Submit your essay to the AI-Cybersecurity Essay Prize Competition by January 2, 2025.
The AI-Cybersecurity Essay Prize Competition
Read more
Main Logo Expert commentary on tech and security

A new ‘turning point’ for Germany’s cyber posture?

Matthias Schulze 22 November 2024
Share On:
The 2022 invasion of Ukraine led to major updates to German defence policy, but cyber defence is still lacking
Main Top Image
Image created using DALL-E 2 and Chat GPT-4o

Germany is likely to hold early elections for a new government in February 2025, after the German governing coalition collapsed on November 7. The issue of active cyber defence is likely to emerge in the short period before the elections. The conservative Christian Democratic Union, which has a high chance of leading the next government, has been a supporter of active cyber defence. As a result, active cyber defence in peacetime may make a comeback. 

The 2022 Russian invasion of Ukraine led to the ‘Zeitenwende’ (‘historic turning point’), a paradigm shift in Germany’s relationship towards Russia and towards its own military and security policy. The German government created a one-time €100 billion special fund, to boost defence spending and fill gaps in the underfunded and overstretched armed forces, the Bundeswehr, in pursuit of NATO’s 2% target. A large chunk of the special fund was allocated to the cyber and information domain, resulting in many useful initiatives. 

However, there is still work to be done: Germany must find a way to counter cyber operations in peacetime, come up with more effective strategies to counter influence operations, and update strategic thinking about cyber operations below the threshold of armed attacks.

German cyber defence in peace…

The 2015 Russian government hack of the Bundestag was Germany’s wake-up call to cyber conflict. The following year, Germany drafted a new cybersecurity strategy to beef up defensive measures for critical infrastructure and to adopt a whole-of-government approach to cybersecurity. Politicians fiercely debated ‘hack backs’, offensive cyber operations to counter adversarial cyberattacks. In the following years, the Ministry of Interior developed a four-step approach of active cyber defences to counter cyber operations: first, traffic sink holing; second, domain seizures; third, data manipulation to stop attacks; and, fourth, in the most extreme cases, remote shutdowns of foreign command-and-control servers. The last two elements of offensive cyber in peacetime were to be used if all other options, including diplomacy and sanctions, failed to stop an attacker.

However, constitutional and operational challenges arose over whether the Federal Intelligence Service (BND), Federal Criminal Police Office (BKA), or Federal Office for Information Security (the cyber security agency, BSI) should manage these capabilities. Civil agencies either lacked the authority or technical capability to penetrate foreign networks, while the BND had the skills but no executive mandate

Federalism further complicated matters, because civil defence in peace time traditionally falls under individual states’ jurisdiction. So, the debate shifted to the need for a constitutional reform to give federal actors the required authority. However, constitutional changes require a two-thirds majority in the federal parliament, the Bundestag, and the debate stalled. In 2021, the new government wrote in its coalition agreement that ‘we fundamentally reject hack backs as a means of cyber defence.’ Political momentum was lost. 

Following the invasion of Ukraine and a significant uptick in Russian-aligned cyber operations against Germany in 2022, there have been renewed attempts to establish a peacetime cyber operations capability. Notably, Foreign Minister Annalena Baerbock and Minister for the Interior Nancy Faeser argued for bundling peace time offensive capabilities at the federal level, under the BKA or the Federal Police, whose primary job is border protection. The concept was not included in the 2023 German cybersecurity strategy, but was mentioned in somewhat vague terms in Germany’s first National Security Strategy that same year

… and war

In 2017, the Bundeswehr set up the Cyber and Information Domain Services (CIR) to conduct military operations in the cyber and information domains. It was tasked with reconnaissance and effects-based operations in the cyber and information domain, operation and protection of Bundeswehr IT systems, and the sharing of threat intelligence and situational awareness data through the National Cyber Defense Centre. It was also designed to drive consolidation and modernisation of the disparate IT infrastructure of the armed forces. CIR has grown to 16,000 employees. Initially designed as a service provider, like the Bundeswehr medical service, for main military branches (the air force, army, and navy), the Cyber and Information Domain Service was elevated to a fully-fledged fourth military branch in April 2024. 

Since 2017, CIR has developed its own offensive cyber-capability, to be activated only for self-defence against armed attacks on German or allied territory or as a force-multiplier in Bundeswehr missions abroad. Its Center for Cyber Operations houses around 100 civilian and military personnel for computer network operations. Standalone offensive cyber missions, however, would likely require a parliamentary mandate, comparable to the legal status of other cyber commands in Europe, including those in the Netherlands, Denmark, and Poland.

