In late April 2016, German Defense Minister Ursula von der Leyen unveiled a plan to establish a dedicated "cyber and information command" in the German military, the Bundeswehr. A reorganisation of the armed forces to bolster its computer systems and network defence capabilities had long been overdue and was discussed in the German Federal Ministry of Defence for more than a decade. <1>
But when the Defense Minister announced the cyber security plans for the armed forces, she faced significant scepticism from parts of the German public. Several media outlets and politicians warned of the dangers that Germany could gear up toward 'cyber war' and engage in an uncontrollable digital arms race. <2> This view was aptly expressed at a parliamentary hearing by a German security policy expert who argued that the development of "preparatory measures for placing malware in opponents' computer systems" amounted to a "colonisation of the web contradicts the German culture of military restraint." <3> Many argued that the Bundeswehr should adopt purely defensive measures to protect its own networks and not conduct any operations in foreign networks. <4> The Ministry of Defence itself responded that the Bundeswehr would act only within the provisions of its constitutional mandate and would not engage in any offensive computer network operations, unless it was mandated to do so by the Parliament.
This year's debate over the Bundeswehr's relatively modest new cyber plans shows how the German public's long-fraught relationship with its military and intelligence agencies now encompasses the digital arena. The Edward Snowden revelations in 2013 brought the field of cyber security out of its niche existence in Germany, sparking a debate and anti-surveillance backlash that was more intense in the country than just about anywhere else. The Snowden revelations also shone a spotlight on how far behind the curve the German government was in the realm of cyber security. In the three years since, Germany has struggled to shape a new digital agenda to improve both its IT security efforts and its cyber intelligence capabilities. It has been hampered both by limitations in resources and personnel, as well as the German public's unease with surveillance and the use of force.
The German government has in recent years launched a range of digital security initiatives, including a law regulating the protection of critical infrastructure. This article focuses on one of the latest and most controversial initiative: plans to form a new cyber command in the German military. The debate around the plans and the nascent efforts to implement are emblematic of the broader political and institutional tensions in Germany at the intersection of information security and national security.
< style="color: #163449;">The reorganisation of the Bundeswehr's cyber capabilities
Until recently, the German armed forces played a minor role in cyber security compared with militaries in North Atlantic Treaty Organization allied countries such as the United States, France or the United Kingdom. This year's adoption of a military strategic guideline for cyber defence and reorganisation of the armed forces for this purpose thus set a milestone in German defence policy. From the military's new White Paper published shortly after, it becomes clear that cyber security has become an integral part of national defence strategy in the context of hybrid and conventional warfare threats. The word 'cyber' alone appears 74 times in the 125-page White Paper. <5>
The strategy has been hyped both by proponents and critics, either as a major step forward towards being able to finally defend the nation in the digital realm, or as a dangerous move toward Germany's participation in a possible cyber war.
Looking at the reorganisation more closely, it is firstly a task that any large organisation or company faces on the path of digitalisation: the Bundeswehr has to maintain a reliable and secure IT architecture for its 280,000 users. Beyond that, it has to recruit highly qualified personnel, keep pace with technological innovation, and reflect often conflicting political interests.
To date, the Bundeswehr's cyber defence capabilities consist of three components: a Computer Emergency Response Team (CERT), a secretive 'computer network operations' (CNO) unit, and participation in an inter-agency centre for information sharing. The CERT is responsible for incident response of the Bundeswehr’s networks and systems. On the offensive side, the CNO unit is part of the 'strategic reconnaissance and intelligence' command, and is able to intrude into and disrupt foreign networks and systems. It employs around 80 IT security experts. In addition, the Bundeswehr contributes to the information sharing in the 'National Cyber Defense Center', which is led by the Federal Office for Information Security (BSI). <6> However, the center consists of only around ten members in total and its existence has been declared unjustified by the German Federal Court of Audit on grounds of a lack of effectiveness. <7> It will likely be strengthened by an updated national cyber security strategy.
