Government's Role in Providing a Secure Framework for Digital Transformation

Yeah, thank you very much for the warm welcome. It's really a pleasure to be here and talk and discuss. So I don't, I don't want to just talk to you. I hope you can enter discussion. Have enough time to have a questions and answer section. So my name is Mike Aor. I'm member of the German bonus tax since the last election. Some words about me originally I've studied mathematics and computer science, then worked short for a while in Columbia with Siemens, then came back to Germany and joined UHS Linox. And since then I'm working in the open source related IT industry.

2004, I founded my own consulting and software development company together with some colleagues from suse. And in parallel 2009, I've started to do politics, regional politics in my hometown baggage Kapa. So as a spare time project. And then from time to time I, I shifted more time into politics. And so last year I got the chance to come into the German bonus talk where I am now speaker for digitization policy for the green party or for the green group and the parliament.

And I'm, I've also a seat and the Committee for Economic Affairs where I'm also responsible for no one questions of digital economy, but also trade related issues, for example. So what we're talking about, if you can slip to the next one please. So ensuring a safe digital environment in, in our days we say the biggest issue is the climate crisis, of course, but then in most cases, people as second, A second item mention digitization, which is key for politics for many reasons. One reason is it causes climate pollution by itself.

So we have the task here to reduce climate impacts of the IT industry, of course is this one task on the other hand use digital innovations to lever developments for climate protection. So these are two sides of a, of a metal. So this is one point. And of course security.

If we, we see what happened over the last year. Some things that we, especially the green party always highlighted that cybersecurity is a big issue. We have to protect our infrastructure and we are vulnerable here. It's now really highlighted after Russia's attack on the UK Ukraine. And we've also seen some impact here in Germany, for example, if you remember the attack on two cables of German railway communication infrastructure and the consequences it had.

So by just cutting two cables, you could stop the whole train trains in northern Germany so that you see how big the impact of a small attack could be. Another example was the attack on satellite infrastructure, which as a side effect cost a lot of wind melts to stop producing energy. So it's obvious that we have to do a lot of things here and that it, it's really is important for politics in general.

Okay, so what's the landscape? We've seen that the bc, the German Federal Bureau for IT security has issued a new report. And what we've all suspected is that that attacks and threats have increased over time. More and more companies got attacks. We see a lot of numbers of ransomware attacks on smaller companies and we don't, we really don't know how many this, these are because many of the smaller companies, they just pay the fee. And so we can just suspect that it is a big issue.

Okay, so what do we have next? Our next slide please?

Yeah, I've already said some of these things and one thing that becomes more and more clear is the dependencies that we have. When the war started, we were mostly talking about energy supply. So energy supply from the east was cut, but at that time not a lot of people talked about the dependency to the west. So what happens if submarine cables are cut, which is technically possible.

And then we have to think about our dependency on those cables first and also on the infrastructure on the other side of the Atlantic Ocean, which is run by big American companies and eventually comes under political pressure if you look to the next presidential elections in two years. So in short words, the question is, are the United States in the long term a reliable partner for trade and for it collaboration? So just imagine that a president for some reason cuts the connection to European companies.

So can, can we be sure that, that we can rely on the connections on the services provided by US companies for the next five or 10 years? It's just a question. So this is one reason to become independent or to do more to become independent. And when we go to the next slide.

Okay, sorry. Got mixed up with a, with a slide.

I, I come back to the independence question later. So just start with the national things. So over the last years we have seen that the German government hasn't done a lot to develop a strategy to defend ourselves against cybersecurity attacks. So one big thing is the so-called C umbrella law that's in German. So C is abbreviation for critical infrastructure. And what we've always demanded over the last year was to make this, this law better, to especially purify responsibilities, define standards on how to protect critical infrastructure. And the government.

I have to say, this is a little bit in delay here. So we talk a lot with the Ministry of Interior was responsible to come around with a new draft for the, for the next generation of this law. And that is something where we put pressure on where we have to put pressure on. Then the big issues are the small medium enterprises. I've already mentioned ransomware techs, we've seen a lot of those and well, ransomware tech is one thing, but if it is possible to enter into such amount of companies to encrypt data, it's also possible to destroy the infrastructure.

And if you imagine that all the power that is used to make ransomware attacks switches the intention to shutting down the infrastructure they attack, we, we may have large effects on, on the whole economy. So this is really a big problem. So we have to do more to protect SMEs, to enable them to protect themselves. We have some, some funds in the Ministry for Economy, but still that's not enough.

