Transatlantic Cyber Forum Policy Debates
- January 31, 2017: Official Announcement about the Central Authority for Information Technology in the Security Domain
- March 3, 2017: Issue: Encryption Backdoors on the EU-Level
- March 31, 2017: Issue: Alleged Cyber Operation against the German Parliament
- March 31, 2017: Wikileaks, Vault7 and Germany
- April 24, 2017: Establishment of Germany’s Cyber Command (CIR)
- May, 2017: Issue: German government analyses offensive cyber capabilities, so-called “hackbacks”
- June 2, 2017: Issue: German government discusses “hackbacks”
- June 27, 2017: Issue: Intensification of targeted surveillance of suspects via so called ‘state trojan’ software
- July 27, 2017: Issue: Germany bolsters cyber security for upcoming elections
- September 14, 2017: Issue: Germany runs pilot project on automatic facial recognition at major Berlin train station
- October 27, 2017: German coalition talks and possible implications for security and privacy policies
- November 22, 2017: German coalition talks collapse
- December 7, 2017: German Ministry demands workarounds for digital security mechanisms
- April 6, 2018: Coalition agreement of the new German Government
- June 8, 2018: German Vulnerabilities Equities Process
- August 7, 2018: Active Cyber Defense in Germany
- September 3, 2018: “German DARPA” to be established (All TCF tracks)
- January 10, 2019: "Germany's cybersecurity policy 2019 – what to expect"
- April 8, 2019: "The National Cyber Defense Center"
- May 15, 2019: "Active Cyber Defense"
- October 31, 2019: "Right-Wing Attack in Halle: New Security Laws Do Not Always Help"
- November 22, 2019: "The One Dimensional 5G Policy of the German Government"
- April 9, 2020: "Digital Location Tracking, Contact Tracing and Quarantine Enforcement in Times of COVID-19 - The German Debate"
- May 19, 2020: "International Arrest Warrant in Response to State-Sponsored Cyber Operation"
- August 6, 2020: German Cybersecurity Policy Update
- November 10, 2020: Draft Law expands Surveillance Powers for Germany’s Intelligence Agencies
- December 7, 2020: Issue: The German government plans digital predetermined breaking points
- January 4, 2021: New Law Fosters IT Security of German Hospitals
- March 30, 2021: German Emotet takedown in the legal gray zone
- April 14, 2021: The Encryption Debate in Germany: 2021 Update
- July 14, 2021: Issue: IT Security Act Passed Despite Public Criticism
- December 9, 2021: Issue: German Cybersecurity Policy 2021-2025
Transatlantic Cyber Forum
Policy Debates | January 31, 2017
Issue: Official Announcement about the Central Authority for Information Technology in the Security Domain
Track: Encryption and Lawful Hacking
On January 20 the Ministry of Interior officially announced the setup of the Central Authority for Information Technology in the Security Domain (ZITiS). The office is tasked to service security and intelligence agencies with tools and capacities for lawful hacking, interception and analysis. ZITiS is solely tasked to provide assistance and not engage in operational activities or pool human resources from the existing security and intelligence offices. Germany’s Cyber Security Strategy which has been published last year included the formation of this office as an action item.
What has not been covered in the official announcement is that it will not provide any assistance to the Federal Intelligence Service due to the legal and political framework. In a first step, ZITiS will provide its services to the Office for the Protection of the Constitution (domestic intelligence) as well as to the Federal Police and Federal Office of Criminal Investigation. Further down the road ZITiS is supposed to offer assistance to additional security and intelligence agencies including those on state level. It is currently unclear who will head this office.
Choosing Munich as location might have a strategic background as the Federal Intelligence Service just moved (mainly) from Munich to the new office in Berlin; the state level Office of Criminal Investigation has been active in lawful hacking and lawful interception since quite some time and famously acquired Trojan horse malware from DigiTask in 2008 to conduct lawful hacking. Additionally, Bavaria is known to be the most “security conscious” state in Germany.
German Name: Zentrale Stelle für Informationstechnik im Sicherheitsbereich
Area of Supervision: Ministry of Interior
Location: Munich, Bavaria
Employees: 120 targeted for 2017 and up to 400 until 2022
Resources: 10 million Euro (excl. salaries) for 2017 (Ministry of Interior total budget for 2017 as comparison: 7.8 billion Euro)
Responsibilities: Development and acquisition of tools as well as training of staff in the following areas: crypto analysis, IT forensics, lawful interception, big data analysis. Point of contact for questions related to technologies and crime fighting, counterintelligence and danger defense.
Author: Dr. Sven Herpig
Transatlantic Cyber Forum
Policy Debates | March 3, 2017
Issue: Encryption Backdoors on the EU-Level
Track: Encryption and Lawful Hacking
On February 28, The Register reported about apparently yet another German-French attempt to jointly pursue a backdoor-policy to enable law enforcement agencies to overcome the “going dark” phenomenon. The Register refers to a letter addressed to the European Commission which is co-signed by both the German and French Ministries of the Interior.
The letter itself does not specifically state a backdoor policy or weakening of encryption mechanisms. It simply states that a new legal initiative should be started on the EU level in October 2017 – that would be after both, the German and French elections -- which allows the respective authorities to technically and legally tackle the challenge which arises for the law enforcement agencies from the widespread use of encrypted communications (by terrorists).
Last year there was a similar debate about a joint German-French statement on national security. The French version back then included a section on decryption of communications whereas the German version did not. German officials then stated that the German version was indeed the correct one.
We talked to the responsible senior official from the Ministry of Interior who stated that the joint letter sent to the EU Commission does not aim for the implementation of backdoors. It is the Ministry of Interior’s (and therefore the administration’s) strategic guideline to not attempt to broadly implement backdoors. The administration does not support the idea of broadly weakening encryption through backdoors, though it naturally explores other options to counter the growing use of encrypted communications and data storage. A first step has been the establishment of the Central Authority for Information Technology in the Security Domain (ZITiS) which has been described in the TCF Policy Debates on January 31.
- https://regmedia.co.uk/2017/02/28/french_german_eu_letter.pdf (French)
- https://netzpolitik.org/2016/innenminister-fordern-hintertueren-gegen-verschluesselung-in-der-franzoesischen-version-der-gemeinsamen-erklaerung/ (German)
Author: Dr. Sven Herpig
Transatlantic Cyber Forum
Policy Debates | March 31, 2017
Issue: Alleged Cyber Operation against the German Parliament
Track: Cyber Defense & Political Infrastructures
The German federal elections will take place on September 24 this year. Bearing in mind the breach of the German parliament’s computer network ‘Parlakom’ in 2015 as well as unsuccessful attempts against the parliament and Angela Merkel’s ruling party (CDU) in 2016, more cyber operations are to be expected until election day.
On March 28, the German newspaper Süddeutsche Zeitung (SZ) reported about an alleged cyber operation against the German parliament to have taken place earlier this year.
One day after the SZ released its article, Germany’s cyber security agency (BSI) issued a corresponding statement. Even though there is no reference to the SZ article, details of the statement indicate it being a direct response to that article. The BSI explains in its statement that the agency has been lending support to the IT staff of the German parliament since early February. Experts helped to detect and analyse anomalies in the parliament’s network traffic. The analysis revealed that the suspicious activity originated from the website of the Jerusalem Post which had been manipulated to deliver malicious content to its viewers (drive-by-attack). Staff and members of the parliament had been accessing this website as part of their day-to-day work. No damage had been caused to their systems due to the new security mechanisms that had been implemented as lessons learned from the 2015 attack. Judging by the disclosed information it does not appear to be a targeted operation against the German parliament. The BSI’s statement seems very credible. Over the past months, the agency has offered support to various political stakeholders - such as parties - which are involved in the (pre-)election process.
At an event organized by the Stiftung Neue Verantwortung in Berlin on March 13, Hillary Clinton’s campaign manager Robby Mook offered some insights into how to deal with ‘fake news’ and cyber security during elections. He also directly offered advice to the German political parties.
The 16 Gigabyte worth of documents that were extracted from the Parlakom in 2015 have not yet resurfaced. It is possible that some of those documents will soon be used in a doxing operation against German politicians and parties. Unlike the American, Dutch or even French political landscape, the most likely beneficiary of such an operation - the right-wing party AfD - is nowhere close to winning the election with a current estimate of 7% of the votes. However, a well-tailored doxing operation might be enough to cost Angela Merkel her chancellorship as the rivalling Social Democratic Party is currently only 2% behind.
- http://www.sueddeutsche.de/politik/netz-sicherheit-hackerangriff-auf-den-bundestag-1.3440215 (German)
- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/Cyber-Angriff_auf_den_Bundestag_Stellungnahme_29032017.html (German)
- http://www.spiegel.de/politik/deutschland/sonntagsfrage-umfragen-zu-bundestagswahl-landtagswahl-europawahl-a-944816.html (German)
Author: Dr. Sven Herpig
Transatlantic Cyber Forum
Policy Debates | March 31, 2017
Issue: Wikileaks, Vault7 and Germany
Track: Encryption Policy & Lawful Hacking
On March 7 around 2 pm CET Wikileaks published a redacted version of the alleged "CIA spy arsenal" in the cyber domain. Dubbed "Vault7", Wikileaks announced that it would just be the first trove of documents it will reveal as part of its "Year Zero" series.
As project director of the Transatlantic Cyber Forum, Sven was asked to discuss the implications from a German introspective with Deutsche Welle at The Day. The discussion is in English.
Author: Dr. Sven Herpig
Transatlantic Cyber Forum
Policy Debates | April 24, 2017
Issue: Establishment of Germany’s Cyber Command (CIR)
Track: Cyber Defense & Political Infrastructures
On April 5th, the new Cyber Defence Command (CIR) of the German Federal Armed Forces was officially commissioned by minister of defence Ursula von der Leyen in Bonn. With Lt. Gen. Ludwig Leinhos as its head, the command will be of equal rank as the armed forces, air force and the navy. The division has started with a workforce of 260 soldiers and is planning to expand until 2021 to a size of roughly 14.000 soldiers and civil employees.
Four units will be subordinated to the Cyber Defence Command from July 2017 onwards: the Command Strategic Reconnaissance - a small and secretive unit that has trained offensive cyber-attacks -, the Command Support Unit, the Centre for Operational Communication and the Centre for Geoinformation. The research centre for Cyber Defense of the Federal Armed Forces University is based in Munich near the Central Authority for Information Technology in the Security Domain (ZITiS). 
The establishment of a German Cyber Defence Command is a necessary organizational measure to further strengthen the cyber capabilities of the Federal Armed Forces by merging relevant working units under one umbrella. This will allow for better coordination, improvement of capabilities as well as faster planning and procurement. CIR builds upon existing competence, expertise and manpower from within the military. The human resources will be pooled from existing divisions, together with their organizational units. As of now, there are only about 100 new posts to be created for CIR – the remainder of the 13.500 staff is already employed by the military.
Two arguments have been spread in the media as the underlying reasons for the CIR setup. First, the Russian influence and cyber operation against the Democratic National Committee and the integrity of the election in general. Second, a high number of cyber attacks against the military’s IT-infrastructure in the first nine weeks of 2017. While the threat to the IT-infrastructure was clearly exaggerated, both reasons do not play a role at all. The changes surrounding CIR were the result of a restructuring effort within the military which is partially laid out in the official document dated April 2016: “Abschlussbericht Aufbaustab Cyber- und Informationsraum.”
It remains unclear so far to what extent the new command will possess offensive capabilities and responsibilities. In an internal strategy paper that was leaked two years ago offensive cyber capabilities were considered by minister von der Leyen as a supporting, complementary or substituting tool. Officially, its task has primarily a defensive character but it seems unrealistic in the cyber security context to build defensive capabilities without strengthening the offensive capabilities as well. Especially in Germany the distinction between defensive and offensive actions is of importance as the parliament must approve offensive military operations (‘Parlamentsvorbehalt’) – including cyber. Therefore, the establishment of the Cyber Defense Command also raises the necessity of a broader debate about the definition of an offensive action in the cyber domain.
However, the defensive/ security approach of CIR is not without trouble. Since Germany published its new cyber security strategy last year, the military is eyeing more responsibilities within Germany’s – historically very civilian – cyber security architecture. The military wants to lend a helping hand to critical infrastructures under cyber attack or in the event of substantial cyber operations against the state. As CIR grows, expect to see more of those discussions. Those responsibilities might be seen by policy-makers and public as a raison d’être and grounds for additional financial and human resources.
Another practical challenge for the new command will be the recruitment of skilled employees. As the command plans to expand its workforce rapidly within the next years, it currently discusses to lower the requirement (e.g. fitness level, educational level) for new employees of the command. In 2016 the army launched a highly controversial advertising campaign to attract new cyber recruits. In 2018 a new course of study on “Cyber Security” will start at the university of the Federal Armed Forces in Munich.
German Name: Kommando Cyber- und Informationsraum
Abbreviation: KdoCIR / CIR (sometimes also CIRk - with reference to Star Trek)
Area of Supervision: Ministry of Defence
Location: Bonn, North Rhine-Westphalia
Employees: 260 soldiers starting in 04/2017; until 2021 targeting ~ 14.000 soldiers and civilian employees
Resources: Currently no information available
Responsibilities: The Command is responsible for the operation and protection of the Federal Armed Forces’ IT-systems domestically as well as during operations abroad. Capabilities for reconnaissance and impact (read: offensive cyber operations) in the cyber and information domain are supposed to be strengthened and expanded. Additionally, they support all other commands of the Armed Federal Forces and contribute to an overall security provision by strengthening the cyber security infrastructure through the exchange and cooperation with other institutions. CIR will also contribute to the improvement of Germany’s civilian cyber security architecture.
- Abschlussbericht Aufbaustab Cyber- und Informationsraum (German)
- Bundeswehr Kommando Cyber- und Informationsraum (German)
- Strategische Leitlinie Cyber-Verteidigung der Bundeswehr (German)
- Deutsche Welle News: German army launches new cyber command (English)
 Presented in Policy Debates “Official Announcement about the Central Authority for Information Technology in the Security Domain” on January 31, 2017.
 284.000 attacks were mentioned by a representative of the military. However, it does not tell us something substantial about the actual threat as the number does not refer to targeted or advanced attacks only
 Final report on the setup within the cyber and information domain.
Author: Dr. Sven Herpig
Transatlantic Cyber Forum
Policy Debates | May, 2017
Issue: German government analyses offensive cyber capabilities, so-called “hackbacks”
Track: Cyber Defense & Political Infrastructures + Encryption Policy & Lawful Hacking
In the aftermath of cyber attacks against German political foundations, the German Bundestag in 2015, the DNC and recently the Macron campaign an investigative report by German news and broadcast media (WDR, NDR, Süddeutsche) has recently discovered that the German government is currently considering the development and expansion of offensive cyber capabilities as a response to cyber attacks. Germany's Federal Security Council, chaired by Chancellor Angela Merkel, carries out an analysis. The federal government’s analysis aims to find out what the legal implications would be, what technical means exist and by whom the offensive measures would be carried out. The results will be presented this summer to the Federal Security Council, which meets behind closed doors.
Specifically, the government is looking into the possibility of ‘hacking back’ to actively wipe the entire hostile servers through which attacks e.g. against civilian targets such as critical or political infrastructure are guided and thereby hopes to stop cyber operations, steal back documents and strategically take-down botnets. Requirements for an offensive response according to the German government would be that any request for mutual assistance in a criminal matter is arbitrary or that the attack cannot be stopped with other political and diplomatic means.Domestically, there is currently not much of a legal basis for such a project. The government’s analysis caused public backlash among IT researchers, civil society groups and the opposition parties, like the Green party. Arguments against those offensive measures are mainly the fear of collateral damage caused to third parties, questions of compensation in case of damage to third party systems and attack attribution.
Moreover, the German government’s talk of “getting back stolen information” let some doubt that it has grasped the technical understanding of a hack.
The discussions around the offensive capabilities ‘hackback’ by the government in Germany is similar other debates about hackback in other countries. What is unique in the German case and has not been picked up in the discussion yet is that the German government frames this as the ‘digital final (fatal) shot’ (German: finaler Rettungsschuss) - a definition used in German police law for shooting the attacker for the sake of the protection of the victim. Since Germany is aiming at a discussion on internal security where its military cannot get involved in, the language chosen reflects the decision to frame the discussion in police instead of military jargon.
In the event of a cyber attack against for example the electric grid, the government argues that the servers could be taken from the internet. Two challenges stand out with this application of legal speech to the new domain: Updating the ‘final (fatal) shot’ merely to make it digital, would actually mean a general redefinition of the final shot in itself. A final shot is supposed to stop a dangerous act from happening and to provide protection to the victim before it can get injured. In the digital sense it is difficult to stop the a person from launching an attack from a server before the attack occurs. Usually one finds out about the attack while it is happening and could only stop it from causing more damage. In a fatal shot scenario the situation would have to allow for a clear condition knowing that the server will definitely be used to attack and therefore engage in preemptive measures against it. This is very unlikely unless the government holds communication or information about a planned attack. The form of offensive measures which the government would consider in this context appear to be more comparable to a preemptive strike in military terms. This would however contradict the civil framing of this debate thus far. The country faced a similar challenge about military and civilian responsibilities when it discusses the cyber security of critical infrastructures last year.
Moreover, it causes issues when it comes to the decision on which institution would handle such measures. The Minister of the Interior noted correctly that there is also a dispute due to the federal system - police law is under the jurisdiction of the Länder (states) which means that for example the “final (fatal) shot” despite its difficulty to apply this concept in the first place, is actually not harmonised in all German Länder police laws. Hence the German government will have difficulty to apply their concepts and distinguish existing once adapting them to the new domain cyberspace.
Another angle of discussion which we will follow up with when there is more insights is the debate surrounding which institutions would handle this kind of offensive strategy. Currently up for discussion are: the Federal Office for Information Security (BSI), the Foreign Intelligence Service (BND), the German army (Bundeswehr), the Central Authority for Security in the Information Sphere (ZITiS) and the Federal Office for the Protection of the Constitution (BfV).
Transatlantic Cyber Forum
Policy Debates | June 2, 2017
Issue: German government discusses “hackbacks”
Track: Cyber Defense & Political Infrastructures + Encryption Policy & Lawful Hacking
An investigative report by German news and broadcast media (WDR, NDR, Süddeutsche) has recently discovered that the German government is currently considering the development and expansion of offensive cyber capabilities as a response to cyber attacks. Germany's Federal Security Council, chaired by Chancellor Angela Merkel, is carrying out this analysis. It aims to find out what the legal implications would be, what technical means exist and by whom the offensive measures would be carried out. The results will be presented this summer to the Federal Security Council, which meets behind closed doors.
Specifically, the government is considering the possibility of ‘hacking back’ to actively wipe systems which are used to attack civilian targets such as critical or political IT-infrastructures, steal back documents or strategically take-down botnets. Requirements for an offensive response according to the German government would be that any request for mutual assistance in a criminal matter is arbitrary or that the attack cannot be stopped by other political and diplomatic means. Domestically, there is currently not much of a legal basis for such a project. The revelation of this ongoing analysis caused public backlash among IT researchers, civil society groups and opposition parties, like the Green party. Arguments against those offensive measures are mainly the fear of collateral damage caused to third parties, questions of compensation in case of damage to third party systems, sparking international conflicts and the possible lack of attack attribution.
Moreover, the German government’s talk of “getting back stolen information” led some to doubt that it has grasped the technical understanding of a cyber attack.
The discussions around ‘hackback’ by the government in Germany are similar to debates about hackback in other countries. What is unique in the German case and has not been picked up in the discussion yet, is that the German government frames this as the ‘digital final (fatal) shot’ (German: finaler Rettungsschuss) - a definition used in German police law for shooting the attacker for the sake of the protection of the victim. Since Germany is aiming at a discussion on internal security where its military cannot get involved in, the language chosen reflects the decision to frame the discussion in police instead of military jargon.
In the event of a cyber attack against, for example, the electric grid, the government argues that the servers could be taken off the internet. Two challenges stand out with this application of legal speech to the new domain: updating the ‘final (fatal) shot’ merely to make it digital, would mean a general redefinition of the final shot in itself. It is supposed to stop a dangerous act from happening and to provide protection to the victim before it can get injured. In the digital sense, it is difficult to stop a person from launching an attack from a server before the attack occurs. Usually one finds out about the attack while it is happening and could only stop it from causing more damage – mitigating the impact. In a fatal shot scenario, the situation would have to allow for a clear condition knowing that the server will definitely be used to attack and therefore engage in preemptive measures against it. This is very unlikely unless the government has evidence or other pertinent information about a planned attack. The form of offensive measures which the government would consider in this context appear to be more comparable to a preemptive strike in military terms. This would however contradict the civil framing of this debate thus far. The country faced a similar challenge about military and civilian responsibilities when it discussed the cyber security of critical infrastructures last year. Moreover, it causes issues when it comes to the decision about which institution would handle such measures. The Minister of the Interior noted correctly that there is also a dispute due to the federal system - police law is under the jurisdiction of the Länder (states). This means that the “final (fatal) shot” - despite its difficulty to apply this concept in the first place - is actually not harmonized in all German state police laws. Hence the German government will have difficulty applying their concepts and distinguishing between existing ones, when adapting them to the new domain - cyberspace.
Another angle of this debate is which institutions would handle this kind of offensive strategy. Currently up for discussion are: the Federal Office for Information Security (BSI), the Foreign Intelligence Service (BND), the German army (Bundeswehr), the Central Authority for Information Technology in the Security Domain (ZITiS) and the Federal Office for the Protection of the Constitution (BfV).
