Germany must not lose its technological sovereignty over critical IT applications."
US technologies are used worldwide. There are (almost) no alternatives to American firewalls, cloud services or operating systems. In view of the American leadership in the technology sector, it is essential for Germany to develop its own technologies in order to be able to participate and add value in future-oriented industries.
"There is a need for a politically independent concept of how Germany protects companies from being spied on with the help of IT and can protect their innovations."
Interesting point, but how should politicians create such a framework, and how should they implement it? The wheels of politics grind slowly, too slowly. Hoping for politically independent ideas could be in vain, and in terms of IT security, others are likely to stay out in front.
"The German government must become an active, orchestrating player in cybersecurity, providing its findings on testing protection quality of procedures, products and services to others, especially to the federal states and municipalities, and establishing a basic shield of protection in the medium term in authorities/public organizations."
Here, too, we see that it is industry rather than politicians who are able to act, because industry has more know-how and more flexible structures overall, and thus is much more likely to create the desired result faster and more efficiently.
"Digitization must not automatically mean the loss of sovereignty over confidential data."
This memorandum asks for careful consideration of who may and should have access to confidential enterprise information. Since many IT solutions are very complex, many enterprises are moving some of their data and processes to the cloud. Cloud solutions are not only very convenient and comfortable, but also easy to implement, and their use is recommended in many areas. If you think of meetings or presentations with participants from different countries, providers of internet-based web and video conferencing software have become indispensable in business life. However, a service that is not suitable for confidential meetings may create new and significant risks. It is therefore important to carefully consider and weigh up business processes and areas before digitizing them. Can sovereignty over company data lie with another company, for example an American cloud service? Or must the data remain within the company itself for the sake of data integrity? In either case, security solutions such as Cryptshare can be used. It can be operated on-site or by a service provider of choice, and still requires a small amount of administrative effort.
"Data protection 'made in Germany' must be an internationally competitive location factor."
"Made in Germany" is still a mark of quality for some - although some automotive manufacturers have added some "dents" to the image in recent years. Germany is one of the countries in Europe with the most advanced data protection laws. So a clear plea to politicians: this is good and should remain in place. Politicians should not let themselves be drawn into compromises on new legislative proposals - even if these are repeatedly demanded and welcomed by data-driven companies. At the same time, however, it is also a plea to companies to apply the principle of "privacy by design", which means considering data protection from the outset when developing new technology and incorporating data protection-friendly settings. In this way, data protection "made in Germany" can be a real competitive advantage and become the preferred alternative for companies worldwide.
"Users need to be motivated to use cryptography in the digital environment."
We can only underline this as a necessity. Digital data can be copied, modified and manipulated quickly and easily. Digital communications are vulnerable, and they are increasingly attacked in a targeted manner for monetary gain. The state could raise awareness among its citizens through awareness campaigns and foster a more open attitude towards encryption technology among companies and private individuals. Educational programs in schools and universities could provide in-depth knowledge about encryption methods and greatly lower the barrier to everyday use.
"Mail encryption must be simple and therefore usable for all, which means supporting a uniform technology throughout Germany."
Yes and no. We do believe that email encryption needs to be simple. We go even further and say: it must be simple, secure and comprehensible. (People using Cryptshare confirm this.) But the De-Mail service subsidized by the Federal Government is anything but easy. It has not established itself to this day. "Currently there are more than a million De-Mail participants." (For comparison: Cryptshare counts over 2.5 million licensed users in 30 countries.) The complicated identity checks when setting up a De-Mail account discourage people from creating one. Perhaps the criticism of its lack of security up to 2015 and the faded trust ever since are possible reasons for the slow take-up. Or the fact that De-Mail, as a national stand-alone solution, has failed to meet the needs of digital communication, which is becoming increasingly international in our globalized world. At this point, we would like to plead for diversity and competition in the market, and recommend that companies use simple, secure and comprehensible email communication like Cryptshare.
"'Governmental trojans' are to be rejected."
Here, too, yes and no! On the one hand, the online search of potential criminals is actually helpful to protect the population and can help to solve criminal offenses or even, in the best case, prevent them. On the other hand, there is the often-expressed fear that the government will systematically monitor its citizens. Ultimately, a debate is still needed in which we find out how much security and what level of privacy we want. Could the answer be not to reject governmental trojans in principle, but to use them reasonably and in a controlled way in order to curb criminal elements? At the end of the day, this is a question of trust in the government and the effectiveness of its supervisory authorities.
We can agree on most reasonable proposals and encourage politicians to put the political focus on IT security-relevant points in the interests of the German economy and of their citizens - now and into the future. The government can do a lot to strengthen information security in Germany: among other things, through tax incentives; by strengthening awareness of IT-related issues from an early age with awareness programs, starting in school and beyond; through suitable courses of study; and through competitions, tenders and research funding that create incentives, promote IT talent and motivate people to enter the IT security sector. The state can do a lot, but does not have to do everything. Creating favorable conditions is certainly the best measure that it can take. When it comes to implementation, IT companies are certainly faster and more efficient.