One shit storm is probably not enough
The CDU has filed a criminal complaint against a security researcher for her volunteer work on the security of the party's own election campaign app. This shows that, in 2021, the party has neither basic IT principles nor a sensible error culture.
As recently as May, the CDU made headlines with its election campaign app CDU Connect. The IT security expert Lilith Wittmann had discovered a serious security vulnerability in the software. She reported it to the CDU, the BSI and the Berlin data protection officer, and only afterwards published details in a blog post. Responsible disclosure is the practice of publicizing a vulnerability only once the danger to those affected has been averted.
In the course of the talks about the vulnerability, the party apparently offered Wittmann a consulting engagement. Wittmann apparently declined the offer, and party representatives apparently threatened legal consequences for disclosing the security gap.
On Tuesday she actually received an email from the LKA: a criminal complaint had been filed against her. Wittmann published a screenshot of the mail on Twitter. What followed was a drama in three acts. On Wednesday morning, the Chaos Computer Club announced that it would no longer report any security vulnerabilities to the CDU in the future. The hashtag #cduconnect was trending on social media, and major media outlets picked up the story. On Wednesday afternoon, CDU Federal Managing Director Stefan Hennewig backpedaled via Twitter: the criminal complaint had been filed by mistake, it had been withdrawn, and an apology had been made to Wittmann.
Unfortunately, the matter is not over for her. Just because the CDU has withdrawn the complaint does not mean that the proceedings have also been discontinued, she writes on Twitter.
That aside, the signal sent to other security experts is catastrophic. Anyone who has to reckon with an "accidental" criminal complaint in the future, possibly preceded by a threat (oops), will think twice before sacrificing their own free time again to check such software for vulnerabilities.
With this behavior (the insecure app, the threat, the "accidental" complaint and the half-baked "apology" that came only after a corresponding media response), the CDU shows not only that its members have apparently learned nothing since Laschet's hacking slip-up in May. It also shows where its priorities lie: obviously not with IT security, expertise and a sensible error culture. Otherwise it could simply have apologized sincerely. And not only to Wittmann, by the way, but also to the almost 20,000 campaign workers and supporters whose data was handled so carelessly. Otherwise, at the latest after Laschet's embarrassment with Zervakis, the party could simply have trained and informed itself collectively about how this Internet thing works.
Maybe that really is too much to ask. But even then, the CDU could have hired at least one communications advisor who explains how not to stumble from one well-deserved shit storm into the next. After all, there is always something good about mistakes: you make them, and you can learn from them. Only the CDU apparently has not understood that. Instead, the motto here seems to be: "Make mistakes, and best of all try again, because it can always get worse."
According to surveys, voters consider the CDU the party with the highest digital competence in Germany. The party has once again proven that this is a serious misjudgment. When will the consequences actually come?