Germany’s cyber defence strategy discussed behind closed doors

The German government wants to implement a more 'offensive' approach to cybersecurity. Civil society only finds out about these plans via leaked documents. [Robert Avgustin]

Germany is currently preparing a new cyber defence strategy. An internal concept paper from the government foresees the use of so-called hack-backs and changes to the German Basic Law. But experts have criticised the exclusion of the general public from discussions about a new cyber defence strategy. EURACTIV Germany reports.

The strategy is characterised by a much more active defence than is customary in Germany and goes as far as providing for the destruction of servers through which cyber attacks are carried out.

The leaked concept paper names four stages. In the case of the first two, “it may be necessary to block or redirect data traffic,” the German broadcaster BR says. This would be done either by telecommunications operators or by the federal police authorities. So far, this is relatively unproblematic: interventions in foreign computers or servers do not appear to be necessary.

If there is a stage-three attack, hacking the attacker’s network should be permitted – for example, to delete or modify data and thus fend off the intrusion. And in the case of a stage-four attack, the paper speaks of “measures to influence the functioning of the IT system used for the attack”. This could shut down the external system.

It is questionable how realistic this all is. For example, data cannot be deleted so easily, explained cybersecurity expert Matthias Schulze from the foundation Stiftung Wissenschaft und Politik. “Foreign intelligence services and hackers naturally have backups. The idea of deleting data is a bit of a problem in the digital age,” he told EURACTIV.

Also, “shooting down” foreign systems is a strange idea. You can wipe hard disks, you can prevent a system from rebooting immediately, but hackers would then simply switch to redundant systems.

“The effect of deleting a computer is very small. If the person being hacked into has reasonably good IT security, the computer will be up and running again within a few hours,” said Schulze.

An active defence as last resort

Since 2011, security authorities, such as the Federal Intelligence Service, the Federal Office for the Protection of the Constitution and the Federal Office for Information Security, have been coordinating their activities at the Cyber Defence Centre in Bonn.

In close cooperation, a decision is expected to be made on whether “there is a significant cyber attack from abroad”, according to BR. If an attack can no longer be fended off by other means and the counter-attack could put an end to the attack or at least weaken it, a separate committee should decide whether or not an active defence is warranted. Such a decision would involve, inter alia, the Chancellery, the Foreign Office and the Ministries of Justice, Defence and the Interior.

But only in very few cases will it even be possible to find out who is behind an attack, said Schulze. Under international law, this could prove to be quite problematic. Server attacks usually affect several connected computers, which have been seized one after the other.

This may involve systems that have nothing to do with the attacker. “As long as there is no clarity as to exactly which computers are involved and which systems they receive, shutting them down becomes very problematic. What if one of them is in a hospital, for example?” said Schulze.

This is also controversial under international law as foreign computers are often located in third countries that have nothing to do with the attack. These third countries could then be drawn into a conflict, which would violate their sovereignty.

Also, a counterattack under international law is only legitimate under certain conditions. These include armed attacks, casualties, the destruction of infrastructure, the collapse of power plants or water supplies. “Such thresholds are very rarely reached,” the scientist continued.

“Fundamental rights are unnecessarily being watered down”

This new strategy for an active cyber defence could interfere with fundamental rights. According to BR, the concept paper mentions, for example, the basic right to digital privacy, the inviolability of the home and the secrecy of telecommunications.

According to Schulze, interfering with the German Basic Law is unnecessary.

“If, for example, the power grid is switched off and people die, then we already have the authority to defend ourselves, and this then falls under the right to self-defence. If self-defence is proclaimed by the authorities, countermeasures by the Bundeswehr are legitimate,” he said.

In the debate, worst-case scenarios are always mentioned, but cyber attacks have never reached such extremes. 99% of cyber attacks are still below the threshold of an armed attack and are still just cybercrimes.

Using worst-case scenarios in the debate to interfere with the German Basic Law is very problematic, according to Schulze.

A lack of transparency

Schulze considers Germany’s defence and security policy, including with regard to the digital space, to be a rather cautious one. But since 2016, the German government has, of course, been attempting to change its policy, by adopting an approach that is between being too defensive and too offensive.

Deterrence through retaliation – this is how Annegret Bendiek, an expert on European cybersecurity policy at Stiftung Wissenschaft und Politik, sums up Germany’s policy.

“The EU takes a very classic defensive approach. The idea is deterrence through resilience. The German strategy is moving in the direction of classic security and defence policy. Although it is different from the EU’s approach, both approaches are capable of complementing each other,” she told EURACTIV.

However, Germany’s position on cybersecurity is hard to discern and the leaked concept paper does not make its approach any clearer. Isabel Skierka of the Digital Society Institute also criticised this.

In addition, the involvement of civil society and research institutions is lacking. “The federal government is acting very secretively. Everything we know is because of leaked documents,” said Schulze.

“If we now take a more offensive course, we will also become a stronger target and this can cause collateral damage,” he added.