- http://www.sueddeutsche.de/digital/hacking-deutschland-plant-cyber-gegenschlaege-1.3469443 (German)
- http://www1.wdr.de/mediathek/audio/wdr5/wdr5-leonardo-top-themen/audio-was-passiert-bei-einem-hack-back-100.html (German)
- https://causa.tagesspiegel.de/politik/darf-die-bundeswehr-cyber-attacken-zur-verteidigung-nutzen (German)
- http://www.zeit.de/digital/internet/2017-04/cyberangriffe-bundesregierung-hackback-gegenangriff (German)
- http://www.sueddeutsche.de/digital/it-sicherheit-man-kann-nicht-einfach-zurueckcybern-1.3490624 (German)
- https://netzpolitik.org/2017/kommentar-verfassungsschutz-chef-maassen-will-zu-den-digitalen-waffen-greifen/ (German)
- http://www.politico.eu/article/great-german-hack-back-cyber-troops-digital-attacks/?utm_source=POLITICO.EU&utm_campaign=b0647e470a-EMAIL_CAMPAIGN_2017_05_24&utm_medium=email&utm_term=0_10959edeb5-b0647e470a-189739885 (English)
Transatlantic Cyber Forum
Policy Debates | June 27, 2017
Issue: Intensification of targeted surveillance of suspects via so called ‘state trojan’ software
Track: Government hacking and encryption policy
The German parliament passed a legislative amendment  which significantly intensifies government hacking by law enforcement. Among other changes, law enforcement agencies are now permitted to infiltrate a suspect’s computer and smartphone for repression instead of only prevention of crimes. Though it was very restrictively allowed beforehand in cases like terrorism, the new legislation allows the use of targeted surveillance in many more crimes, for example money laundering, tax evasion, and drug related crimes.
That way law enforcement can gain access to a suspect's entire digital communications, data, cloud, camera etc. which is called Online Search in German (‘Online Durchsuchung’). Additionally, law enforcement can conduct a less invasive surveillance, monitoring ongoing communications pre-encryption, called source telecommunication surveillance in German (‘Quellen TKÜ’). There is an existing software for this purpose called ‘state trojan’, but law enforcement agencies might develop or buy additional software with the help of the newly found ZITiS (see our briefing in January).
The amendment was recommended by Heiko Maas, the Federal Minister of Justice and Consumer Protection, and submitted by the coalition parties  to be included in a law dealing with more effective and practical law enforcement in general. Thus, the new hacking powers for law enforcement were just part of a much bigger bill which concentrated on other methods, such as allowing police to use DNA to figure out hair and eye color and other less controversial adjustments which were deemed highly necessary by all parties. The inclusion of the amendment shortly before the law was passed, without much time for discussion, caused outrage by the opposition party, civil society and experts. This fast-track procedure was criticised by opponents as a way to avoid critical public discussion and debate about the state trojan details, such as scope, technicalities and constitutional rights violations. This is rare in Germany that at such short notice in the last two weeks before the end of the legislative cycle, a significant and known to be controversial amendment is added to a bill. There was no public hearing even in the Bundestag. One committee was convened to obtain statements from the public. A critical statement by lawyer Buermeyer, who is also part of the Transatlantic Cyber Forum, was prepared in just ten days. Buermeyer submitted his judgment of the law warning that it would be unconstitutional - an argument which was supported by the German Association of Lawyers, who also argued that it is unconstitutional.
Nevertheless, the judicial committee passed the amendment and added it into the law about to be passed just two weeks before the large summer break which is essentially the end of the legislative cycle, as Germany is electing a new Bundestag in September.
That many things were left open for discussion became clear when the opposition parties, the Greens and the Left, focused their entire statements on the state trojan software on the day of voting (22nd of June) and criticised the law ahead of the vote for that amendment. The Greens argued that it lessens security in general, it would be too broad for too many crimes and that it is against many rights. This did not change the coalition of SPD and CDU/CSU, the two governing parties, which were both committed to passing the law. They focused their statements mostly on the other parts of the law arguing only that the state trojan is necessary to solve crimes and that law enforcement is adapting to the new digital age. They argued that accessing telecommunications, such as text messages won’t give them any relevant information as most calls and messages are made via encrypted applications such as Whatsapp.
The trojan software is nothing new, however, the scope of its usage was greatly broadened in the new amendment.
As the usage of encrypted messengers and therefore encrypted communication via, for example, WhatsApp and Telegram, has increased among criminals rapidly over the last years, law enforcement agencies are complaining about rising ‘going dark’ difficulties hampering criminal prosecutions. In the statement given, it was argued that only about 19% of communication is done via non-encrypted ways and its content would be something irrelevant like ordering a pizza. Law enforcement already created a way to circumvent encryption in 2008. The usage however was severely restricted and defined by a Federal Constitutional Court judgement in 2008. Then the court also created the right to integrity and confidentiality in electronic systems, as the court argued that much of personal life is digital, now. Critics say that this updated law will cause yet another new Federal Constitutional Court decision, because it ignores the high barriers set for the usage of the state trojan in 2008 and 2016 and is in violation of the mentioned right.
The German Federal Constitutional Court first differentiated between online surveillance, which means the complete access to past and present communications and data of a suspect, and the less invasive source telecommunication surveillance which means the access to smartphones to gain access to ongoing conversations. It has further set high barriers for the former. In a further decision, in April 2016, the Federal Constitutional Court highlighted that online searches may be used to prevent international terrorism and when sufficient evidence exists that human lives, their physical integrity or basis of life are endangered.
Both have been used very rarely. Source telecommunication surveillance was applied a few times on the state level.
The new law really creates a provocation of the Federal Constitutional Court decisions:
- As it is firstly used in a much broader scale in crimes which do not risk the immediate lives of people - e.g. ‘Online Search’ can now be used in cases of money laundering .
- Police may only use it to prevent a crime, but with the online surveillance in its full form it may also be used to retrieve evidence of already committed crimes - and start a new investigation
- Nowadays the monitoring of devices like smartphones allows extensive intrusions into the privacy of an individual (i.e. access to pictures, activation of microphones etc.). It is argued that the broad scale usage will violate privacy and the privacy of uninvolved third parties.
Overall, the barriers of the new law are much lower which could lead to increased use in general.
Moreover, concerns have been raised about the control mechanisms of the state Trojan. Past investigations have revealed that the state Trojan possesses greater technical abilities than currently allowed. For example, even with a source telecommunication surveillance it is not guaranteed that it can only access ongoing communication - something required by law but technically not convertible. These insights have led to increasing demands for independent control mechanisms of the state Trojan. Further points of criticism are the violation of IT-systems’ integrity and the exploitation of software vulnerabilities by the state which have been raised by critics to this day whenever there was usage on a state (Länder) level.
There are two different forms of targeted surveillance using the state trojan software:
1. Online search - the most intrusive form getting access to the device’s data, communications, hardware, backup etc.
- Allowed since 2008 after a Federal Constitutional Court decision to prevent cases of very extreme danger, risk of death and since 2016 international terrorism by the Federal Criminal Police Office
2. Source telecommunication surveillance
- 2008 Federal Constitutional Court decision differentiated source telecommunication surveillance from online search and determined it to be less invasive and confirmed with the right to integrity and confidentiality in electronic systems IF it technically only accesses ongoing communications - since then use judged on a case by case basis applying state (Länder) laws or the Federal Criminal Police Law. However, its use in cases of traditional telecommunication law was criticised since this law (about which update this briefing is about) had no proper legal speech allowing the use of the software to infiltrate phones and proposed proper rules for the technicality.
3. The Telecommunication surveillance law governs the use of traditional surveillance such as access to text messages, phone calls which can be applied for 38 serious crimes. Now this law is updated to include legal speech which allows the use of targeted surveillance, such as source telecommunication surveillance and online speech.
- In the new law it was added that infiltration into information systems is now allowed as part of surveillance, legalising the use of source communication surveillance if proportional and technically feasible. This means that it recognises that before the source communication surveillance can start and create technical barriers for the access of more than just ongoing communication, the system needs to be infiltrated. The legal text supports its use in 38 different serious crimes (Examples: cases of treason, sedition, endangering the democratic rule money laundering, drug trafficking, child pornography, murder, manslaughter, tax evasion, smuggling of foreigners, incitement of fraudulent application of asylum - find all crimes in English in footnote).
- Moreover, the new law changed that source communication surveillance can be decided by the prosecutor's office if there is immediate danger ahead, needing only a judge's ruling after three days. Before the use was always determined by a judge.
- The online search is now allowed by police not just the Federal Criminal Police Office. This was extended from use in cases of international terrorism and risk of livelihood to 27 serious crimes (see last page for exact crimes). Moreover, an online search can now also be used to investigate a crime after it happens.
- Online search is, moreover, also allowed regressively in case that during a search the investigation finds a hint about another serious crime, then they can open a new investigation.
- In Section 100d 2 of the amended law it determines that if there is knowledge about a core area of the private conduct of life which was found while doing an online search or the source telecommunication surveillance, then this is not to be used and deleted immediately.
- Law enforcement argues that it will determine usage in each unique case and restrict technical capabilities accordingly.
- Traditional telecommunication surveillance was used in 2015 32,000 times in 6,000 cases
- On a case by case basis the extensiveness of targeted surveillance will be decided by a judge or in cases of danger ahead, by the prosecutor's office and confirmed by the judge.
This decision is a win for law enforcement until the legality is determined by the Constitutional Court. Interestingly, the legality of the evidence retrieved from using those methods are not necessarily clear as there is no precedent - thus this is something to be determined once cases emerge. It is definitely not a win for broader civil society, the net-political scene, IT experts or those who care about governance of the digital sphere in general, as the leading parties showed no interest in solving some of the very controversial parts of the law, leaving many issues unresolved (here see TCF paper by Sven Herpig). The fast track showed that it was a way to avoid a real discussion.
The 2016 Federal Constitutional Court decision about government hacking urged the government to make the use more clear by June 2018. However, it seems that the governing parties did not want take more time and leave it up to the next legislature after the Bundestag election this September.
It was a way of giving into political pressures of law enforcement agencies which fear that their work is not effective and could allow an increase in crime rate which was stated in one hearing. The net-political scene in Germany needs to deal with the reality now, and in case it is not struck down by the Federal Constitutional Court, propose solutions for the problems of government hacking allowing some of the concerns of law enforcement to be taken seriously.
27 crimes online searches can be done for:
2) Particularly serious criminal offences for the purposes of subsection (1), number 1, shall be:
1. pursuant to the Criminal Code:
a) crimes against peace, high treason, endangering the democratic state based on the rule of law, treason, and endangering external security pursuant to sections 80, 81, 82, 89a, pursuant to section 94, section 95 subsection (3) and section 96 subsection (1), in each case also in conjunction with section 97b, as well as pursuant to section 97a, section 98 subsection (1), second sentence, section 99 subsection (2), section 100 and section 100a subsection (4);
b) formation of criminal groups pursuant to section 129 subsection (1) in conjunction with subsection (4), second part of the sentence, and formation of terrorist groups pursuant to section 129a subsections (1), (2), (4) and subsection (5) first sentence, first alternative, in each case also in conjunction with section 129b subsection (1);
c) counterfeiting money and official stamps pursuant to sections 146 and 151, in each case also in conjunction with section 152, as well as pursuant to section 152a subsection (3) and section 152b subsections (1) to (4);
d) crimes against sexual self-determination in the cases referred to in section 176a subsection (2), number 2, or subsection (3), section 177 subsection (2), number 2, or section 179 subsection (5), number 2;
e) distribution, acquisition and possession of pornographic writings involving children in the cases referred to in section 184b subsection (3);
f) murder and manslaughter pursuant to sections 211 and 212;
g) crimes against personal liberty pursuant to section 234, section 234a subsections (1) and (2), sections 239a and 239b, and trafficking in human beings for the purpose of sexual exploitation and for the purpose of exploitation of labour pursuant to section 232 subsection (3), subsection (4) or subsection (5), section 233 subsection (3), in each case to the extent that it concerns a felony;
h) gang theft pursuant to section 244 subsection (1), number 2, and aggravated gang theft pursuant to section 244a;
i) aggravated robbery and robbery resulting in death pursuant to section 250 subsection (1) or subsection (2), section 251;
j) extortion resembling robbery pursuant to section 255 and a particularly serious case of extortion pursuant to section 253 under the conditions set out in section 253 subsection (4), second sentence;
k) commercial handling of stolen goods or gang handling of stolen goods or commercial gang handling of stolen goods pursuant to sections 260 and 260a;
l) a particularly serious case of money laundering or concealment of unlawfully acquired assets pursuant to section 261 under the conditions set out in section 261 subsection (4), second sentence;
m) a particularly serious case of taking and offering bribes pursuant to section 335 subsection (1) under the conditions set out in section 335 subsection (2), numbers 1 to 3;
2. pursuant to the Asylum Procedure Act:
a) inducing an abusive application for asylum pursuant to section 84 subsection (3);
b) commercial or gang inducement of an abusive application for asylum pursuant to section 84a subsection (1);
3. pursuant to the Residence Act:
a) smuggling of aliens pursuant to section 96 subsection (2);
b) smuggling resulting in death and commercial and gang smuggling pursuant to section 97;
4. pursuant to the Narcotics Act:
a) a particularly serious case of a criminal offence pursuant to section 29 subsection (1), first sentence, numbers 1, 5, 6, 10, 11 or 13, subsection (3) subject to the requirements of section 29 subsection (3), second sentence, number 1;
b) a criminal offence pursuant to section 29a, section 30 subsection (1), numbers 1, 2, and 4, or section 30a;
5. pursuant to the War Weapons Control Act:
a) a criminal offence pursuant to section 19 subsection (2), or to section 20 subsection (1), in each case also in conjunction with section 21;
b) a particularly serious case of a criminal offence pursuant to section 22a subsection (1) in conjunction with subsection (2);
6. pursuant to the Code of Crimes against International Law:
a) genocide pursuant to section 6;
b) crimes against humanity pursuant to section 7;
c) war crimes pursuant to sections 8 to 12;
7. pursuant to the Weapons Act:
a) a particularly serious case of a criminal offence pursuant to section 51 subsection (1) in conjunction with subsection (2);
b) a particularly serious case of a criminal offence pursuant to section 52 subsection (1), number 1, in conjunction with subsection (5).
(3) The measure may be directed only against the accused and may be implemented only on the private premises of the accused. The measure shall be admissible on the private premises of other persons only if it can be assumed on the basis of certain facts that
Author: Julia Schuetze
Transatlantic Cyber Forum
Policy Debates | July 27, 2017
Issue: Germany bolsters cyber security for upcoming elections
Track: Cyber Defense & Political Infrastructures
On September 24, 2017 Germany will hold its federal elections. After the cyber operations conducted against the German parliament in 2015, Democratic National Committee in 2016 and the Macron campaign in 2017, there is widespread anticipation of a similar attack aiming to influence the 2017 elections in Germany. The country has been ramping up its digital defences and resilience in the past months, also due to the fact that operations against its parties and think tanks are still ongoing. Although politicians and media have been very vocal about the cyber threat the country is facing in the upcoming elections, the attention has died down a bit over the last couple of weeks.
Since end of 2016, the executive and legislative branch have undertaken several steps to increase cyber security. The German parliament adjusted its security mechanisms to be more in line with the one that the Federal Office for Information Security (BSI)runs to protect the executive branch. Additionally, the IT-commission of the parliament contracted an IT-security company to make a holistic assessment and discover flaws in the IT-infrastructure. The results were encouraging but also showed that there is still a lot of work to be done. The BSI offered IT-security training to the political parties represented in the parliament in order to bolster their defences when facing an adversarial cyber operation during the time leading up to the elections.
When it comes to the electoral process, Germany has not digitized the process, which is beneficial to the overall security. The voting and counting of the votes is manual and therefore can be redone if the results shown on the state or federal level deviate from the actual count on the local level. A dedicated and secured network is used to transmit the results of the voting from state and national level. Additionally, there are several fallback mechanisms in place to submit the results of the count. The entirety of the voting process and therefore its security is being carried out under the umbrella of the Ministry of Interior. The Ministry is not only the focal point for election security but also the supervising ministry for the BSI and the domestic intelligence service. Judging from an architectural point of view, this appears to be a prudent approach.
The BSI carried out a penetration test for the Electoral Management Body (EMB) in order to find and patch vulnerabilities. The EMB also increased redundancy by tripling its IT-infrastructure and explored ways to coordinate and cooperate with BSI’s cyber defence centre, Germany’s inter-agency cyber security cooperation platform. During the election, the BSI will also have a single-point-of-contact assigned directly to the EMB to increase efficiency of response. The BSI also announced to test the security of the “Wahl-O-Mat”, a popular political/ election compass tool.
When it comes to resiliency against influence operations and fake news campaigns, there were talks among the parties, a “gentlemen’s agreement”, to not exploit any leaks or fake news stories. The media has also been asked to be extremely vigilant and responsible when picking up related stories. Germany also benefits from a non-antagonistic multi-party system. It is not known for a polarization which is as strong as the one that we have seen with the Brexit-vote as well as the American and French elections. This will contribute to the resilience.
A policy idea that might be connected to cyber operations during the elections and that has been floated in Germany for months is the hack back issue. The idea is to “get back” stolen documents through hacking into a server and delete the documents there. This idea has been met with some resistance in Germany - due to the lack of a feasible approach - and therefore not been legally implemented yet.
Thus, from the technical point of view, the local level appears to be the most vulnerable. It is not part of the secured and dedicated network to transmit voting results and it holds the voter registration databases. The latter’s security has not been addressed as far as we know. The voting results (as well as the voter registrations) can be manually double-checked and – in case of the results – transmitted by alternative means. The worst that could happen would be a (slight) delay in the final count on state and federal level. When it comes to resilience against adversarial media campaigns, Germany benefits from its political structure and it is considered unlikely that even an elaborate campaign would sway the vote for more than a low single digit figure. Based on the current forecast and Germany’s political system, this would not have a severe impact.
Sidenote: The documents extracted from the German parliament in the 2015 cyber operations have yet to surface. While many expect the documents to be exploited in the 2017 elections, I personally believe that the operation’s goal was only espionage. The perpetrators wanted to learn about Germany’s stand and negotiation tactics vis-à-vis to Russia without specifically looking for compromising material.
 One system called “Schadsoftware-Erkennungs-System” (translation: malware-detection-system) (SES) protects against targeted cyber attacks such as spear-phishing - the attack vector used in the Parlakom operation - and the other one called “Schadsoftware-Präventions-System” (translation: malware-prevention-system (SPS) protects internal devices from accessing malicious servers and websites.
 The report itself is classified, so this assumption is based on the public knowledge derived from a German media outlet which had access to a version of this report.
 We gave an overview in the Policy Debate on June 2 entitled “German government discusses “hackbacks””.
- https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Jahresberichte/BSI-Jahresbericht_2010_pdf.pdf?__blob=publicationFile [German]
- http://www.sueddeutsche.de/digital/it-sicherheit-zahlreiche-sicherheitsluecken-im-netzwerk-des-bundestags-1.3462578 [German]
- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2016/Vorsorge_Wahlmanipulation_30122016.html [German]
- https://www.heise.de/newsticker/meldung/Bundeswahlleiter-staerkt-Schutz-gegen-Cyberattacken-3740401.html [German]
- http://www.tagesspiegel.de/politik/bundestagswahl-wahlleiter-stellt-sich-auf-hackerangriffe-und-fake-news-ein/19254094.html [German]
- https://www.morgenpost.de/politik/article210739993/Wie-die-Bundestagswahl-gegen-Hackerangriffe-geschuetzt-wird.html [German]
Transatlantic Cyber Forum
Policy Debates | September 14, 2017
Issue: Germany runs pilot project on automatic facial recognition at major Berlin train station
Track: Surveillance Governance and Oversight Innovation
The German government is testing automatic facial recognition software at a large train station in Berlin. Especially in train stations in Berlin there has been a trend in expanding installation of surveillance cameras. Currently, 900 train stations in Germany are monitored by 6,000 video cameras and the material is evaluated in real-time. These cameras could potentially be upgraded with facial recognition technology. A cross-government project group consisting of representatives of the federal police, Ministry of the Interior (BMI), the Federal Crime Agency (BKA), and the Deutsche Bahn AG (DB AG) is testing the so-called intelligence video software. The technology allows mass collection, storage and analysis of faces and behaviors in open spaces in real time. The test is supposed to last six months. It is split in two phases: First, three different systems of facial recognition are deployed and tested using the real time video streams of the already existing surveillance cameras. Secondly, intelligent video analytics softwares are being tested aiming to analyze behavior trying to identify dangerous situations, e.g. individuals lying helplessly on the floor. With this new technique, the police argues, crimes and dangerous situations can be recognised in advance. Thus far predictive policing is piloted in nearly all Länder (states) - for example in Duisburg where the police is using algorithms to predict burglaries. De Maizière, Federal Minister of the Interior, hopes that facial recognition will increase security dramatically. After the six months testing period, he wants to test if this technology can be used all over Germany on top of the existing video surveillance. The pilot project is tested with 275 volunteers that the police recruited over the last weeks at the train station, by handing out vouchers as a compensation for participants.
