Special: Cybersecurity in Germany – Myth and Reality
There is a new threat. We cannot see it, hear it, or feel it, but it is there. It is putting industrialized countries under pressure and targets our infrastructure without any guns being pointed or shots being fired. Its troops are invisible, their attacks silent, and the front has no borders.
The Internet has made our world faster and our economy stronger. It connects people and markets. It links knowledge and ideas. But it opens up a new flank of vulnerability. And it is increasingly a scene of military conflict.
“Net wars” are raging. Meanwhile, experts fight over definitions. When does a military cyberwar begin under international law? When is an Internet attack crime, sabotage or espionage? In the age of cyberwarfare, modern industry is in danger since its digital technology contains numerous weaknesses. Among them, cryptography is a contested field. Experts claim that quantum computers could break virtually any encryption, but critics disagree.
It is undisputed that practically our entire infrastructure is now digitally networked. Now that Internet attacks are a reality, the vulnerability of virtual life has become apparent. Cyberattacks are highly attractive to online criminals. The perpetrators can rarely be identified. They operate internationally, in distributed teams, using fake sender addresses. In a cyberattack, at first no-one really knows who is behind the attack. Is it in fact an enemy power, is it a corporation, is it an organized crime syndicate, or is it an individual hacktivist? It is hard to tell.
In online attacks or cyberwarfare, there is a lack of clarity over what exactly constitutes armed conflict or “war”. Opinions on this differ widely. The U.S. State Department regards a cyberattack as an act of war if it causes a particular order of magnitude of damage or death. Possibly, this also implies responses by military means. But so far no-one has managed to determine where exactly the threshold lies.
The German federal government is also grappling with the issue of cyberattacks. As part of its cyber strategy, it is attempting to strengthen preventive measures for IT security in Germany. Cyber interests are an important “cross-cutting issue”, it says. Thus, the German Federal Foreign Office has acquired an International Cyber Policy Coordination Staff.
Where do the financial resources come from in Germany, and in an extreme scenario, which states are actually still able to rely on their cyber infrastructure? A build-up of cyber capabilities can be observed. The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) is providing IT advice to the German armed forces (Bundeswehr). In Tallinn, the NATO and its partners have established the Cooperative Cyber Defence Centre of Excellence against cyberwarfare, while agencies are paying close attention to the security of their own networks. At the same time, all of this provides very strong safeguards for each country’s respective own national military infrastructure.
Aside from Internet freedom and defense against cyberattacks, protection against espionage is also becoming an increasingly important theme since most cyberattacks are criminally motivated or originated by foreign intelligence. The protection against those attacks is, therefore, not necessarily a task for the military but rather also for the state. In Germany, the national cyber defence center connects its different agencies. The German federal office for information security (Bundesamt für Sicherheit in der Informationstechnik, BSI), the German Federal Intelligence Service (Bundesnachrichtendienst, BND), the German Federal Criminal Police Office (Bundeskriminalamt, BKA), the German Bundeswehr and others are taking care of German security interests and attempting to contain the threat.
Cyberspace is comparable to space, airspace, or the high seas. Even if cyberwarfare threats seem quantitatively unimportant, they have high relevance since they will become part of conventional warfare in the future. Monitoring and correctly interpreting Internet attacks will become an increasingly high priority for any armed forces.
But even today, some incidents which have come to light already demonstrate how delicate an cyberattacks can be, and how unexpectedly they can hit countries all around the world. Malicious software such as Stuxnet, which can “log in” by itself when connected via USB, reveals a new form of conflict between states. This is an area which cannot be covered solely by the private sector.
Thereby, cybersecurity is necessarily part of state security precautions, with cyberspace requiring new defense policy as well as military strategies. Especially the military is vulnerable, in particular because modern warfare – whether with tanks, warships or missiles – relies on IT systems. If someone disrupts the electronic systems in a warplane, this can have the same effect as an attack with a conventional anti-aircraft weapon. Furthermore, unfamiliar information and communication systems require specialized IT knowledge.
Dealing with cyber threats therefore requires special resources and well-trained armed forces. According to German defense policy guidelines, the Bundeswehr needs to cover this new range of capabilities as well. Like all armed forces, it needs to make its own technical and personnel capacities available to deal with cyberattacks as effectively as with conventional threats. Cyber vulnerability is not a myth. In the foreseeable future, the government will have to give an account of Germany’s cyber capabilities.
The digital front is a new global challenge between democracy and freedom, between the NSA and Google, and very different forms of government. This makes it all the more important to discuss resources, possibilities and opinions.
I wish you a pleasant read of our e-journal special.