With its new cyber security plan, the Ministry of Defence established two new organisational structures: a cyber and information domain (CIR) command in the military and a cyber/IT department in the Ministry of Defence. <8> "We have a great deal of expertise in the Bundeswehr, but we must bundle it more sensibly, make it more visible, and set it up to be more powerful," Defence Minister von der Leyen said when she announced the plan in April. <9>
The CIR command will combine existing IT capabilities of the Bundeswehr and become operational in April 2017. An inspector with the rank of a lieutenant general will lead the CIR, in which 300 officers will command around 13,700 soldiers. These soldiers will be assigned to CIR from other branches of the military, the criterion being that they have been dealing with IT in one way or the other in their previous jobs. The command's responsibilities include IT security, military intelligence, geo-information, and operative communications. The cyber/IT department in the Ministry will be responsible for the IT architecture and information security of the Bundeswehr. It will become operational by October 2016 and be headed by a chief information officer (CIO). The new CIO has already been found and comes from one of the biggest German industrial firms: Klaus-Hardy Mühleck from ThyssenKrupp. <10>
< style="color: #163449;">Human resources
One of the major challenges for the military will be to recruit, educate, and train the personnel necessary to fulfil the task. While the 13,500 soldiers that are supposed to staff the cyber command represent existing personnel to be assigned from other branches of the military, many of the other positions that compose the 'top layer' of the cyber command and the cyber/IT department will need to be more highly qualified.
There are a number of measures the Bundeswehr needs to take to fill the ranks of its planned cyber command: it needs to offer more flexibility in the armed forces' institutionalised career tracks, pay higher salaries for experts, and offer education for new recruits and advanced training possibilities.
According to the Bundeswehr's report on expanding its cyber security capabilities, it is planning steps to improve career opportunities and salary levels for IT security experts. <11> The report does not further specify these measures and it remains to be seen how the Defence Ministry is going to implement them. In the fields of education and training, the Ministry has already taken more concrete action. It has launched a new cyber security studies Masters programme at the Bundeswehr University from which around 70 students will graduate every year. <12> While it will take years until a sufficiently large number of graduates will be able to work in the Bundeswehr, this is an important first step. Moreover, the military has launched a large scale advertising campaign and promised to accept some applicants without formal educational qualification, recognising that it is already having trouble recruiting sufficient personnel for the military as a whole.
All of these measures will help, but won't succeed in fully staffing the necessary workforce in the coming years. Therefore, the armed forces will need to consider hiring private contractors for some tasks — potentially raising some of the same legal and security issues that have emerged related to the National Security Agency contractors in the US. <13> So far, the Bundeswehr has only suggested it will cooperate with reservists who are now working in IT security.
< style="color: #163449;">Innovation
A major challenge for the government will be how to ensure it has access to the technologies it needs in order to stay on the leading edge of technological innovation of electronic and cyber defence. This is an issue that governments struggle with around the world. The Bundeswehr will need to cooperate more closely with research institutions and private sector firms. The ministry wants to make this issue a priority by establishing a separate sub-department on cyber innovation and wants to expand cooperation with private companies and start-ups. In the mid-to long-term the military should probably think about establishing a supporting technological innovation agency modelled after the US Defence Advanced Research Projects Agency.