The pilot project has been criticized for two main reasons: Firstly, the setup of the test phase and secondly, the overall legal and political question of introducing facial recognition software for surveillance cameras in public places in Germany. With regard to the pilot project the Federal Officer for Data Protection (Bundesdatenschutzbeauftragte) said that it is problematic that trial persons were not advised about the use of their personal data in a proper way. This critique is based on the findings of the NGO Digital Courage which has found that the transponder that the test persons have to wear catch more data than originally announced, such as movement of the person. Furthermore, the project implementation and evaluation is criticised as it does not use good empirical methods which would create a strong judgement about the success of the pilot project missing relevant criteria. More criticism came from the German Association of Lawyers which agreed with the data protection concerns and ultimately said that the pilot project would be unconstitutionally unsound because there was no broad societal discussion beforehand. They argue that using facial recognition via surveillance cameras is a significant reevaluation of constitutionally set personal rights. Further, they argue that before a democratic and free society chooses to go down this path, they need to know about the technical details - but they are not clear. The FDP wants to stop the trial and regards facial recognition technology also as unconstitutional. Same as die Grüne (the Green Party) and die Linke (the Left Party) which oppose the trial, whereas the current CDU coalition partner, the SPD is not against stopping the trial but evaluating the data protection concerns.
Testing such technology is a big step in Germany where security cameras without facial recognition are contested and not as widely used as for example in the US or the UK, although there is a trend to install them on more public places such as train stations. Having went to the Südkreuz train station I must agree that the area which is marked as the testing ground is not clearly marked . If one is well informed, you would see the signs which define via which doors one would have to walk to be not caught by the cameras. Nevertheless, you would not be able to go to the supermarket in the train station without crossing the testing area. Due to the lack of information about technical details, it is also unclear how the government and company is safeguarding all the information they are using as well as the kind of algorithms applied. The use of AI in connection with privacy is a hot topic in germany as the recent study which claims to have found that AI can identify the sexual preference of people is highly criticized in Germany. This pilot project is implemented in the midst of of Germany's federal election campaign and looks like an election stunt for the CDU and its public security focused election campaign. The topic will however stay in focus after the elections when a coalition is formed.
 https://www.heise.de/newsticker/meldung/Berlin-1000-moderne-Ueberwachung... 1000 new cameras were installed in 2015 just in berlin underground stations
- https://www.rbb24.de/politik/beitrag/2017/08/berlin-bahnhof-suedkreuz-gesichtserkennung-buergerrechtler-ueben-scharfe-kritik.html (German)
- http://www.spiegel.de/netzwelt/netzpolitik/gesichtserkennung-am-berliner-suedkreuz-ein-test-fuer-unsere-freiheit-a-1160867.html (German)
- https://anwaltverein.de/de/newsroom/pm-9-17-deutscher-anwaltverein-gesichtserkennung-in-bahnhoefen-greift-massiv-in-grundrechte-ein (German)
- https://kleineanfragen.de/berlin/18/11080-pilotprojekt-videoueberwachung-am-bahnhof-suedkreuz (German)
- https://netzpolitik.org/2017/ortstermin-am-suedkreuz-die-automatische-gesichtserkennung-beginnt/ (German)
- https://www.bundestag.de/presse/hib/2017_08/-/525556 (German)
- http://www.tagesspiegel.de/berlin/neue-ueberwachungskameras-in-berlin-testphase-fuer-gesichtserkennung-am-suedkreuz-ist-gestartet/20120258.html (German)
- https://www.welt.de/politik/deutschland/article167290600/Gesichtserkennung-die-naechste-Stufe-der-Ueberwachung.html (German)
- https://www.morgenpost.de/bezirke/tempelhof-schoeneberg/article211395129/Im-Bahnhof-Suedkreuz-startet-Test-zur-Gesichtserkennung.html (German)
Author: Julia Schuetze
Transatlantic Cyber Forum
Policy Debates | October 27, 2017
Issue: German coalition talks and possible implications for security and privacy policies
Track: Encryption Policy and Government Hacking, Cyber Defense and Political IT-Infrastructures and Surveillance Governance and Oversight Innovation
German election 2017
The federal elections in Germany on September 24th had far reaching consequences for the political landscape in Germany with a voter turnout of 76.2%, the strongest mandate since 2005. First and foremost, they have ended the legislative term of the grand coalition of social democrats (SPD) and conservatives (CDU/CSU) with severe losses for all established parties and a strong increase for the right-wing party Alternative für Deutschland (AfD). It became the third-strongest party during its first national election participation.
The SPD had their worst election result in the history of the party which was 20.5%. This continued the downward trend from what was seen in the last federal elections in 2013. As a result, the SPD declared immediately that they would go into the opposition where they will be the strongest opposition party in the parliament. This step has gained wide approval among the public as the SPD was increasingly overshadowed by its previous coalition with the CDU/CSU.
The CDU and CSU both suffered considerable losses as well. For the CDU, with 26.8% (-7.3%), the results have intensified internal divisions within the party about the future strategic orientation of the party. The results have also internally weakened Merkel’s moderate-leftist stance with the CSU suffering high losses in their home state of Bavaria (-10,5%).
The AfD has successfully mobilized non-voters and protest voters from other parties. Their overwhelming electoral support of 12.6% (+7.9%) has shaken German establishment parties with the consequences remaining to be seen. A recent study conducted by the SNV has shown that AfD voters are less inclined to trust traditional media than most other Germans. For 16% of AfD voters social media was the most important source of information about the election – as compared to 6% for Germans overall.
The leftist party DIE LINKE has gained a small amount of support overall with 9.2% (+0.6%), but has lost considerable support in the traditional strongholds of Eastern Germany to the AfD.
The liberal party (FDP) and the Greens (Die Grünen) have also seen an increase of support during the federal elections. The FDP has focused on digitization, education and migration topics in their election campaign and have almost doubled their previous result to up to 10.7% (+5.9%). The Greens saw a marginal increase of support 8.9% (+0.5%) with a focus on environmental, educational issues as well as civil rights and liberties.
The election results have paved the way for a so-called “Jamaica coalition” for which exploratory talks between the CDU/CSU, the Greens and the FDP are currently ongoing. These complicated coalition talks are expected to be completed by January 2018. If the coalition talks fail, then there are only two options: another grand coalition between the CDU/CSU and the SPD or re-elections. Re-elections appear unlikely as the established parties would probably lose even more support. Moreover, as the SPD immediately announced that they would not be available for coalition talks, a Jamaica coalition appears most probable. This would be the first time that three - or in fact four parties (considering the sister parties CDU/CSU) - would form a government. Difficult coalition talks are expected regarding the topics of migration, finances and security - including cyber security.
Overall, all four parties demand a strengthening of the institutional framework of tech policy but in different forms. The FDP have attracted attention with their call for a “Ministry of Digital Affairs” which of course they are eyeing to claim as their ministry, while the CDU/CSU proposed in their electoral program a new digitization secretary of state in the Chancellery as they would be heading it. The Greens instead advocate for a greater independency of the German Federal Office for Information Security (BSI) - which is currently under the Ministry of Interior - and clearly condemn offensive cyber operations including hack backs.
Overall, from their electoral program it is likely to expect that the Greens and the FDP will strike a balance with the national security and surveillance focus of the CDU/CSU. The SPD had been supportive of such proposals during the last legislature with only small opposition parties in the parliament as a counterbalance. This allowed the past grand coalition to push through controversial legislation e.g. the extended use of the state trojan which the Liberals and Greens strongly oppose. SPD will likely be the main opposition party and therefore most probably not support CDU/CSU proposed legislation on those topics even though it had done so in the past. With a Jamaica-coalition, digitally liberal parties (FDP and Greens) will be in power and are likely to advocate for continued legislative focus on tech policy issues like net neutrality, IT security and data privacy. For the FDP, and to a certain degree also for the Greens - to maintain support among its constituents it must make legislative momentum on these tech policy issues. Moreover, the CDU/CSU depends on the FDP and the Greens for legislative wins which gives the FDP and the Greens considerable leverage on legislative direction.
Many decisions about policy directions will depend on the division of the ministries between the parties.
Due to internal divisions between the CDU (traditionally seen as the more moderate element of the two sister parties) and the CSU; the CSU will try to get concessions from its bigger sister party. This could be in the form of claiming the Ministry of Interior - a big bargaining chip for the CDU and likely the only concession that the FDP and Greens would accept. At the same time, given the migration focus of the CSU, this could allow for greater flexibility when it comes to IT security and data protection initiatives of the FDP and the Greens.
The FDP proposal of a Ministry of Digital Affairs would imply the creation of a solely, independent ministry and consolidate responsibilities from most of the other ministries. Due to this being such a drastic change, it is unlikely that it would occur. Rather, the position of a digitization state secretary is more politically feasible as its role would be strictly coordinating activities across existing ministries. The CDU’s suggested allocation to the Chancellery might be another bargaining chip to the respective party. There is for example a high level multi-stakeholder coordination body for cyber security, the Federal Cyber Security Council (Cyber-SR), with the secretariat based within the Ministry of Interior.
In conclusion, the new coalition should give pause for optimism as there is a growing number of politicians (potentially in power) that are aware of and knowledgeable about current technological debates and developments - especially regarding IT security and data protection. Concerning the AfD it remains unclear what stance the party is going to take on tech policy issues and how productive the party’s work will be.
Right now, pretty much everything is still in political limbo -- the most important strategic document will be the coalition treaty which is expected to be finalized by January 2018. Once the coalition has been formed and agreed on the joint document, another policy debate is going to analyse its content and possible implications.
 This refers to the colors of the coalition parties which match the Jamaican flag.
 This policy debate is to serve as a starting point for what the recent federal elections would mean for German tech policy. This examination is based on existing party platforms and the conclusions drawn from them might bear of speculative nature.
Sven Herpig (SNV) and Cathleen Berger (Mozilla) discuss “What’s to come for Germany’s digital agenda?” on September 27 [Video/English]
Julia Schuetze (SNV) discusses possible tech policy post German elections at Tech Policy Podcast [Audio/English]
Germany’s offensive cyber capabilities [English]
Why Germany is better at resisting fake news [English]
Official election results [German]
Analysis of possible consequences for German tech policy [German]
Positions of Jamaica-coalition partners on digitization policy [German]
Positions of Jamaica-coalition partners on domestic security and surveillance [German]
SNV Fake News Study 2017 [German]
Analysis of swing voters [German]
On the interpretation of the losses in eastern Germany [German]
Electoral program of the CDU/CSU [German]
Electoral program of the FDP [German]
Electoral program of the Greens [German]
Transatlantic Cyber Forum
Policy Debates | November 22, 2017
Issue: German coalition talks collapse
Track: Encryption Policy and Government Hacking, Cyber Defense and Political IT-Infrastructures and Surveillance Governance and Oversight Innovation
In the October 27th policy debate, we outlined the results of Germany's September elections and what the possible coalition talks may have on cyber security and privacy policies. Unfortunately, the coalition talks ended rather abruptly earlier this week. The four involved parties were not able to agree on several issues and the Liberal party (FDP) therefore put an unilateral end to the negotiations - for now.
These recent events have underlined an uncommon characteristic of the German political system: the coalition treaty. If parties want to form a governing coalition after the elections they must first come up with a coalition “treaty”. Though, there is no legal requirement for such a treaty and it is not binding, it is common practice for the coalition parties to agree upon one. The treaty outlines the political agenda of issues to be debated and passed in parliament over the duration of the legislature. It is difficult to put a topic of debate on the agenda during those four years which is not in the treaty. Similarly, there is a lot of public and political pressure on the parties if they do not tackle any of the previously agreed topics in the agenda. Topics vary but cover a vast field of policies ranging from environmental protection to migration and public security as well as, the more recent debate on the effects of digitalization. Moreover, many of the parties must pass the final treaty internally - and if the base of one involved party does not approve the treaty, that means back to the drawing board for all the involved parties. Since the September election, the parties were not able to come up with a coalition treaty that all of them agree on and further still it was rejected before the party bases even got the chance to vote on it.
Topics such as government hacking, vulnerability management and intelligence oversight made it in the final draft of the coalition treaty as already predicted in the last policy debate. Additionally, the ongoing coalition talks as well as the recent publication of the VEP charter led to an intense discussion about Germany's lack of a vulnerability management process.
From a general political perspective, there are four options for the coalition talks going forward. First, the public and political pressure will force the four parties back to the negotiation table. Second, the second strongest party, the social democrats (SPD), will revoke their strong stand against forming a coalition again with Angela Merkel's conservative party (CDU and CSU) and enter coalition talks. The third option is for the CDU and the Green party to form a minority government. And the last option is reelections. Reelections will probably not lead to a significantly different outcome - CDU/CSU pairing up with two smaller parties or the two major parties, SPD and CDU/CSU, forming a coalition. A minority government is (almost) unheard of in the German political setting, and both the FDP and the SPD have reiterated not wanting to enter coalition talks (again) - there is no confident take on what is going to happen.
What is important to keep in mind though is that the German administration still functions. The day-to-day business of governing continues as usual and the minister heads are still in office albeit limited in what new initiatives they can start. Thus, operational stability is not an issue.
Therefore, we expect to see the TCF topics being reflected in the next round of talks as well - regardless of what party is involved.
Leaked final draft of the coalition treaty [German]
Legal framework for the transitionary period between two governments [German]
Political statement on cyber security for the coalition talks, issued by the Stiftung Neue Verantwortung [German]
Political Survey after the coalition talks ended [German]
Transatlantic Cyber Forum
Policy Debates | December 7, 2017
Issue: German Ministry demands workarounds for digital security mechanisms
Track: Encryption Policy & Government Hacking and Intelligence Governance & Oversight Innovation
On November 30th, Germany's Federal Minister of the Interior Thomas de Maizière (CDU) was reported to be drafting a proposal that would legally mandate third party entities to allow for secret surveillance. Maizière recommended this policy in response to how increasingly difficult it is for security services to overcome security systems without alerting a suspect of an investigation. As an example, he cited that alarms for cars today have become so sophisticated that the owners are sent electronic notification at the slightest hint of tampering. The policy also signaled to industry that the state should receive exclusive access rights to Internet connected devices such as smart home appliances. Lastly, there was specific mention of “kill switches” where the government would retain the right to turn off private citizens computers if it were discovered that such devices were a part of a Botnet. This would be seen as a pre-emptive strategy by the government to stop criminals from the spreading infected programs. The report of such a policy prompted a swift backlash from activists, industry and politicians alike who are concerned about the digital and physical effects of such policies.
It is important to keep in mind that the coalition government for Germany has yet to be formed. As such, the government will not pass any laws or amendments unless they are considered extremely urgent. Additionally, if we take the historical long view, the Ministry of Interior has held firm on its no-backdoor, no-encryption-regulation policy since 1999. Maizière's policy proposal then would be a major shift away from how the Germany government traditionally approaches the issue of backdoors. What is more likely, is that the proposal is not a major shift in policy but rather a targeted one seeking specific goals. For example, in the case of the suspect with the car, the government would mandate the intermediary that is forwarding tampering alert text messages to not deliver the alert to the suspect. This would then allow the security services time to plant a surveillance device which would have had to been approved by a respective judicial authority. Similarly, it the same process would be required for smart home devices. Any notion that the proposal seeks backdoor access to, for example switch on microphones of smart TVs, was firmly rejected by the Ministry of Interior when questioned by reporters. Furthermore, ISPs have already been authorized to apply a "walled garden" approach to computers of their users which are infected by a botnet until they are disinfected. Legislative basis covering this has been passed in 2015 as part of the IT-security law. According to a statement from the Ministry issued after the first report, "kill switches" were never up for debate. Lastly, the policy proposal does underline that a precondition for all measures including surveillance activities would need judicial approval.
Like many governments, Germany is trying to develop policy that keeps pace with technological change while addressing (traditional) surveillance in responsible ways. Currently, the political atmosphere is one where little change will occur across all ministries as coalition talks progress. It is unlikely that the Ministry of Interior seeks to implement backdoors but rather looks for ways to require manufacturers and service providers of digital security systems to support law enforcement operations in any way they can short of implementing backdoors.
Initial report of Thomas de Maizière’s proposed policy [German]
Report about the Ministry's reply to an enquiry for details [German]
Article with statements from German politicians [German]
The Local - German government wants ‘backdoor’ access to every digital device: report [English]
Authors: Dr. Sven Herpig
Transatlantic Cyber Forum
Policy Debates | April 6, 2018
Issue: Coalition agreement of the new German Government
Track: All TCF tracks
In February, after five months of coalition talks among different parties in Germany, Merkel’s party the Christian Democrats (CDU), the Social Democrats (SPD) and the Christian Social Union (CSU) agreed on a coalition agreement and consequently formed the new government in Germany. The coalition agreement which determines the goals and viewpoints of the government coalition affects also the topics the Transatlantic Cyber Forum deals with. Issues that are not mentioned in the coalition agreement are not impossible but difficult to put on the government’s agenda. Likewise, goals in the agreement will be tackled during the governing period as they serve as indicator for the government’s success during its legislation period. We have summarised the main points of the coalition agreement and shortly present our take on the goals of the government.
The coalition agreement emphasises its support for the use of encryption. It aims to make encryption available for everyone and supports the communication of standards, such as PGP and SMIME.
Our Take: This is consistent with the German government’s general notion about becoming encryption country number 1. This follows the government’s take since 1999 not to weaken encryption or mandate backdoors. However, for this government strong encryption goes hand in hand with government hacking, enabling law enforcement agencies to tackle the perceived “going dark” challenge.
Government Hacking & Vulnerability Governance
Despite its support for encryption, the coalition agreement states clearly that this must not in any way hinder law enforcement to do their work. Police is supposed to have the same means for investigation as it has offline. The parties argue that there should be no difference if a suspect is using traditional communication or encrypted online communication. Government hacking as a means to enable this, is not explicitly mentioned. The agreement also discusses the problem of using the retrieved digital evidence. Specifically, the German government wants to take the European route and focus on the EU cyber initiative “Justice in Cyberspace/E-Evidence” about handling digital evidence with the purpose of balancing privacy, the right of providers and companies with the general values of an open and free online community. In this context, the concept of “data ownership” that the CDU has introduced last term and is controversially discussed, comes into play again.
Vulnerability management is only discussed in the context of businesses but not as a form of government vulnerability disclosure. The parties state in the agreement that companies and providers have to make vulnerabilities public when they know them and fix them as soon as possible.
Our Take: The statements let us believe that we will have a continuation in government hacking legislation. The argument around law enforcement stayed the same and if any, manifest or may expand the support for government hacking even though the term is not explicitly mentioned. Vulnerabilities are seen more in the context of a threat to consumer rights. It makes no mention about a relation to government hacking - and hackbacks - and the need for government also to disclose known vulnerabilities. However, that vulnerabilities are even recognized and mentioned is a step further and could smooth the work for a government vulnerability disclosure process which we have confirmed is in the works at the Federal Ministry of the Interior, Building and Community.
Liability and Responsibility
The importance of consumer protection online is emphasised. Two goals are the creation of clear liability rules that will be set in place and research to test how certain cyber security insurance models could work. Here the government aims to balance the responsibility of all involved stakeholders, such as companies, consumers etc.
Our Take: This topic has been debated intensely in the past few years without coming to a conclusion so far. Therefore, it makes sense to include it in the agreement to further the discussion leading to concrete results.
In the area of cyber defense, the German government aims to discuss ways of defending and preventing cyber attacks better. In the agreement, soft means, such as the creation of better defense sensibilisation is supposed to be achieved for all stakeholders and intensified for specific target groups. Moreover, the government wants to modernize education and training to include digital and cybersecurity skills. It has also put emphasis on defending and preventing attacks against the critical infrastructure and aims to explore means to do that.
Our Take: Here we can see at best an intensification of the sensibilisation measures which goes hand in hand with the cybersecurity strategy goals of 2016. Interesting is however, that it is vaguely stated that the government wants to explore means to defend and prevent. In earlier versions of the agreement, government hackbacks were a clear option - this is now watered down but not off the table as recent discussions show.
Cybersecurity Organizational Architecture & IT Security Standards
The government proposes several organisational changes in the context of cybersecurity. One is a national cyber security pact which aims to bring together all important stakeholders (manufacturer, provider and user as well as the public administration). Furthermore, an update to the IT legislation is supposed to make the Federal Agency for Information Security (BSI) more neutral and independent ultimately making it the central agency for cyber security. The BSI would take up a broader advising role for state and federal administration, gain further responsibility for consumer protection. Here it will become the central agency for certification and standards such as giving out seals of quality (“Gütesiegel”) for IT products which would show how long the provider has to give updates for hard- and software. The IT security legislation will be expanded to reflect the greater role of the BSI. This also goes along with the emphasis to create products that abide by security by design.
The Federal Ministry for Defense and the Federal Ministry of the Interior, Building and Community will establish an agency with the task to research disruptive innovations in cybersecurity and key technologies as well as an IT security fund for security relevant key technologies.
Last but not least, the government created the position of State Minister for Digitalisation in the chancellery. Dorothee Bär (CSU) was appointed, with the purpose of coordinating the efforts of different ministries (e.g. transport & infrastructure, interior, economy). She is the former state secretary for digital infrastructure in the Federal Ministry of Transport where she focused on support of digital education, computer games.
Our take: We have been supporting the efforts to strengthen the BSI. It is an improvement,even though it will still be under the umbrella of the Ministry of Interior, Building and Community which also houses the research agency that explores means for government hacking (ZITiS), as well as the domestic intelligence agency (BfV) and the Federal Office for Criminal Investigations (BKA).
The new State Minister for Digitalisation has more of a symbolic power as the German government seems to have recognized that digital policy is interconnected and spans across all ministries and that a coherent strategy may be a good way to move forward. Ms. Bär does not have a strong record of experience when it comes to cybersecurity, so we have to wait and see which direction she will take on the subject. So far, she has been outspoken against data retention and the infamous network enforcement law but on the other hand regards data protection as an unnecessary barrier for digitisation. She does not have a large group of employees to assist her but relies on the employees and political will of the Ministers of the relevant ministries.
