Germany’s BSI guns for better tech security

Every business using tech (which means every business) should now hope that the days of insecure platform design are numbered, as one of the most powerful cybersecurity agencies on the planet steps into the ring to demand tougher security.

Following the financial disaster of the Microsoft/CrowdStrike debacle, the BSI — Germany’s Federal Office for Information Security — is demanding that tech firms take swift steps to secure their products and prevent a repeat meltdown. 

No more designer insecurity

The BSI is summoning Big Tech companies to a conference later this year and will be pushing for kernel access to be restricted or abandoned. That’s almost certainly going to mean Microsoft will need to cease allowing kernel access in Windows, just as Apple already did years ago. What Apple understood is that the risks of providing such access are too high and the consequences too great.

While many in the industry seem to think it’s normal for a computer outage to generate billions of dollars of damage to global systems and businesses, those outside that bubble disagree. That’s why Apple doesn’t do that.

There is another way

Apple’s approach to platform security isn’t foolproof. Security is ephemeral; delivering it is an eternal dance — and sometimes errors take place.  But, at least in Apple’s case, it is an ongoing investment characterized by a high degree of proactive protection. Apple’s security teams identified the risks of kernel access and got rid of it — not without opposition. 

(Microsoft has claimed it can’t get follow suit because of a 2009 agreement with the European Commission, but perhaps it could have argued already for the need to do so. I don’t know if it did.)

Chalk and cheese, and it goes way back

The difference between these approaches is not new. Think back to the early days of Mac OS X, when Apple introduced a virus-safe browser called Safari even when other browsers remained full of security flaws. I won’t say who made the dominant browser then, but you might be able to guess where that insecurity by design came from. Watch this 2006 ad for some insight into this continued commitment to platform insecurity. 

It’s a commitment that seems to extend to the present day, given the TCO costs in terms of security and tech support when you compare Apples to Windows. (The University of Kentucky recently claimed its move to Apple devices cut IT costs by 50%.)

Perhaps it is unfair to expect Microsoft, still the world’s most widely used computing platform, to match Apple on security.

The argument is growing

Apple’s success in creating platforms developers can use while eradicating kernel access shows that it’s possible to create a secure platform without leaving the very heart of that platform exposed. The powerful cybersecurity regulator thinks so, too. 

Not only does BSI want Microsoft to take urgent steps to secure its platforms (which it should have done years ago), but it also wants security firms such as CrowdStrike to redesign their tools to make such access unnecessary.

CrowdStrike, however, has argued that products like firmware analysis or device control “would not be possible” without it. The regulator doesn’t agree, telling the WSJ that it is, “positive that robust technical solutions which also respect EU regulation can be found for the problem at hand.”

Financial liability

The nature of regulation is that events take time to unfold. But it seems clear one approach that would help focus the mind of tech firms would be to make them financially responsible for outages of this kind. 

We know business lost billions as a result of the CrowdStrike/Microsoft debacle; we also know the terms and conditions of the user agreements forced on those customers mean they’ll get little or none of that lost money back. 

How does that lack of liability foster a security-first culture? Why bother being proactive about security if you face no consequences for your own failure?

Ensuring every tech firm delivers solutions at least as secure and reliable as Apple’s has to be the goal of any regulation. It seems to me that making tech firms financially responsible for such errors should help make that happen. 

Of course, that means waiting for action. What if you can’t wait that long? 

There is an alternative

For many in business making purchasing decisions today, there is another approach: deploy Apple products, just like the German government has. After all, as well as plenty of solutions to help integrate those products into existing Microsoft infrastructure, the platform has a now-decades long track record for better security, regular updates, hardware-based encryption and data protection that is second to none in the business. 

More from Jonny Evans

• For IT, Jamf’s Microsoft Azure partnership means a lot
• Convenience has a cost, privacy has iPhone
• Apple, this is the time to seize the moment

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.