DSI Publications

Book Chapter

Der Staat als Hacker [Government hacking]

In Handbuch Digitalisierung in Staat und Verwaltung, edited by Tanja Klenk, Frank Nullmeier, Göttrik Wewer, 1–12. Wiesbaden: Springer.
Martin Schallbruch (2020)
Subject(s)
Economics, politics and business environment; Ethics and social responsibility; Information technology and systems; Technology, R&D management
Keyword(s)
Government hacking, police, national security, cybersecurity, information security, vulnerabilities, encryption, Computer-Grundrecht, Online-Durchsuchung, hack-back
Governmental hacking has come into the toolbox of the German security authorities - with legal powers for police forces and some intelligence services, with the development of corresponding technologies ("Government Trojan horses") and first deployment experiences. At the same time, government hacking is associated with considerable risks for the individuals concerned and for society at large. Governmental hacking is increasing and will persist. In the long term, it will constitute a major area of conflict between the promotion of information security on the one hand and the disruption of information security on the other.

Secondary Title
Handbuch Digitalisierung in Staat und Verwaltung
Pages
1–12
ISBN
978-3-658-23667-0
ISBN (Online)
978-3-658-23668-7
Book Chapter

Wir brauchen eine Plattformökonomie, die zum Gemeinwohl beiträgt [We need a platform economy that contributes to the public welfare]

In Digitale Daseinsvorsorge, edited by Henning Lühr, 156–167. Bremen: Kellner Verlag.
Martin Schallbruch (2020)
Subject(s)
Economics, politics and business environment; Information technology and systems; Technology, R&D management
Keyword(s)
Platform economy, public services, public sector, competition
The digital transformation of all areas of life also involves the public sphere. The government and politicians are called upon to digitally redesign state and local public services in all areas - from education to health care and transport. Digital platforms play a central role in the digital transformation. On the one hand, platform companies are drivers and supporters in the digitization also of public services. On the other hand, they are often market-dominating companies that can reduce the government's ability to design the digital services. Governments are requested, on the one hand, to develop their own platform strategy for the public sector and, on the other hand, to reduce the power of the market-dominating global platforms and to ensure competition.
Secondary Title
Digitale Daseinsvorsorge
Pages
156–167
ISBN
978-3-95651-257-5
Journal Article

Information operations and the question of illegitimate interference under international law

Israel Law Review 53 (2): 189–224
2020 Best Paper Award
Henning Christian Lahmann (2020)
Subject(s)
Information technology and systems
Keyword(s)
Information operations, cyber operations, cognitive warfare, disinformation, election interference, principle of non-intervention, sovereignty, self-determination
The article examines the legal qualification of state-led information operations that aim to undermine democratic decision-making processes in other states. After a survey of the legal attitudes of states towards such operations during the Cold War, the impact of the digital transformation on the frequency and quality of information operations is explained. The article then assesses scholarly responses to the outlined paradigm shift regarding the prohibition of intervention, respect for sovereignty and the principle of self-determination. The study then inquires whether it is possible to detect a change in how states qualify adversarial information operations by tracking recent state practice and official statements of opinio juris. The survey concludes that there is insufficient uniformity to allow for an inference that the content of the analysed rules of customary international law has already shifted towards more restrictive treatment of foreign interference. As a possible way forward, the article ends with a proposal to focus on deceptive and manipulative conduct of information operations as the most viable path to outlaw such state behavior in the future. Instead of attempting to regulate the content of information, this approach is better suited to safeguard freedom of speech and other potentially affected civil rights.
© Cambridge University Press and The Faculty of Law, The Hebrew University of Jerusalem 2020
Volume
53
Journal Pages
189–224
ISSN (Online)
2047-9336
ISSN (Print)
0021-2237
Online article

Does China really owe the world trillions of dollars?

Lawfare
Henning Christian Lahmann (2020)
Keyword(s)
COVID-19, WHO, international law, international responsibility, International Court of Justice, reparation, compensation, pandemic, International Health Regulations, no harm principle, causality
DSI Industrial & Policy Recommendations Series (IPR)

Konferenz Digitale Identitäten [Digital identity conference]

DSI Industrial & Policy Recommendations Series (IPR)
Martin Schallbruch, Tanja Strüve, Isabel Skierka (2020)
Subject(s)
Information technology and systems; Strategy and general management
Keyword(s)
Digital identities, e-governance, innovation, digital policy
On 4 March 2020, the Digital Society Institute at ESMT hosted the conference Digitale Identitäten 2020, which was held at ESMT under the patronage of the Federal Ministry of the Interior, Building and Community and the Federal Ministry for Economic Affairs and Energy. The aim of the conference was to explore, together with stakeholders from politics, academia and business, what a cross-sector strategy for digital identities could look like. In the plenary session and in four sectoral workshops (education, health, mobility and public administration), participants discussed requirements for digital identities, intra-sector strategies for achieving full coverage within each sector, and a strategy for a cross-sector digital identity.


Pages
7
Analysis

5G and beyond: A test for “technological sovereignty” in Europe?

