Cyber Security and Cyber Defense – Greater Protection Through Interministerial Collaboration

In 2016, Germany's federal government approved a Cyber Security Strategy for Germany. Action area 3 sets out criteria and guiding principles for an "Effective and sustainable national cyber security architecture" (translated from German). The key strategic goal and measure is to strengthen the defense aspects of cyber security. Thus the corresponding paragraph of the cyber security strategy states that the priority aspects of cyber defense are a military part of overall defense in cyberspace: "The defense capabilities of the Bundeswehr in cyberspace are [...] an essential part of the cyber security architecture. The close relationship is demonstrated both by the overlap in content regarding the technical implementation of protection measures, and by the use of and active participation in the structures, processes and reporting systems of cyber defense in ways and situations that are relevant to defense."¹

In April 2017, the German Federal Ministry of Defense (Bundesministerium der Verteidigung, BMVg) set up the Cyber and Information Domain Service (Kommando Cyber- und Informationsraum, KdoCIR). This was a significant strategic move, and had been announced in the cyber security strategy. It is therefore worth taking a new look at the strategic goals and measures that were described in 2016, relating them to current developments in cyber policy, and perhaps drawing new conclusions. This particularly applies to the interaction between civilian and military cyber security measures in the areas of protecting critical infrastructures, the threat situation in cyberspace, international cyber security policy and active cyber defense.

Protecting critical infra­structures

Special attention has been given in recent years to protecting critical infrastructures. A legal framework for protecting critical supply infrastructures has been created with the German IT Security Act (IT-Sicherheitsgesetz) of 2015, the resulting "Ordinance for determining critical infrastructures in accordance with the German Federal Office for Information Security Act" (Verordnung zur Bestimmung Kritischer Infrastrukturen nach dem BSI-Gesetz, BSI-KritisV), and the EU's Network and Information Systems (NIS) Directive.
Legislators are using a twin-pronged approach to promote cyber and information security. Firstly, they are imposing an obligation on businesses to produce, implement and audit company-specific information security concepts. This preventive approach will ideally be supported by creating an industry-specific minimum standard that businesses can use for guidance, which has already been taken up by the insurance industry, for example. The second part of the approach is intended to assist detection and response. By introducing a duty to report cyber security incidents, legislators have established the basis for producing a cyber security situational overview for critical infrastructures across all industries and sectors.

The draft German IT Security Act 2.0 represents a next step to protect prominent companies in Germany. The existing supply-critical approach is being extended e.g. to the waste disposal industry and the culture and media sector. In addition, the concept is being modified so that the regulations now also apply to businesses that, as a result of advancing digitization, are dependent on information technology to a greater degree than others. This would be the case if a cyber attack could paralyze their business activities, for example, or even cause large-scale damage. A new term, "IT-critical enterprises," has been coined for these businesses. But just being IT-critical would not in itself be a sufficient reason for regulation. Only if a special significance affecting the community as a whole becomes apparent does the state have a duty of care to protect these enterprises, ultimately for the benefit of citizens. Good examples of the need for regulation of this kind include the chemical industry, due to its potential for large-scale harm, the defense and security industry in its role as a supplier to the Bundeswehr and other security agencies at federal and state level, the auto industry because of its importance for the economy as a whole with regard to IT in production planning and control systems, and also businesses that have substantial knowledge and expertise requiring protection (intellectual property).

So where, within the whole civilian topic of cyber security for critical infrastructures, do we find the link to the structures of military defense? Let us consider the extended concept of critical infrastructures that includes IT-critical enterprises having an importance for society as a whole. Now it immediately becomes clear that the Bundeswehr and its supply industry can absolutely be identified as critical infrastructure in this sense - even in peacetime. This is immediately evident from the digitization and interconnectedness of the armed forces in general, the use of highly complex IT in weapons systems, the automation of mobile vehicles and aircraft, and a fully digitized communication and command infrastructure.
Conversely, in peacetime and in a state of defense, the Bundeswehr depends on the functioning of civilian critical infrastructures in the extended sense stated above. The availability of national and international telecommunications and the national and international internet are prime examples.