< style="color: #163449;">Use of force in the digital domain
Perhaps the most difficult issue, however, is how the military's new cyber capabilities will fit with Germany’s culture of military restraint. As mentioned earlier, Germany's postwar constitution requires any use of force by Bundeswehr troops abroad to be mandated by the Parliament — an expression of Germany's postwar suspicion of an overly powerful security apparatus. <14>
The Defence Ministry said this year that the requirement for a parliamentary mandate also holds true for cyber operations. <15> In the context of the current threat landscape of hybrid warfare and conventional warfare, a realistic scenario is that the offensive use of cyber capabilities is one of several means that Parliament allows the Bundeswehr to use as part of a broader mission mandate. In fact, a report from September 2016 publicised the Bundeswehr's only publicly known offensive cyber operation to date was part of Gemrany's mission in Afghanistan, mandated by parliament. <16>
The requirement for a parliamentary mandate presents several challenges. While in theory, it seems simple to distinguish between offensive and defensive measures in the digital domain — anything that happens in the Bundeswehr's own networks is defensive and anything that involves action in foreign networks crosses the threshold to offensive action — this distinction is not easily upheld in practice. Since the threshold for when a computer network operation is equivalent to an armed attack is not clearly defined in international law, it also remains unclear when the Bundeswehr would require the involvement of the Parliament. Moreover, in practice, operations which have been deemed to require secrecy for their success, have been subject only to limited parliamentary control. <17> This might be the case for operations in the digital sphere, which rely on secrecy even more than conventional attacks. <18> Hence, the executive and legislative need to consider a range of different scenarios when examining this question.
In addition, it is not clear whether the Bundeswehr itself is capable of conducting its own sophisticated cyberattacks — raising legal questions about cooperation with intelligence services, which are also viewed with caution by much of the German public. With its current operational capabilities, it is unlikely, that the Bundeswehr would be capable of launching a major computer network attack, for example, as a retaliatory measure. Depending on the target, attackers would need intelligence about the characteristics of the network and systems they want to breach and the vulnerabilities that can be used. This kind of work is the task of intelligence agencies in most cases and indeed all publicly known large-scale cyber espionage or sabotage attacks — for example, Stuxnet, the Saudi Aramco hack, the German Bundestag hack, the US Office of Personnel Management hack — seem to have mostly been projects of intelligence agencies. <19>
The military's new cyber command will likely need to cooperate with German intelligence agencies, but the legal and political modalities of this cooperation are far from clear. While in the US, intelligence and military cyber operations operate under common leadership — as of this writing, General Michael Rogers, Commander of the US Cyber Command and Director of the National Security Agency — in Germany, such overlap would be unthinkable. The German Chancellery oversees the foreign intelligence agency Bundesnachrichtendiesnt (BND), the Interior Ministry oversees the domestic intelligence agency Bundesamt für Verfassungsschutz (BfV), while the Defence Ministry oversees the Bundeswehr. Even information sharing between the military and the Germany’s BND foreign intelligence agency is politically sensitive and on complex legal ground. <20> Two leading lawmakers on digital and security issues have said that due to the unavoidable cooperation between intelligence agencies and the Bundeswehr on cyber issues, "the classical separation of responsibilities is blurred," requiring parliamentary oversight of military and intelligence cooperation in cyberspace "to be urgently established." <21> The military's efforts to strengthen its digital firepower will thus be met with constitutional and parliamentary roadblocks and public scrutiny that, in this combination, are unfamiliar in many other countries. <22>
< style="color: #163449;">Conclusion
The defence of national networks and systems in the digital realm blurs the boundaries between domestic and external security, and therefore also the responsibilities of civilian and military branches of government. "Ensuring cyber security and defene is … a whole-of-government task that must be performed collectively" by the Defence, Interior and Foreign Ministries, including the "joint protection of critical infrastructure," the Defence Ministry's White Paper states. The Bundeswehr must therefore "make an increasingly important contribution to general government preventive security." <23>
How this whole-of-government approach will look and who in the government will be leading it eventually is yet to be seen. Resolving these issues will be a major challenge, given both the political sensitivities described above and that cyber security measures are currently scattered across government ministries and departments. The German government's digital policy efforts have so far been fragmented and led to incoherence among different government departments' approaches. While Germany's "Digital Agenda 2014 to 2017" lays out a number of priorities for the German government to take, including for cyber security, responsibilities are assigned to a range of different ministries with often conflicting views. Fragmentation is a common problem many countries face in a number of policy areas, especially 'novel' ones like digital policy. But the German government lacks a coordinating element for digital policy, which could take the form of an own ministry, a coordinating subdivision in the Chancellery or an inter-ministerial department. The government will need to coordinate its digital policy, and cyber security policy in particular, to gain more trust from the public for its endeavours. Its updated cyber security strategy to be published in November 2016 should shine more light on the way ahead. The road map laid out will likely be the result of a political struggle for responsibilities and resources between different government departments and the Ministries of Interior and Defence, in particular.
