
DSI Publications

Online article

Hacking back and international law: An irreconcilable pair?

Verfassungsblog
Henning Christian Lahmann (2020)
Subject(s)
Technology, R&D management
Keyword(s)
Cybersecurity, Cybersicherheit, hackback
The article analyses the proposed hack back/active cyber defence legislation from the perspective of international law. It concludes that while such a policy would not be contrary to Germany's obligations under international law per se, it would be hard to justify in the majority of cases. This is because the remedies self-defence and countermeasures will likely be unavailable due to the persistent problem of timely attribution of cyber operations, and the requirements of the alternative plea of necessity will rarely be met in practice.
Analysis

Die 5G-Debatte: ein Test für die digitale Souveränität Europas [The 5G debate: A test for Europe's digital sovereignty]

Analysen und Argumente
Subject(s)
Strategy and general management; Technology, R&D management
Keyword(s)
Digital sovereignty, technology, EU, 5G, cybersecurity
For more than a year, EU member states have been debating whether and how to restrict the participation of the Chinese technology group Huawei in the expansion of their 5G mobile networks. Caught between its two main trading partners, the US and China, the EU is facing a geopolitical test on several levels. Will Europe be able to ensure the security and reliability of digital infrastructures of key economic and social importance? Will it lead the way in 5G and the associated next wave of industrialisation, or will it lose out on innovation? How should EU member states deal with their dependence on foreign technologies and strengthen their "digital sovereignty", a political priority of the EU Commission under Ursula von der Leyen? The latter in particular could be the most important strategic challenge the EU has to face in the long term, especially in the context of the intensifying trade conflict between the US and China and the threat of a "decoupling" of technological supply chains.
Pages
10
Online article

Does China really owe the world trillions of dollars?

Lawfare
Henning Christian Lahmann (2020)
Keyword(s)
COVID-19, WHO, international law, international responsibility, International Court of Justice, reparation, compensation, pandemic, International Health Regulations, no harm principle, causality
Analysis

5G and beyond: A test for “technological sovereignty” in Europe?

In The convergence puzzle: Australia, Germany and emerging cybersecurity trends, 3 vols. edited by Katja Theodorakis, 35–40. Barton, Australia: Konrad-Adenauer Foundation.
Subject(s)
Strategy and general management; Technology, R&D management
Keyword(s)
5G, technological sovereignty, Europe, cybersecurity, industrial policy
The challenges that the EU faces with 5G go beyond cyber and national security threats. For Europe, the rollout of the 5G infrastructure has become a geopolitical test on several levels. Will Europe be a shaper or taker of 5G technology and the new era of industrialization it promises to propel? How will it be able to control the security and reliability of such key digital infrastructures in the long-term? Eventually, how should EU member states manage their dependencies on foreign technologies and strengthen their “technological sovereignty” – a political priority of the incoming EU Commission led by Ursula von der Leyen? The latter might be the most important strategic issue the EU will need to tackle in the long-term and will be decisive for the Union’s ability to shape its own future in the digital age.
Secondary Title
The convergence puzzle: Australia, Germany and emerging cybersecurity trends
Pages
35–40
Online article

Cyberattacks against hospitals during a pandemic and the case for an emergency regime for cyberspace

fifteeneightyfour
Henning Christian Lahmann (2020)
Subject(s)
Health and environment; Information technology and systems
Keyword(s)
COVID-19, pandemic, cyberattacks, necessity, attribution, rule of law, international law, hospitals
Conference Proceeding

Breaking the lightweight secure PUF: Understanding the relation of input transformations and machine learning resistance

Lecture Notes in Computer Science (LNCS) 11833: 40–54
Nils Wisiol, Georg T. Becker, Marian Margraf, Tudor A. A. Soroceanu, Johannes Tobisch, Benjamin Zengin (2020)
Subject(s)
Information technology and systems
Keyword(s)
Applications, Physically Unclonable Function, machine learning, modelling attack
Physical Unclonable Functions (PUFs) and, in particular, XOR Arbiter PUFs have gained much research interest as an authentication mechanism for embedded systems. One of the biggest problems of (strong) PUFs is their vulnerability to so-called machine learning attacks. In this paper we take a closer look at one aspect of machine learning attacks that has not yet gained the needed attention: the generation of the sub-challenges in XOR Arbiter PUFs fed to the individual Arbiter PUFs. Specifically, we look at one of the most popular ways to generate sub-challenges based on a combination of permutations and XORs as it has been described for the "Lightweight Secure PUF". Previous research suggested that using such a sub-challenge generation increases the machine learning resistance significantly.
Our contribution in the field of sub-challenge generation is three-fold: First, drastically improving attack results by Rührmair et al., we describe a novel attack that can break the Lightweight Secure PUF in time roughly equivalent to an XOR Arbiter PUF without transformation of the challenge input. Second, we give a mathematical model that gives insight into the weakness of the Lightweight Secure PUF and provides a way to study generation of sub-challenges in general. Third, we propose a new, efficient, and cost-effective way for sub-challenge generation that mitigates the attack strategy we used and outperforms the Lightweight Secure PUF in both machine learning resistance and resource overhead.
Volume
11833
ISBN
978-3-030-42068-0
Journal Pages
40–54
Expert testimony paper

Stellungnahme: Anhörung im Deutschen Bundestag, Ausschuss Digitale Agenda, Anhörung "IT-Sicherheit von Hard- und Software als Voraussetzung für Digitale Souveränität" am 11.12.2019 [Testimony: Hearing in the German Bundestag, Digital Agenda Committee, hearing "IT security of hardware and software as a prerequisite for digital sovereignty" on 11.12.2019]

German Federal Parliament No. 19(23)080 (Digital Agenda Committee Paper)
Subject(s)
Economics, politics and business environment; Information technology and systems; Technology, R&D management
Keyword(s)
IT-Security, Digital Sovereignty, Industrial policy
The public hearing of the Digital Agenda Committee on the topic of "IT security of hardware and software as a precondition for digital sovereignty" on Wednesday, December 11, 2019, analyzed how citizens, companies, but also public administration organizations in Germany are positioned with regard to digital sovereignty. The Committee led by Hansjörg Durz (CDU/CSU) focused primarily on the current state of Germany's IT infrastructure and governance, the need for legislative action, and security gaps.
In her statement, Isabel Skierka gives an assessment of Germany's industrial policy position in the field of digital technologies and the IT security situation and recommendations for strengthening digital sovereignty and IT security at the national and European level.

Online article

Mistake of fact in putative self-defence against cyber attacks

EJIL: Talk! (Blog of the European Journal of International Law)
Henning Christian Lahmann (2020)
Subject(s)
Information technology and systems
Keyword(s)
international law, cybersecurity, cyberattacks, evidence, self-defence, countermeasures, mistake of fact
Magazine article

Strengthen digital strategy in the public sector

Today's General Counsel 16 (4): 36–38
Martin Schallbruch (2019)
Subject(s)
Information technology and systems; Technology, R&D management
Keyword(s)
Cybersecurity, digital strategy
Volume
16
Journal Pages
36–38
Online article

How can the public sector overcome its ‘digital weakness'

Siliconrepublic.com
Martin Schallbruch (2019)
Keyword(s)
Digital strategy, government, digital law, digital infrastructure
Today's digital strategy of governments worldwide is failing. The result is a weakening of government functions in the digital sphere, with risks for democracy and freedom. Digital innovation on a society-wide scale will only be effective if governments adopt stronger digital strategies. Key issues are principle-oriented, less specific digital regulation, greater government spending on digital infrastructures, greater autonomy for state and local governments, and the establishment of a "Ministry for Digital Affairs".