State intervention – Rescue or ruin?
In recent months, a number of government agencies have been campaigning for state intervention in IT security. This includes an initiative to enforce a minimum level of security for home and small office routers. A policy document has been published by the Federal Office of Information Security (BSI) proposing mandatory requirements for this type of router. Federal Criminal Police (BKA) President Holger Münch made a further demand at the current 2018 autumn conference. In the aftermath of the Telekom botnet hack in November 2016, some states in Germany did not participate in cleaning botnet devices in their jurisdiction due to a lack of legislation. Münch called for national powers to clean and remove botnets in the event of a threat. He argues that this is necessary for the BKA to respond in the event of a national threat, similar to defending the country from terrorist acts.
Improved IT security is always a good idea and state intervention is sometimes the only effective way of enforcing change, such as the compulsory use of seat belts. However, it starts to get more complicated when the goals and motivations are not completely clear. The Chaos Computer Club and consumer associations accuse the BSI of failing to take sufficient account of users' needs in its policy. For example, it does not require the manufacturer to commit to providing security updates for a set period. This is a valid demand, as minimum levels of security quickly become a waste of time if manufacturers stop providing security updates. It is equally understandable that manufacturers want to avoid such an obligation. If the period is too short, this will discourage customers; if it is too long, maintaining firmware and software becomes very expensive. The BSI claims to have spoken with all parties involved during the consultation process and to have invested a lot of time in the policy, but it does seem that a demand for mandatory security updates has probably fallen victim to the manufacturer lobby.
It is a pity that the criticism from the Chaos Computer Club has drowned out some of the good approaches to router security which the BSI has proposed. This includes limiting LAN/Wi-Fi services to a minimum (HTTP/S, DHCP and ICMP), disabling access to the configuration interface via guest Wi-Fi, and requiring WPA2 with strong passwords, as well as enabling a firewall and disabling remote configuration by default. All of these are important improvements that could have prevented many (if not all) hacks in recent years. A secure factory reset is also required, which deletes all personal data from the router and establishes a secure configuration state.
While the BSI is on the right track, the intention of the BKA president is more problematic. Admittedly, it would be desirable to clean bot-infected devices to prevent further infection and stop illegal activity. In the past, security companies have occasionally carried out such actions, and this has always provoked controversial discussion. Issuing a state authority with a free pass for this type of intervention seems open to a very high risk of abuse. The problems start in defining malware and deciding what should and should not be removed. How would state authorities ensure that they do not damage any programs or data when removing malware? What would happen if the removal software was intentionally or unintentionally flawed? Even if the aim is to improve security, the potential side effects are highly dangerous.
Government initiatives for improving information security are far-reaching. No serious manufacturer can ignore a law or directive. But it is precisely for this reason that it is so important to proceed with caution and common sense. In the current completely unregulated router market, cleaning up is a good approach and manufacturers should also be obligated to provide updates for their products. However, awarding federal states the power to access all devices, which would be required to clean malware, simply seems a step too far. Information security remains a balancing act if it is not to lead to a surveillance state.