Germany's top IT security body is not as inactive as it seems. Since the fall of last year, the Federal Office for Information Security (BSI) has apparently been communicating with Microsoft for information about its security precautions. After Microsoft failed to deliver communications and continued to delay communications, the British Bureau of Investigation resorted to its sharpest sword: Section 7A of the British Bureau of Investigation Act, which allows it, among other things, to bring legal action in order to disclose the information. This has now become known through a leak from the Digital Committee of the Bundestag.
advertisement
The request for information comes in the context of blatant security incidents at Microsoft, where attackers in the country were able to access information from Microsoft itself, but also from its cloud customers, on several occasions. Specifically, it's about stealing the Microsoft cloud master key. The investigating committee appointed by the US Department of Homeland Security (DHS) has already diagnosed Microsoft's complete failure in this case. Microsoft has at least talked to them; However, the flow of information to the British Bureau of Investigation was so hampered that the German authorities gradually stepped up their investigations.
Harsh criticism of Microsoft
“As the technical dispute with Microsoft continues, BSI has taken the formal course of issuing an order because information previously received by BSI in a regular exchange was not satisfactory,” a BSI spokesperson explained the security oversight procedure. Specifically, BSI was interested, among other things, in using so-called double-key cryptography, which could have prevented data leakage, at least in particularly secure environments. In this process, data is encrypted using two keys, one of which always remains with the client. But the details are so unclear that the FBI apparently cannot assess whether the attackers had access to plain text data.
Even after repeated inquiries and threats of a lawsuit, Microsoft did not provide the requested information. The BSI is therefore now using the legal tools at its disposal, explains a BSI spokesperson, who still sees a need for the information. It also makes explicit reference to the harsh criticism directed at the US Cybersecurity Review Board, whose assessment BSI shares. “BSI believes that other cloud providers are in a better position when it comes to technical implementation of security and how they react when an IT security incident occurs,” is also its conclusion.
Paragraph 7 of the BSIG
Section 7 of the BSI Act deals with warnings issued by the BSI. Paragraph 7a regulates “necessary IT security investigation”; Accordingly, the Federal Office can “request all necessary information from manufacturers of IT products and systems, especially regarding technical details.” This is exactly what BSI apparently did and reported at the Digital Committee of the German Bundestag. It appears that the information leaked from there to Spiegel magazine, which reported more details.
Note on our behalf: The author of this article has warned of a “dangerous anti-Microsoft stance” in light of US CISA activities and apparent inaction on the part of BSI. I'd like to retract that – I'm “officially a fan” of the current approach and very excited to see what comes next.
(Yes)