E-governance and Security
In a short sentence it is mentioned that the government aims to introduce a form of online administration which makes communication with the government easier. Furthermore, it is proposed to use a form of electronic ID to authentify citizen for these services.
Our Take: As of now, the security aspects are not talked about. The statements argue for usability and easy access. Here it will be interesting to what extent the security of design concept which is mentioned in other parts and expected by private sector products is implemented and who would support the implementation as the German government lacks sufficient IT security personal. Additionally, Germany already has an existing electronic ID which has failed to become mainstream as citizens will be asked to choose whether they would like to have it activated on their national ID or not. Marketing and use cases of the ID have been bad in the past which led to a low adoption rate.
Law Enforcement Power
The Federal Agency for Criminal Investigations is supposed to increase its workforce and is going to be expanded as the central hub for police-relevant-data. Moreover, the government wants to implement an investment fund for the IT of German police forces. In the area of criminal investigation the data transfer between justice and police is supposed to be improved. In this context, the German government wants to create a basis for sharing data that is relevant for criminal investigations among EU countries. Closing holes in the prosecution of people who are found guilty for criminal activity online or spreading illegal online content are aimed to be closed.
Our Take: Increasing the police’s workforce seems like a prudent move but it is unclear if there will be sufficient adequate applicants for those positions. In the past, this has proven quite challenging. Data sharing has lately been further on the EU level as well and seems - for Germany - also to be response to the 2016 terrorist attack in Berlin.
Foreign Policy and Cybersecurity
The German government states that it aims to protect key technologies from sale or acquisition which would in any way limit the use of certain important technologies. In order to do that, the German government wants to add the relevant national and European regulatory means to enable this. The digitalisation of the armed forces (Bundeswehr) is supported and continues.
Our Take: Protecting the crown jewels of German tech has been discussed for quite some time under the term “technological sovereignty” without yielding any meaningful results other than the hotly disputed “no spy agreement”. Apart from the Snowden revelations, one reason was BlackBerry’s acquisition of Secusmart. Secusmart developed a hardened smartphone for the German government which is being used by for unclassified and lowly classified communication.
The university of the German armed forces has gained professorships in the area of cybersecurity and the reserve personal is supposed to be engaged more closely in the area of cybersecurity in form of a cyber community that includes civil and military personal. They too however have problems to find suitable personal. The question here is to what extent an expansion in cyber capabilities is useful, if it cannot be used to defend civilian infrastructure as the Bundeswehr is strictly separated.
Conclusion: Overall, we see a continuation of the last term of the grand coalition and a great focus on inner security and expanded cyber powers for law enforcement which is not necessarily good for cybersecurity. The emphasis on citizen’s rights is strong only in the context of consumer protection. We can expect to have the government hackback discussion appear again. Almost all of the positive developments we identified during the prior coalition talks between the Liberals, Greens and Social Democrats - the only party of those three which is now in power - cannot be found in this coalition agreement.
 In the past, Germany’s national cyber security agency has even provided funding for the further development of PGP4Win.
 The Federal Ministry of the Interior has been expanded and renamed in “... of the Interior, Building and Community”.
 Soll der Bundes jetzt zurückschlagen? https://www.morgenpost.de/politik/article213686139/Hackerangriffe-Soll-der-Bund-jetzt-zurueckschlagen.html
 Our political positioning for the post-election period 2017/2018: https://www.stiftung-nv.de/de/publikation/umfassende-cyber-sicherheitspolitik-fuer-deutschland-20
- Coalition Agreement [German] https://www.cdu.de/system/tdf/media/dokumente/koalitionsvertrag_2018.pdf?file=1
- Das digitale bekommt eine Staatsministerin [German] https://www.zdf.de/nachrichten/heute/das-digitale-bekommt-eine-staatsministerin-100.html
- Warum zurückhacken keine gute Idee ist [German] https://www.computerwoche.de/a/warum-zurueckhacken-keine-gute-idee-ist,3544641
- Soll der Bundes jetzt zurückschlagen? [German] https://www.morgenpost.de/politik/article213686139/Hackerangriffe-Soll-der-Bund-jetzt-zurueckschlagen.html
Transatlantic Cyber Forum
Policy Debates | June 8, 2018
Issue: "German Vulnerabilities Equities Process"
Track: "Encryption Policy & Government Hacking"
In September 2017, Germany's Federal Ministry of the Interior, Building and Community first announced that it was considering developing a Vulnerabilities Equities Process (VEP) for Germany. This followed inter alia increasing public pressure to address the issue of vulnerability handling after the government took several steps towards a more offensive stance in cyberspace, including extending a legal mandate for government hacking, consolidating its military cyber forces, and creating a centralized agency for procuring hacking tools and vulnerabilities. Moreover, there have been extensive and ongoing discussions about active cyber defense -- so-called hack backs (see past TCF policy debates).
During a public panel discussion on June 6th, the Head of the newly created Department for IT- and Cyber Security at the Federal Ministry of the Interior, Building and Community, shared first insights into government plans regarding a "German VEP”. The government representative officially described the discussion on the panel as a first step in this debate, which should be ongoing and continue to include different stakeholders, as solutions to different facets of the problem need to include expertise and experience from all sectors. The Federal Ministry of the Interior, Building and Community extended an invitation for further discussion to other stakeholders in order to assist the Ministry’s work in developing a German Vulnerability Equities Process through public debate and possibly other means.
The government representative also said that his Ministry is currently not retaining any zero-day vulnerabilities. Asked whether that was also true for the Federal Ministry of Defense and the Foreign Intelligence Agency (BND) he said that he could only speak on behalf of the Federal Ministry of the Interior, Building and Community.
The Stiftung Neue Verantwortung (SNV) and Germany's Federal Academy for Security Policy organized this panel. The government representative was joined on stage by Ari Schwartz (Venable LLP), Lucie Krahulcova (AccessNow), and moderator Sven Herpig (SNV), all of whom are experts contributing to the Transatlantic Cyber Forum.
The Transatlantic Cyber Forum has advocated for a public debate about this issue in Germany since last year. It managed to get the Federal Ministry of the Interior, Building and Community interested in this debate. The Ministry has expressed strong interest in the work that the TCF has done on the VEP; this is a valuable opportunity for the TCF to have a direct impact on the VEP policy-drafting process in Germany.
- Cyber-Sicherheitspolitik in Deutschland Konferenz [German]
- TCF Policy Debate "Official Announcement about the Central Authority for Information Technology in the Security Domain", January 2017
- TCF Policy Debate "Establishment of Germany’s Cyber Command", April 2017
- TCF Policy Debate "German government discusses hackbacks", June 2017
- TCF Policy Debate "Intensification of targeted surveillance of suspects via so called ‘state trojan’ software", June 2017
Transatlantic Cyber Forum
Policy Debates | August 9, 2018
Issue: Active Cyber Defense in Germany
Tracks: "Encryption Policy & Government Hacking" and “Cyber Defense & Political IT Infrastructures”
Since 2015 when threat actors penetrated the IT systems of the German Parliament, security and intelligence agencies in Germany have been pushing for a legal framework enabling them to conduct active cyber defense. Since then, technical and (international) legal experts as well as civil society and private sector representatives have been pushing back against this idea.
For the last twelve months, this issue has been rather dormant due to unusually prolonged coalition talks after the federal elections last year, which prohibited the formation of a government. While the new coalition treaty - the jointly agreed document specifying policy priorities of the governing parties - does not explicitly state active cyber defense as a goal, representatives of security and intelligence agencies are making their rounds to convince policy-makers and the public of the need to strike back in cyberspace. Draft concepts discussing specific measures which should be part of an active cyber defense legislation are currently drawn up in the respective agencies.
Due to also somewhat counterproductive public and political debates referring to all kinds of different definitions and measures without finding any common ground, we saw the need to talk to representatives from the respective ministries as well as security and intelligence agencies and create the first comprehensive overview of suggested activities under the umbrella of “hackbacks”/ active cyber defense for Germany.
Suggested activities range from requesting virtual images of compromised servers from Internet Service Providers and web hosters, to hacking domestic and foreign IT systems, and even conducting Distributed-Denial-of-Service attacks to disrupt attackers’ infrastructures.
The German debate is entirely focused on the civilian agencies in the public sector with the intelligence agencies currently being thought of as bodies for implementation.
Distinct from this, the new cyber division of the armed forces is legally allowed to conduct offensive cyber operations, following conventional and existing procedures: parliamentary approval and state of defense.
It is not yet fully clear how the government is going to approach the legislation that aims to govern active cyber defense in the civilian sphere. It is likely that a comprehensive change to the current legislative framework enabling said activities would require a two-thirds majority in parliament. The ruling parties CDU/CSU and SPD do not have this kind of majority. Additionally, a good number of members from the SPD seem to not support this issue. We therefore expect (most) active cyber defense provisions to be injected in the planned legislation for protecting critical infrastructures -- the second version of the IT security law -- which we will likely see next year.
- TCF Policy Debate “German government analyses offensive cyber capabilities, so-called “hackbacks”, May 2017
- TCF Policy Debate "German government discusses hackbacks", June 2017
- TCF Policy Debate “Coalition agreement of the new German government”, April 2018
- Comprehensive overview “Hackback ist nicht gleich Hackback” [German]
- TCF Policy Debate “Establishment of Germany’s Cyber Command (CIR)”, April 2017
Author: Dr. Sven Herpig
Transatlantic Cyber Forum
Policy Debates | September 3, 2018
Issue: “German DARPA” to be established
Track: All TCF tracks
Inspired by DARPA and its Israeli counterpart, the German Ministers of Defense and Interior announced on August 29 the setup of a new “cyber agency”. This new agency will be tasked with identifying and funding cutting-edge research of offensive and defensive cyber technologies for both civil and military purposes. Compared to existing programs it is explicitly asked to fund high-risk high-potential “disruptive” German research endeavours in their early stages even though many of them might fail to lead to any breakthrough or final product. Although the funding has not yet been approved by the government, the Ministries foresee a budget of around 200 million Euros (~234 million USD) over the course of the next 5 years with 80% of it to be spent on research funding. The funding is supposed to be increased later on. The two main arguments for establishing such an agency were: less bureaucracy and more high-risk funding to catch up with the digitization and making Germany more secure.
The new government has only formed a couple of months ago and the first major initiative after the summer break has to do with cyber security. That is good news and signals what priority this issue takes on the political agenda. Furthermore, Germany is willing to acknowledge that it has fallen far behind other countries when it comes to digitalization and especially to an extent with cyber security research.
Unfortunately, that is where the good news end. From the information available it is unclear why the already existing German institutions that are funding (cyber security) research should not receive additional financial resources and be enabled to engage with more risky research projects. There are already the Ministry of Research and Education, the Cyber Innovation Hub of the Army, the Federal Office for Information Security and the only recently established Central Authority for Information Technology in the Security Domain. In addition to giving the funding to those already existing agencies and allowing them to undertake more risky research endeavours, the establishment of a coordinating body would have probably been more efficient than an entirely new agency, because setting up an agency creates additional bureaucracy (e.g. administration) and does not reduce it.
Another issue is how this “German-only” funding for cyber security research projects will be perceived on the EU-level. After all, the security field of the 80 billion Euros EU research programme Horizon 2020 is funding similar projects already.
Germany acknowledging and being willing to do more to advance German cyber security research is definitely a good thing. Whether this particular approach is fit to do just that remains to be seen. When competing with the likes of the United States, China and Israel, a consolidated EU approach seems much more promising.
- Germany creates DARPA like Cybersecurity Agency
- Setup of a new Cyber Agency [Video/German]
- TCF Policy Debate “Official Announcement about the Central Authority for Information Technology in the Security Domain”, January 2017
- Horizon 2020
Author: Dr. Sven Herpig
Transatlantic Cyber Forum
Policy Debates | January 10, 2019
Issue: “Germany's cybersecurity policy 2019 – what to expect"
Track: All TCF tracks
Issue: Developments of the cybersecurity architecture
1. Expansion of cybersecurity research institutions, such as the Agency for Innovation in Cybersecurity and other cybersecurity research hubs
In order to protect Germany from future cyber attacks and to ensure that the country will be a leading innovative force in the field of international cybersecurity, the German cabinet agreed on launching an "Agency for Innovation in Cybersecurity" in 2018, led by the Federal Ministry of Defence (BMVg) and the Federal Ministry of the Interior (BMI). This agency’s work will kick off in 2019 with a an investment of €200 million over the next 5 years. Research projects will focus on cybersecurity technologies protecting national as well as international security with a special emphasis on radical and highly innovative approaches. Comparable to the Defense Advanced Research Projects Agency (DARPA) in the US, the agency will also help Germany to become more independent and develop its own key technologies in the field of cybersecurity. The German government also continues to fund three main cybersecurity research hubs, KASTEL in Karlsruhe (The Competence Center for Applied Security Technology initiated by the Federal Ministry of Education and Research (BMBF)), CISPA in Saarbrücken which becomes the new Helmholtz-Zentrum for Information Security and CRISP in Darmstadt, the new National Research Centre for Applied Cybersecurity. The main research topics that the government is looking to fund are IT concepts for Industry 4.0 and applied scenarios for post-quantum-cryptography.
The US budget for DARPA is roughly 0.017 % of the country's GDP as compared to Germany which plans to spend roughly 0.00127% of its GDP on the newly founded cyber security research agency. In that regard, the US spends 13 times as much money on it compared to Germany. So it remains to be seen what Germany’s research agency can actually achieve. Its effectiveness would depend on its research focus which is not yet publicly known. Close cooperation on research topics across the Atlantic would be beneficial as well. A good development is the support of research hubs and universities that have developed at state level. They receive more and more national and international recognition and funding. The expertise emerging from those hubs should be monitored globally.
- https://www.heise.de/newsticker/meldung/Bundesregierung-schafft-Agentur-fuer-Cybersicherheit-4150079.html (German)
- https://www.bmi.bund.de/SharedDocs/kurzmeldungen/DE/2018/08/cyberagentur.html (German)
- https://www.politico.eu/article/germany-to-launch-darpa-style-agency-to-develop-cyber-defense/ (English)
2. Expansion of the Federal Office for Information Security (BSI) and Cyber Defense Center
Firstly, in light of growing threats through cyber attacks, and due to a new mandate that was set in the coalition agreement of the governing parties CDU and SPD, the German Federal Office for Information Security (BSI) will cooperate more closely with the federal states. The BSI will offer its support and advice to the federal states on techniques to set standards and build structures in order to achieve a high level of cyber security state-wide. Depending on the state, this can take different routes and the cooperation is defined in individual agreements with the states. Some model partnerships with Hessen and Rheinland-Pfalz were already initiated in 2017, as well as in 2018 with Lower Saxony, North Rhine-Westphalia, Berlin, the Saarland, Baden-Württemberg, Saxony and Thuringia. It can mean, for example, that the BSI, based in Bonn, will create local offices across Germany to assist states in their cybersecurity efforts and actually provide on-site staff support. In other partnerships, the support looks more like a close coordination and information sharing effort. In early 2018, Bavaria was the first of the German federal states to invest in its own cybersecurity agency separate from the BSI, the Landesamt für Sicherheit der Informationstechnik (LSI). The BSI plans to share its know-how and best-practices and work closely with them but would not necessarily open an office in Bavaria.
Secondly, the coalition agreement imagined an expansion of the cyber defense center, a platform hosted by the BSI in which all relevant cyber experts from different government agencies meet and coordinate when a cyber attack occurs. Currently this is an information-sharing hub. This year it will be discussed to what extent the hub become a more operationalized unit and further include representatives from federal states and the private sector. It is unclear if BSI will continue to host this newly formed Cyber Defense Center Plus. Operationalization may include the creation of a joint threat landscape which is currently still left to the individual ressorts.
This is an interesting development and an attempt to bring cybersecurity expertise and cyber readiness on the state level. The approach that the BSI is setting up offices in states that need more support than others, is useful. It strengthens the agency overall. That some states create their own agency is normal in federalism and thus far not problematic if they are working closely with the BSI together. It will however raise the competition for a skillful workforce. States should really start educating their own staff.
The changes to the cyber defense center are still discussed mostly behind closed doors.
- https://www.br.de/nachricht/mittelfranken/inhalt/landesamt-fuer-sicherheit-in-der-informationstechnik-startet-100.html (German)
- https://www.bsi.bund.de/DE/DasBSI/Aufgaben/Bund-Laender-Koop/Bund_Laender_node.html (German)
- https://www.bsi.bund.de/DE/Themen/Cyber-Sicherheit/Aktivitaeten/Cyber-Abwehrzentrum/cyberabwehrzentrum_node.html (German)
- https://blog.bwi.de/raus-aus-der-defensive-cyberabwehr-in-deutschland/ (German)
Issue: Recent Policy Developments
1. Cybersecurity seen as a cross-cutting issue in new digital strategy
The German Federal Government recently launched its so-called “Digital Strategy” that results in a an implementation strategy based on a five-point plan covering areas, such as digital skills, infrastructure and equipment, innovation and digital transformation, society in digital change, and modern state. The content of the strategy was developed over the past year with all cabinet members. Now the focus lies on the strategic implementation. For this the government has put forth some very specific indicators and some not so specific indicators to measure the success of the strategy. It will be constantly updated and reviewed, which can be tracked on the website digital-made-in-de. Cybersecurity is seen as a cross-cutting issue. Its success indicators range from “acknowledging cybersecurity in every action of the digital implementation strategy” to the more concrete step of funding more secure IT in hospitals through a ‘hospital infrastructure fund’.
The implementation plan of the digital strategy is basically a more transparent document that outlines specific activities that are being done by different ministries and aims to achieve holistic governance despite clear separation of government departments. There were no surprises when the plan was published. Nevertheless, it is positive that cybersecurity is seen as an important issue that spans across all policy fields and actions. However, we would have expected a more specific idea of how this looks in an implementation plan.
2. The rise of e-government as a challenge, and reason for broader cybersecurity efforts
All German government services will be available online by the end of 2022. Achieving this goal is a focal point of the digital implementation strategy and an ambitious goal for the upcoming years. It comes with two major challenges: cybersecurity and federalism. “Federal, state and municipal officials so far only know who will be responsible for 347 of the 575 administrative services destined for online. It only means they know which state or city will develop the application so everybody can use it” (Heide, 2018, in Handelsblatt). In order to ensure that this transition will run smoothly, the concern of the security of information is a focal point. Until 2021 the government wants to offer digital health records but data protection and data security experts as well as consumers and patients associations are sceptical about the security.
Cybersecurity in Germany becomes a prerequisite for those services to be adopted but also a reason to expand the portfolio of cyber attack responses. As State Secretary and Federal CIO at the Ministry of Interior Klaus Vitt noted the new threat landscape demands the expansion of responses, e.g. active cyber defense (see below) and the Cyber Defense Center (as was discussed before). Moreover, the challenge is also that the cybersecurity agency, BSI, has only limited legislative allowance to demand standards or assist state level authorities with cybersecurity. We may therefore see a discussion on whether legislative action is needed that may change the current cybersecurity architecture, so that the BSI gains more authority on state level to fulfill their tasks. This needs to be discussed among federal and state representatives.
- https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2018.pdf?__blob=publicationFile&v=5 (German)
- https://www.saarbruecker-zeitung.de/sz-spezial/internet/verbraucherschuetzer-fordern-freiwillige-und-sichere-digitale-patientenakten_aid-35407509?output=amp&__twitter_impression=true (German)
- https://www.handelsblatt.com/today/politics/bureaucracy-1-0-germany-lags-getting-government-services-online/23583302.html?ticket=ST-3709095-eKE0cZgAHFMQVjph9ybo-ap5 (English)
- https://www.bundesregierung.de/breg-en/service/the-digital-strategy-of-the-german-government-1550216 (English)
- https://www.udldigital.de/it-sicherheitsgesetz-2-0-bmi-skizziert-erste-weiterentwicklungen/ (German)
- https://www.udldigital.de/zukunftskongress-staat-und-verwaltung-bundes-cio-klaus-vitt-zu-e-government-und-it-sicherheitsvorhaben/ (German)
3. Active Cyber Defense
The topic of this year's annual conference of the Federal Criminal Police Office (BKA Herbsttagung 2018), which took place from Nov 21 - 23, was "Security in an Open and Digital Society". The president of the BKA, Holger Münch, announced that a new cyber crime department will be founded and the issue of active cyber defense was addressed. Not only the Federal Criminal Police Office demands a discussion on the need for active cyber defense. Horst Seehofer, German Interior Minister, supported the idea of active cyber defense during the Nuremberg Digital Summit, saying that it should exist as an option of last resort and also his State Secretary and CIO Vitt mentioned that a discussion on the issue is needed. So far, active cyber defense - or a so called hack-back - is lacking a legal base in Germany. A legal analysis by the research and legal until of the Parliament was made public and concluded that there are several issues concerning the legality of active defense when it comes to international law.
Active Cyber Defense has been debated more openly since the 2015 hacking of the German parliament. Currently, there is no legal basis for active cyber defense apart from a military cyber response when invoking self-defense or as part of a parliament approved military mission. Unfortunately, the public discussion has not evolved much in the past few years with hardliners on both sides spouting populist pseudo-arguments. We have drafted and published an overview of possible active cyber defense measures and consulted government officials and members of parliament on the issue. We expect to see concrete legislative action in Q1/Q2. While it will likely take constitutional changes (requiring a two third majority in parliament) to fully implement the active cyber defense requirements of the government, the opposition and possibly even one of the ruling parties are not expected to support the amendments. Therefore, we might see an active cyber defense bill light which doesn’t touch constitutional provisions or alternatively any changes buried deep in the new cyber security law which is supposed to be passed in Q2/Q3 this year.
