A new IT security law proposed by Angela Merkel’s cabinet gives the country’s security authority more power to exclude suppliers it deems to pose a threat to Germany’s critical information systems.
For a long time, the German government, in particular the Chancellor herself, has been trying to strike a balance between American pressure to ban Huawei on security grounds and its concern about antagonising China, one of its most important export markets. That balance looks to have finally come about in the shape of the new security law.
Dubbed “IT Security Act 2.0” (“Zweites Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme”, or “IT-Sicherheitsgesetz 2.0”), the new law would give the Federal Office for Information Security (“Bundesamt für Sicherheit in der Informationstechnik”, or BSI) significantly more power than before to vet vendors for Germany’s critical information systems, which include cellular networks, networks used by utilities, hospitals and transport, as well as networks of the federal government.
Unlike measures in a few other European countries, such as the UK or Sweden, the new law, which still needs to be passed by the Bundestag, Germany’s lower house of parliament, does not explicitly ban Chinese vendors like Huawei. However, the bar is raised if Huawei or other Chinese vendors are to be allowed to build those critical information systems in Germany, including 5G networks.
According to reporting by Süddeutsche Zeitung, a Munich-based broadsheet and one of Germany’s largest daily newspapers, there will be a two-layer security vetting process for vendors and equipment.
Information network operators should inform BSI in advance of the critical equipment they plan to use. BSI will conduct a security examination of the equipment and components at a technical level. If it suspects a security risk, a political examination of the manufacturer’s reliability will be carried out. The Federal Chancellery will have the ultimate decision-making power.
It is the second layer of examination that will raise the barrier against Huawei, as all Chinese companies are legally bound to co-operate with the country’s intelligence agencies. Some suggested the bar is too high for Huawei to play any meaningful role in Germany’s future information network construction. “Obviously a lot depends on how it is applied, but the crucial thing is that it gives us the ability to exclude Huawei. Now it all depends on whether the political will is there to do it,” said Nils Schmid, a Social Democrats MP, quoted in the Financial Times.
The new barrier could pose a problem for Deutsche Telekom, the country’s biggest telecom operator, which has relied heavily on Huawei’s equipment. IT Security Act 2.0 does not specify whether on-network equipment should be removed if it is found to be insecure, though it does require operators of critical infrastructure to store network data for four years, so that cyber-attacks can be tracked retrospectively even if they are not detected immediately.
Meanwhile, Huawei’s spokesman told Reuters that the company welcomed the new law. “For the 5G networks this means that there are higher and equal security standards for all suppliers.” This echoes the company’s position when a similar security law was passed in Finland recently.