Transatlantic Cyber Forum Policy Debates





Transatlantic Cyber Forum

Policy Debates | January 31, 2017

Issue: Official Announcement about the Central Authority for Information Technology in the Security Domain

Track: Encryption and Lawful Hacking



On January 20 the Ministry of Interior officially announced the setup of the Central Authority for Information Technology in the Security Domain (ZITiS). The office is tasked to service security and intelligence agencies with tools and capacities for lawful hacking, interception and analysis. ZITiS is solely tasked to provide assistance and not engage in operational activities or pool human resources from the existing security and intelligence offices. Germany’s Cyber Security Strategy which has been published last year included the formation of this office as an action item.

What has not been covered in the official announcement is that it will not provide any assistance to the Federal Intelligence Service due to the legal and political framework. In a first step, ZITiS will provide its services to the Office for the Protection of the Constitution (domestic intelligence) as well as to the Federal Police and Federal Office of Criminal Investigation. Further down the road ZITiS is supposed to offer assistance to additional security and intelligence agencies including those on state level. It is currently unclear who will head this office.

Choosing Munich as location might have a strategic background as the Federal Intelligence Service just moved (mainly) from Munich to the new office in Berlin; the state level Office of Criminal Investigation has been active in lawful hacking and lawful interception since quite some time and famously acquired Trojan horse malware from DigiTask in 2008 to conduct lawful hacking. Additionally, Bavaria is known to be the most “security conscious” state in Germany.


Fact Sheet

German Name: Zentrale Stelle für Informationstechnik im Sicherheitsbereich

Abbreviation: ZITiS

Area of Supervision: Ministry of Interior

Location: Munich, Bavaria

Employees: 120 targeted for 2017 and up to 400 until 2022

Resources: 10 million Euro (excl. salaries) for 2017 (Ministry of Interior total budget for 2017 as comparison: 7.8 billion Euro)

Responsibilities: Development and acquisition of tools as well as training of staff in the following areas: crypto analysis, IT forensics, lawful interception, big data analysis. Point of contact for questions related to technologies and crime fighting, counterintelligence and danger defense.



Author: Dr. Sven Herpig


Transatlantic Cyber Forum

Policy Debates | March 3, 2017

Issue: Encryption Backdoors on the EU-Level

Track: Encryption and Lawful Hacking



On February 28, The Register reported about apparently yet another German-French attempt to jointly pursue a backdoor-policy to enable law enforcement agencies to overcome the “going dark” phenomenon. The Register refers to a letter addressed to the European Commission which is co-signed by both the German and French Ministries of the Interior.



The letter itself does not specifically state a backdoor policy or weakening of encryption mechanisms. It simply states that a new legal initiative should be started on the EU level in October 2017 – that would be after both, the German and French elections -- which allows the respective authorities to technically and legally tackle the challenge which arises for the law enforcement agencies from the widespread use of encrypted communications (by terrorists).

Last year there was a similar debate about a joint German-French statement on national security. The French version back then included a section on decryption of communications whereas the German version did not. German officials then stated that the German version was indeed the correct one.

We talked to the responsible senior official from the Ministry of Interior who stated that the joint letter sent to the EU Commission does not aim for the implementation of backdoors. It is the Ministry of Interior’s (and therefore the administration’s) strategic guideline to not attempt to broadly implement backdoors. The administration does not support the idea of broadly weakening encryption through backdoors, though it naturally explores other options to counter the growing use of encrypted communications and data storage. A first step has been the establishment of the Central Authority for Information Technology in the Security Domain (ZITiS) which has been described in the TCF Policy Debates on January 31.




Author: Dr. Sven Herpig


Transatlantic Cyber Forum

Policy Debates | March 31, 2017

Issue: Alleged Cyber Operation against the German Parliament

Track: Cyber Defense & Political Infrastructures



The German federal elections will take place on September 24 this year. Bearing in mind the breach of the German parliament’s computer network ‘Parlakom’ in 2015 as well as unsuccessful attempts against the parliament and Angela Merkel’s ruling party (CDU) in 2016, more cyber operations are to be expected until election day.

On March 28, the German newspaper Süddeutsche Zeitung (SZ) reported about an alleged cyber operation against the German parliament to have taken place earlier this year.



One day after the SZ released its article, Germany’s cyber security agency (BSI) issued a corresponding statement. Even though there is no reference to the SZ article, details of the statement indicate it being a direct response to that article. The BSI explains in its statement that the agency has been lending support to the IT staff of the German parliament since early February. Experts helped to detect and analyse anomalies in the parliament’s network traffic. The analysis revealed that the suspicious activity originated from the website of the Jerusalem Post which had been manipulated to deliver malicious content to its viewers (drive-by-attack). Staff and members of the parliament had been accessing this website as part of their day-to-day work. No damage had been caused to their systems due to the new security mechanisms that had been implemented as lessons learned from the 2015 attack. Judging by the disclosed information it does not appear to be a targeted operation against the German parliament. The BSI’s statement seems very credible. Over the past months, the agency has offered support to various political stakeholders - such as parties - which are involved in the (pre-)election process.

At an event organized by the Stiftung Neue Verantwortung in Berlin on March 13, Hillary Clinton’s campaign manager Robby Mook offered some insights into how to deal with ‘fake news’ and cyber security during elections. He also directly offered advice to the German political parties.