- https://www.heise.de/newsticker/meldung/BKA-Chef-fordert-neue-Kompetenzen-und-schafft-Cybercrime-Abteilung-4229760.html (German)
- https://www.heise.de/newsticker/meldung/Cyberabwehr-Seehofer-befuerwortet-Hack-Back-als-Ultima-Ratio-4239426.html (German)
- https://www.handelsblatt.com/politik/deutschland/innere-sicherheit-rein-defensive-cyberabwehr-reicht-der-regierung-nicht-mehr/22892284.html?ticket=ST-3494358-9oilm4b590dPTHdZm79e-ap1 (German)
- https://www.bundestag.de/blob/560900/baf0bfb8f00a6814e125c8fce5e89009/wd-3-159-18-pdf-data.pdf (German)
4. AI & Cyber Security
In the German government, the use of AI in cybersecurity is mainly discussed from the angle of using AI to secure systems better or detect cyber threats. A team of the German Federal Office for Information Security (BSI) participated in the annual CHES (Conference on Cryptographic Hardware and Embedded Systems) Challenge and won. The BSI uses technologies of artificial intelligence and machine learning to set and further develop national and international cyber security standards. For the CHES Challenge 2018, the participants solved tasks dealing with AES (Advanced Encryption Standard) implementations and combined conventional cryptography techniques with artificial intelligence. In civil society, academia and industry experts, the negative effects of AI on cybersecurity are discussed more and more. The so-called Adversarial Machine Learning, when an adversary manipulates an AI to achieve a certain outcome or the use of AI to deploy a cyber attack is becoming a focus of some cybersecurity experts and research groups.
The new Transatlantic Cyber Forum working group will however set its focus on securing AI and machine learning against threats. This will become very important as Germany starts to implement its AI strategy.
When it comes to machine learning and artificial intelligence, the German government is still in its infancy. That the national cyber security agency has already dedicated resources to further its research in the area is a first step in the right direction. The work of the newly formed TCF working group therefore has the potential to achieve a relevant impact.
- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2018/KI-Sicherheitskonferenz_14112018.html (German)
- https://www.zeit.de/digital/internet/2017-04/kuenstliche-intelligenz-hacker-neuronale-netze-pertubation (German)
- https://theconversation.com/artificial-intelligence-cyber-attacks-are-coming-but-what-does-that-mean-82035 (English)
- https://www.eset.com/de/about/presse/pressemitteilungen/pressemitteilungen/was-bedeutet-kuenstliche-intelligenz-fuer-cybersecurity-3-prognosen/ (German)
- https://www.eco.de/wp-content/uploads/2018/12/KI_Cybersecurity_Diskussionsgrundlage.pdf (English)
5. Constitutional Complaint against State Trojan/Government Hacking Legislation from 2017 and Right to Encryption
In August, the data protection organization Digitalcourage and the Gesellschaft für Freiheitsrechte has filed a constitutional complaint against the use of the so-called state trojan. Shortly after, many politicians across the entire political spectrum followed and criticized the use of the state trojan as well, which allows monitoring of communications in messenger services such as WhatsApp. In 2019 we may expect the results of the constitutional complaint. Moreover, politicians from the Liberal Party (FDP) filed a motion on the right to encryption that gained some support from the Greens and the Social Democrats.
- https://netzpolitik.org/2018/nrw-ablehnung-der-herausgabe-von-unterlagen-zum-staatstrojaner-haelt-rechtlicher-pruefung-nicht-stand/ (German)
- https://www.hessenschau.de/politik/verfassungsbeschwerde-gegen-staatstrojaner,kurz-staatstrojaner-100.html (German)
- https://blog.avira.com/de/verfassungsbeschwerde-gegen-bundestrojaner/ (German)
- https://www.bundestag.de/dokumente/textarchiv/2018/kw48-de-recht-auf-verschluesselung/580082 (German)
6. Shortage of IT-security personnel
Due to the demographic shift and a shortage of skilled workers, including science and IT-related professions, the SPD has insisted on a new law, facilitating immigration for those who can fill the gaps. Since the shortage does not only affect jobs carried out by people with university degrees but also those occupations requiring qualified vocational training, the new law assesses several key issues: recognition of degrees and especially vocational training acquired abroad, employability of non-EU immigrants (companies do not have to ensure anymore whether a German or EU citizen could be employed instead), and an easier travel entry in order to search for work. One other legislation, the “Qualifizierungschancengesetz” (English: Law for Qualification), aims to make it easier and cheaper for businesses to send their employees to get qualification. The private sector however argues that this form will not be effective.
Instead of developing a holistic and focused analysis that will lead to a strategy to tackle the shortage of cybersecurity, the German parties are debating an immigration reform. Unfortunately we cannot expect a major and holistic strategy of Germany to tackle the shortage of cybersecurity personnel in public or the private sector. The immigration reform could help short-term but looking at the global shortage of cyber security personnel, it is unlikely that Germany, especially given its fairly low wages for cybersecurity experts, will be their first choice. Germany really needs a long-term strategy to tackle the lack of a cybersecurity workforce. The law that aims to create easier and cheaper access to further learning opportunities may also fall short of its expectations as there may be simply not enough educational courses and cybersecurity skills are not necessarily developed within the offered three to four weeks time spans. Further educational efforts and incentives may need to be implemented.
- http://www.spiegel.de/politik/deutschland/fachkraefte-zuwanderungsgesetz-wirtschaftsverbaende-machen-druck-auf-regierung-a-1244111.html (German)
- https://www.dw.com/en/germany-sets-out-new-law-to-find-skilled-immigrants/a-46381146 (English)
- https://www.dw.com/en/germanys-new-immigration-laws-open-door-for-skilled-labor/a-45734442 (English)
- https://www.sueddeutsche.de/politik/zuwanderung-es-hakt-noch-1.4255564 (German)
- https://www.bmas.de/DE/Service/Gesetze/qualifizierungschancengesetz.html (German)
- https://www.handelsblatt.com/politik/deutschland/qualifizierungschancengesetz-unternehmen-erwarten-korrekturen-beim-weiterbildungsgesetz/23197444.html?ticket=ST-3727404-OIzeinZDJz4N9E5DBRPf-ap5 (German)
7. IT-Security Law 2.0
A new legislation that updates the original IT Security Law from 2015 is being drafted right now - the IT Security Law 2.0. The legislation is expected to broaden the application of IT security measures to a wider group of institutions and services. In order to achieve that, it is being discussed to switch from the definition of supply-critical to IT-critical. Then industries like the chemical industry which heavily rely on IT would be included. At the same time, it is being discussed to possibly lower the criteria for becoming critical infrastructure. Then the federal security agencies would have a better overview of what needs to be secured on the state level as some services are sole supplier in certain areas are not large enough to hit the supply-criticality on a national level under the current standards. Another important factor is the question of regulating supply-chain-security and the use of certification, security labels and liability. The EU Cybersecurity Act helped to set some framework under which conditions this can be legislated.
No draft has been publicly circulated yet, therefore it is difficult to assess this legal approach in detail. For most parts that have been discussed so far, it seems like a reasonable addition to the existing IT Security Law. However, there are two shortcomings that we can see so far. First, the current version of the draft appears not to cover additional security measures for voting IT-infrastructure and political parties, something that we have been advocating for. Things might however change with the fallout of the leak/doxxing of German politicians that was discovered in early January 2019. Secondly, it is possible that amendments which do not directly relate to the official intention of the law, for example active cyber defense provisions, will be buried somewhere inside the proposal.
- https://www.udldigital.de/it-sicherheitsgesetz-2-0-bmi-skizziert-erste-weiterentwicklungen/ (German)
- https://www.com-magazin.de/news/sicherheit/bundesinnenministerium-plant-nbsp-it-sicherheitsgesetz-20-1578575.html (German)
- http://europa.eu/rapid/press-release_IP-17-3193_de.htm (English)
- http://www.spiegel.de/netzwelt/web/daten-von-politikern-und-prominenten-geleakt-was-wir-ueber-taeter-und-opfer-wissen-a-1246406.html (German)
8. Vulnerability Management System
In 2018, the Ministry of the Interior, Building and Community started developing a national vulnerability assessment and management process, similar to the Vulnerability Equities Process (VEP) in the US. Though not much is known about the process yet, the Ministry officially announced the process in June 2018 during a conference jointly organized by the Federal Academy for Security Policy and the Stiftung Neue Verantwortung.
The first draft of the concept is supposed to be shared with the respective Ministries and security agencies shortly, if it has not been circulated already. We are expecting to see the concept go (more) public within the next couple of months. The development of the process has been inspired inter alia by the UK and US counterparts as well as likely by the work that the Stiftung Neue Verantwortung has done within the Transatlantic Cyber Forum.
Transatlantic Cyber Forum
Policy Debates | April 8, 2019
Issue: “The National Cyber Defense Center"
Track: All TCF tracks
The creation of the National Cyber Defense Center (German: Nationales Cyber-Abwehrzentrum, „Cyber-AZ“) in Germany was announced as part of the Cyber Security Strategy adopted in 2011. It is an information and cooperation platform for several authorities with the aim to prevent and counter cyber-attacks through intensified cooperation. The Cyber-AZ, with headquarters in the German Federal Office for Information Security (BSI) in Bonn, is not an independent authority, but rather an association of various authorities, exchanging information on (operative) cyber security in Germany while remaining within their respective area of responsibility/competence. The cooperation itself is regulated by administrative arrangements between the authorities. The agreements can be retrieved online, based on a request under the Freedom of Information Act (IFG).
In the coalition agreement signed in 2013, the CDU/CSU and SPD agreed to expand the capacities of Cyber-AZ. However, details of what this expansion might look like were only addressed in the Cyber Security Strategy for Germany adopted in 2016. It states: "As a joint institution, it will be further developed into a central cooperation and coordination platform. In the future, the Cyber-AZ should be equipped with own assessment and evaluation capabilities and create an up-to-date report on the cyber security situation in Germany.“
To what extent this project has been implemented is hard to estimate based on the publicly available information. Moreover, it was in the context of the Cyber Security Strategy of 2016, that the involvement of the German federal states was explicitly mentioned for the first time.
In the coalition negotiations in 2017, the topic was addressed again, but the 2018 agreement remains very vague in its demands. The position of the BSI should be strengthened and likewise the "security authorities in the prosecution and prevention of cyber crime [through the] creation of a necessary legal, organizational as well as technical framework“. The claim to strengthen the Cyber Defense Center was not discussed again until the beginning of 2019, when the personal data of different Members of the German Bundestag were leaked.
Structure and mode of operation
Members working together in the Cyber-AZ include representatives from the Federal Office for Information Security (BSI), the Federal Office for the Protection of the Constitution (BfV), the Federal Office for Civil Protection and Disaster Assistance (BBK), the Federal Criminal Police Office (BKA), the Federal Police, the Customs Criminal Office, the Federal Intelligence Service (BND), the German Armed Forces (Bw), the Military Counterintelligence Service (BAMAD), and the Federal Financial Supervisory Authority (BaFin). The authorities are staffed by representatives of these ministries, either as permanent staffers of the Cyber-AZ, or as rotating staff. With 8 employees, the largest representation is sent by the BSI. The supervising operators of critical infrastructures (KRITIS) are also part of Cyber-AZ. The Cyber-AZ spokesperson is BSI President Arne Schönbohm. In its structure, Cyber-AZ is similar to the Joint Counter-Terrorism Centre.
The cooperation of the authorities in Cyber-AZ is characterized by its own perception as an information and cooperation platform. The participating authorities contribute insights and perspectives from their respective fields in order to avoid cyber attacks at an early stage. They discuss topics such as weaknesses of IT products, vulnerabilities, different forms of cyber-attacks and criminal profiles.
By exchanging information and knowledge, risks related to cyberspace can be analyzed and evaluated holistically. At the end of this collaborative process, a recommendation for actions to be taken is formulated based on the experience and knowledge of the authorities involved. Products developed by the Cyber-AZ include the „Cyber-Lage“, a daily situation report on cyber security, as well as an annual report. Additionally, analyses of specific cases are conducted as well.
Moreover, the „Cyber-Sicherheitsrat“, Cyber Security Council, (Cyber-SR) periodically receives recommendations from the Cyber-AZ. The analyses conducted by the Cyber-AZ include both intelligence and police information.
Since its creation in 2011, both the operation and structure of the Cyber-AZ have evolved. The forms of cooperation include daily briefings, working groups, project based groups and workshops - depending on the duration of the task and the topic. In the course of becoming more and more a platform for cooperation, the initial structure of associated and core authorities (shell model) has been replaced. Instead, a steering committee decides the focus of the work and sets up the working groups.
The Cyber Defense Center plays a significant role in Germany's cyber security architecture. Similar to the Cyber Security Council, which brings together relevant actors on a political and strategic level, the Cyber-AZ provides an inter-agency platform for operational cooperation. It fulfills an essential function in terms of coordination and communication between the multitude of authorities that provide cyber security in Germany. Before the creation of the Cyber Defense Center, such a platform did not exist, and activity in the field was highly siloed.
Previously, the Cyber-AZ has been criticized for both its products as well as the coalition itself. The cooperation of different authorities may lead to a mixing of police and intelligence services and is therefore regarded as a violation of the so-called principle of division of authorities („Trennungsgebot“).
Furthermore, in an internal report of the Federal Audit Office in 2014, the Cyber-AZ was strongly criticized as well. Not only was the platform insufficiently staffed to meet its objectives, it was also questionable what the concrete result of the collaboration was. Additionally, there was a lack of competence witnessed and it was unclear what actually happened in the case of a cyber attack. The criticism expressed can also be attributed to the fact that since its creation, the Cyber-AZ not only tries to unite the different expectations of the authorities involved, but also their different ways of working, their "cultures" and their willingness to share their knowledge. Conflicting approaches in dealing with cyber attacks (including "counseling culture" versus "culture of persecution") make cooperation difficult, as well as a restrained willingness to share one's own knowledge and information. Furthermore, in terms of structures and public perception, the BSI's great influence became apparent. Not only does the BSI make up a large proportion of the workforce, the one-sidedness of the input was also frequently criticized. BfV and BBK reportedly provided very little information; about 98% of information contributed was done so by the BSI at the beginning. Though it can be questioned whether solely the BSI can be held responsible for this, it illustrates the potential for improvement of the Cyber-AZ in its role as an information and exchange platform with a number of different agencies, not only the BSI.
In the overall view of these criticisms, it becomes clear that the collaboration of several authorities in Cyber-AZ is a balancing act between compliance with the „Trennungsgebot“ on the one hand and an effective and balanced flow of information on the other.
Finally, the question regarding the cooperation with and dissociation from other institutions within the BSI, such as the „CERT-Bund“, Computer Emergency Response Team (CERT) for federal agencies, and the „IT-Lagezentrum“, IT Situation Centre, (IT-LZ) has been raised. Due to similar work areas, there was a risk of redundancies and duplications in the structure. However, the focus of the „CERT-Bund“ and the „IT-Lagezentrum“ is the immediate, specific response to incidents, handling the situation, as well as technical restoration. The Cyber-AZ, on the other hand, focuses more on information sharing and coordination of actions.
The Cyber Defense Center Plus
Since the founding of the Cyber-AZ, the challenges as well as the authorities have further developed. It is, therefore, a logical next step to expand the Cyber Defense Center and turn it into a Cyber Defense Center Plus. The envisaged increased connection between the federal and state levels, as well as the cooperation with selected companies are both useful strategies. The former could also be a way to prevent some of the federal states from creating their own offices for Information Security, so-called Landesämter für Sicherheit in der Informationstechnik, (LSI). While computer emergency response teams (CERTs) are an important (technical) point of connection on the state level, the creation of independent LSIs threatens to worsen the already existing lack of specialists in public administration and create parallel structures.
An extension of the Cyber-AZ is most effective when the Cyber-AZ remains in the Federal Office for Information Security (BSI), which - according to the legal framework - is „the central reporting institution for cooperation of the national authorities in matters of security in information technology“.
The limited personnel resources of the Cyber-AZ are outweighed by its access to the broad and in-depth technical expertise of BSI professionals. Plus, the IT Situation Center is located in the BSI as well and in case of a crisis, it becomes the IT Crisis Response Center, a central element for the technical processing and coordination of IT security incidents.
Currently, various models and connections of Cyber Defense Center Plus are discussed. An affiliation of the Cyber-AZ Plus to the Bundeswehr, intelligence services or police is not recommended - not only due to a less developed expertise, but also because of a possible loss of trust of important cooperation partners in the industry, academia, civil-society and even other authorities. The cultural and legal frameworks of the police and intelligence services can pose another challenge. While the police, during the acquisition of information about an offense, is obliged to immediately initiate investigations (Legalitätsprinzip), intelligence services often hold back information to either facilitate the process of solving a crime or to make counterintelligence possible. None of the aforementioned aspects are true for the BSI, whose mission is to strengthen IT security. A possible affiliation of the Cyber-AZ Plus to the Bundeswehr is also not possible simply because no cyber attack on Germany has passed the threshold for a military reaction. Because the BSI guarantees IT security at a technical level, they should be the starting point of any Cyber-AZ Plus process. German cyber security policy has been shaped by its focus on IT security and a strict separation of the civil and military domain. The protection of IT systems and networks should clearly be prioritized over solving crimes, law enforcement or other repressive measures.
Therefore, the extension process into a Cyber Defense Center Plus has to take into account the criticism. It is in many ways reasonable and in some areas, the problems are „homemade“ by the federal government. Naming an information and cooperation platform (at the time of the creation in 2011) a "Defense Center" raises unfulfillable expectations – especially given past and current resources and task allocations. It was never the goal of this institution to repel a cyber attack. There are authorities currently responsible for this, such as the Federal Office for Information Security, the Federal Criminal Police Office, the Bundeswehr or even the Federal Office for the Protection of the Constitution. All these authorities are members of the Cyber-AZ. The primary focus of Cyber-AZ so far has been bringing together the most important actors in order to facilitate the exchange between them. This is a key task, and it is difficult to judge whether the Cyber-AZ has been able to fulfill it. The exchange between authorities can also be viewed critically: How is the cooperation between police authorities and intelligence services in the Cyber Defense Center in compliance with the „Trennungsgebot“? There is no public information accessible to answer this question. More transparency around cooperation of the authorities participating in the Cyber Defense Center is necessary.
Conclusion and legal framework
Similar to the Central Office for Information Technology in the Security Sector (ZITiS), there is also no legal mandate for the Cyber Defense Center. The representatives of the authorities involved in the Cyber Defense Center act according to the legal basis of their respective authorities. This is the case for the technical and legal supervision, as well as the parliamentary and legal control. An establishing legislation would presumably be limited to a minimum level of competences and powers, as these are already granted to the relevant authorities.
The focus of such a law would therefore be the legal establishment of the Cyber-AZ Plus as well as the structural cooperation between the various authorities (including, inter alia, scope and modus operandi of the information exchange). The creation of an agency under law would presumably require a change in the constitution (eg. transferring of the process of emergency response in cyberspace from state to national level). In order to promote transparency and facilitate the embedding of the Cyber Defense Center in the existing architecture of authorities, it would make sense to create a clear legal basis for executive actions. Moreover, this would certainly improve understanding and the public perception of the role and work of Cyber-AZ. This is especially important when the cooperation with actors from industry and countries is expanded as part of the Cyber-AZ Plus conception and thus the Cyber-AZ can fulfill its important role in the heart of the German cyber security architecture.
Authors: Sven Herpig and Clara Bredenbrock
Transatlantic Cyber Forum
Policy Debates | May 15, 2019
Issue: Active Cyber Defense
Track: All Tracks
The German Ministry of the Interior, Building and Community has been very active drafting bills lately. At the end of March, Netzpolitik, a news outlet focusing on digital rights and internet policy, leaked the Bill to Harmonize Constitutional Protection Law (domestic intelligence law). In the beginning of April, the draft IT-Security Law 2.0 followed. Both bills aim to massively expand the security agencies’ authorities. And they have another thing in common: Both laws bring active cyber defense back to the negotiation table.
For about two years, a simplified active cyber defense “model” has been discussed in official security circles. This model gives an overview of the digital options when reacting to cyber attacks – sorted by their level of intensity. The first stage is about support to impede attacks. In stage two, concrete threats shall be spotted and attackers trapped, e.g. by using honeypots. Stage three foresees the tracking of data extracted by adversaries. Stage four would allow security agencies to hack attackers’ devices and change or delete data saved on them. The last stage would enable the government to respond through Distributed Denial-of-Service (counter) attacks with the goal to deactivate the attacker’s IT-infrastructure.
There is already a legal basis for some of the corresponding measures for the first three stages. The IT-Security Law 1.0, passed in 2015, requires Internet Service Providers to inform their clients in case their computers have been infected with malware. Since corresponding EU provisions  have been implemented, Internet Service Providers can deny Internet access to devices that are, for example, infected with malware.
Although the recent public parliamentary hearing on information security also touched upon the active cyber defense model, it has still not been circulated publicly. The Office for Criminal Investigations (German FBI) developed this classified model.
To shed light on the opaque policy making process and push for a more nuanced public debate, we have published our own “Model for Explaining Active Cyber Defense Measures” with information we were able to gather from the government and related expert discussions. According to this definition, active cyber defense is “an active countermeasure in the cyber domain, below the threshold for armed conflict, that is designed to defend against and/or attribute a cyber attack”. Based on currently available information, this definition is similar to the one used by the German government internally.