Because the German Federal Ministry of the Interior (Bundesministerium des Innern, BMI) is responsible for public security and the security of supply to the population in peacetime, and because the BMVg and Bundeswehr need recourse to the critical infrastructures in a state of defense, a new challenge arises in terms of the sharing of tasks and responsibilities between both departments, including in the event of threats and attacks from cyberspace. A careful analysis and assessment of the respective IT dependencies on critical infrastructures and their interdependencies is therefore essential for internal and external security, even in a state of peace. This particularly applies to crisis and disaster preparedness, and ultimately also to a state of defense. Pre-coordinated response mechanisms should be derived from these considerations and rehearsed in advance.

Specifically, this concerns coordinated or even identical information security requirements for IT products or for the cyber security of network or communication infrastructures (those used jointly or, for example, under NATO). Many of these requirements are already being drawn up and put into practice, e.g. in approval procedures adopted by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) in connection with classified information, or in planned procurements for IT consolidation at federal level. Here the BSI's new IT baseline protection (IT-­Grundschutz) methodology with user-specific profiles for cyber security requirements is the tool of choice, also for the Bundeswehr.

But given the steady advance of digitization, new action areas are constantly arising - for example the cyber security of products in the Internet of Things, or communication via (virtual) networks with different security levels. Thus there is already a wealth of possible research approaches for the Agency for Innovation in Cyber Security (Agentur für Innovation in der Cybersicherheit) that is being jointly set up by BMVg and BMI. In addition, however, a common approach to the standardization of cyber security requirements in European and international standardization bodies is also desirable.

The threat situation in ­cyberspace and how to deal with it collectively

The National Cyber Defense Center (Nationales Cyber-Abwehrzentrum, CyberAZ) was established by BSI in 2011 as a cooperation and coordination platform. From within BMVg's area of responsibility, CyberAZ is assisted particularly by the Cyber and Information Domain Service (Kommando Cyber- und Informationsraum, KdoCIR). KdoCIR works together with the other federal security agencies, the German Federal Office of Civil Protection and Disaster Assistance (Bundesamt für Bevölkerungsschutz und Katastrophenhilfe, BBK), but also the critical infrastructure supervisory authorities. It exchanges information, analyses and assessments relating to the cyber situation. Based on this information sharing, the work of CyberAZ has the following main goals: coordinated operational handling of cyber security incidents, producing the dynamic national cyber security situational overview, and providing the authorities involved with coordinated and practiced crisis response mechanisms for a cyber crisis. There are plans to potentially expand CyberAZ to include the German federal states and private sector.

New challenges arise for CyberAZ at the interface between civilian and military defense. CyberAZ's cyber security situational overview is based in large part on the findings of civilian bodies such as the computer emergency response teams (CERT) in various authorities and other institutions. The sources used generally reflect a situation in the national and international networks that is characterized by a wide variety of cyber security incidents of a civilian nature, which are mainly attributable to cyber crime, cyber espionage, or cyber sabotage. Military cyber security scenarios do not fall within the task spectrum of the authorities concerned. Naturally they come under the responsibility of KdoCIR, within its own structures. The military cyber security situational overview is produced there, too. In the past, a differentiation between civilian and military cyber security scenarios could be derived from the embedding of cyber security incidents in security events in the physical world. But this clear distinction is no longer possible.

Cyber security incidents in the recent past demonstrate that we can expect an increase in cyberspace incidents with a hybrid character. Cyber attacks can be and increasingly are used below the threshold of military attacks in scenarios of inter-state diplomatic or political crises. They increase the complexity of the cyber security situation. A consistent and comprehensive analysis and assessment of such incidents, taking all aspects into account, can therefore only be carried out in cooperation between KdoCIR, BSI and the other agencies in CyberAZ. Of course one specific challenge in assessing hybrid attacks is to combine the technical assessment by CyberAZ with the assessment of the foreign-policy and military situation. Here it particularly falls to BMVg, the German Foreign Office (Auswärtiges Amt, AA), German Federal Chancellery (Bundeskanzleramt, BKAmt) and BMI together with their subordinate authorities to facilitate and structure cooperation and coordination with the respective situation centers.

Suitable preparations should also be made for a possible state of defense, so that all information on the civilian cyber security situation can be passed on to the Bundeswehr and ­KdoCIR in a crisis that is escalating into a state of defense. The necessary structures, legal bases and processes built on them are still only at an incipient stage, however.

