Schneier on Security

A blog covering security and security technology.

« Online Student Exams | Main | NIST on Security Logs »

May 17, 2006

Bundesamt für Sicherheit in der Informationstechnik

The Bundesamt für Sicherheit in der Informationstechnik, or Federal Office for Information Security, or BSI, is Germany's equivalent of the NSA. They have an English-language website that has a number of English-language security publications.

Posted on May 17, 2006 at 12:21 PM • 19 Comments

To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.

Comments

Jojo • May 17, 2006 12:36 PM

You don't mean the telephone spying NSA I hope...

Jochen • May 17, 2006 12:42 PM

Actually Germany's equivalent of the NSA is the Verfassungsschutz (http://verfassungsschutz.de/en/index_en.html). BSI is more kind of a government CERT and only responsible for IT security matters. There are no spies there. ;)

Jojo • May 17, 2006 12:48 PM

But the Verfassungsschutz is for internal affairs, the MAD (Militärischer Abschirmdienst) is for the issues of the Bundeswehr (army) and we have the BND (Bundesnachrichtendienst) which is for foreign affairs.

Valentin • May 17, 2006 1:00 PM

comparing BSI and NSA is a bit far fetched. BSI employs like 400 people .. and its role (at least officially) is only defensive i.e. securing computer systems (especially those owned by the state), not spying on anyone.

Klaus • May 17, 2006 1:31 PM

Even though it is also a government agency, the BSI is basically the opposite of the NSA, since one of it's goals (in addition to improving general IT security) is providing Counter-Eavesdropping technologies for the administration but also the general public, e.g. IT companies (see their own web page: http://www.bsi.bund.de/english/department3.htm).

Nicholas Weaver • May 17, 2006 1:48 PM

One thing people forget is that the NSA has two roles. There's the "Spy on everyone else" roll, and there is the "Keep our systems safe" role.

Jeff • May 17, 2006 1:59 PM

@Nicolas Weaver: s/everyone else/everyone/

Jorge • May 17, 2006 3:32 PM

What's probably important to know for non-germans is that the BSI, contrary to the NSA, has a good reputation, especially a reputation for suggesting sensible things and actually sponsoring security-enhancing projects (e.g., an own debian-based Linux desktop distribution targeted at other government agencies). Part of their activities even entered official open source packages, like their S-MIME/OpenPGP efforts - see http://www.gnupg.org/aegypten/.

With all the insanity that happens in governments around the world (our own, too), it is refreshing to have some people who still use their brain.

Jonas • May 17, 2006 4:37 PM

They are like the NSA only in the way that they have a lot of good people who seem to understand cryptography and computer security. They opposed the "Epassport"-initiative, they provide and support open-source cryptography software and they analyze security vulnerabilities.

They do not, in any way, spy on people. It's simply not their role. In fact, spying on people in Germany is primarily the NSA's job, who shares its results with the German government, but we also just had a huge scandal with the BND (= CIA equivalent) eavesdropping on journalists for almost a decade.

So your statement is certainly not entirely true.

Fuzzy • May 17, 2006 9:12 PM

@Jorge

The NSA has also sponsored security-enhancing projects, like SELinux (Security-Enhanced Linux). http://www.nsa.gov/selinux/
The NSA has also published guides to help secure systems (Security Configuration Guides). http://www.nsa.gov/snac/
As Nicolas pointed out, the NSA is also charged with helping to protect computer systems.

RandomEvent • May 18, 2006 1:41 AM

@Fuzzy
NSA and BSI are both sponsering open source software but the BSI ist definitely not the equivalent of the NSA. The BSI is just the appropriate authority of the german goverment for everything which has to do with information technology. The BSI is neither monitoring civilian telephone, fax and data traffic nor integrated in operations of the army.

Rochus • May 18, 2006 4:11 AM

The closest equivalent to the BSI is the NCSC - with the difference, that the NCSC is part of the NSA, but the BSI is not part of any intelligence agency.

Clive Robinson • May 18, 2006 11:02 AM

Bruce,

You have forgoton to mention that Germany unlike most other countries has quite good laws for protecting their citizens from unwarented search. This also carries over to the electronic realm as well so they end up with some of the best privecy laws around.

This is due in the main to the problems caused by a certain little corpral who thought he could rule the world by any means he and his cronies deamed necasary...

Interestingly their securtiy serivces make a lot lot less noise about "super criminals" using "hard crypto" etc...

Till • May 18, 2006 7:46 PM

* I agree that the BSI does a lot of good work and often makes sensible suggestions (the only exception I remember being their argument defending a small keyspace for e-passports).

* The law establishing the BSI mentions support of law enforcement and the Constitution Protection Offices (http://en.wikipedia.org/wiki/Verfassungsschutz) as one of their jobs. However, the law also says that every such request for support has to be documented. Here's a rough translation of the relevant paragraph

BSIG § 3 (1) The BSI has the following mission: [...] 6. Support of a) the police and law enforcement agencies in the execution of their mission as defined by law, b) the Constitution Protection Offices in the analysis and evaluation of information gathered during the observation of terrorist activities or [of??] intelligence activities within the limits set by the state and federal laws concerning the Constitution Protection Offices. This support may provided only in so far as it is necessary to prevent or investigate activities that are targeted against Information Security or make use of Information Security."

