Microsoft is sued by the BSI
BSI sues Microsoft for release of information on security disaster
The Federal Office for Information Security has apparently initiated official proceedings against Microsoft - and is still waiting for answers.
The highest German IT security authority is not as inactive as it seemed. Since last fall, the Federal Office for Information Security (BSI) has apparently been at Microsoft's door to obtain information on its security precautions. After Microsoft failed to deliver and continued to delay communication, the BSI then resorted to its sharpest sword: Section 7a of the BSI Act, which allows it to sue for the release of information, among other things. This has now become known through a leak from the Bundestag's Digital Committee.
The request for information comes in the context of the glaring security incidents at Microsoft, in which state-backed attackers were able, on several occasions, to access information from Microsoft itself as well as from its cloud customers. Specifically, it concerns the theft of the master key to the Microsoft cloud. The investigative commission set up by the US Department of Homeland Security (DHS) has already diagnosed a complete failure on Microsoft's part in this case. Microsoft at least spoke to that commission; the flow of information to the BSI, however, was so poor that the German authority gradually escalated its inquiries.
Harsh criticism of Microsoft
"The BSI took the formal route of issuing an order in the further course of the technical dispute with Microsoft because the information that the BSI had previously received in a regular exchange was not satisfactory," a BSI spokesperson explained the procedure to heise Security. Specifically, the BSI was concerned, among other things, with the use of so-called double key encryption, which could actually have prevented data leaks, at least in specially secured environments. With this method, the data is encrypted with two keys, one of which always remains with the customer. However, the details are so unclear that the BSI is apparently unable to assess whether the attackers were able to access plaintext data after all.
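The two-key principle described above, as an added example in Go that is neither Microsoft's DKE code nor anything from the article: data is wrapped first under a customer-held key and then under a cloud-held key, so a party holding only the cloud key can peel its own layer but recovers nothing more than the inner ciphertext. The AES-GCM layering, the key order and the key names are assumptions of this simplified model; whether the customer key actually stayed out of the attackers' reach in the real incident is exactly the question the article says is unresolved.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// mustGCM returns AES-GCM for a 16-, 24- or 32-byte key; a wrong key length is a programming error.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// Encrypt applies one AEAD layer per key, innermost first (assumed order: customer key, then cloud key).
func Encrypt(keys [][]byte, plaintext []byte) ([]byte, error) {
	out := plaintext
	for _, k := range keys {
		g := mustGCM(k)
		nonce := make([]byte, g.NonceSize()) // fresh random nonce per layer, prefixed to that layer's output
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		out = g.Seal(nonce, nonce, out, nil)
	}
	return out, nil
}

// Decrypt peels layers outermost first; keys are given in the same order as for Encrypt.
func Decrypt(keys [][]byte, sealed []byte) (out []byte, err error) {
	out = sealed
	for i := len(keys) - 1; i >= 0; i-- {
		g := mustGCM(keys[i])
		if len(out) < g.NonceSize() {
			return nil, errors.New("ciphertext too short")
		}
		if out, err = g.Open(nil, out[:g.NonceSize()], out[g.NonceSize():], nil); err != nil {
			return nil, err
		}
	}
	return out, nil
}
```

Calling Decrypt with only the cloud key returns the inner ciphertext, while calling it with only the customer key fails the outer layer's authentication check.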
Even after repeated requests and threats of legal action, Microsoft did not provide the requested information. Therefore, the BSI is now using the legal instruments at its disposal, explains the BSI spokesperson, who still sees a need for information. He also explicitly refers to the harsh criticism of the US Cyber Security Review Board, whose assessment the BSI shares. "The BSI sees that other cloud providers are better positioned when it comes to the technical implementation of security and how they react if an IT security incident occurs," he concludes.
Section 7 of the BSIG
Section 7 of the BSI Act deals with warnings from the BSI. Section 7a regulates the necessary "investigation of security in information technology"; according to this, the Federal Office can "demand all necessary information from manufacturers of information technology products and systems, in particular technical details". The BSI has apparently done just that and reported on this to the Digital Committee of the German Bundestag. From there, the information apparently leaked to Der Spiegel, which reported further details.
Note on my own behalf: The author of this article had warned of a "dangerous biting inhibition towards Microsoft" in view of the activities of the US CISA and the apparent inactivity of the BSI. I would like to take that back - I am "officially impressed" by the current approach and very curious to see what comes out of it.