The 16 Gigabyte worth of documents that were extracted from the Parlakom in 2015 have not yet resurfaced. It is possible that some of those documents will soon be used in a doxing operation against German politicians and parties. Unlike the American, Dutch or even French political landscape, the most likely beneficiary of such an operation - the right-wing party AfD - is nowhere close to winning the election with a current estimate of 7% of the votes. However, a well-tailored doxing operation might be enough to cost Angela Merkel her chancellorship as the rivalling Social Democratic Party is currently only 2% behind.




Author: Dr. Sven Herpig


Transatlantic Cyber Forum

Policy Debates | March 31, 2017

Issue: Wikileaks, Vault7 and Germany

Track: Encryption Policy & Lawful Hacking



On March 7 around 2 pm CET Wikileaks published a redacted version of the alleged "CIA spy arsenal" in the cyber domain. Dubbed "Vault7", Wikileaks announced that it would just be the first trove of documents it will reveal as part of its "Year Zero" series.



As project director of the Transatlantic Cyber Forum, Sven was asked to discuss the implications from a German introspective with Deutsche Welle at The Day. The discussion is in English.




Author: Dr. Sven Herpig


Transatlantic Cyber Forum

Policy Debates | April 24, 2017

Issue: Establishment of Germany’s Cyber Command (CIR)

Track: Cyber Defense & Political Infrastructures



On April 5th, the new Cyber Defence Command (CIR) of the German Federal Armed Forces was officially commissioned by minister of defence Ursula von der Leyen in Bonn. With Lt. Gen. Ludwig Leinhos as its head, the command will be of equal rank as the armed forces, air force and the navy. The division has started with a workforce of 260 soldiers and is planning to expand until 2021 to a size of roughly 14.000 soldiers and civil employees.

Four units will be subordinated to the Cyber Defence Command from July 2017 onwards: the Command Strategic Reconnaissance - a small and secretive unit that has trained offensive cyber-attacks -, the Command Support Unit, the Centre for Operational Communication and the Centre for Geoinformation. The research centre for Cyber Defense of the Federal Armed Forces University is based in Munich near the Central Authority for Information Technology in the Security Domain (ZITiS). [1] 



The establishment of a German Cyber Defence Command is a necessary organizational measure to further strengthen the cyber capabilities of the Federal Armed Forces by merging relevant working units under one umbrella. This will allow for better coordination, improvement of capabilities as well as faster planning and procurement. CIR builds upon existing competence, expertise and manpower from within the military. The human resources will be pooled from existing divisions, together with their organizational units. As of now, there are only about 100 new posts to be created for CIR – the remainder of the 13.500 staff is already employed by the military.

Two arguments have been spread in the media as the underlying reasons for the CIR setup. First, the Russian influence and cyber operation against the Democratic National Committee and the integrity of the election in general. Second, a high number of cyber attacks against the military’s IT-infrastructure in the first nine weeks of 2017. While the threat to the IT-infrastructure was clearly exaggerated[2], both reasons do not play a role at all. The changes surrounding CIR were the result of a restructuring effort within the military which is partially laid out in the official document dated April 2016: “Abschlussbericht Aufbaustab Cyber- und Informationsraum.”[3]

It remains unclear so far to what extent the new command will possess offensive capabilities and responsibilities. In an internal strategy paper that was leaked two years ago offensive cyber capabilities were considered by minister von der Leyen as a supporting, complementary or substituting tool. Officially, its task has primarily a defensive character but it seems unrealistic in the cyber security context to build defensive capabilities without strengthening the offensive capabilities as well. Especially in Germany the distinction between defensive and offensive actions is of importance as the parliament must approve offensive military operations (‘Parlamentsvorbehalt’) – including cyber. Therefore, the establishment of the Cyber Defense Command also raises the necessity of a broader debate about the definition of an offensive action in the cyber domain.

However, the defensive/ security approach of CIR is not without trouble. Since Germany published its new cyber security strategy last year, the military is eyeing more responsibilities within Germany’s – historically very civilian – cyber security architecture. The military wants to lend a helping hand to critical infrastructures under cyber attack or in the event of substantial cyber operations against the state. As CIR grows, expect to see more of those discussions. Those responsibilities might be seen by policy-makers and public as a raison d’être and grounds for additional financial and human resources.

Another practical challenge for the new command will be the recruitment of skilled employees. As the command plans to expand its workforce rapidly within the next years, it currently discusses to lower the requirement (e.g. fitness level, educational level) for new employees of the command. In 2016 the army launched a highly controversial advertising campaign to attract new cyber recruits. In 2018 a new course of study on “Cyber Security” will start at the university of the Federal Armed Forces in Munich.


Fact Sheet

German Name: Kommando Cyber- und Informationsraum

Abbreviation: KdoCIR / CIR (sometimes also CIRk - with reference to Star Trek)

Area of Supervision: Ministry of Defence

Location: Bonn, North Rhine-Westphalia

Employees: 260 soldiers starting in 04/2017; until 2021 targeting ~ 14.000 soldiers and civilian employees

Resources: Currently no information available

Responsibilities: The Command is responsible for the operation and protection of the Federal Armed Forces’ IT-systems domestically as well as during operations abroad. Capabilities for reconnaissance and impact (read: offensive cyber operations) in the cyber and information domain are supposed to be strengthened and expanded. Additionally, they support all other commands of the Armed Federal Forces and contribute to an overall security provision by strengthening the cyber security infrastructure through the exchange and cooperation with other institutions. CIR will also contribute to the improvement of Germany’s civilian cyber security architecture.