The government wants to introduce several competencies for active cyber defense through the new IT-Security Law. According to the draft bill, the Federal Office for Information Security (civilian and purely defensive version of the NSA, tasked inter alia with protecting government networks and critical infrastructures) will be allowed to use sinkhole servers to reroute botnet traffic and set up honeypots to better study attack techniques. Furthermore, the bill will authorize the Federal Office for Information Security to mandate Internet Service Providers to limit, reroute or halt their services in case of disruptions. If, for example, a system is disrupted due to a Denial-of-Service attack, the agency could command the Internet Service Providers to reroute this harmful data traffic or suppress it. If the bill passes unaltered, the Federal Office for Information Security can also instruct Internet Service Providers, if certain conditions are met, to purge infected IT systems (e.g. through remote patching or removing malware). Technical details on how that is supposed to work operationally are murky at best.
The bill also includes new regulations in case illegally obtained or published data is transferred through the networks of telecommunication providers and platforms. When providers become aware of it, they must inform the Office for Criminal Investigations immediately, block access to the data and delete them where appropriate. These measures can also be ordered by responsible authorities like police.
Domestic Intelligence Law
The new competencies for domestic and foreign intelligence services in the new domestic intelligence law weigh even heavier. The Federal Office for the Protection of the Constitution (German domestic intelligence agency) will be given authority to use malware to collect data from domestically based IT systems and infrastructures, including for attribution purposes. Similarly, this shall also apply to the Federal Intelligence Service (German foreign intelligence agency). There is one caveat: if the bill passes unchanged, the Federal Intelligence Service will be able to conduct government hacking operations abroad as well as in Germany against German targets.
Conclusion and Outlook
Apparently, the coalition treaty, a non-binding yet politically powerful agreement between the governing parties, was ignored during the drafting of both laws. The treaty states that when competencies of security agencies are to be broadened, this must be accompanied by parallel and appropriate expansion of parliamentary oversight. Additionally, the minimum standards for government hacking which have been developed by the Transatlantic Cyber Forum and published last year have been ignored so far. While the standards have been presented to the government, and several of them are already being implemented, the new bills do not include the remaining ones. That would be a necessary requirement for prudently limiting the new powers given to the security agencies by these laws.
The legal basis for even more invasive measures like the take-over of attacker infrastructures or Distributed Denial-of-Service counterattacks will likely be included in another legislative package later this year.
Transatlantic Cyber Forum
Policy Debates | October 31, 2019
Issue: Right-Wing Attack in Halle: New Security Laws Do Not Always Help
Track: Encryption and Government Hacking
This op-ed has been published by ZEIT Online and translated by us. The original piece can be found here. Wording of the original applied.
After the attack in Halle, the CDU/CSU demands more competences for German security authorities. This should include an objective evaluation of what they are currently capable of.
Do we need stricter safety laws to prevent attacks like the one in Halle? No, say Sven Herpig, Head of International Cybersecurity Policy at the Berlin-based think tank, Stiftung Neue Verantwortung (SNV), and Ulf Buermeyer, Chairman of the civil rights organization Gesellschaft für Freiheitsrechte (GFF). In this guest article, they argue why the governing conservative parties (CDU/CSU) are cleverly using the attack in Halle in their own interest and why it does not necessarily help to give the security agencies even more powers, for example in accessing WhatsApp messages.
Just one day after the terrorist attack at a synagogue in Halle that left two dead and several injured, the political debate on how security agencies can better protect people in Germany against (right-wing) terrorism was ignited. Of all parties in the Bundestag, the CDU/CSU's demands have so far been the most far-reaching: CDU politician Mathias Middelberg (who is on the Committee on Internal Affairs and Community) demanded that the domestic intelligence agency (Bundesamt für Verfassungsschutz) be given access to encrypted communication channels such as WhatsApp. In addition, telephone and Internet providers would be obliged to gather data on communication behaviors of the entire population and not to delete it for a certain amount of time.
The proposed measures were not developed over night. They are part of a larger bundle of legislative changes, which domestic politicians have been proposing for more than half a year, and are now revisiting. These include reform plans with bulky names such as the "Harmonization of Constitutional Protection Law" (Harmonisierung des Verfassungsschutzrechts), the "IT Security Act 2.0" (IT-Sicherheitsgesetz 2.0), or the deliberate installation of backdoors in messaging apps. These reforms will grant German security agencies and intelligence services even more powers than they already possess.
When can we speak of complete surveillance?
Some of these laws were said to have been passed before the summer recess. Due to massive criticism, also from the social democrats-led Ministry of Justice, the internal drafts were subjected to further revision. After the attack in Halle, it is now likely that the CSU-led Ministry of the Interior will try to push the complicated reforms in a type of package for quicker progression through the parliament. Such an approach would unfortunately fit the reputation of the Minister of the Interior Seehofer, who recently said that laws had to be made sufficiently complicated in order to keep criticism as low as possible. From the point of view of the ruling CDU -- who apparently considers it politically advantageous to implement tougher domestic policies -- this approach is understandable. But when it comes to finding effective measures against terrorism, this is the worst possible course of action. The main reason for this is that there is no time for an independent external analysis of the proposed legislation. Terrorism experts, security researchers, and the general public would have no opportunity to critically discuss whether the planned measures could actually provide better protection against rightist terrorism, irrespective of political bias, and what hits this would entail for citizens.
Doubts about the effectiveness and proportionality of further-reaching powers are warranted, and an empirically-founded, critical discussion of security policy in recent years is long overdue. For the past two decades, the capabilities to spy on the population in Germany have been continuously expanded. While ruling on data retention in 2010, the Federal Constitutional Court (Bundesverfassungsgericht) already decided that further expansion of surveillance powers must be considered in the context of all existing surveillance measures. Lawyer Alexander Roßnagel later described this as a "total surveillance account": Under constitutional law, powers cannot be viewed in isolation; rather, attention must be paid to the extent to which the monitoring of the population as a whole is achieved. It would simply not be compatible with the human image of the constitution if more and more so-called "security packages" were stacked on top of each other at the federal and state level, which together would enable the population to be almost completely monitored by government agencies.
Instead of demanding ever new laws that successively shrink the privacy of citizens in a kind of salami tactics, a more rational approach is necessary. It could be simple: the federal government and individual states would have to examine, in a joint body with independent scientific support, which powers security authorities already have. Then, on the basis of concrete incidents, this could be analyzed to determine whether the problems are actually caused by a lack of legal leeway - or whether the reasons are to be found in the lack of use of existing powers or in poor coordination between the numerous bodies on federal and state levels.
The effectiveness of previous laws has never been evaluated
Many of the powers that the Minister of the Interior recently demanded for intelligence services could, for example, have long since been used by the police and the judiciary. Instead of granting authorities further far-reaching powers, the solution could be to define the responsibilities more clearly and to put an end to the co-existence (and, often, opposition) of security authorities. Instead, the expansion of security legislation is being pushed forward, in some cases with massive encroachments on the fundamental rights of citizens according to the motto: it has long been possible to investigate everything, but not every agency can do it yet.
In May of this year, the Federal Commissioner for Data Protection and Freedom of Information, Ulrich Kelber, called for a moratorium on security laws. This is an interesting idea that has received far too little attention so far. In essence, the point is that the federal government must not introduce any new security laws until certain conditions have been met.
Kelber himself does not see the already enshrined powers of the security authorities exhausted. However, these conditions should also include that the federal government and the states continuously and scientifically establish and publish "surveillance accounts". Furthermore, the evaluation of security laws, which is laid down in the respective legislation, must inevitably be carried out. The first IT security law, for example, provides for a partial evaluation, which would have been due in the summer. Although the Ministry of the Interior is working on extending this law, according to current knowledge, it has not even submitted the evaluation of its predecessor. It would also be important to know whether the challenges in previous (botched) terrorism-related investigations are really due to a lack of powers on the part of the security authorities or other problems. If the problem was not the lack of powers, then there is no need for new ones.
New legislation does not mean effective legislation
As an opponent of such a moratorium, one can, of course, argue that it paralyzes the legislative process and that any subsequent terrorist attack is a direct consequence of the moratorium. But that would be purely polemic. On the one hand, the required conditions for new security laws are a basic component of good legislation. Just because there are new laws does not mean that they are effective. New powers, which are based neither on empirical evidence nor on an evaluation of existing powers, sometimes cannot ensure security more effectively than no legislation at all, but can cause harm if they deepen the current confusion of competences - disregarding the negative effects on fundamental rights. On the other hand, it would have the advantage that the federal government would finally have to differentiate its laws between public security powers and others, for example measures for IT security. It is possible that the IT Security Act 2.0 will have already passed through parliament without this mixture of public security and IT security.
Of course, a moratorium would be a bold move -- but if it were combined with an honest evaluation of where the problems actually lie, it would be a much better (and urgently needed) attempt to improve the security architecture in Germany. Ultimately, it is a matter of developing laws and responsibilities that meet the high standards of transparency, effectiveness, legal certainty and the protection of fundamental rights. In a democracy, especially one with Germany's history, we can all agree that these standards are needed, especially when it comes to encroaching on our fundamental rights. But if you consider that the Ministry of the Interior has constantly drafted laws in the past which were subject to review by the Federal Constitutional Court (at least in part) and that the Minister of the Interior has questionable, if not undemocratic, ideas about the legislative process, then such a moratorium, together with empirically based evaluation, is currently not only the single tried and tested means, but also a great opportunity. In this way, Germany could be given a security architecture that would be more effective and more respecting of fundamental human rights than it is today.
Transatlantic Cyber Forum
Policy Debates | November 22, 2019
Issue: The One Dimensional 5G Policy of the German Government
Track: Encryption and Government Hacking
This op-ed has been published by Frankfurter Allgemeine Zeitung and translated by us. The original piece can be found here. Wording of the original applied.
Jan-Peter Kleinhans, Project Director ICT Supply Chains & Geopolitics
Stiftung Neue Verantwortung (SNV)
Last summer, a Europe-wide debate was sparked on how to deal with Chinese 5G equipment - for the next generation of mobile communications. The United States, Australia, Japan and a handful of European Member States view having network components from Huawei and ZTE (two Chinese network suppliers) as a threat to national security. The fear is that the Communist Party of China (CPC) could pressure both manufacturers to disrupt foreign networks. As a result, the German Federal Network Agency (BNetzA) recently issued new IT security requirements for German network operators. However, this purely technical measure is not even close to sufficiently solving the problem. The German government still has yet to address the industrial and foreign policy challenges.
From the start, the government understood it as a strictly technical problem. That is why the BNetzA and the Federal Office for Information Security (BSI) were entrusted with the revision of IT security requirements for German network operators: Technical authorities finding technical solutions to technical problems. Neither the Ministry of Economic Affairs nor the Federal Foreign Office were commissioned to prepare their own risk assessments.
The current criticism of the safety catalog is based on the fact that the unique risks associated with the use of Chinese vendors were not addressed. Chinese vendors can continue to operate in the German market despite the stricter requirements. The new requirements definitely make our future mobile networks more secure, as they apply to all manufacturers and operators to the same extent. However, not all manufacturers are "equal". Chinese network equipment providers pose a higher risk than their European competitors - Nokia and Ericsson. This higher risk does not come from Huawei and ZTE providing products of inferior quality, but rather comes from the ability of the Chinese Communist Party to take drastic measures and to exert pressure on Chinese manufacturers. Such a risk can hardly be reduced by technical measures.
How likely it is that the Chinese government would want to compromise a foreign telecommunications network (equipped with Chinese components) is, however, a geopolitical and not a technical question. There is, however, no geopolitical answer yet.
The problem has another dimension, which requires an industrial policy response: thanks to state subsidies and economies of scale, Huawei could easily push European competition out of the market in the long run. Regardless of IT security risks, continued unimpeded market access for Huawei and ZTE carries the risk that Europe could be left behind in a key technology. The US has recognized that China's economic protectionism distorts competition and sees the danger for Nokia and Ericsson. The US is even considering how to support both companies financially. Chinese network suppliers therefore represent not only a technical but also an industrial-political challenge. There is, however, no industrial policy answer yet.
In the coalition agreement, the government postulated that Germany would become the "leading market for 5G". It should, therefore, be asking itself how to become the leading market without strategically investing in European technology. To minimize the "Huawei Question" exclusively to IT security is negligent and short-sighted. How to handle Chinese 5G network equipment must be considered from different perspectives: IT security, national security, foreign trade and industrial policy. If this does not happen, important dynamics may be overlooked and any policy would be blind to long-term negative effects on both the economy and society.
Transatlantic Cyber Forum
Policy Debates | April 9, 2020
Issue: Digital Location Tracking, Contact Tracing and Quarantine Enforcement in Times of COVID-19 - The German Debate
Amid the COVID-19 pandemic, like so many other governments around the world, Germany is discussing the need for digital solutions to conduct location tracking and contact tracing for virus containment. The German government seems to follow the “hammer and dance” approach of strong epidemiological authority and initial suppression through social distancing (“the hammer”) as well as long-term efforts to keep the virus contained until a vaccine is developed (“the dance”). Location tracking and contact tracing could be tools to support the long-term efforts. However, the world faces a pandemic and an unprecedented health crisis, and many tools that would not usually be considered appropriate under privacy considerations are being discussed as possible measures for a state to take. This is the case even though data protection is known to be a crucial sociocultural aspect of German society. It is therefore necessary to square this circle and balance health and surveillance concerns.
From Location Tracking to Contact Tracing
The public debate started when Deutsche Telekom repeatedly shared anonymized location data of customers with the Robert Koch-Institute, Germany’s disease control agency. By comparing data sets, health authorities can understand whether the society is complying with containment measures at a broader scale. Privacy advocates and data protection lawyers criticized this approach, questioning whether sharing this type of data with the government is “useful or proportionate, even in a time of crisis” (source). German Health Minister Jens Spahn (CDU) has been one of the most prevalent voices of the German government advocating for the use of tracking and tracing apps to contain the virus. After the draft legislation for an amendment to the Infection Protection Act (“Infektionsschutzgesetz”) was leaked prior to its submission to the German Bundestag in the end of March, it received significant pushback -- specifically a paragraph that would have allowed use of personal smartphone location data to identify contacts of infected citizens without their explicit consent. The leaked proposal was criticized by the Federal Ministry of Justice, other institutions and experts. Since then, however, Spahn dismissed this paragraph and has won approval along party lines for promoting public discourse around a voluntary solution to track infections. The current political agreement seems to be a Bluetooth-based contact tracing app similar to Singapore's TraceTogether or Austria’s Stopp Corona app. Prior to this development, the government temporarily advocated for phone tracking solutions (GPS and triangulation) following the South Korean example. The Economic Council of the CDU even promoted credit card tracking and motion profiles, likely to be inspired by South Korea as well.
Bluetooth-based contact tracing will be an addition to the existing number of German-language digital solutions (e. g. information dashboards, self-diagnosis apps and localized disaster warning apps) that already exist or are currently under development as part of government-run COVID-19 Hackathon. One of these digital solutions is a recently published app (“Datenspende”) by the Robert Koch-Institute, that evaluates pseudonymized health data from users’ smartwatches and fitness bracelets, and matches them with zip codes and personal body data to understand the development of symptoms and identify possible hotspots of infections.
Towards a Joint European Solution?
Simultaneously to the debate on foreign apps, hundreds of scientists and engineers are working on the development of a European solution. Seventeen institutions from across Europe are currently developing a Bluetooth-based (BTE) peer-to-peer contact tracing solution called “Pan-European Privacy-Preserving Proximity Tracing” (PEPP-PT). Rather than an app, it will be a standard that can be adapted and integrated into various apps and allows for communication between them. PEPP-PT could serve as a European solution that is decentralized enough to be integrated into national efforts regarding apps while enabling the much-needed data exchange, so that European member states can “dance” together.
Practical Challenges and the Way Forward
German efforts in finding a technical solution that protects user privacy is accompanied by other questions as well. It is up to discussion whether a voluntary tracing app would reach critical mass, and what that would be, and thus whether this would achieve adequate usage among German society. Estimates say that more than half of the population with access to smartphones (76 percent of German citizens older than 16 years) would have to download a contact tracing app to break infection chains.
The German debate on COVID-19-related digital solutions reflects the struggle to balance health and privacy and surveillance concerns, especially in emergency situations. There is no German discussion on quarantine enforcement solutions (e.g. “geofencing”) yet. If Germany implements a tracing app in the upcoming weeks, it will likely follow a decentralized peer-to-peer Bluetooth-based (BTE) solution. The devil however, as they say, is in the detail. The launch of the Datenspenden-app (“data donation”) of the German disease control agency on April 7 has been accompanied by harsh criticism for the solution’s lack of anonymization, lack of approval from the Federal Data Protection Officer, opaque IT-security audit, use of centralized 3rd party servers for data aggregation and inclusion of IoT devices. Coming from the same agency that is also supposed to offer the national contact tracing solution in the coming weeks, it leaves much to be desired.
- Corona-Datenspende-App, Robert Koch-Institute.
- Coronavirus: The Hammer and the Dance, Pueyo.
- Coronavirus apps let people avoid high-risk locations in South Korea, Independent.
- Coronavirus-Krise: Bundesjustizministerin lehnt Handyortung ab, Heise Online.
- COVID-19 Digitale Lösungen in D-A-CH, Herpig.
- European mobile operators share data for coronavirus fight, Reuters.
- Germany aims to launch Singapore-style coronavirus app in weeks, Reuters.
- Help speed up contact tracing with TraceTogether, Gov.SG.
- How to restore data privacy after the coronavirus pandemic, World Economic Forum.
- Jens Spahn lässt Testballon steigen, Netzpolitik.
- Kommt jetzt die Corona-App?, Tagesspiegel.
- So funktioniert das digitale Infektionswarnsystem, Spiegel.
- So tracken andere EU-Länder, Tagesspiegel.
- Stopp Corona, Österreichisches Rotes Kreuz.
- Telekom übergibt zweiten Handydatensatz ans Robert Koch-Institut, Spiegel.
- Twitter, https://twitter.com/netzpolitik/status/1247447849023004672.
- Twitter, https://twitter.com/z_edian/status/1247584165823987713.
- Wer trackt hier wen?, Frankfurter Allgemeine Zeitung.
- Wie wir COVID-19 unter Kontrolle bekommen, Bundesinnenministerium.
- Wirtschaftsrat fordert mehr Corona-Tests und Tracking von Infizierten, Wirtschaftsrat Deutschland.
Transatlantic Cyber Forum
Policy Debates | May 19, 2020
Issue: International Arrest Warrant in Response to State-Sponsored Cyber Operation
In early May, Germany’s Federal Prosecutor issued for the first time in response to a state-sponsored cyber operation an international arrest warrant for a Russian national, Dmitriy Sergeyevich (dt.: Dmitrij Sergejewitsch) Badin. Badin is supposedly employed by the Russian Main Directorate of the General Staff of the Armed Forces (GRU) of the Russian Federation. He is believed to be part of "Fancy Bear", the Russian cyber operations group within the GRU. The international arrest warrant indicates that he is responsible for compormisingthe IT-infrastructure of the German parliament in 2015. The cyber operation gained access through Chancellor Merkel’s email accounts and other members of parliamentarian’s email accounts. At least 16GB of data was taken but it is still not sure which information was gathered in detail. Thus far, there has been no subsequent leaking of the extracted information which was expected by man to happen during the 2017 general elections. Baldin was already indicted by the U.S. government in 2018 for computer hacking, wire fraud, aggravated identity theft, and money laundering between 2014 and 2018. Allegedly he is responsible for breaking into Hillary Clinton’s presidential campaign emails. On May 13, Chancellor Merkel went on the record saying that there is “hard evidence” that points to Russia. She further states that she takes this very seriously.
Germany’s past responses to state-sponsored malicious activity
To analyse whether this is a shift in Germany’s response culture, it helps to look back: Thus far, the German responses to cyber operations conducted against it concentrated on prevention and operational response and its foreign policy actions are focused on developing norms to increase the stability of cyberspace, freedom of expression and building capacity in other countries. Cyber operations so far are not yet addressed as part of a broader foreign policy or security policy towards a certain country, for example with Russia. This is unlike the U.S. approach naming certain countries it is in conflict or in competition with including in cyberspace. Germany has not really openly threatened that it would impose costs either. Moreover, the German government has so far not been a driving force behind public attribution on the international stage. The only public attribution after a cyber incident was done by the Minister of Foreign Affairs in a press statement about the expulsion of Russian diplomats due to the Scripal incident, an effort led by the United Kingdom. Here the Minister of Foreign Affairs added that the expulsion was also done due to the cyber incident that affected the foreign office in 2018, saying that it was most likely Russian actors that were responsible for infiltrating the foreign office. However, public attribution to Russia had been done frequently by the former Head of Germany’s Domestic Intelligence. Whether this is an actual public attribution by the German government as it was only communicated through media channels by himself and not followed up by or embedded in other political actions or in a foreign policy approach towards Russia in an official German government statement.
Germany has not participated so far in any ‘coalitions of the willing and capable’ that were formed in reaction to major incidents and which attribute that incident to a state. Examples of a coordinated response by a coalition of the willing and capable was seen, most prominently after NotPetya, where Australia led a coordinated attribution effort. In February 2018, within days of each other, seven nations including Australia attributed the NotPetya cyber attacks to Russia. Even though the German government may have had access to confidential insights into the attack’s origins that the White House shared with German intelligence, Germany did not join the coalition. Germany has however supported the EU Council’s decision in reaction to WannaCry and NotPetya which condemns the attack, but did not attribute.
The international arrest warrant is the first response that publicly attributes a state-sponsored hacker. The Prosecutor's Office, the Federal Office for Information Security and private companies investigated the cyber operations by analyzing at least 300 servers. Germany requested for legal assistance in 23 states. According to Süddeutsche information was collected by the German federal police, the German federal investigative police and the U.S. and the Netherlands. The evidence had eventually persuaded the investigative judge at the federal court said Süddeutsche further.