International cyber security policy

Close collaboration between BMVg and BMI, and between KdoCIR and BSI, also plays an important role in terms of Germany's active positioning in European and international cyber security policy. This is especially true of the measure entitled "Developing NATO's cyber defense policy" (translated from German). Here is another passage from the 2016 cyber security strategy:

"As a cornerstone of Germany's security and of Euro-Atlantic security, the North Atlantic Alliance relies on adequate protection against attacks from cyberspace in order to fulfill its core tasks, especially in the area of collective defense and in international stabilization deployments. The goal is to continuously increase the overall resilience of the Allies and of the Alliance, and to increase deterrence and defense capabilities not least in the context of hybrid threats."²

What is largely unknown, however, is the fact that BSI constitutes both the German NATO Crypto Security Authority (NCSA) and NATO Cyber Defense Authority (NCDA), and therefore represents Germany in various NATO bodies together with KdoCIR or BMVg. In historical development terms, this mainly reflects the fact that in the context of protecting classified information, BSI is responsible for national approvals of military communication equipment, and also contributes its expertise as part of corresponding NATO approval bodies. Logically, then, the role of the BSI was extended to the corresponding issues in cyber security (here the same as cyber defense), mainly in networks.

Now we need to consider the position with regard to further future developments. For NATO, in defense situations, it will be essential for the Member States to have suitably robust and reliable critical infrastructures in place, especially the network infrastructures that would be needed in a state of defense. Therefore, alongside the national and European cyber security requirements formulated above, corresponding requirements should be specified by NATO and implemented at national level. To ensure the availability of resilient networks both in civilian crisis or disaster scenarios and in a state of defense, it is necessary to coordinate the requirements resulting from the German IT Security Act with those from NATO. KdoCIR and BSI should cooperate more closely in the future to coordinate these requirements, which currently still exist loosely alongside each other.

Civilian and military aspects of an active cyber defense

At the present time, means of civilian defense for use in civilian crises or disasters in cyberspace - which take the form of cyber sabotage against critical infrastructures, with corresponding impacts - are being discussed under the term "active cyber defense." In the case of national defense, collective defense within NATO, or an overseas deployment, active defense measures can be deployed in cyberspace if a corresponding authorization is given by the German Bundestag for a deployment of the Bundeswehr or the powers of KdoCIR. For civilian active cyber defense measures, however, relevant legislation is still needed.

Furthermore, there is a need to develop the corresponding capabilities, in the first place for civilian defense measures in cyberspace based on the relevant authorizations. Enhanced protection for national infrastructures against cyber sabotage attacks from outside Germany could be achieved in the first instance e.g. by blocking (parts of) the internet, specifically blocking the attackers, and by the respective provider isolating the targeted systems. Inside Germany, if a crisis or disaster situation was detected in the national part of cyberspace, it is conceivable that BSI could have powers to issue orders and take action as a regulatory authority. BSI could assist the federal and state police forces with police emergency response activities, and also cooperate with police forces in other countries to ensure that attacker systems located there are neutralized.

In the most extreme case, for defense purposes, it should also be possible to deactivate attacker systems via active cyber defense measures, for example if imminent danger necessitates a response in the shortest possible time. Suitable decision-making processes in this regard would then also need to be established.

Yet even setting up a civilian active cyber defense, as outlined above, leaves complex questions unanswered. Hybrid threat scenarios, for example, where it is no longer possible to draw a sharp distinction between sabotage and military attacks, are a common method of destabilizing the victim in the "analog world" of today. Similar scenarios are all the more conceivable, and in many different forms, in the virtual world. Attackers could combine destabilizing activities in the analog world with cyber sabotage and thus create a double hybrid threat situation - civilian versus military and analog versus digital.

Solutions or approaches to such complex defense scenarios do not yet exist today. They require more in-depth analysis and assessment. This represents another field for extensive cooperation between military and civilian authorities in Germany, and with our partners abroad, particularly in the EU and NATO. Aside from resolving questions relating to international law and emergency response legislation, developing appropriate technical, organizational and political solutions, and creating suitable crisis response mechanisms, there is also a need for fundamental discussions about ethical standards in the digital and cyber world. This discussion has only just begun.