[1] Presented in Policy Debates “Official Announcement about the Central Authority for Information Technology in the Security Domain” on January 31, 2017.

[2]  284.000 attacks were mentioned by a representative of the military. However, it does not tell us something substantial about the actual threat as the number does not refer to targeted or advanced attacks only

[3] Final report on the setup within the cyber and information domain.


Author: Dr. Sven Herpig


Transatlantic Cyber Forum

Policy Debates | May, 2017

Issue: German government analyses offensive cyber capabilities, so-called “hackbacks”

Track: Cyber Defense & Political Infrastructures + Encryption Policy & Lawful Hacking



In the aftermath of cyber attacks against German political foundations, the German Bundestag in 2015, the DNC and recently the Macron campaign an investigative report by German news and broadcast media (WDR, NDR, Süddeutsche) has recently discovered that the German government is currently considering the development and expansion of offensive cyber capabilities as a response to cyber attacks. Germany's Federal Security Council, chaired by Chancellor Angela Merkel, carries out an analysis. The federal government’s analysis aims to find out what the legal implications would be, what technical means exist and by whom the offensive measures would be carried out. The results will be presented this summer to the Federal Security Council, which meets behind closed doors.

Specifically, the government is looking into the possibility of ‘hacking back’ to actively wipe the entire hostile servers through which attacks e.g. against civilian targets such as critical or political infrastructure are guided and thereby hopes to stop cyber operations, steal back documents and strategically take-down botnets. Requirements for an offensive response according to the German government would be that any request for mutual assistance in a criminal matter is arbitrary or that the attack cannot be stopped with other political and diplomatic means.Domestically, there is currently not much of a legal basis for such a project.  The government’s analysis caused public backlash among IT researchers, civil society groups and the opposition parties, like the Green party. Arguments against those offensive measures are mainly the fear of collateral damage caused to third parties, questions of compensation in case of damage to third party systems and attack attribution.

Moreover, the German government’s talk of “getting back stolen information” let some doubt that it has grasped the technical understanding of a hack.



The discussions around the offensive capabilities ‘hackback’ by the government in Germany is similar other debates about hackback in other countries. What is unique in the German case and has not been picked up in the discussion yet is that the German government frames this as the ‘digital final (fatal) shot’ (German: finaler Rettungsschuss) - a definition used in German police law for shooting the attacker for the sake of the protection of the victim. Since Germany is aiming at a discussion on internal security where its military cannot get involved in, the language chosen reflects the decision to frame the discussion in police instead of military jargon.

In the event of a cyber attack against for example the electric grid, the government argues that the servers could be taken from the internet. Two challenges stand out with this application of legal speech to the new domain: Updating the ‘final (fatal) shot’ merely to make it digital, would actually mean a general redefinition of the final shot in itself. A final shot is supposed to stop a dangerous act from happening and to provide protection to the victim before it can get injured. In the digital sense it is difficult to stop the  a person from launching an attack from a server before the attack occurs. Usually one finds out about the attack while it is happening and could only stop it from causing more damage. In a fatal shot scenario the situation would have to allow for a clear condition knowing that the server will definitely be used to attack and therefore engage in preemptive measures against it. This is very unlikely unless the government holds communication or information about a planned attack. The form of offensive measures which the government would consider in this context appear to be more comparable to a preemptive strike in military terms. This would however contradict the civil framing of this debate thus far. The  country faced a similar challenge about military and civilian responsibilities when it discusses the cyber security of critical infrastructures last year.

Moreover, it causes issues when it comes to the decision on which institution would handle such measures. The Minister of the Interior noted correctly that there is also a dispute due to the federal system - police law is under the jurisdiction of the Länder (states) which means that for example the “final (fatal) shot” despite its difficulty to apply this concept in the first place, is actually  not harmonised in all German Länder police laws. Hence the German government will have difficulty to apply their concepts and distinguish existing once adapting them to the new domain cyberspace.

Another angle of discussion which we will follow up with when there is more insights is the debate surrounding which institutions would handle this kind of offensive strategy. Currently up for discussion are: the Federal Office for Information Security (BSI), the Foreign Intelligence Service (BND), the German army (Bundeswehr), the Central Authority for Security in the Information Sphere (ZITiS) and the Federal Office for the Protection of the Constitution (BfV).




Authors: Dr. Sven Herpig und Julia Schuetze



Transatlantic Cyber Forum

Policy Debates | June 2, 2017

Issue: German government discusses “hackbacks”

Track: Cyber Defense & Political Infrastructures + Encryption Policy & Lawful Hacking



An investigative report by German news and broadcast media (WDR, NDR, Süddeutsche) has recently discovered that the German government is currently considering the development and expansion of offensive cyber capabilities as a response to cyber attacks. Germany's Federal Security Council, chaired by Chancellor Angela Merkel, is carrying out this analysis. It aims to find out what the legal implications would be, what technical means exist and by whom the offensive measures would be carried out. The results will be presented this summer to the Federal Security Council, which meets behind closed doors.