Strategic shift in responses?
There are two significant differences in comparison to other past responses to cyber operations. One is the evidence that led to the arrest warrant that the German government is very confident in and the other is the acknowledgment that this cyber operation is part of a broader strategy that another state, in this case Russia, uses. Chancellor Merkel in the parliamentary hearing on 13th of May pointed to the “hard evidence” and explained that this is part of Russia’s hybrid warfare strategy which also includes “desorientation” and “twisting of facts”. This statement acknowledges that the cyber operation is a tactic within a broader strategy. Merkel in her statement about how this may affect the relationship with Russia, then clearly stated that although she will continue to work together with Russia, “the trustful relationship is disturbed”. This means that the act of a cyber operation does have an impact on the foreign and security policy of Germany towards Russia, however it is not signalled how exactly. Moreover, parliamentarians pressed her on the consequences against Russia. Merkel reacted by saying vaguely “of course we always reserve measures, also against Russia.” Merkel did not specify what those other measures are, but clearly signalled that other measures may follow suit. The way Chancellor Merkel frames the incident currently, it is about Russia’s and Germany’s relationship more broadly, which may also include another non-cyber incident that occurred where the Federal Prosecutor's Office is investigating a murder of a Georgian citizen in Berlin last December which could also lead to an indictment. This could mean that there may be a broader response towards Russia - not solely focusing on cyber operations.
The reaction to this cyber operation does not point towards a broader strategic shift in Germany’s responses to state-sponsored cyber operations as a whole but it signals that it is willing to go to great lengths - by contacting 23 states over five years to collect evidence - and then respond with legal measures. The response is however not embedded in a broader cyber diplomacy or international cybersecurity strategy that would make Germany’s responses to future cyber operations more predictable.
Next: EU sanctions?
Germany supported through the European Council decision adopted in June 2017, the establishment of the so-called EU Cyber Diplomacy Toolbox. It includes measures suitable for an immediate response to cyber incidents as well as elements to encourage cooperation, facilitate the mitigation of immediate and long-term threats, and influence the behavior of potential aggressors in the long term. These measures range from diplomatic and political to economic actions to prevent, detect or react to malicious cyber activities, including those that do not rise to the level of internationally ‘wrongful acts’ but are considered as ‘unfriendly acts’. This toolbox includes foreign policy tools including restrictive measures. In order to operationalize this, the Cyber Sanctions Regime was passed by a Council decision in 2019. Importantly though those responses can only be implemented if all member states agree.
What makes this case possibly a good fit for an EU level response is that firstly there were already at least two European countries (Germany and the Netherlands) involved in collecting evidence for attribution and secondly, there are more cyber operations affecting EU member states that were attributed to GRU or persons associated with the GRU by EU member states. In 2018 the Dutch intelligence caught four GRU agents trying to hack into the international chemical weapons watchdog’s headquarters in The Hague. And in 2017, five more member states (Denmark, Lithuania, Estonia, Norway, Latvia, Sweden, and Finland) publicly attributed or supported the attribution of NotPetya ransomware attack to the Russian military intelligence unit, the GRU. The sanctions regime can be applied against persons or entities that are responsible for cyber-attacks or attempted cyber-attacks. Sanctions may also be imposed on persons or entities associated with them. Restrictive measures include a ban on persons travelling to the EU, and an asset freeze on persons and entities. Hence, in theory those three cases could build the basis for the use of restrictive measures against the GRU as an entity or individual persons associated with the GRU.
In February 2020, it was reported that the EU considers sanctions against Chinese or Russian groups over hacking. Hence, it may be a possibility that the German response was just the first step and may be followed up with an EU response. For an EU response the question is however whether all member states would support the decision. Another major European power which puts special emphasis on the cyber domain is France. French President Macron has already in February called for using the sanctions regime against Russia but for election meddling. However, the French government has thus far not officially attributed the 2017 Macron email leaks to the GRU. For the German government there is also the question of whether Germany would use its own response measures against Russia, however they may look like, and then still join an EU response that is solely focused on the cyber aspect of the operation.
Author: Julia Schuetze
- Hackerangriff auf Bundestag - Haftbefehl gegen Russen - Politik, SZ.de
- EU Considers Sanctions Against Chinese, Russian Groups Over Hacking, Bloomberg
- Germany's Responses to Large Scale Malicious Cyber Incidents and Opportunities for AUS-GER future cooperation, KAS Online
- Cyber-attacks: Council is now able to impose sanctions,Council of the European Union
- Cyber attacks: EU ready to respond with a range of measures, including sanctions,Council of the European Union
- DMITRIY SERGEYEVICH BADIN, FBI
- U.S. Charges Russian GRU Officers with International Hacking and Related Influence and Disinformation Operations, U.S. Department of Justice
- Response to malicious cyber activities: Council adopts conclusions, Council of the European Union
- Rekonstruktion eines Cyberangriffs: Wie russische Hacker Angela Merkels Mailkonten knackten - DER SPIEGEL - Netzwelt
- Merkel macht Russland wegen Hackerangriffs schwere Vorwürfe
- Merkel macht Russland für Hackerangriff auf Bundestag verantwortlich
- Merkel blames Russia for ‘outrageous’ cyberattack on German parliament
- Visual guide: how Dutch intelligence thwarted a Russian hacking operation, The Guardian
- Blaming Russia for NotPetya was coordinated diplomatic action, ZDnet
- Germany to investigate Russia ties to Georgian murdered in Berlin, DW
- Macron calls for attribution, cybersanctions to stop Russian election meddling, Politico
Transatlantic Cyber Forum
Policy Debates | August 6, 2020
Issue: German Cybersecurity Policy Update
As the next federal elections to be held in autumn 2021 are approaching quickly, the federal government does not have a lot of time to push forward new legislation. Everything that has not been passed by late spring next year will have to wait until 2022. This is especially problematic for Germany’s cybersecurity policy as the respective Ministry has not yet yielded any success during the current legislature. Due to this, many proposals hit the public and parliamentary debate right before summer recess.
1. A new cybersecurity strategy for Germany
The current cybersecurity strategy is from 2016. With a newly appointed federal CIO, the Ministry of the Interior, Building and Community is pushing for the development of a new strategy to be published in 2021. At the end of July, the Ministry approached selected industry associations, civil society organisations, and research facilities to provide feedback to the 2016 strategy and suggestions on what should be included in the 2021 version. While it is noteworthy that the Ministry solicited advice from a range of stakeholders, the timing during the summer break and the relatively short period of two weeks for a response made it appear as if the government was not genuinely interested in substantiated feedback. Compounding this issue was the fact that the government did not offer any information or data on which an external evaluation can be based.
2. A new cybersecurity law for Germany
Since 2018, the Ministry of the Interior, Building and Community has been working on updating the 2015 IT Security Law. Hefty criticism of the first leaked version in 2019 and a not yet concluded 5G debate have led to long delays. The latest draft of the law, which we have criticised in-depth (write-up of the policy analysis available in German only), has not yet been introduced to the parliament as the government still has to wait for a response to its notification towards the EU. It is expected that the draft law will be discussed in parliament in September/October. While several aspects are questionable, this law would give internet service providers the legal authority to force-install updates and software on their customers’ computers (e. g. to take them out of a botnet). So far, the government has not presented any evidence that these mechanisms would be required. It also seems unlikely that it would be proportionate as less invasive mechanisms (e. g. ISP-mandated “walled garden”) were already introduced with the IT Security Law from 2015.
3. Changes to the intelligence and telecommunications law
The most problematic policy changes that are currently underway, however, are hidden away in two separate legal amendments. Changes to the telecommunication law (TKG) would extend its legal authority to additional services (e. g. OTT services), including instant messenger platforms such as WhatsApp. Additional amendments would force these service providers to assist government agencies in their government hacking operations. Amendments to the intelligence law (G-10), on the other hand, would massively expand the legal authority to conduct such operations - which so far can only be carried out by law enforcement - to include all of the country's intelligence agencies (write-up of the policy analysis available in German only). Should the legal amendments pass unchanged, as it seems right now, the government would, for example, be able to instruct internet service providers to install malware proxy servers or instruct companies to deliver targeted poisoned updates of their software (digest in German available here).
Transatlantic Cyber Forum
Policy Debates | November, 10 2020
Issue: Draft Law expands Surveillance Powers for Germany’s Intelligence Agencies.
A draft law expands surveillance powers for Germany’s federal and state intelligence agencies. It is backed by the ruling coalition of Conservatives (CDU/CSU) and Social Democrats (SPD) and will amend the G10 Act, the Act Restricting the Privacy of Correspondence, Posts and Telecommunications (Gesetz zur Beschränkung des Brief-, Post- und Fernmeldegeheimnisses), as soon as it passes the German parliament – which is just a matter of time. The law enables all of Germany’s civilian and military intelligence agencies on state and federal levels to conduct government hacking operations through “Quellen Telekommunikationsüberwachung (Quellen-TKÜ)”. Quellen-TKÜ allows for the surveillance of communication on end-user devices.
The Ministry of the Interior plans to apply this measure to investigate serious threats to the democratic constitutional state and the free democratic basic order. The draft law is met with widespread criticism of various organizations across sectors – including the Federal Commissioner for Data Protection Freedom of Information – due to its invasive and disproportionate nature, insufficient safeguards, and lack of empirical evidence backing the expansion of surveillance powers.
Author: Rebecca Beigel
- New hacking powers for German intelligence agencies, Kilian Vieth and Charlotte Dietrich
- GFF and Amnesty are challenging strategic mass surveillance, Gesellschaft für Freiheitsrechte
- Bundeskabinett beschließt Novelle des Verfassungsschutzgesetzes, Bundesministerium des Inneren, für Bau und Heimat
- BfDI kritisiert Quellen-TKÜ für Nachrichtendienste, Federal Commissioner for Data Protection Freedom of Information
Transatlantic Cyber Forum
Policy Debates | December 7, 2020
Issue: The German government plans digital predetermined breaking points
At EU level, Germany is driving forward the search for technical solutions to give security authorities insight into encrypted communication. This would weaken the IT security of all citizens.
During its EU presidency, the German government would have had a chance to put urgent issues on the European agenda. In the area of cyber security, for example, it could have tried to position Europe more strongly internationally as a counterweight to the offensive cyber strategies of the USA and China. Instead, it decided to attack secure, encrypted communications – one of the foundations of our digital life and the European economy.
Messengers such as WhatsApp, Signal or Threema use encryption so that no one, not even the app operators, have access to the respective communication content. This serves to protect against criminals, for example. However, intelligence services and the police have been criticizing for years that this would cause them to miss important information – without being able to prove this empirically. These pros and cons have in principle been known for decades under the keyword "crypto wars", and in Germany, for example, they were publicly criticized in June 2019: In an open letter, representatives of civil society, politics, industry and science opposed the plans of the German government to mandate backdoors in messengers. So far this protest has been successful, but now the German government is trying to push its idea forward at EU level.
The draft resolution of the German Council Presidency states that technical solutions must be found to enable security authorities to access encrypted communication content, especially in messengers.
The authors of the resolution don't want to let anyone see how exactly this is to be implemented at EU level. Instead, they refer to a future dialog with the operators of digital platforms and services. Apparently, the operators are to be encouraged to provide a technical solution for their products, either "voluntarily" or through regulation.
The fact is that the German government is attempting, via the EU level, to mandate digital predetermined breaking points for hundreds of millions of IT systems in Europe, thus apparently following the surveillance plans of its Anglo-American partners.
Their argumentation is that intelligence services and police could provide more security if there were such predetermined breaking points in encrypted communication – in other words, a master key for the security authorities. The arguments put forward are the big guns, for example the fight against international terrorism. But examples from the past and the public evidence speak against this view. The terrorist acts of the NSU and Anis Amris cannot be attributed to secure, encrypted communication; all relevant information was available to the investigating authorities.
One of the greatest and most acute security threats for Germany and Europe is the continuously increasing cybercrime. This is confirmed year after year by the situation pictures of the Federal Criminal Police Office and the Federal Office for Information Security. Malicious software regularly paralyses companies, public authorities, hospitals and other critical infrastructures, thus threatening society and the state. Could such dangers be countered by mandating predetermined breaking points in IT systems? No, on the contrary: It is possible that the criminals could even benefit from it, thereby further increasing the threat to the European economy and society. After all, these predetermined breaking points make IT systems less secure by design. At the same time, organized crime is already using in-house developments for messengers and may escape such predetermined breaking points anyway. This leaves unsafe messengers, which the European economy and society would then have to continue using because they have no other option.
Predetermined breaking points can be abused by government employees and cyber criminals can discover them. In addition to these challenges, which affect us directly and here in this country, weakening encryption would also have serious consequences for citizens in countries that surveil their populations. If these predetermined breaking points in messengers exist, then they are not only for Germany, but also for China, Saudi Arabia and other states. As a European state, one must be aware of these collateral damages.
It is a capital error of thought to say that one must limit the liberties a little bit by predetermined breaking points, so that there is more security. Because in truth there is simply less security for everyone.
The argumentation that the spread of secure, encrypted communication will make the work of the investigating authorities impossible may sound simple, but so far it has not been proven. There is no public evidence of how often terrorists have not been caught because they have used secure, encrypted communication. There is no overview or evaluation of the type and amount of data that investigative authorities have access to today and how this amount has developed over the last thirty years. What's more, the investigating authorities have access to so much data that a Central Office for Information Technology in the Security Sector (ZITiS) was created specifically to deal with big-data analyses, among other things. So instead of making it clear that the authorities already have more data than they can process, the police and the Ministry of the Interior only ever talk about the small amount of data to which the security authorities have no access.
But even if it were true that the security authorities do not have sufficient access to data, they could still use source telecommunication surveillance or online searches to infiltrate suspects' smartphones or forensically read them after seizure. These are powers that not only police forces, but all intelligence services are likely to be given, following the cabinet decision in October.
Today, security politicians can consult enough studies from science, industry and civil society to critically question constructed scenarios, individual cases or seemingly alternative proposals of the security authorities. At present, the German government has to put up with the accusation that it is letting itself be pulled in front of the carts of the security authorities. Germany as the driving force for cyber security in Europe is apparently becoming an enabler for worldwide surveillance.
Transatlantic Cyber Forum
Policy Debates | January 4, 2021
Issue: New Law Fosters IT Security of German Hospitals
With a new law, the federal government provides German hospitals with a funding volume of 4.3 billion euro as of January 1, 2021, to foster digitization and emergency capacities. In accordance with the new law, hospitals need to apply for funds but are required to spend at least 15 percent of the funding requested on the improvement of their IT security.
The Hospital Future Act (Krankenhauszukunftsgesetz) came into force on October 29, 2020, and aims to reduce the investment backlog in the digitization of hospitals, which was highlighted particularly since the beginning of the COVID 19-pandemic. The Hospital Future Act was drafted by the Federal Ministry of Health (Bundesministerium für Gesundheit), then passed by the cabinet and the parliament in September, and by the Federal Council on October 9, 2020.
The new law implements the “Future Program Hospitals” (own translation, Zukunftsprogramm Krankenhäuser) that was previously decided upon by Germany’s ruling coalition of Conservatives (CDU/CSU) and Social Democrats (SPD) in June 2020 as part of the government’s 130 billion euro Corona economic stimulus package. The funding volume consists of three billion euro from federal funds as well as 1.3 billion euro from the federal states.
To provide the hospitals with the much-needed updates and innovations in accordance with the new law, a fund was established by the Federal Office for Social Security (Bundesamt für Soziale Sicherung). Until the end of 2021, hospitals can submit funding applications to the federal states. Funding is provided, i.a., for electronic documentation of care and treatment services, digital medication management, IT security measures and cross-sector telemedical network structures. An evaluation of the status of digitization at hospitals is planned for June 2021 and June 2023.
Transatlantic Cyber Forum
Policy Debates | March 30, 2021
Issue: German Emotet takedown in the legal gray zone
The original article was published on Netzpolitik.org by Sven Herpig und Dennis-Kenji Kipker. Below you can find the translated and slightly updated version of the article. For questions and comments, contact Sven Herpig.
Emotet-Takedown: The end does not justify the means
There are many indications that the Federal Criminal Police Office (BKA) has exceeded its powers in the takedown of the Emotet infrastructure. Even if the elimination of the malware was a great success, the measures must be legally reviewed.
In its narrower sense, cybercrime is probably the greatest current threat to cyberspace. The BKA defines it as “criminal acts directed against the Internet, other data networks, information technology systems or their data” (own translation). Therefore, successes against platforms and groups of criminals, such as the recent takedown of the Emotet malware infrastructure, are particularly important.
Even with such success stories, however, we must question whether the authorities have acted within the scope of their powers. In the case of the Emotet takedown, it appears that the BKA has not only stretched, but exceeded its powers.
Medicine against will
Information about the exact actions and the role of the BKA within the course of action against Emotet are not yet fully public. Though, it is highly likely that the BKA has interfered – without prior knowledge or consent of the respective owners – with the integrity of the Emotet victims’ computer systems, and hence with their “basic right for uncompromised computer systems” (German: Computergrundrecht).
On that account, the investigators have apparently used an adapted Emotet module, which was installed on the computer systems of the Emotet victims in the framework of the takedown, likely thanks to information and access gained by the physical search and seizure of Emotet infrastructure in Ukraine. This module was supposed to neutralize the Emotet malware on the systems and send back information about the infected systems. In doing so, they were assisted by a German IT security company. It has to be stressed that the BKA did not only install software on German, but also affected systems worldwide.
As an analogy, one can imagine that the authority has administered a third-party pill to the infected victims with the purpose of them getting well again. The victims although, did not learn about it, had not consented to it, and do know nothing about potential side effects.
The butcher at the scalpel
The encroachment of the Computergrundrecht by authorities is a highly invasive measure, which is why the Federal Constitutional Court has set high requirements for its enforcement. For several years, the German Federal Government and experts have been discussing the emergency response measures for protecting against threats in cyberspace through invasive countermeasures – or “active cyber defense”, also known as “hackback”.
Most recently, it became public, that the President of the BKA, Holger Münch, argued in a briefing to the Bundestag’s Committee on Internal Affairs and Community, that the actions leading to the Emotet takedown have taken place at the limit of legal admissibility and admitted that there would have been no legal basis for a complete cleanup of the infected systems through emergency response measures as they are not within the current powers of the BKA. In accordance, he claimed that there would have been no alternative means available and that the software update would have to be seen – in legal terms - as a seizure by technical means with the sole intent of using this data as evidence. Hence, he interpreted the resulting cleanup to constitute a mere side effect in order to permit the collection of evidence – instead of as an emergency response measure.
The protection against threats cannot justify the encroachment of the fundamental Computergrundrecht by the BKA for two reasons. On the one hand, the necessary framework conditions were not met in the present case. For example, there must be “actual indications of a concrete danger to a legal asset of paramount importance” (own translation). On the other hand, it is the states and not the federal level who are responsible for emergency response in cyberspace in cases of crime.
Even if one were to assume that the measures taken by the BKA are not a matter of emergency response but of criminal prosecution, and that measures can therefore be taken to preserve evidence on the computers of those affected, this would be a highly adventurous construction: firstly, because the case in question cannot be assigned to criminal investigations beyond doubt, and secondly, because the measures to preserve evidence took place on the IT systems of completely uninvolved parties.
In addition, such a technical measure would also have to be clearly distinguished from government hacking measures such as “online searches”, which must meet the highest constitutional standards. An intrusion into the IT systems of a large number of uninvolved parties must under no circumstances be based on a legal argument that operates in the legal grey area.
Even if the BKA were to cite a different legal basis for its actions, it would still have to credibly justify why it did not implement less invasive measure to achieve its goal. The current “Telekommunikationsgesetz” (Telecommunications Act, own translation) allows authorities to provide information to telecommunications service providers so that they can a) inform victims among their customers and provide cleanup options, and b) disconnect those same customers from the Internet until they have cleaned up their systems accordingly (“walled garden”).
While merely warning customers rarely leads to the desired outcome, measures based on the “walled garden” principle may have been more effective and less invasive. Apart from that, they would have been covered by existing law.
The Three Paragraphs (Riders) of the Basic Computer Right Apocalypse
The present case vividly illustrates how the Federal Government is intent on interfering with the Computergrundrecht via government agencies. Compromising IT systems to defend against cyber operations [sic!] has repeatedly been on the federal government’s agenda for years. This includes measures that are not yet covered by existing law and are similar to those used by the BKA. So far, the debate has been relatively vain in this regard, with neither clear authority responsibilities nor legal bases being created.
In addition, the current draft of the adaptation of the law on the protection of the constitution includes legal extensions which would not only allow all German intelligence services to use government hacking, but also mandate Internet Service Providers to cooperate.
The triumvirate of Computergrundrecht encroachments is completed by the powers called for in the current cabinet draft of the IT Security Act 2.0, which allows authorities to order Internet service providers to install software (updates) on their customers’ systems without their knowledge or consent. So far, the German government has not explained why existing, less invasive measures from the Telecommunications Act are not sufficient.
One could almost assume that police general clauses are being adduced to justify intrusive official measures in the Computergundrecht in order to establish a kind of "customary law". This does, however, in no way suffice the elevated constitutional requirements. Such an approach is highly dangerous: it does not only insidiously erode the guarantee of a central fundamental right of the information age, but also threatens to promote increasing indifference on the part of the authorities and habitualness on the part of citizens for interventions in IT systems.
Constitutional review necessary
The BKA and the Federal Government will claim beyond any doubt that they have acted within the framework of applicable law. Yet, on the basis of the current information, this is at least doubtful.
