Hacker authority: Faeser wants to upgrade Zitis to a monitoring center
Since 2017, the controversial Central Office for Information Technology in the Security Sector (Zitis) has operated solely on the basis of a decree by the former Federal Interior Minister Thomas de Maizière (CDU), supporting other security authorities in fundamental rights-sensitive areas such as telecommunications surveillance, cryptanalysis, forensics and big data analysis. This work is now to be put on a legal basis after the fact. At the same time, the current Minister of the Interior, Nancy Faeser (SPD), wants to significantly expand the powers and scope of the institution that has become known as the hacking authority.
“Consistent” expansion planned
This emerges from a key issues paper by the Federal Ministry of the Interior (BMI), which the portal Netzpolitik.org has published. In the coalition agreement, the traffic light coalition agreed to create a legal basis for Zitis and federal-state institutions such as the Joint Counter-Terrorism Center, to regulate their responsibilities more clearly and to guarantee seamless supervision. The Greens in particular have long been pushing for this passage to be implemented. However, there was no talk of strengthening Zitis’ role; it was more about legislative containment.
In her cyber security agenda, however, Faeser has already hinted that Zitis is to be “consistently” expanded to become a central service provider with its own national development capabilities and assessment competence. The aim is to enable the self-proclaimed “Cyber Authority 4.0” to provide other federal security authorities with technical solutions and IT services in an even better and “targeted” manner.
Faeser’s ministry now wants to follow this plan with action. The plan is to legalize the unilateral decree and to further develop Zitis as a central “service provider for its users” in the security sector. The provision and operation of IT services are to be added to the previous tasks. This includes the programming of technical solutions such as state trojans “including their further development, maintenance and care” as well as the “hosting of services commissioned by the users”. It was recently announced that Zitis was interested in the spyware Predator from the Intellexa conglomerate.
Participation of more authorities
Zitis is currently working primarily on behalf of the Federal Criminal Police Office (BKA), the Federal Office for the Protection of the Constitution and the Federal Police. As part of the legislative process, which is to be initiated on the basis of the key points, the Federal Ministry of the Interior now wants to have “participation opportunities for other authorities” examined. In particular, the draft should provide that the Federal Intelligence Service (BND), the Customs Criminal Police Office and the Federal Office for the Military Counterintelligence Service (MAD) can continue to benefit from Zitis’ work at their own discretion. It is also important to find out whether these authorities could become direct users of the facility. The work program is to be discussed with an advisory board.
The government alliance also agreed to guarantee “complete control” of Zitis by parliaments and data protection authorities. The key issues paper offers little in this regard. It mentions only that the General Data Protection Regulation (GDPR) and the Federal Data Protection Act as well as the associated supervisory and control provisions also apply to the service unit. In fact, there is a separate data protection directive at EU level for security agencies and the judicial sector, which is not entirely in line with the GDPR.
Only in the further course of the proceedings does the BMI want to determine whether “a specific legal basis for the processing of personal data” should be anchored directly in the Zitis Act. This could be necessary for examination and testing purposes “in favor of the further development of technical solutions”, changes of purpose and to handle “special categories” of personal information.
No word on how to deal with vulnerabilities
In addition, Zitis’ competencies should no longer be limited to, for example, the development and testing of eavesdropping solutions. “For the research and development of new functions for recording and evaluation devices for telecommunications surveillance and for the evaluation of products available on the market in this area, there is a need for the trial application of the surveillance functions,” states the interior department. The Telecommunications Surveillance Ordinance (TKÜV) would have to be adapted for this.
In the paper, the Federal Ministry of the Interior does not say a word about the “effective weak point management” that was also agreed by the traffic light coalition. The coalition agreement states that the state “should not buy or keep any security gaps open”, but should “always strive to close them as quickly as possible” under the leadership of a more independent Federal Office for Information Security (BSI). For the effective use of state Trojans, however, it is necessary to hoard and exploit IT vulnerabilities.
Not everyone agrees with the plan, in the opposition but also within the coalition. “As the Green parliamentary group, we definitely still see room for improvement,” Konstantin von Notz, deputy parliamentary group leader and chairman of the parliamentary control committee over the secret services (PKGr), explained to heise online. “We will be very intensively involved in the further discussion about the agreed concrete legal regulation. Our goal is maximum legal clarity regarding the specific work of Zitis, but also improved parliamentary control. Both are long overdue.”
“Unfortunately, it happened as feared: A law on Zitis is to be used to develop it into the federal interception center,” complained Martina Renner, leader of the left-wing faction in the Bundestag’s Interior Committee, to Netzpolitik.org. “Instead of limiting the tasks and powers, the cornerstones contain their expansion.” The planned parliamentary control is “ridiculous”.
(my)