Specifically, the government is considering the possibility of ‘hacking back’ to actively wipe systems which are used to attack civilian targets such as critical or political IT-infrastructures, steal back documents or strategically take-down botnets. Requirements for an offensive response according to the German government would be that any request for mutual assistance in a criminal matter is arbitrary or that the attack cannot be stopped by other political and diplomatic means. Domestically, there is currently not much of a legal basis for such a project.  The revelation of this ongoing analysis caused public backlash among IT researchers, civil society groups and opposition parties, like the Green party. Arguments against those offensive measures are mainly the fear of collateral damage caused to third parties, questions of compensation in case of damage to third party systems, sparking international conflicts and the possible lack of attack attribution.

Moreover, the German government’s talk of “getting back stolen information” led some to doubt that it has grasped the technical understanding of a cyber attack.



The discussions around ‘hackback’ by the government in Germany are similar to debates about hackback in other countries. What is unique in the German case and has not been picked up in the discussion yet, is that the German government frames this as the ‘digital final (fatal) shot’ (German: finaler Rettungsschuss) - a definition used in German police law for shooting the attacker for the sake of the protection of the victim. Since Germany is aiming at a discussion on internal security where its military cannot get involved in, the language chosen reflects the decision to frame the discussion in police instead of military jargon.

In the event of a cyber attack against, for example, the electric grid, the government argues that the servers could be taken off the internet. Two challenges stand out with this application of legal speech to the new domain: updating the ‘final (fatal) shot’ merely to make it digital, would mean a general redefinition of the final shot in itself. It is supposed to stop a dangerous act from happening and to provide protection to the victim before it can get injured. In the digital sense, it is difficult to stop a person from launching an attack from a server before the attack occurs. Usually one finds out about the attack while it is happening and could only stop it from causing more damage – mitigating the impact. In a fatal shot scenario, the situation would have to allow for a clear condition knowing that the server will definitely be used to attack and therefore engage in preemptive measures against it. This is very unlikely unless the government has evidence or other pertinent information about a planned attack. The form of offensive measures which the government would consider in this context appear to be more comparable to a preemptive strike in military terms. This would however contradict the civil framing of this debate thus far. The country faced a similar challenge about military and civilian responsibilities when it discussed the cyber security of critical infrastructures last year. Moreover, it causes issues when it comes to the decision about which institution would handle such measures. The Minister of the Interior noted correctly that there is also a dispute due to the federal system - police law is under the jurisdiction of the Länder (states). This means that the “final (fatal) shot” - despite its difficulty to apply this concept in the first place - is actually not harmonized in all German state police laws. Hence the German government will have difficulty applying their concepts and distinguishing between existing ones, when adapting them to the new domain - cyberspace.

Another angle of this debate is which institutions would handle this kind of offensive strategy. Currently up for discussion are: the Federal Office for Information Security (BSI), the Foreign Intelligence Service (BND), the German army (Bundeswehr), the Central Authority for Information Technology in the Security Domain (ZITiS) and the Federal Office for the Protection of the Constitution (BfV).




Authors: Dr. Sven Herpig und Julia Schuetze



Transatlantic Cyber Forum

Policy Debates | June 27, 2017

Issue: Intensification of targeted surveillance of suspects via so called ‘state trojan’ software

Track: Government hacking and encryption policy



The German parliament passed a legislative amendment [4] which significantly intensifies government hacking by law enforcement. Among other changes, law enforcement agencies are now permitted to infiltrate a suspect’s computer and smartphone for repression instead of only prevention of crimes. Though it was very restrictively allowed beforehand in cases like terrorism, the new legislation allows the use of targeted surveillance in many more crimes, for example money laundering, tax evasion, and drug related crimes.

That way law enforcement can gain access to a suspect's entire digital communications, data, cloud, camera etc. which is called Online Search in German (‘Online Durchsuchung’). Additionally, law enforcement can conduct a less invasive surveillance, monitoring ongoing communications pre-encryption, called source telecommunication surveillance in German (‘Quellen TKÜ’). There is an existing software for this purpose called  ‘state trojan’, but law enforcement agencies might develop or buy additional software with the help of the newly found ZITiS (see our briefing in January).



The amendment was recommended by Heiko Maas, the Federal  Minister of Justice and Consumer Protection, and submitted by the coalition parties [5] to be included in a law dealing with more effective and practical law enforcement in general[6]. Thus, the new hacking powers for law enforcement were just part of a much bigger bill which concentrated on other methods, such as allowing police to use DNA to figure out hair and eye color and other less controversial adjustments which were deemed highly necessary by all parties. The inclusion of the amendment shortly before the law was passed, without much time for discussion, caused outrage by the opposition party, civil society and experts. This fast-track procedure was criticised by opponents as a way to avoid critical public discussion and debate about the state trojan details, such as scope, technicalities and constitutional rights violations. This is rare in Germany that at such short notice in the last two weeks before the end of the legislative cycle, a significant and known to be controversial amendment is added to a bill. There was no public hearing even in the Bundestag. One committee was convened to obtain statements from the public. A critical statement by lawyer Buermeyer[7], who is also part of the Transatlantic Cyber Forum, was prepared in just ten days. Buermeyer submitted his judgment of the law warning that it would be unconstitutional - an argument which was supported by the German Association of Lawyers, who also  argued that it is unconstitutional.[8]

Nevertheless, the judicial committee passed the amendment and added it into the law about to be passed just two weeks before the large summer break which is essentially  the end of the legislative cycle, as Germany is electing a new Bundestag in September.

