Yesterday, the German netizen platform Netzpolitik.org leaked a draft version of the upcoming German IT-security law. I will quickly dissect the noteworthy elements. Keep in mind that this draft is probably going to look different once it is presented as a bill.
Compared to the March draft law on the harmonisation of constitutional protection law, which included a full range of problematic capabilities like hack backs, domestic surveillance of German citizens by the BND (which it is not allowed to do) and more, the draft law on IT security is in many respects the „good cop“ and less problematic than the former, but it also has its pitfalls.
It plans to increase the staff of the BSI, the German federal IT-security agency, and gives it easier access to logs in government networks and IT. It also includes stricter reporting obligations for operators of critical infrastructure regarding incidents and vulnerabilities. The BSI is allowed to draw up crisis response plans with operators of critical infrastructure, a measure that should increase resilience after cyber-attacks. A central reporting point for vulnerabilities and incidents will be set up at the BSI. However, more could have been done in the form of policies to manage vulnerabilities (a vulnerabilities equities process and mandatory coordinated vulnerability disclosure policies) in business and politics.
The BSI receives the authority to scan for vulnerable systems (port scans of the web) and to „vaccinate“ affected systems with security patches. This is regarded as controversial in the IT community, but it makes sense to use these capabilities very carefully and in a controlled manner. Allowing Internet service providers to block harmful traffic (such as command-and-control traffic) makes sense in itself, but a possible future extension to other areas (e.g. unpopular Internet content) would create a clear potential for abuse.
Problems arise with a newly added Darknet paragraph and the introduction of „digital trespassing“. This will broadly criminalise Internet services that provide access to illicit activities, which basically covers all TCP/IP-enabled functions, i.e. the whole Internet. Services with legitimate functions, like Tor, could be criminalised. Legal professionals further criticise the increased preventive focus of German IT and law-enforcement law.
The trespassing provision is also problematic. Criminalising unauthorised access to systems can be particularly problematic for ethical hackers and vulnerability researchers. This goes against global trends like the crowd-sourcing of IT security in the form of bug bounties, in which ethical hackers report security gaps found in products to the manufacturer.