When reports emerged late last year that researchers from CERT/CC, a respected American network security team, had helped the FBI to hack the anonymity network Tor, IT security experts were worried. Bodies like CERT/CC (the CERT Coordination Center), Computer Emergency Response Teams (CERTs) and Computer Security Incident Response Teams (CSIRTs) exist to protect the networks of organizations or countries from security incidents. CERT/CC in particular is regarded among the hundreds of CERTs worldwide as a focal point for sharing information on computer security vulnerabilities.
If CERT/CC had indeed exploited vulnerabilities in the Tor software on behalf of the FBI, it would raise essential questions about the cooperation of IT security professionals with law enforcement and intelligence agencies – especially if such cooperation has negative implications for internet security. These questions resonate in countries beyond the United States, and Germany is no exception. Specifically, the German government needs to clarify the roles of the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) and the German CERT-Bund, which resides within the BSI.
CERTs play an important role in IT security. They not only protect the networks of individual organizations, but also coordinate responses to IT security incidents across organizational and national boundaries. More and more countries are establishing national CERTs, which collect and exchange information on IT security incidents and help domestic businesses, internet providers and users respond to such incidents. Besides cooperating with domestic organizations and companies, they serve as the national point of contact for CERTs from abroad. To protect computer networks and systems from attacks, experts must be in regular communication about attack patterns, malware samples, response tactics and data on vulnerabilities. In short, a national CERT is fundamental to a country’s coordination of IT security measures.
Germany does not yet operate a national CERT. Rather, CERT-Bund is a governmental CERT, mainly responsible for protecting government and public authority networks. With additional personnel and competences, it could develop into a national CERT. As a national team, CERT-Bund would have to fulfill a dual role: it would not only protect government networks, but also serve as an independent point of contact for businesses and citizens affected by IT security incidents. As a government agency mandated by the Ministry of the Interior, however, CERT-Bund might be unable to guarantee such independence, in particular with regard to other government actors like law enforcement agencies and secret services.
But cooperation between CERTs and government actors within an appropriate legal framework should be welcomed. For example, CERTs worldwide are increasingly cooperating with law enforcement agencies to prosecute online criminals or remove sources of malicious software. It becomes more complicated – as in the case of CERT/CC – when law enforcement or intelligence agencies put CERTs under pressure and use their technical services or information in pursuit of national security interests.
In the digital realm, the national security interests of intelligence agencies are not always complementary with network security. Case in point: the German Federal Intelligence Service (Bundesnachrichtendienst, or BND) dedicated €4.5 million to purchasing software vulnerabilities, which it can use to exploit networks; at the same time, the task of finding and fixing these very same vulnerabilities is an explicit part of the BSI’s mandate as the Federal Office for Information Security. In the interest of network security, a national CERT that resides within the BSI (as CERT-Bund currently does) would have to report information on security vulnerabilities to the software vendor and not share them exclusively with the BND.
Moreover, the disclosure of confidential information to government agencies without instituting the appropriate data protection and security safeguards can lower confidence in a national CERT. As a result, private businesses and citizens would share their information with reservations, which limits the effectiveness of a CERT. The incident data that private companies share with CERTs, for example, can reveal a great deal about customers, production flows and business secrets.
To function as an effective focal point for network security, a German national CERT must better define its relations with other government actors, particularly law enforcement agencies and intelligence services. To this end, there must be a set of rules and procedures that clearly and transparently outline the circumstances under which information sent by private actors to a national CERT can be forwarded to third parties or made public. Moreover, the CERT needs to respect the basic principles of data protection of personally identifiable information.
In setting up a national CERT, Germany conceivably could separate the responsibility for private networks and public infrastructure from the responsibility for government and public authority networks. The result would be a division of tasks between CERT-Bund and the national CERT. The former would be exclusively responsible for government networks. Meanwhile, the national CERT would manage information sharing with private companies, internet service providers and citizens; it would be institutionally independent from the government and involve CERT-Bund as a stakeholder in its jurisdiction. Austria and Brazil have been following this model for years. Their national CERTs are operated and financed by their countries’ respective country-code top-level domain (ccTLD) registries, .at and .br.
By establishing an independent national CERT, the German government would not only strengthen the nation’s IT security. It would also send a strong signal to countries that are still in the planning stages of setting up IT security laws and capacities. Therefore, a clear separation of national security and IT security organizations would have the added benefit of strengthening Germany’s cyber foreign policy.
This is an updated version of a commentary originally published by Golem.de on January 11, 2016.
by Thorsten Benner, Mirko Hohmann