That many things were left open for discussion became clear when the opposition parties, the Greens and the Left, focused their entire statements on the state trojan software on the day of voting (22nd of June) and criticised the law ahead of the vote for that amendment. The Greens argued that it lessens security in general, it would be too broad for too many crimes and that it is against many rights. This did not change the coalition of SPD and CDU/CSU, the two governing parties, which were both committed to passing the law. They focused their statements mostly on the other parts of the law arguing only that the state trojan is necessary to solve crimes and that law enforcement is adapting to the new digital age. They argued that accessing telecommunications, such as text messages won’t give them any relevant information as most calls and messages are made via encrypted applications such as Whatsapp. 

The trojan software is nothing new, however, the scope of its usage was greatly broadened in the new amendment.

As the usage of encrypted messengers and therefore encrypted communication via, for example, WhatsApp and Telegram, has increased among criminals rapidly over the last years, law enforcement agencies are complaining about rising ‘going dark’ difficulties hampering criminal prosecutions. In the statement given, it was argued that only about 19% of communication is done via non-encrypted ways and its content would be something irrelevant like ordering a pizza. Law enforcement already created a way to circumvent encryption in 2008. The usage however was severely restricted and defined by a Federal Constitutional Court judgement in 2008. Then the court also created the right to integrity and confidentiality in electronic systems, as the court argued that much of personal life is digital, now. Critics say that this updated law will cause yet another new Federal Constitutional Court decision, because it ignores the high barriers set for the usage of the state trojan in 2008 and 2016 and is in violation of the mentioned right.

The German Federal Constitutional Court first differentiated between online surveillance, which means the complete access to past and present communications and data of a suspect, and the less invasive source telecommunication surveillance which means the access to smartphones to gain access to ongoing conversations. It has further set high barriers for the former. In a further decision, in April 2016, the Federal Constitutional Court highlighted that online searches may be used to prevent international terrorism and when sufficient evidence exists that human lives, their physical integrity or basis of life are endangered.

Both have been used very rarely. Source telecommunication surveillance was applied a few times on the state level.

The new law really creates a provocation of the Federal Constitutional Court decisions:

  • As it is firstly used in a much broader scale in crimes which do not risk the immediate lives of people - e.g. ‘Online Search’ can now be used in cases of money laundering .
  • Police may only use it to prevent a crime, but with the online surveillance in its full form it may also be used to retrieve evidence of already committed crimes - and start a new investigation
  • Nowadays the monitoring of devices like smartphones allows extensive intrusions into the privacy of an individual (i.e. access to pictures, activation of microphones etc.). It is argued that the broad scale usage will violate privacy and the privacy of uninvolved third parties.

Overall, the barriers of the new law are much lower which could lead to increased use in general.

Moreover, concerns have been raised about the control mechanisms of the state Trojan. Past investigations have revealed that the state Trojan possesses greater technical abilities than currently allowed. For example, even with a source telecommunication surveillance it is not guaranteed that it can only access ongoing communication - something required by law but technically not convertible. These insights have led to increasing demands for independent control mechanisms of the state Trojan. Further points of criticism are the violation of IT-systems’ integrity and the exploitation of software vulnerabilities by the state which have been raised by critics to this day whenever there was usage on a state (Länder) level.[9]



There are two different forms of targeted surveillance using the state trojan software:

1. Online search - the most intrusive form getting access to the device’s data, communications, hardware, backup etc.

  • Allowed since 2008 after a Federal Constitutional Court decision to prevent cases of very extreme danger, risk of death[10] and since 2016 international terrorism[11] by the Federal Criminal Police Office

2. Source telecommunication surveillance

  • 2008 Federal Constitutional Court decision[12] differentiated source telecommunication surveillance from online search and determined it to be less invasive and confirmed with the right to integrity and confidentiality in electronic systems IF it technically only accesses ongoing communications - since then use judged on a case by case basis applying state (Länder)[13] laws or the Federal Criminal Police Law. However, its use in cases of traditional telecommunication law was criticised since this law (about which update this briefing is about) had no proper legal speech allowing the use of the software to infiltrate phones and proposed proper rules for the technicality.

3. The Telecommunication surveillance law governs the use of traditional surveillance such as access to text messages, phone calls which can be applied for 38 serious crimes. Now this law is updated to include legal speech which allows the use of targeted surveillance, such as source telecommunication surveillance and online speech.