Legal action by affected citizens and companies could provide a remedy, because the BKA has interfered with their systems without warning or consent, even though less invasive means with fewer side effects would have been possible. In that case, the courts would have to decide – but the fundamental problem would not be resolved.
The fact that the BKA has stretched or exceeded its powers weighs much more heavily. Also, the positive effects of the Emotet takedown should not distract from that. The issue here is not one of factually achieved results, but rather a legal assessment of whether a particular result would have been allowed to achieve in the first place.
One might be tempted to think that the Federal Government is trying to create facts with such operations with the purpose of underpinning future policies in this area – in the context of adapting the law on the protection of the constitution, the IT Security Act 2.0 and, in the future, in the framework of legislation on active cyber defense. And without regard to the fact that the Federal Constitutional Court has already stated at the time that the mere infiltration of a computer system makes it possible to carry out “full surveillance” , perceiving that “if a complex information technology system [...] is technically infiltrated, the decisive hurdle for surveillance on the system as a whole is taken with the infiltration” (own translation).
For this reason, legal action by those affected should not be awaited in order to find out whether the measures taken by the BKA were legally sound or not. They must be reviewed in terms of their constitutionality, even before the amendments of the law on the protection of the constitution or the IT Security Act 2.0 are passed. There must be as much rule of law.
Authors: Dr. Sven Herpig and Dennis-Kenji Kipker
Transatlantic Cyber Forum
Policy Debates | April 14, 2021
Issue: The Encryption Debate in Germany: 2021 Update
Below you can find the excerpt of a report, that was originally published as an International Encryption Brief for the Carnegie Endowment for International Peace. For a more detailed account and overview of developments in the field of encryption in Germany in terms of key actors, usage and expansion of German government hacking powers through policies and legislation, as well as vulnerabilities management please consult and continue reading the full report.
Introduction and Background
Germany’s government has supported widespread, strong, and unregulated encryption. In 2014, the government reaffirmed and extended this political commitment when it announced its goal to become the global leader in adopting encryption.
Instead of focusing on regulating encryption itself, Germany has worked to enable its security agencies to conduct targeted remote hacking operations. It has even passed a legal framework for that purpose. The legal debate about government hacking authority eventually led to a landmark Federal Constitutional Court ruling emphasizing the government’s responsibility for the integrity of information technology systems.
Whereas recent revelations about a past agreement between Germany’s Foreign Intelligence Agency and the CIA—in which they sold encryption machines with backdoors worldwide through the Crypto AG company —seems to suggest differently, Germany’s encryption policy has been clear and consistent for decades. Since 1999, the government has supported widespread strong encryption but has also reserved the right to find solutions for law enforcement and intelligence agencies to access digital evidence through government hacking. Government hacking is understood as “[remotely] interfering with the integrity of software – including online services – or hardware to access data in transit, data at rest, and sensors to manipulate a target’s device by law enforcement for the purpose of criminal investigations [in a targeted manner].”
While two years ago it seemed highly unlikely that Germany would steer away from its course of supporting strong, secure encryption without lawful access mechanisms, things have changed since then. Germany is exploring lawful access mechanisms on the European level while simultaneously extending government hacking powers in Germany.
Recent incidents, policy and legal developments, and institutional change over the last year did not significantly deviate from Germany’s long-standing encryption policy to eschew weakening encryption and rather focus on government hacking on the national level. However, three policy developments show that Germany’s commitment to secure encryption is not as strong anymore as it was before.
Firstly, in 2019, state ministries of the interior discussed the possibility of forcing vendors to create backdoors in their messenger applications. This idea was immediately met with strong public criticism that culminated in an open letter to the government against those plans. Within a few days, the letter had been signed by more than 200 companies, organizations, and representatives from academia, civil society as well as members of parliament.
Secondly, Germany introduced a resolution on “security through encryption and security despite encryption” under its European Council presidency. The resolution that was adopted in December 2020 supports the development of a regulatory framework and dialogue on solutions that enable competent authorities to “access data in a lawful and targeted manner.” While this may just be aiming at implementing a government hacking framework on the European level, it may also aim at lawful access mechanisms.
Lastly, the German Federal Foreign Office published a non-paper on EU cyber diplomacy together with Estonia, France, Poland, Portugal, and Slovenia. A single sentence revealed Germany’s deteriorating support for strong and secure encryption: “The EU and its Member States are invited to find solutions that allow law enforcement and other competent authorities to gain lawful access to digital evidence concerning malicious cyber activities, without prohibiting or generally weakening encryption, and in full respect of privacy and fair trial guarantees consistent with applicable law [emphasis added].”
Conclusion and Outlook
While there will always be a small group within German government and security circles who believes that weakening encryption will enable intelligence and law enforcement agencies to be more effective without sacrificing IT- and cybersecurity, this group’s impact has been negligible until 2020. Public debates in the aftermath of violent events about extending the powers of law enforcement and intelligence agencies in cyberspace are limited to government hacking, not backdoors.
From operational, institutional, policy, and legal views, Germany continues to adhere to the encryption policy it adopted in 1999: fostering strong encryption but enabling its intelligence and law enforcement agencies to conduct government hacking, at least on the national level. With its proposed EU council resolution and EU cyber diplomacy non-paper, Germany currently seems to be moving the backdoor and lawful access debate to the EU level—possibly because it knows its chances to pass these policies on the national level are very slim. Whether the EU will be an easier vector to broach these policies remains to be seen.
Transatlantic Cyber Forum
Policy Debates | July 14, 2021
Issue: IT Security Act Passed Despite Public Criticism
With a new law, Germany aims to foster its IT security. The German Bundesrat (the constitutional body representing the federal states at the federal level) endorsed the IT Security Act 2.0 (IT-Sicherheitsgesetz 2.0) on 7 May 2021. The German Bundestag had previously passed it on 23 April 2021 despite strong public criticism, including in an expert hearing in March 2021. The IT Security Act 2.0 follows the IT Security Act passed in 2015.
The IT Security Act 2.0 contains several amendments previously proposed by the Committee on Internal Affairs and Community. These amendments focused on several areas, for example, the power of Germany’s national cybersecurity agency, the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) or critical components and critical national infrastructure.
The power of the BSI was expanded significantly through the IT Security Act 2.0. The Act grants the BSI 799 new positions. The BSI is now, for example, authorized to use port scans at the intersection of publicly accessible information technology systems to public telecommunication networks to detect security vulnerabilities. However, these measures can only be applied to internet protocol addresses that are assigned to the information technology systems of the federal government or critical infrastructures, digital services, or companies of special public interest, which are not part of Germany’s critical infrastructure but are companies of certain economic importance. All these institutions are listed in a so-called “White List” that is continuously adapted. The BSI is further allowed to use systems and procedures and process data to collect and analyze the use of malware and other attack methods. The BSI may thus, for example, use techniques that simulate targets to an attacker (honeypots).
The BSI also gained new responsibilities in consumer protection and consumer information in the security of information technology. It is responsible for advising and warning consumers on security issues. To inform consumers of IT security products, the BSI further takes the lead in introducing a new IT security label. This label applies to products that fall within product categories defined by the BSI and informs consumers that a product meets certain IT security requirements for a predefined period of time. Participation of vendors and service providers is completely optional. A mandatory IT security label could only be introduced via the European Union.
The BSI can now establish minimum standards for the security of information technology at the federal level in consultation with the responsible ministries. These are required to be implemented, among others, by federal agencies, corporations, and institutions under public law and public enterprises that are majority-owned by the federal government and that provide IT services for the federal administration. For important minimum standards, the Federal Ministry of the Interior can, in consultation with the conference of IT officers of the ministries, also give orders to the BSI to monitor and inspect compliance. Another amendment was the introduction of attack detection systems as of May 1, 2023, as appropriate organizational and technical precautions for providers of critical national infrastructure as a standard to identify and prevent threats on an ongoing basis.
However, the IT Security Act 2.0 also covers other areas, such as critical components and critical national infrastructure. It defines critical components and entails provisions prohibiting their use to protect public order or security in the country. It further defines thresholds for excluding individual equipment suppliers from the network expansion. These thresholds have implications for the 5G network expansion, for example, and are therefore also commonly described as the “Huawei-clause”. It is now mandatory to certify critical components in public telecommunication infrastructures. In addition, manufacturers now have to issue a guarantee declaration towards providers of critical infrastructure as means for the federal government to prohibit the use of such components. Generally, as indicated above, the Federal Ministry of the Interior can prohibit the initial use of critical components in consultation with the Federal Foreign Office and affected ministries and departments on the basis of lack of IT security or potential endangerment of national security. Certification requirements for critical components in networks were introduced in the Telecommunications Act, which was also recently reformed.
The Act further expands Germany’s critical infrastructure to include the municipal waste disposal sector (Siedlungsabfallentsorgung). If a provider in this sector now reaches a threshold of 500.000 people served, it has to fulfill obligations for critical infrastructure providers, such as implementing cybersecurity measures. In addition, certain companies of special public interest are now obliged to implement IT security measures to ensure the availability, integrity, or confidentiality of their IT systems. These companies of special public interest are also obligated to provide data and information to the BSI if there are indications of an incident targeting their information technology systems. They also have additional reporting obligations, such as the submission of self-declaration to the BSI every two years that must entail, for example, which IT certifications were conducted. Which companies will be affected is not yet clear as it depends on an ordinance published later this year.
In addition to all these amendments, the IT Security Act 2.0 introduces several other minor changes, for example, transferring autonomy from the Ministry of Interior, Building and Community to the Federal Office for Information Security, an issue that has been debated for many years.
The approval of the IT Security Act 2.0 by the parliament as well as the Act’s legal amendments indicate that an IT Security Act 3.0 will soon be in the making.
 Dr. Sven Herpig, Stiftung Neue Verantwortung e.V., Sachverständigenstellungnahme für die Sitzung des Bundestagsausschusses für Inneres und Heimat am 01.03.2021 zum Entwurf eines Zweiten Gesetzes zur Erhöhung der Sicherheit Informationstechnischer Systeme – BT-Drucksache 19/26106, 2021, Sven Herpig. Stellungnahme für die Anhörung des Bundestagsausschusses für Inneres und Heimat, 2021, Manuel Atug, AG Kritis.
- A constitutional body within a federal system, Bundesrat.
- Bundesrat lässt IT-Sicherheitsgesetz 2.0 zähneknirschend passieren, Heise.
- Die "Unabhängigkeit" des Bundesamtes für Sicherheit in der Informationstechnik, Sven Herpig.
- Dr. Sven Herpig, Stiftung Neue Verantwortung e.V., Sachverständigenstellungnahme für die Sitzung des Bundestagsausschusses für Inneres und Heimat am 01.03.2021 zum Entwurf eines Zweiten Gesetzes zur Erhöhung der Sicherheit Informationstechnischer Systeme – BT-Drucksache 19/26106, 2021, Sven Herpig.
- German Bundestag adopts IT Security Act 2.0 - update for companies, Hogan Lovells.
- Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme (IT-Sicherheitsgesetz), Bundesanzeiger Verlag.
- KRITIS-Sektor Entsorgung, OPENKRITIS.
- Stellungnahme für die Anhörung des Bundestagsausschusses für Inneres und Heimat, 2021, Manuel Atug, AG Kritis.
- Zweites Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme (IT-Sicherheitsgesetz 2.0), Bundesamt für Sicherheit in der Informationstechnik.
- Zweites Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme, Bundesanzeiger Verlag.
Transatlantic Cyber Forum
Policy Debates | December 9, 2021
Issue: German Cybersecurity Policy 2021-2025
Topics: Cyber diplomacy, Cybersecurity, Digital policy
The original article was published on DirectionsBlog.eu by Alexandra Paulus and Sven Herpig.
What does the new German government’s coalition agreement say about the country’s future cybersecurity policy?
The new German government will mean a shift for the country’s cybersecurity policy. The joint coalition agreement of the three ruling parties lays out their plans for the next four years and signals changes of course in areas like encryption policy and “hackbacks”. In other fields – particularly cyber diplomacy – the devil will be in the details. The country’s cybersecurity policy will also be affected by broader policy projects, such as a review of all governmental surveillance powers and the development of a national security strategy.
In September 2021, Germans elected a new parliament – the Bundestag – and determined who would form the next federal government. The stakes were high: Angela Merkel, after 16 years as chancellor, wasn’t running. Merkel’s Christian Democrats and their Bavarian counterpart, the Christian Social Union, suffered a significant loss, to the benefit of other parties. Three parties – the Social Democrats, the Greens and the Liberals – entered coalition talks and on 24 November 2021 presented their coalition agreement. The new government – with social democrat Olaf Scholz as chancellor – was formally appointed on 8 December. This may signify a watershed moment for Germany’s cybersecurity policy: while the Christian Democrats have traditionally prioritised national security matters, the three parties that will form the new government have long emphasised their commitments to digital policy. Below is an overview of what to expect from German cybersecurity policy between now and 2025.
More Independence for the National Cybersecurity Agency
Germany’s national cybersecurity agency (BSI) plays a key role in protecting the country from cyber threats, earning it a place at the forefront of all relevant policy debates. For years, experts have argued that the BSI needs greater independence from the Federal Ministry of the Interior, as the latter is responsible for both promoting IT security and undermining IT security for the purpose of law enforcement and intelligence. This year, Germany passed the second version of its IT Security Law, which gave BSI a little more independence. However, that wasn’t enough for the parties forming the incoming government, as the coalition agreement refers repeatedly to a “more independent BSI”. In addition, the BSI will assume a central role connecting the various state-level cybersecurity agencies of Germany’s federal system.
Right to Encryption
Until 2020, Germany’s stand on encryption was quite straightforward: it was committed to strong encryption, while enabling law enforcement and intelligence agencies to conduct government hacking operations. In 2020, however, Germany moved the debate towards lawful access mechanisms by using its EU Council Presidency to table a resolution at the EU level advancing a particular interpretation of recital 54 in the draft of the EU Network and Information Security Directive 2. The current wording about encryption in the coalition agreement reverses this approach and instead promotes the right to encryption. It is not clear, however, how the new government plans to put the genie back in the bottle.
The coalition agreement promises “generally, no hackbacks”. However, it is unclear what the coalition defines as a “hackback” and what “generally” means in this context. It does definitely leave a small door open for invasive active cyber defence operations, especially since active cyber defence is mentioned in the country’s latest cybersecurity strategy, published in September 2021 under the outgoing government. The agreement’s effect will come down to the definitions of “active cyber defence” and “hackback” and the interpretation of “generally”. The German government should have been wiser than to pass a strategy during the outgoing government’s last months in office.
While the national cybersecurity strategy mentions a coordinated vulnerability disclosure process as well as a vulnerability equities process, the coalition agreement takes a slightly different approach to the topic. It designates BSI as the central coordinating agency and spells out that every vulnerability will be rapidly disclosed and that the government will neither stockpile nor procure vulnerabilities. Additionally, the current legal grey zone for security researchers will be addressed, so they don’t have to fear repercussions for discovering and disclosing vulnerabilities in a responsible manner. This has been a topic generating quite a bit of concern in recent months.
Reform of the (Cyber)security Architecture
A reform of Germany’s cybersecurity architecture has been debated for years, with a focus on the legal statuses of its national cyber defence center (NCAZ) and the agency in charge of procuring and researching tools to be used by law enforcement and intelligence agencies (ZITiS). Both are central entities that urgently need to be put on transparent and sound legal footings. This is also true of the nation’s leading strategic platform, the cybersecurity council (Cyber-SR), which has not been mentioned explicitly in the coalition agreement. However, the document does suggest reviewing not just specific stakeholders but the general security architecture. The coalition further promises to review the role of the army’s Cyber Command (CIRBw), though it is unclear what that actually means. The agency for technical assistance (THW) is supposed to include cybersecurity assistance in its portfolio, and civil society has spent several years promoting a concept of what that might look like.
Apart from security-by-design and default, the coalition agreement mentions cybersecurity specifically in connection with education platforms, small- and medium-size enterprises’ IT infrastructure, smart grids and the cloud for public administration. This suggests the coalition understands cybersecurity to be a cross-cutting issue that must be included ex ante in digitization projects – at least that’s what the authors would like to read into this.
National Security Policy and Cybersecurity Policy
There are two noteworthy issues at the intersection of security policy and cybersecurity policy that can be found in the coalition treaty. First, the government promises to map surveillance powers across the whole government, to evaluate whether more or less surveillance in certain areas is desirable. In the German debate, this is known as the “Überwachungsgesamtrechnung”. This issue is closely connected to a planned general evaluation of security laws, because it’s difficult to evaluate the usefulness of security laws without taking stock of what policy and intelligence powers exist and how effective they are – a point that experts have made in the past.
Policy Coherence and Whole-of-Government Approach
At the EU level, the document aims to establish “an EU digital policy that follows a whole-of-government approach” that bridges differences between the distinct directorates general. While this is a laudable objective, it raises the question of why the issue of policy coherence is not addressed with equal importance at the national level. Currently, Germany’s national cybersecurity policy in some regards misaligns with some of its cyber diplomacy commitments, for example in the case of encryption policy. However, such stringency would be essential as Germany currently does not have a cyber diplomacy strategy and the international aspects mentioned in the national cybersecurity strategy are in part contradictory. One way forward might be the national security strategy that the new government will elaborate. This would be the first such document for Germany.
On the global stage, the new government wants to pursue “active cyber diplomacy”. This diplomatic field has become polarised: one group of states led by Russia and China aims to undermine the global and open nature of the Internet. It is therefore encouraging to see that advocating for “a global, open internet” will be a priority of the new German government. After important cyber diplomacy advances in 2021, especially at the United Nations, the tenure of the new government will coincide with the second UN Open-Ended Working Group on cybersecurity and the drafting process of a global cybercrime convention at the UN. In both forums, Germany will need to coordinate with its partners and allies in the EU and beyond to put these calls into practice, for example by further developing the EU’s Cyber Diplomacy Toolbox or by developing response instruments that can be used when consensus among all EU member states – a prerequisite for triggering the toolbox – cannot be achieved.
Cyber Norms and International Law
Among the diverse cyber diplomacy issues, cyber norms and international law play a key role. In late 2020, Germany, together with five fellow EU member states, reaffirmed its commitment to both in a non-paper. While the coalition agreement endorses cyber norms, the authors do not detail how the government wants to overcome current challenges like lagging norm implementation. Regarding international law, the agreement calls for establishing “an international law of the net”. This formulation stands in contrast to Germany’s previous commitment, most recently outlined in the 2021 Position Paper On the Application of International Law in Cyberspace, that “international law, including the UN Charter and international humanitarian law (IHL), applies without reservation in the context of cyberspace”.
Alongside these norms and legal provisions regulating state conduct, the new German government also wants to play an increasingly active role in international forums and processes to develop technical standards. However, it remains unclear which issues Germany will prioritise and how the country will seek to build coalitions in international organisations, such as the International Telecommunication Union, in the face of growing opposition by authoritarian states.
Cyber Capacity Building
In the field of international cyber capacity building, the new leadership will aim at “supporting partners in building their independent digital infrastructures for strengthening their respective digital sovereignty”. This points to the Global Gateway initiative of the EU but seems to neglect other elements of cyber capacity building, many of which Germany already actively pursues. A key challenge will be to define the respective roles of the Federal Foreign Office and the Federal Ministry for Economic Cooperation and Development, as both ministries are active in this field now.
The future governing parties aim to reform export control regulation – including but not limited to cyber capabilities that can be used for malicious purposes – at both the national and EU level, following the recent recast of the EU dual-use regulation. The document goes beyond the EU regulation by committing to not exporting surveillance technologies to “repressive regimes”. This follows debates about the use of these technologies in human rights violations worldwide and export control action by the United States. It remains to be seen, however, how the German government will define and identify repressive regimes and surveillance technologies. This measure could contribute to the establishment of an international norm that severely restricts the proliferation of these technologies.
Another diplomatic priority of the new government will be arms control. Regarding “cyber weapons”, the coalition agreement envisions a “digital disarmament policy” that will advocate for “the peaceful use of […] cyberspace” and strive for cyber arms control initiatives. Considering the structural challenges of applying this policy instrument to software, it will be interesting to see which new approaches the government will follow.
The coalition agreement also lays out concrete priorities for cybersecurity dialogue and coordination with international partners. Digital policy will continue to figure prominently in Germany’s dialogues with the states of the Indo-Pacific region and the African continent. With the United States, Germany wants to collaborate more closely on technical standards, disarmament and international security. While the document does not specify this, it is likely that the whole-of-government China strategy that is to be drafted by the new government – on the topic of which the coalition agreement strikes a more assertive tone than previous German policy documents – will feature cybersecurity. The agreement does not specify cybersecurity as a priority in Germany’s diplomacy towards Russia.
There are a couple of issues, such as greater funding for cybersecurity research, product liability and exclusion of untrustworthy vendors, that the government will definitely need to provide more detail on during the next couple of months to indicate its plans and objectives.
The new government will have a lot to deliver on in the field of cybersecurity. Several initiatives could make lasting marks on both national policy and international debates, like the commitments to refrain from procuring software vulnerabilities and to avoid exporting surveillance technologies to repressive regimes. On other issues, the coalition agreement stands in contrast to previous commitments the German government has made, for instance in the national cybersecurity strategy or the Position Paper On the Application of International Law in Cyberspace. These tensions will need to be solved. In other cases, the coalition agreement contains blanket statements that are open to diverging interpretations – in these cases, the proof of the pudding will be in the eating. Independent from its actual implementation, the coalition agreement has a refreshing, brave and ambitious take on cybersecurity policy.