Yesterday, the members of Germany’s Social Democratic Party (SPD) voted in favor of the coalition agreement that will see Angela Merkel remain Chancellor for the next four years. Although digital and cyber issues were recurring themes during the election, the agreement leaves many questions unaddressed. Nevertheless, here’s what we can expect from the new German government over the next four years with respect to broadband roll-out, Europe’s digital economy, and cybersecurity.
Building Broadband Infrastructure And Strengthening Education
The coalition sets a goal of bringing gigabit internet speeds to every part of the country by 2025, and wants to enshrine a right to “fast internet” in the constitution within the next four years. To bring fiber to “every region and every county,” the government will support the private sector’s roll out with up to €12 billion in subsidies it hopes to raise though an auction of 5G frequencies.
These goals are laudable, but similar promises in the past have failed to materialize. Four years ago, the same coalition promised speeds of fifty megabits per second by 2018 and failed miserably. Germany currently ranks twenty-eight out of thirty-three in the OECD’s ranking of members with fiber connections. In Japan and South Korea, nearly 80 percent of all network connections are fiber, whereas only 2.1 percent are in Germany—20 percent below the OECD average.
Linked to its broader infrastructure efforts, the federal government will give Germany’s states €3.5 billion to connect schools and universities to the internet under an initiative it is calling “Digitalpakt#D.” As part of its efforts to shape “digital work 4.0,” the coalition will launch a national strategy for continued training and attempt to remove barriers to remote work.
A European Digital Economy?
It is no secret that many German politicians are skeptical of U.S. tech platforms and social media companies. Against this backdrop, the coalition reconfirms its commitment to the network enforcement law to regulate hate speech online, and signals that the law will be “developed further” within the next four years.
Concerned about the growing market power of tech giants, the coalition will launch a “Competition Law 4.0” commission to examine how existing anti-trust regulation could be adapted to take new business models into account. In a similar vein, the government will support efforts to collect taxes from “internet companies,” a term that is not clearly defined. There is a similar lack of detail when it comes to the coalition’s plans of establishing “strong German and European actors in the platform economy.” There is a mention that this fostering these actors could come through subsidizing German start ups but no financials are provided.
The coalition further aims to take a closer look at algorithms and artificial intelligence (AI). A commission on data ethics will be tasked to provide recommendations on the use and regulation of such technologies. Germany will further develop a “Masterplan for AI” and establish a joint AI research center with France to compete with the United States, Canada, and China.
To address emerging cyber threats, the coalition seeks to strengthen Germany’s federal information security agency, the BSI. The BSI will be expected to improve its security advice and offerings to citizens, civil society and small- and medium-sized companies, adding to its current responsibility of advising government and industry. However, the BSI will remain subservient to the Ministry of Interior against the wishes of some in the SPD and German cybersecurity community. The ministry oversees the police and domestic intelligence agency who deploy the government’s lawful hacking tools, which both groups see as incompatible with the BSI’s defensive mandate.
The coalition agreement omits two cybersecurity issues that received a lot of attention in 2017. The first is the legal authority of German federal agencies to “hack back” against adversaries to infiltrate their systems and potentially shut down command and control infrastructures. The second is the creation of a vulnerabilities equities process (VEP) for government agencies that would establish a formalized process for handling vulnerabilities discovered by federal agencies and make it transparent to those outside government. Despite their absence in the agreement, both topics are likely to be revisited in the next four years, especially against the backdrop of the major compromise of German government networks.
Although silent on the VEP, the coalition will look into ways to hold vendors of IT products accountable when they do not report or patch vulnerabilities in time, and will seek to create clearer product liability rules.
Odds and ends
It is noteworthy that the international dimensions of cyberspace are not prominently featured, though it is perhaps unsurprising given the domestic focus of the agreement. There is no mention of the need to build norms and rules for state action in cyberspace. The agreement stresses the coalition’s support for U.S.-EU Privacy Shield to facilitate cross-border data flows for private actors, but is silent on the challenges law enforcement faces when accessing data for evidentiary purposes. There is not even the standard commitment to a “free, open internet” and multi-stakeholder governance processes.
Overall, negotiators of the coalition agreement seemed to want to convince a domestic audience that the internet is no longer Neuland—or new territory to quote Angela Merkel. They successfully proved they were aware of the challenges at hand, but adding “4.0” at the end of a tech-related issue or creating a commission does not make for a truly forward-looking agenda.