  • In the new law it was added that infiltration into information systems is now allowed as part of surveillance, legalising the use of source communication surveillance if proportional and technically feasible. This means that it recognises that before the source communication surveillance can start and create technical barriers for the access of more than just ongoing communication, the system needs to be infiltrated.  The legal text supports its use in 38 different serious crimes[14] (Examples: cases of treason, sedition, endangering the democratic rule money laundering, drug trafficking, child pornography, murder, manslaughter, tax evasion, smuggling of foreigners, incitement of fraudulent application of asylum - find all crimes in English in footnote).
  • Moreover, the new law changed that source communication surveillance can be decided by the prosecutor's office if there is immediate danger ahead, needing only a judge's ruling after three days. Before the use was always determined by a judge.
  • The online search is now allowed by police not just the Federal Criminal Police Office. This was extended from use in cases of international terrorism and risk of livelihood to 27 serious crimes (see last page for exact crimes). Moreover, an online search can now also be used to investigate a crime after it happens.[15]
  • Online search is, moreover, also allowed regressively in case that during a search the investigation finds a hint about another serious crime, then they can open a new investigation.
  • In Section 100d 2 of the amended law it determines that if there is knowledge about a core area of the private conduct of life which was found while doing an online search or the source telecommunication surveillance, then this is not to be used and deleted immediately.
  • Law enforcement argues that it will determine usage in each unique case and restrict technical capabilities accordingly.
  • Traditional telecommunication surveillance was used in 2015 32,000 times in 6,000 cases[16]
  • On a case by case basis the extensiveness of targeted surveillance will be decided by a judge or in cases of danger ahead, by the prosecutor's office and confirmed by the judge.



This decision is a win for law enforcement until the legality is determined by the Constitutional Court. Interestingly, the legality of the evidence retrieved from using those methods are not necessarily clear as there is no precedent - thus this is something to be determined once cases emerge. It is definitely not a win for broader civil society, the net-political scene, IT experts or those who care about governance of the digital sphere in general, as the leading parties showed no interest in solving some of the very controversial parts of the law, leaving many issues unresolved (here see TCF paper by Sven Herpig[17]). The fast track showed that it was a way to avoid a real discussion.

The 2016 Federal Constitutional Court decision about government hacking urged the government to make the use more clear by June 2018. However, it seems that the governing parties did not want take more time and leave it up to the next legislature after the Bundestag election this September.

It was a way of giving into political pressures of law enforcement agencies which fear  that their work is not effective and could allow an increase in crime rate which was stated in one hearing.[18] The net-political scene in Germany needs to deal with the reality now, and in case it is not struck down by the Federal Constitutional Court, propose solutions for the problems of government hacking allowing some of the concerns of law enforcement to be taken seriously.












[14] Section 100a [Conditions Regarding Interception of Telecommunications]







27 crimes online searches can be done for:

2) Particularly serious criminal offences for the purposes of subsection (1), number 1, shall be:

1.  pursuant to the Criminal Code:

a)  crimes against peace, high treason, endangering the democratic state based on the rule of law, treason, and endangering external security pursuant to sections 80, 81, 82, 89a, pursuant to section 94, section 95 subsection (3) and section 96 subsection (1), in each case also in conjunction with section 97b, as well as pursuant to section 97a, section 98 subsection (1), second sentence, section 99 subsection (2), section 100 and section 100a subsection (4);

b)  formation of criminal groups pursuant to section 129 subsection (1) in conjunction with subsection (4), second part of the sentence, and formation of terrorist groups pursuant to section 129a subsections (1), (2), (4) and subsection (5) first sentence, first alternative, in each case also in conjunction with section 129b subsection (1);

c)  counterfeiting money and official stamps pursuant to sections 146 and 151, in each case also in conjunction with section 152, as well as pursuant to section 152a subsection (3) and section 152b subsections (1) to (4);

d)  crimes against sexual self-determination in the cases referred to in section 176a subsection (2), number 2, or subsection (3), section 177 subsection (2), number 2, or section 179 subsection (5), number 2;

e)  distribution, acquisition and possession of pornographic writings involving children in the cases referred to in section 184b subsection (3);

f)  murder and manslaughter pursuant to sections 211 and 212;

g)  crimes against personal liberty pursuant to section 234, section 234a subsections (1) and (2), sections 239a and 239b, and trafficking in human beings for the purpose of sexual exploitation and for the purpose of exploitation of labour pursuant to section 232 subsection (3), subsection (4) or subsection (5), section 233 subsection (3), in each case to the extent that it concerns a felony;

h)  gang theft pursuant to section 244 subsection (1), number 2, and aggravated gang theft pursuant to section 244a;

i)  aggravated robbery and robbery resulting in death pursuant to section 250 subsection (1) or subsection (2), section 251;

j)  extortion resembling robbery pursuant to section 255 and a particularly serious case of extortion pursuant to section 253 under the conditions set out in section 253 subsection (4), second sentence;

k)  commercial handling of stolen goods or gang handling of stolen goods or commercial gang handling of stolen goods pursuant to sections 260 and 260a;

l)  a particularly serious case of money laundering or concealment of unlawfully acquired assets pursuant to section 261 under the conditions set out in section 261 subsection (4), second sentence;

m)  a particularly serious case of taking and offering bribes pursuant to section 335 subsection (1) under the conditions set out in section 335 subsection (2), numbers 1 to 3;

2.  pursuant to the Asylum Procedure Act:

a)  inducing an abusive application for asylum pursuant to section 84 subsection (3);

b)  commercial or gang inducement of an abusive application for asylum pursuant to section 84a subsection (1);

3.  pursuant to the Residence Act:

a)  smuggling of aliens pursuant to section 96 subsection (2);

b)  smuggling resulting in death and commercial and gang smuggling pursuant to section 97;