Beyond this political struggle, the public debate surrounding the government's cybersecurity strategy illustrates broader tensions around the militarisation of German digital policy. This public scrutiny risks stymieing progress in cybersecurity policy making. However, the discussion is necessary to safeguard the balance between national security, network and information security and the protection of fundamental rights in the digital age.
This essay originally appeared in the third volume of Digital Debates: The CyFy Journal
<1> Thomas Wiegold, “Ein Update ist verfügbar,” ZEIT Online. April 27, 2016, accessed on August 28, 2016 http://www.zeit.de/digital/internet/2016-04/bundeswehr-cyberkrieg-it-aufruestung-nachwuchs
<2> For example see: Anna Biselli, “Es cybert bei der Bundeswehr: Digitales Aufrüsten um jeden Preis mit Gamern und Nerds,“ Netzpolitik.org, April 27, 2016, accessed on August 28, 2016 https://netzpolitik.org/2016/es-cybert-bei-der-bundeswehr-digitales-aufruesten-um-jeden-preis-mit-gamern-und-nerds/; “13 500 Soldaten im Cyberkrieg,". taz.de, April 26, 2016, accessed on August 24, 2016 http://www.taz.de/!5299284/; Konstantin von Notz, “Engagement für IT-Sicherheit statt Bundeswehr im Cyber-Krieg,“. GrünDigital, April 26, 2016, accessed on August 24, 2016 https://gruen-digital.de/2016/04/engagement-fuer-it-sicherheit-statt-bundeswehr-im-cyber-krieg/; Andre Meister, “Geheime Cyber-Leitline: Verteidigungsministerium erlaubt Bundeswehr “Cyberwar“ und offensive digitale Angriffe,“ Netzpolitik.org, July 30, 2015, accessed on August 24, 2016 https://netzpolitik.org/2015/geheime-cyber-leitlinie-verteidigungsministerium-erlaubt-bundeswehr-cyberwar-und-offensive-digitale-angriffe/;
<3> Marcel Dickow, “Stellungnahme zur Öffentlichen Anhörung des Verteidigungsausschusses des Deutschen Bundestages am 22. Februar 2016,” Deutscher Bundestag, February 22, 2016 accessed on August 24, 2016 https://www.bundestag.de/blob/409382/b9419561ac01bebea40956c403b8391d/stellungnahme-dickow-data.pdf
<4> See supra note ii and iii as well as Deutscher Bundestag. “Die Rolle der Bundeswehr im Cyberraum,” (Protocol of parliamentary hearing, February 22, 2016)
<5> “White Paper On German Security Policy and the Bundeswehr,” The German Federal Government, 2016
<6> For more information, see: “Dossier: Cyber Verteidigung,” German Federal Ministry of Defence, accessed on August 24, 2016 https://www.bmvg.de/portal/a/bmvg/!ut/p/c4/04_SB8K8xLLM9MSSzPy8xBz9CP3I5EyrpHK9
pNyydL2s_NIioKheSn5xcWZqUbFecmVSapF-QbajIgD93eVB/
<7> John Goetz und Hans Leyendecker, 7.06.2014. “Rechnungsprüfer halten Cyber-Abwehrzentrum für "nicht gerechtfertigt",“ Sueddeutsche Zeitung, June 7, 2014, accessed on August 22, 2016 http://www.sueddeutsche.de/digital/behoerde-in-bonn-rechnungspruefer-halten-cyber-abwehrzentrum-fuer-nicht-gerechtfertigt-1.1989433
<8> “Abschlussbericht Aufbaustab Cyber- und Informationsraum,“ The German Federal Ministry of Defence, April 2016