And if we step back some months, when we talked about the 100 billion package for defense, we as a greens and we were, we had a common position with our coalition partners was that we need a large amount of this money. The thing we requested were 20 billion for cybersecurity issues. But then if you remember, there was this negotiations with the Christian Democrats, we needed them to agree to the law to change the constitution. They insisted to spend all of the money only into the army.

And now we have the problem that we, we don't have the funding here that we would need to invest in cybersecurity. So that is, that is one thing. And then some words about European initiatives. There are three currently under development, the NIS two directive, which is kind of a framework for maybe especially companies, they that are active in critical infrastructure. Then we have the directive on the resilience of critical entities. That's mainly for public infrastructure and the Cyber Resilience Act, which deals with any kind of devices that contain digital components.

So on the European area, most things are under discussion and I hope we see some progress there very soon. So now let's come back to the point on the next slide. Digital.

So, well I've, I've said before that I'm coming from the open source environment, put it in that way. Of course it is not our demand to say everything has to be opensourced, but we see open source software as a key factor to gain more independence, more sovereign because it's, it's the only way to be sure to evaluate software and to minimize the risk of having that to us in the software that we use. So this is something we recommend to use for everywhere where wherever possible. And so we have for example the Gaia X project on a German, France, European level.

The idea is to have a framework for an own infrastructure, a cloud infrastructure, but also a data sharing platform build on open source, which helps us to become independent from other countries, especially from the United States. So another point on this slide are the, the chains, the chains of materials that we need to produce stuff, especially microelectronics. So we've seen the pandemic situations, the consequences if we have problems with, with the supply of micro electronics.

So, and this is one reason why we have the, the ia, the European project for micro electronics. So the idea is to become as independent as possible when it comes to the production of micro electronics and other products that we need for our overall economic production in Europe. But micro electronics of course are a key factor here. So then we have on the national level, two more projects that one is the server tech fund, which is new. We have now it's about four, five a million euros to fund open source projects that have a key functionality for everybody. For example, encryption libraries.

They're often maintained by just a couple of of people and, but they have a great impact if you have a problem there with open SSL for example, which is used on many, many service and clients. So we want to help to make this opensource, this open basic opensource projects and products more secure. And the server tech fund helps, helps us as one instrument to achieve this. Then we have zees sent for guitar over ate. That's an institution inside the government to help governmental users supporting them when they use open source.

So if somewhere in their administration says, I have an open source product here, I want to use this institution will help them to get support. So that's, I think it's a key factor for making open source products usable inside the, the administration and government institutions. Our case. And then the next slide slide would be the conclusion. So we have seen our weaknesses. The one Ukraine has made it clear again how vulnerable we are. We have seen that cyber attacks can cause severe outages of infrastructure disrupt to economic and public life.

And it becomes clear that we need a whole of government approach tore in the digital sphere. I've mentioned the Curtis umbrella law. We need to enhance cybersecurity of the public and private sector and we need to strange digital sovereignty. So this is from me the the short input. So I'm looking forward to your questions and discussion. Thank you very much. Thank you. Are there any questions in the room just now? Yes sir.

Are you planning the Germany's a federal that in it's, and basically let's say bigger scale threat where this small scale approach would actually cause more problems than propels forward? Yeah, that's a very good question because you've, this is the biggest problem that as from the federal level, we can't force the the cities and the regions to do something when in the IT sector.

So, but we, what we're trying is to offer a platform to make it easier for them to collaborate. So collaboration has to grow up from the bottom. We can't enforce it, we can make it easier and we can, these entities make think about collaboration. And so one example is the breman based institution data part, which is found advisor state of BREMAN and now cooperate with other north regions and they start to offer cloud services for all public entities in Germany. So this is one, one approach but not enough.

The other thing is that if you think about the OTA game, maybe the online Suan gazettes where we had to approach of of efa so that one entity developed something and everybody else could use it. So good idea. But what the problem was, before you start developing software pieces of software in several places, you need a common base. So they forgot to define a standard for communication between the application.

So on this, this lead to a situation that you have a good app here in this town and then the next town another app which which is good but they can't communicate because they forgot to define the interfaces between and, and this is something we can not really enforce, but what we try to make them do by themselves by cooperating. Thanks. So are there any other questions in the room just now? Here we go.