CIR faces the same problem as many other cyber commands: as a wartime capability, it cannot be easily used against cyber operations below the threshold of an armed attack and is thus less useful against the majority of cyber operations. Despite these constraints, CIR has been successfully practising its offensive capability through ‘red-teaming’ and NATO exercises like Locked Shields.

Zeitenwende for cyber?

Around 2019, the Bundeswehr began reprioritising national and alliance defence vis-à-vis out of area missions. A structural reform dubbed CIR 2.0 was initiated in 2021, aiming to enhance the command’s efficiency and reduce the complexity of its hierarchy. The commands for strategic reconnaissance and information technology were dissolved and decision-making processes centralised and accelerated. A new joint intelligence centre was created to combine military intelligence from all domains and a new Cyber and Information Domain Component Command was created to oversee all operations from one place. 

In reaction to Russia’s invasion of Ukraine, Olaf Scholz’s coalition government announced the Zeitenwende and the creation of a one-time special fund to update defenses and to bring general defense spending up to NATO’s 2% goal. Germany’s annual defence budget is about half the amount of the special fund – €50.4 billion in 2022. Although most of the fund was spent on modernising the air force and buying new tanks, the second-largest chunk was allocated to the cyber and information domain (about €20.7 billion of the €100 billion). 

However, most of that money is not flowing into cybersecurity or cyber defence directly but toward hardware and software upgrades to digitise the armed forces. This includes the digitisation of land-based operations (€ 8.6 billion), procurement of a new digital battlefield management system, and purchase of encrypted software-defined radios to interconnect thousands of vehicles, soldiers, and digitized command posts. Another goal was the creation of a new German Mission Network to interconnect various aspects of out-of-area missions (€ 2.6 billion), and a field-deployable, tactical wide area network system. Additionally, Germany’s tiny military satellite fleet is to be updated (€4,7 billion). Lastly, new data centres will be created to support various new digital services. 

Tasks for the next government

In 2024, multiple cyber-attacks, of likely Russian origin, targeted German ruling parties, alongside an increase in offline sabotage attempts. The Taurus Affair, which involved a leaked call of high-ranking Bundeswehr officials, raised concerns about cyber awareness and exposed German weaknesses in countering such efforts and coordinating strategic communication with allies (who were not amused). Unfortunately, the Zeitenwende and the special fund have not yet delivered on their promises to significantly enhance German cyber and information security. 

In terms of peace-time cyber operations, Germany is lagging behind, both in legal capability as well as strategic thinking. Many European countries have recognised the strategic dilemma of countering cyber operations below the threshold of armed conflict. They possess military cyber commands but only can legally use them in wartime and therefore lack civil means to respond to adversary cyber operations in peacetime. 

Therefore, countries like Sweden, Finland, and Poland that, before the invasion of Ukraine pursued purely defensive cyber postures, are currently considering including peacetime offensive components in their next cybersecurity strategies. Even Japan, which like Germany has a historic culture of military restraint, is setting up its first military cyber command and developing a cyber strategy including preemptive attacks. Many countries are abandoning purely reactive defence postures in favour of the offensive strategies of ‘constant contact’ or ‘persistent engagement’ pioneered by the US, as Richard Harknett notes

Meanwhile, CIR is tasked with and equipped for conflict in the information domain, but is constitutionally restricted to acting only in wartime. Other countries, like France and Sweden, have created psychological defence agencies, drafted counter-information operations doctrines, or updated their strategic communications to better react to Russian influence operations. All of this is currently lacking in Germany.

Given the current political headwinds of a new Donald Trump administration in the US, which might abandon NATO; increased aggressiveness of Russian hybrid warfare; and Chinese ambitions and prepositioning in Western critical infrastructure, the next government needs to update its cyber and information domain strategies as well as operational capabilities to meet the current realities of cyber conflict.

avatar
Matthias Schulze

Related

Featured image
Binding Edge
War in space is not what you think
Benjamin Charlton 25 January 2024
Read more arrow
Featured image
Binding Edge
The Uncertainty Maschine
Gavin Wilde 8 February 2024
Read more arrow
Featured image
Binding Edge
Responsible development can help harness AI advancements
Derek Reveron / John E. Savage 6 December 2023
Read more arrow

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by Virtual Routes (“Virtual Routes”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 am CET., through the official submission portal provided by Virtual Routes.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants Virtual Routes exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

Virtual Routes, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify Virtual Routes, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

Virtual Routes reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond Virtual Routes’ reasonable control impairs the integrity or proper functioning of the Competition, as determined by Virtual Routes in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, Virtual Routes reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.