Feature story from Germany: Protection of Classified Information
The Bundesrechnungshof, Germany’s supreme audit institution, provides advice, on the basis of its audit experience, to Parliament and the Federal Government about public expenditures and revenues at federal level. The Bundesrechnungshof also examines the extent to which federal institutions meet the requirements for protecting the data they process. Ultimately, the Bundesrechnungshof itself must also comply with these requirements when it comes to the collection of sensitive data.
The protection of data in Germany is regulated by various laws, ordinances and standards. Of particular note are the Federal Data Protection Act, which also regulates the handling of personal data by public bodies, and the Social Code.
Figure 1: There is a wide range of information worth protecting
Due to the nature of the Bundesrechnungshof’s mandate, most of its audits may involve sensitive data with high protection requirements, as shown in Figure 1. This data is processed either in analogue or in digital form and must be protected in an appropriate way. However, the aforementioned data must be distinguished from so-called classified information (CI). CI are facts, objects or findings, irrespective of their form of presentation, that must be classified and protected for reasons of national interest, particularly in the interest of the Federation or any of its States. CI may include documents as well as the associated keys for encryption and decryption and the data streams used for their transmission. Business secrets, trade secrets, invention secrets, tax secrets and other private secrets or matters of the personal sphere may also be sensitive and in need of protection, but they are not CI.
The Security Clearance Act (SCA) defines the requirements and the procedure for security clearance of personnel that is entrusted with security-sensitive tasks or has access to classified information. The General Administrative Regulation on the Material Protection of Classified Information (the Regulation) regulates the material and organizational protection of classified information.
Figure 2: Security markings according to the Security Clearance Act and the Regulation
For federal authorities working with CI, it is mandatory to adhere to the Regulation. The authority responsible for a piece of CI determines the level of classification it receives. The handling of CI is strictly regulated. All parties involved must meet specific security requirements. Only authorized persons with a security clearance may view, process or pass on CI. No individual may be informed of or receive CI earlier, or more extensively, than is necessary to perform their duties. Violations of the regulations on the protection of CI may be prosecuted under criminal law.
The Regulation defines material and personnel requirements for the protection of CI. At the federal level, two different federal authorities determine how these requirements must be designed and implemented. The Federal Office for the Protection of the Constitution (German: Bundesamt für Verfassungsschutz, BfV) is responsible for the clearance of personnel. On the basis of the Security Clearance Act, the BfV subjects employees who are to have access to CI to a multi-stage security screening process, depending on the level of clearance required. A distinction is made between a simple security check (Ü1 - CONFIDENTIAL clearance), an extended security check (Ü2 - SECRET clearance) and an extended security check with security investigations (Ü3 - TOP SECRET clearance). For this purpose, in addition to a self-disclosure by the employee, register queries are carried out with police and security authorities. In the case of the extended security check with security investigations, interviews and further investigations are also carried out in the private sphere of the employees to be cleared and their partners.
Figure 3: Differentiation according to protection types and responsibility
Asset-related protection requirements are defined by the German Federal Office for Information Security (German: Bundesamt für Sicherheit in der Informationstechnik, BSI). The BSI provides so-called "Technical Guidelines" for certain areas of asset-related protection. Federal authorities have to adhere to these where applicable. Asset-related protection standards regulate or define
- access to CI,
- how to organize the protection of CI in an agency and across agencies,
- the criteria for which classification level a piece of CI receives,
- how CI are to be handled and marked,
- how authorized persons may pass on CI to other authorized persons,
- which organizational, material and technical measures are to be used to protect CI, and
- how CI may be processed with IT.
If an authority wants to process CI with the help of IT, it basically has to meet the same requirements as for traditional analogue (paper-based) CI. Nevertheless, further requirements must be considered when processing CI with IT. For example, the Regulation defines additional measures with regard to hardening the hardware and software components used, as well as further activities in the areas of emanation security (protection against compromising radiation from telephones and computers, for example), protection from eavesdropping (for spoken communication) and physical security (safes, alarm systems, access and separation technologies).
The following graphic provides an example of the technical and material challenges involved in processing CI classified as CONFIDENTIAL or higher. The processing of such information is limited to secure areas. The IT systems used to process CI must be approved by the BSI and operated separately from the in-house network (air-gapped network). To avoid security risks, non-approved or private hardware components such as notebooks or cell phones/tablets/smart watches are not allowed in secure areas. The auditors of the Bundesrechnungshof may come into contact with information of all classification levels during their audits in the federal administration. Taking this into account, the Bundesrechnungshof has designed its security zone and IT systems to process CI up to the TOP SECRET classification level.
Figure 4: Typical processing of CI in the federal administration
According to the Regulation, federal authorities may only process CI with IT systems that have been approved for this purpose by their management. Approval may only be granted if an information security concept, which complies with the BSI standards governing IT baseline protection, has been implemented. In addition, further requirements from the Regulation must be met. These include in particular that the IT systems that process CI
- follow the need-to-know principle ("knowledge only when necessary"),
- adhere to the principles on classification and marking of classified information,
- ensure the management and logging of CI (who accessed which information asset and when, and where the information asset is located),
- are compliant with the rules on the (temporary) retention of CI,
- are secure over their entire life cycle,
- ensure a secure destruction of CI,
- comply with the requirements for the transmission of CI via technical communication links, and
- comply with the relevant provisions of supranational or intergovernmental organizations and bilateral secrecy agreements.
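The clearance, need-to-know and logging requirements listed above can be expressed as a small access-decision model. This is an added illustration in Python, not code from the Bundesrechnungshof, the BfV or the BSI; the mapping of Ü1/Ü2/Ü3 to a ceiling level follows the article, while scoping need-to-know by audit engagement and the sample document and persons are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Classification levels in rank order (only the levels named in the article are modelled).
LEVELS = {"CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
# Security-check stages from the Security Clearance Act, mapped to the highest
# level each one permits (Ü1 -> CONFIDENTIAL, Ü2 -> SECRET, Ü3 -> TOP SECRET).
CLEARANCE_CEILING = {"Ü1": "CONFIDENTIAL", "Ü2": "SECRET", "Ü3": "TOP SECRET"}

@dataclass(frozen=True)
class Document:
    doc_id: str
    level: str        # classification marking
    compartment: str  # need-to-know scope; an audit engagement is assumed here
    location: str     # where the asset is kept (e.g. a safe in the secure area)

@dataclass(frozen=True)
class Person:
    name: str
    clearance: Optional[str]  # "Ü1", "Ü2", "Ü3" or None if not cleared
    compartments: frozenset   # engagements the person is assigned to

@dataclass
class CIRegistry:
    log: list = field(default_factory=list)

    def decide(self, person: Person, doc: Document) -> str:
        # Clearance gate first: an uncleared person never sees CI at all.
        if person.clearance is None:
            return "denied: no security clearance"
        # Clearance must cover the document's classification level ("no read up").
        if LEVELS[CLEARANCE_CEILING[person.clearance]] < LEVELS[doc.level]:
            return f"denied: {person.clearance} does not cover {doc.level}"
        # Clearance alone is not enough: knowledge only when necessary.
        if doc.compartment not in person.compartments:
            return "denied: no need-to-know for this engagement"
        return "granted"

    def access(self, person: Person, doc: Document) -> bool:
        decision = self.decide(person, doc)
        # Record who, what, when, where and the outcome, for refusals as well.
        self.log.append({"who": person.name, "what": doc.doc_id,
                         "when": datetime.now(timezone.utc).isoformat(),
                         "where": doc.location, "decision": decision})
        return decision == "granted"

# Constructed sample data, not taken from the article.
REPORT = Document("VS-2024-017", "SECRET", "audit-xyz", "safe 3, secure area")
CLEARED = Person("auditor A", "Ü2", frozenset({"audit-xyz"}))
UNCLEARED = Person("contractor B", None, frozenset({"audit-xyz"}))
```

Denied attempts are logged alongside granted ones, which is what makes the registry useful as an audit trail rather than just a gate.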
In practice, the proper operation of IT that processes CI poses major challenges for the federal administration. In its current annual report for 2022, the Bundesrechnungshof identified numerous shortcomings in this regard. The federal authorities audited had, among other things,
- incomplete or outdated information security concepts,
- inadequately secured local networks,
- outdated operating systems in use,
- servers, clients and databases insufficiently protected against cyberattacks and
- IT personnel deployed that had no security clearance.
The findings took into account that measures to protect CI must be considered and designed individually for each authority. In addition, security protection is cost-intensive because it requires well-organized and monitored processes and expensive IT systems. These expenditures are only adequate and effective if all parties involved comply with the existing rules.
The ongoing digitization in the federal administration makes it all the more urgent for federal authorities to check whether they are complying with the Regulation. In the opinion of the Bundesrechnungshof, the federal authorities must significantly increase their information security. Only in this way can they effectively protect CI, local networks and federal networks against modern cyber threats. Supreme audit institutions can make an important contribution by auditing how protection of classified information is guaranteed by authorities.