It's, Thank You Hanberg, go to University of Frankfurt. You mentioned the Federal Office of Information Security in one of your in quotes for reports as we quite a few of us probably know that this office is to some degree at the moment in limbo because there is some kind of conflict between the ministry of the interior and the president. And of course in your coalition contract you said you want to put up a new security architecture including putting BSI on a different position level, more independent. And I understand certain discussions are happening now in the government.

Do you see anything from the parliament side on that? Can you give us a position in the perspective? Well the problem is that the, the information we have are also very limited. So we had some reports from the ministry and the digitization committee, but as you can imagine it's about a personal issue. They don't give us any details about the investigations that are going on. So there's not much do we can, not much we can do from the parliamentary side right now.

But the idea, and that is what you mentioned, is to have the BSI in a better position, in a more independent position and that there are some discussions in the background between the parties and the coalition, but there's no concrete new law or something. So slow progress to be short.

Hi, we have a question here from one of our delegates online with the release of the new European Master Don server and the overall instability around Twitter. Is the German government planning on setting up their own MA server? Not that I know of and I'm not sure if this is a good idea that the government has an own Macon server for example, we the green party, we have an own one and I guess some other organizations have an own one too.

And interesting thing about Macon that you, that it is a federated system so it is not necessary that everybody has its own server, but if some, especially non-governmental organizations run such servers, we can use them and they are federated and they see each other. So it's an an interesting idea, but I don't think that it's necessary that the government runs it own ma server. Thanks. Any other questions in the room just now? Another one.

Okay, well let's go to Andre first. Thank you Matt. Thanks. You mentioned several times around smaller businesses and how to some extent they've been left to fend for themselves and you, you, you reference ransomware attacks and yet we see, and and I think you mentioned it, a lot of the structural investments are around large infrastructure, around government, around critical, you know, systems. What are the levers we can do to help those smaller businesses? Because I think they are the, the fastest adopters of new technology and the most fragile. Yes.

And, and smaller and medium business make around 95% of, of the German economy. So it's really an important factor. So you're right.

So, but the first thing is they are responsible by themselves like securing to have a door shut, have locks proper in place. So it's at first sight their responsibility to be safe. But of course we think about what can we do from the politics side.

So there, there is a, a special fund and the Ministry for Economy where companies can get money from, from invest in investments in cybersecurity. And the BSE has a program where they work together with local companies to, to give a first step consultancy and then have certified consultants, which they point the SSEs to so they can get help in the end. But to be short, it's their responsibility and we can try to help them get on the right track That we have. Another question. And back there, So I'm currently working with small medium enterprises.

I, I was before in a big company, I, this is not in my opinion the only answer to his question. For me it's more the problem. I'm working currently also with the project, with the, the you so to speak. The problem are all these regulations, I mean, so we're doing digital identities. The the whole script, which you have to work through all the, you know, really what you have to put in. It's like hundreds of pages. I understand it. But if you're a small company with a small business case, there is no way you could use these papers.

So coming back to your question, one thing is consultants, the technical side you were speaking about, for me, the other side is there too because you, you make these small companies do stuff, they don't even have the money to pay for all that work, which has to be done. So this is an advocate. What I'm doing also in, in this project, they say you gotta think about these people and like you said, it's 95%. So there are two answers to your question. I agree with you that I don't think that the government is doing enough.

I'm just saying that cuz and, and I'm really concerned that there's all these people writing exactly which epsilon you have to put in, in your code and all that kind of stuff. That's not doable. That's not doable. So there is a, it's really a strong trade off. I think there are enough companies, small companies helping when you've been attacked at something else.

But the, the regulations are the problems, not the BSI regulations, which are also a problem. But that makes, makes it hard. The security for those companies is really difficult.

I I, Yes, I agree that it's really difficult and I also agree that government could and should do more to have some, yeah. Coming back to the 100 billion package. So it was our desire to have like 20 billions out of this package for cybersecurity and especially for a private and public cybersecurity. And I also agree that it's really difficult for small companies to follow all the regulations and the recommendations.

So, and without the help of external consultants, it's nearly impossible. Yeah. And that's then cost a lot of money.

It's, it's a big problem. Yeah. Right. And thank you very much in the interest of time, just to make sure that we are back on time and that our online audience is, is, is still in time with us. I'm afraid we're gonna have to call it there. But once again, another round applause for Mark Mike. A Thank you.