4.  pursuant to the Narcotics Act:

a)  a particularly serious case of a criminal offence pursuant to section 29 subsection (1), first sentence, numbers 1, 5, 6, 10, 11 or 13, subsection (3) subject to the requirements of section 29 subsection (3), second sentence, number 1;

b)  a criminal offence pursuant to section 29a, section 30 subsection (1), numbers 1, 2, and 4, or section 30a;

5.  pursuant to the War Weapons Control Act:

a)  a criminal offence pursuant to section 19 subsection (2), or to section 20 subsection (1), in each case also in conjunction with section 21;

b)  a particularly serious case of a criminal offence pursuant to section 22a subsection (1) in conjunction with subsection (2);

6.  pursuant to the Code of Crimes against International Law:

a)  genocide pursuant to section 6;

b)  crimes against humanity pursuant to section 7;

c)  war crimes pursuant to sections 8 to 12;

7.  pursuant to the Weapons Act:

a)  a particularly serious case of a criminal offence pursuant to section 51 subsection (1) in conjunction with subsection (2);

b)  a particularly serious case of a criminal offence pursuant to section 52 subsection (1), number 1, in conjunction with subsection (5).

(3) The measure may be directed only against the accused and may be implemented only on the private premises of the accused. The measure shall be admissible on the private premises of other persons only if it can be assumed on the basis of certain facts that



(All German)


Author: Julia Schuetze


Transatlantic Cyber Forum

Policy Debates | July 27, 2017

Issue: Germany bolsters cyber security for upcoming elections

Track: Cyber Defense & Political Infrastructures



On September 24, 2017 Germany will hold its federal elections. After the cyber operations conducted against the German parliament in 2015, Democratic National Committee in 2016 and the Macron campaign in 2017, there is widespread anticipation of a similar attack aiming to influence the 2017 elections in Germany. The country has been ramping up its digital defences and resilience in the past months, also due to the fact that operations against its parties and think tanks are still ongoing. Although politicians and media have been very vocal about the cyber threat the country is facing in the upcoming elections, the attention has died down a bit over the last couple of weeks.



Since end of 2016, the executive and legislative branch have undertaken several steps to increase cyber security. The German parliament adjusted its security mechanisms to be more in line with the one that the Federal Office for Information Security (BSI)[19]runs to protect the executive branch. Additionally, the IT-commission of the parliament contracted an IT-security company to make a holistic assessment and discover flaws in the IT-infrastructure. The results[20] were encouraging but also showed that there is still a lot of work to be done. The BSI offered IT-security training to the political parties represented in the parliament in order to bolster their defences when facing an adversarial cyber operation during the time leading up to the elections.

When it comes to the electoral process, Germany has not digitized the process, which is beneficial to the overall security. The voting and counting of the votes is manual and therefore can be redone if the results shown on the state or federal level deviate from the actual count on the local level. A dedicated and secured network is used to transmit the results of the voting from state and national level. Additionally, there are several fallback mechanisms in place to submit the results of the count. The entirety of the voting process and therefore its security is being carried out under the umbrella of the Ministry of Interior. The Ministry is not only the focal point for election security but also the supervising ministry for the BSI and the domestic intelligence service. Judging from an architectural point of view, this appears to be a prudent approach.

The BSI carried out a penetration test for the Electoral Management Body (EMB) in order to find and patch vulnerabilities. The EMB also increased redundancy by tripling its IT-infrastructure and explored ways to coordinate and cooperate with BSI’s cyber defence centre, Germany’s inter-agency cyber security cooperation platform. During the election, the BSI will also have a single-point-of-contact assigned directly to the EMB to increase efficiency of response. The BSI also announced to test the security of the “Wahl-O-Mat”, a popular political/ election compass tool.

When it comes to resiliency against influence operations and fake news campaigns, there were talks among the parties, a “gentlemen’s agreement”, to not exploit any leaks or fake news stories. The media has also been asked to be extremely vigilant and responsible when picking up related stories. Germany also benefits from a non-antagonistic multi-party system. It is not known for a polarization which is as strong as the one that we have seen with the Brexit-vote as well as the American and French elections. This will contribute to the resilience.

A policy idea that might be connected to cyber operations during the elections and that has been floated in Germany for months is the hack back issue.[21] The idea is to “get back” stolen documents through hacking into a server and delete the documents there. This idea has been met with some resistance in Germany - due to the lack of a feasible approach - and therefore not been legally implemented yet.

Thus, from the technical point of view, the local level appears to be the most vulnerable. It is not part of the secured and dedicated network to transmit voting results and it holds the voter registration databases. The latter’s security has not been addressed as far as we know. The voting results (as well as the voter registrations) can be manually double-checked and – in case of the results – transmitted by alternative means. The worst that could happen would be a (slight) delay in the final count on state and federal level. When it comes to resilience against adversarial media campaigns, Germany benefits from its political structure and it is considered unlikely that even an elaborate campaign would sway the vote for more than a low single digit figure. Based on the current forecast and Germany’s political system, this would not have a severe impact.

Sidenote: The documents extracted from the German parliament in the 2015 cyber operations have yet to surface. While many expect the documents to be exploited in the 2017 elections, I personally believe that the operation’s goal was only espionage. The perpetrators wanted to learn about Germany’s stand and negotiation tactics vis-à-vis to Russia without specifically looking for compromising material.