<9>“Von der Leyen: Die Bundeswehr im Cyber- und Informationsraum ‘besser und professioneller aufstellen‘,“ Press Release of the German Federal Ministry of Defence, April 26, 2016, accessed on August 24, 2016 https://www.bmvg.de/portal/a/bmvg/!ut/p/c4/NYvBCsIwEET_aDcBQeqtJSAe9aL1lrYhrHSTsm
7qxY83OTgD7zCPwSfWJr9T9Eo5-RUfOM50mj4w8R7hlYvUFZgSvTUIFcZ7-ywB5pyCNmpISpVRvGaBLYuuzRSRaoAWHI11g7HmH_vtO3e-HjtzcJfhhhtz_wMlMw79/
<10> “Von der Leyen umwirbt Thyssen-Manager für digitale Kriegsführung,“ Frankfurter Allgemeine Zeitung, April 23, 2016, accessed on August 24, 2016 http://www.faz.net/aktuell/politik/inland/bundeswehr-von-der-leyen-umwirbt-thyssen-manager-fuer-digitale-kriegsfuehrung-14195057.html
<11> “Abschlussbericht Aufbaustab Cyber- und Informationsraum,“ The German Federal Ministry of Defence, April 2016, p.34
<12> “Abschlussbericht Aufbaustab Cyber- und Informationsraum,“ The German Federal Ministry of Defence, April 2016
<13> Shane Harris, @ War: The Rise of the Military-Internet Complex (Ashgate: Blackstone Audio, Inc, 2015)
<14> Julian Junk and Christopher Daase, “Germany,” in Strategic Cultures in Europe: Security and Defense Policies Across the Continent, eds Heiko Biehl, Bastian Giegerich, and Alexandra Jonas (Wiesbaden: Springer, 2013)
<15> “Abschlussbericht Aufbaustab Cyber- und Informationsraum,“ The German Federal Ministry of Defence, April 2016, p5
<16> Matthias Gebauer, „Bundeswehr-Hacker knackten afghanisches Mobilfunknetz”, Spiegel Online, September 23, 2016, accessed on September 23, 2016 http://www.spiegel.de/politik/ausland/cyber-einheit-bundeswehr-hackte-afghanisches-mobilfunknetz-a-1113560.html
<17> For operations which require secrecy, the government only informs specific parliamentary party leaders and parliamentarians. This is practice, but not in the law to date. A report on the reform of the parliamentary mandate requirements suggests to establish this practice in the law. See: Michael Bothe,“Stellungnahme zu Rechtsfragen des Cyberwar für den Verteidigungsausschuss des Deutschen Bundestages,“ Deutscher Bundestag, 2016, Pp. 9-11.
<18> Michael Bothe, Ibid.
<19>“Die Rolle der Bundeswehr im Cyberraum,” (Protocol of parliamentary hearing, February 22, 2016), accessed on August 24, 2016 https://www.bundestag.de/blob/405090/f97d7ece26be2a34d19762c99b4b1511/61--sitzung_-22-02-2016-data.pdf
<20> Kai Strittmacher,“Warum schickt der BND der Bundeswehr abgehörte Daten?,“ Zeit Online, March 18, 2015, accessed on August 24, 2016 http://www.zeit.de/politik/deutschland/2015-03/bnd-bundeswehr-daten-ueberwachung/komplettansicht
<21> Rainer Arnold and Lars Klingbeil, “Ein digitales Update für das Völkerrecht,” Frankfurter Allgemeine Zeitung, May 10, 2016
<22> For context, see Heiko Biehl, Bastian Giegerich, Alexandra Jonas (eds.),Strategic Cultures in Europe: Security and Defense Policies Across the Continent (CANNOT FIND PLACE OF PUBLICATION, Springer, 2013)
<23> “White Paper On German Security Policy and the Bundeswehr,”see n. V, p38
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.