In The convergence puzzle: Australia, Germany and emerging cybersecurity trends, 3 vols. edited by Katja Theodorakis, 35–40. Barton, Australia: Konrad-Adenauer Foundation.
Subject(s)
Strategy and general management; Technology, R&D management
Keyword(s)
5G, technological sovereignty, Europe, cybersecurity, industrial policy
The challenges that the EU faces with 5G go beyond cyber and national security threats. For Europe, the rollout of the 5G infrastructure has become a geopolitical test on several levels. Will Europe be a shaper or taker of 5G technology and the new era of industrialization it promises to propel? How will it be able to control the security and reliability of such key digital infrastructures in the long-term? Eventually, how should EU member states manage their dependencies on foreign technologies and strengthen their “technological sovereignty” – a political priority of the incoming EU Commission led by Ursula von der Leyen? The latter might be the most important strategic issue the EU will need to tackle in the long-term and will be decisive for the Union’s ability to shape its own future in the digital age.
Secondary Title
The convergence puzzle: Australia, Germany and emerging cybersecurity trends
Pages
35–40
Online article

Cyberattacks against hospitals during a pandemic and the case for an emergency regime for cyberspace

fifteeneightyfour
Henning Christian Lahmann (2020)
Subject(s)
Health and environment; Information technology and systems
Keyword(s)
COVID-19, pandemic, cyberattacks, necessity, attribution, rule of law, international law, hospitals
Journal Article

Sichere IT ohne Schwachstellen und Hintertüren [Secure IT without vulnerabilities and back doors]

TA TuP (Journal for Technology Assessment in Theory and Practice) 29 (1): 30–36
Arnd Weber, Gernot Heiser, Dirk Kuhlmann, Martin Schallbruch, Anupam Chattopadhyay, Sylvain Guilley, Michael Kasper et al. (2020)
Subject(s)
Information technology and systems
Keyword(s)
Cybersecurity, sovereignty, open source, verification, supply chain risks
Increasing dependence on information technology calls for strengthening the requirements on their safety and security. Vulnerabilities that result from flaws in hardware and software are a core problem which market mechanisms have failed to eliminate. A strategy for resolving this issue should consider the following options: (1) private- and public-sector funding for open and secure production, (2) strengthening the sovereign control over the production of critical IT components within an economic zone, and (3) improving and enforcing regulation. This paper analyses the strengths and weaknesses of these options and proposes a globally distributed, secure supply chain based on open and mathematically proved components. The approach supports the integration of legacy and new proprietary components.
Volume
29
Journal Pages
30–36
ISSN (Online)
2199-9201
ISSN (Print)
1619-7623
Conference Proceeding

Breaking the lightweight secure PUF: Understanding the relation of input transformations and machine learning resistance

Lecture Notes in Computer Science (LNCS) 11833: 40–54
Nils Wisiol, Georg T. Becker, Marian Margraf, Tudor A. A. Soroceanu, Johannes Tobisch, Benjamin Zengin (2020)
Subject(s)
Information technology and systems
Keyword(s)
Applications, Physically Unclonable Function, machine learning, modelling attack
Physical Unclonable Functions (PUFs) and, in particular, XOR Arbiter PUFs have gained much research interest as an authentication mechanism for embedded systems. One of the biggest problems of (strong) PUFs is their vulnerability to so-called machine learning attacks. In this paper we take a closer look at one aspect of machine learning attacks that has not yet gained the needed attention: the generation of the sub-challenges in XOR Arbiter PUFs fed to the individual Arbiter PUFs. Specifically, we look at one of the most popular ways to generate sub-challenges based on a combination of permutations and XORs as it has been described for the "Lightweight Secure PUF". Previous research suggested that using such a sub-challenge generation increases the machine learning resistance significantly.
Our contribution in the field of sub-challenge generation is three-fold: First, drastically improving attack results by Rührmair et al., we describe a novel attack that can break the Lightweight Secure PUF in time roughly equivalent to an XOR Arbiter PUF without transformation of the challenge input. Second, we give a mathematical model that gives insight into the weakness of the Lightweight Secure PUF and provides a way to study generation of sub-challenges in general. Third, we propose a new, efficient, and cost-effective way for sub-challenge generation that mitigates the attack strategy we used and outperforms the Lightweight Secure PUF in both machine learning resistance and resource overhead.
Volume
11833
ISBN
978-3-030-42068-0
Journal Pages
40–54
Expert testimony paper

Stellungnahme: Anhörung im Deutschen Bundestag, Ausschuss Digitale Agenda, Anhörung "IT-Sicherheit von Hard- und Software als Voraussetzung für Digitale Souveränität" am 11.12.2019 [Testimony: Hearing in the German Bundestag, Digital Agenda Committee, hearing "IT security of hardware and software as a prerequisite for digital sovereignty" on 11.12.2019]

German Federal Parliament No. 19(23)080 (Digital Agenda Committee Paper)
Subject(s)
Economics, politics and business environment; Information technology and systems; Technology, R&D management
Keyword(s)
IT-Security, Digital Sovereignty, Industrial policy
The public hearing of the Digital Agenda Committee on the topic of "IT security of hardware and software as a precondition for digital sovereignty" on Wednesday, December 11, 2019, analyzed how citizens, companies, but also public administration organizations in Germany are positioned with regard to digital sovereignty. The Committee led by Hansjörg Durz (CDU/CSU) focused primarily on the current state of Germany's IT infrastructure and governance, the need for legislative action, and security gaps.
In her statement, Isabel Skierka gives an assessment of Germany's industrial policy position in the field of digital technologies and the IT security situation and recommendations for strengthening digital sovereignty and IT security at the national and European level.