Source: http://www.bsi.de/bsi/bsiges.pdf

* The BSI used to be part of the crypto division (Zentralstelle für das Chiffrierwesen, ZfCh) of Germany's equivalent of the CIA, the Bundesnachrichtendienst (BND). See the official history of the BSI (in English): http://www.bsi.de/english/history.htm .

* Googling found this 1995 inquiry by German members of parliament (Green Party):

http://dip.bundestag.de/btd/13/033/1303313.pdf

They compare ZfCh to NSA and GCHQ and ask how BSI deals with the seemingly conflicting goals of helping the general public improve computer security and helping the BND (and MAD?) gather intelligence. Here's the federal government's reply:

http://dip.bundestag.de/btd/13/034/1303408.pdf

They deny that the BSI has conflicting goals. Most importantly, on p. 8, they deny that in 1991-1995 any support has been provided to the intelligence agencies BND, MAD, and the Constitution Protection Offices. This was more than 10 years ago, when the BSI didn't even have a website, so who knows what they're doing now. I also would like to know what checks and balancies are in place.

* On a side note, readers outside Germany might be suprised to learn that while the Constitution Protection Offices can't arrest anybody, their mission consists almost exclusively of domestic spying on the political oppositon (if they are "extremists"):

http://en.wikipedia.org/wiki/...

This is not some twist by the Government, but included in Germany's constitution under the umbrella of a "defensive democracy". In three words, Hitler was elected.

falsepositive • May 18, 2006 7:53 PM

Well, your basically right about the laws, Clive - but the laws aren't worth to much when agencys like the BND ignore them frequently... and sadly, the current developments (data retention etc) aren't to encouraging.

Thomas • May 19, 2006 3:16 AM

Clive,
the protection of the privacy of european citizens will end soon when the european countries implement the European Data Retention Act into national law... :(

Till • May 19, 2006 10:12 AM

I agree that the BSI does a lot of good work and often makes sensible
suggestions (the only exception I remember being their argument
defending a small keyspace for e-passports).

* The law establishing the BSI mentions support of law enforcement and
the Constitution Protection Offices
(http://en.wikipedia.org/wiki/Verfassungsschutz) as one of their jobs.
However, the law also says that every such request for support has to be
documented. Here's a rough translation of the relevant paragraph

BSIG § 3 (1) The BSI has the following mission: [...] 6. Support of
a) the police and law enforcement agencies in the execution of their
mission as defined by law, b) the Constitution Protection Offices in the
analysis and evaluation of information gathered during the observation
of terrorist activities or [of??] intelligence activities within the
limits set by the state and federal laws concerning the Constitution
Protection Offices. This support may provided only in so far as it is
necessary to prevent or investigate activities that are targeted against
Information Security or make use of Information Security."

Source: http://www.bsi.de/bsi/bsiges.pdf

* The BSI used to be part of the crypto division (Zentralstelle für das
Chiffrierwesen, ZfCh) of Germany's equivalent of the CIA, the
Bundesnachrichtendienst (BND). See the official history of the BSI (in
English): http://www.bsi.de/english/history.htm .

* Googling found this 1995 inquiry by German members of parliament
(Green Party):

http://dip.bundestag.de/btd/13/033/1303313.pdf

They compare ZfCh to NSA and GCHQ and ask how BSI deals with the
seemingly conflicting goals of helping the general public improve
computer security and helping the BND (and MAD?) gather intelligence.
Here's the federal government's reply:

http://dip.bundestag.de/btd/13/034/1303408.pdf

They deny that the BSI has conflicting goals. Most importantly, on p. 8,
they deny that in 1991-1995 any support has been provided to the
intelligence agencies BND, MAD, and the Constitution Protection Offices.
This was more than 10 years ago, when the BSI didn't even have a
website, so who knows what they're doing now. I also would like to know
what checks and balancies are in place.

* On a side note, readers outside Germany might be suprised to learn
that while the Constitution Protection Offices can't arrest anybody,
their mission consists almost exclusively of domestic spying on the
political oppositon (if they are "extremists"):

http://en.wikipedia.org/wiki/...

This is not some twist by the Government, but included in Germany's
constitution under the umbrella of a "defensive democracy". In three
words, Hitler was elected.

J. Asscroft • May 21, 2006 3:46 PM

Jojo wrote:

> But the Verfassungsschutz is for internal affairs, the
> MAD (Militärischer Abschirmdienst) is for the issues of the Bundeswehr

But hey, the NSA is now for internal affairs as well, isn't it?? ;->

Lasse Norson • May 23, 2006 3:28 AM

The good reputation of BSI got some damage in the recent past. E.g., last year they excluded invited talker Andreas Pfitzmann, a German professor for privacy and IT-security, from BSI's German IT-Security Conference, when they learned that his talk would criticize the use of biometrics. Also, some research results (esspecially regarding biometrics) are withheld from the public.

Post a comment

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.

Subscribe via Kindle

Blog Menu

Search

Powered by DuckDuckGo

Blog Home Page
100 Latest Comments

Archives by Date

2013 J F M A M
2012 J F M A M J J A S O N D
2011 J F M A M J J A S O N D
2010 J F M A M J J A S O N D
2009 J F M A M J J A S O N D
2008 J F M A M J J A S O N D
2007 J F M A M J J A S O N D
2006 J F M A M J J A S O N D
2005 J F M A M J J A S O N D
2004 J F M A M J J A S O N D