[19]  One system called “Schadsoftware-Erkennungs-System” (translation: malware-detection-system) (SES) protects against targeted cyber attacks such as spear-phishing - the attack vector used in the Parlakom operation - and the other one called “Schadsoftware-Präventions-System” (translation: malware-prevention-system (SPS) protects internal devices from accessing malicious servers and websites.

[20]  The report itself is classified, so this assumption is based on the public knowledge derived from a German media outlet which had access to a version of this report.

[21]  We gave an overview in the Policy Debate on June 2 entitled “German government discusses “hackbacks””.




Authors: Dr. Sven Herpig und Julia Schuetze


Transatlantic Cyber Forum

Policy Debates | September 14, 2017

Issue: Germany runs pilot project on automatic facial recognition at major Berlin train station

Track: Surveillance Governance and Oversight Innovation



The German government is testing automatic facial recognition software at a large train station in Berlin. Especially in train stations in Berlin there has been a trend in expanding installation of surveillance cameras.[22] Currently, 900 train stations in Germany are monitored by 6,000 video cameras and the material is evaluated in real-time.[23] These cameras could potentially be upgraded with facial recognition technology. A cross-government project group consisting of representatives of the federal police, Ministry of the Interior (BMI), the Federal Crime Agency (BKA), and the Deutsche Bahn AG (DB AG) is testing the so-called intelligence video software. The technology allows mass collection, storage and analysis of faces and behaviors in open spaces in real time. The test is supposed to last six months. It is split in two phases: First, three different systems of facial recognition are deployed and tested using the real time video streams of the already existing surveillance cameras. Secondly, intelligent video analytics softwares are being tested aiming to analyze behavior trying to identify dangerous situations, e.g. individuals lying helplessly on the floor. With this new technique, the police argues, crimes and dangerous situations can be recognised in advance.  Thus far predictive policing is piloted in nearly all Länder (states)[24] - for example in Duisburg where the police is using algorithms to predict burglaries.[25] De Maizière, Federal Minister of the Interior, hopes that facial recognition will increase security dramatically. After the six months testing period, he wants to test if this technology can be used all over Germany on top of the existing video surveillance. The pilot project is tested with 275 volunteers that the police recruited over the last weeks at the train station, by handing out vouchers as a compensation for participants.



The pilot project has been criticized for two main reasons: Firstly, the setup of the test phase and secondly, the overall legal and political question of introducing facial recognition software for surveillance cameras in public places in Germany. With regard to the pilot project the Federal Officer for Data Protection (Bundesdatenschutzbeauftragte) said that it is problematic that trial persons were not advised about the use of their personal data in a proper way. This critique is based on the findings of the NGO Digital Courage which has found that the transponder that the test persons have to wear catch more data than originally announced, such as movement of the person. Furthermore, the project implementation and evaluation is criticised as it does not use good empirical methods which would create a strong judgement about the success of the pilot project missing relevant criteria. More criticism came from the  German Association of Lawyers which agreed with the data protection concerns and ultimately said that the pilot project would be unconstitutionally unsound because there was no broad societal discussion beforehand. They argue that using facial recognition via surveillance cameras is a significant reevaluation of constitutionally set personal rights. Further, they argue that before a democratic and free society chooses to go down this path, they need to know about the technical details - but they are not clear. The FDP wants to stop the trial and regards facial recognition technology also as unconstitutional. Same as die Grüne (the Green Party) and die Linke (the Left Party) which oppose the trial, whereas the current CDU coalition partner, the SPD is not against stopping the trial but evaluating the data protection concerns.  



Testing such technology is a big step in Germany where security cameras without facial recognition are contested and not as widely used as for example in the US or the UK, although there is a trend to install them on more public places such as train stations. Having went to the Südkreuz train station I must agree that the area which is marked as the testing ground is not clearly marked . If one is well informed, you would see the signs which define via which doors one would have to walk to be not caught by the cameras. Nevertheless, you would not be able to go to the supermarket in the train station without crossing the testing area. Due to the lack of information about technical details, it is also unclear how the government and company is safeguarding all the information they are using as well as the kind of algorithms applied. The use of AI in connection with privacy is a hot topic in germany as the recent study  which claims to have found that AI can identify the sexual preference of people is highly criticized in Germany. This pilot project is implemented in the midst of of Germany's federal election campaign and looks like an election stunt for the CDU and its public security focused election campaign. The topic will however stay in focus after the elections when a coalition is formed.



[22] 1000 new cameras were installed in 2015 just in berlin underground stations





More references


Author: Julia Schuetze



Transatlantic Cyber Forum

Policy Debates | October 27, 2017

Issue: German coalition talks and possible implications for security and privacy policies

Track: Encryption Policy and Government Hacking, Cyber Defense and Political IT-Infrastructures and Surveillance Governance and Oversight Innovation




German election 2017

The federal elections in Germany on September 24th had far reaching consequences for the political landscape in Germany with a voter turnout of 76.2%, the strongest mandate since 2005. First and foremost, they have ended the legislative term of the grand coalition of social democrats (SPD) and conservatives (CDU/CSU) with severe losses for all established parties and a strong increase for the right-wing party Alternative für Deutschland (AfD). It became the third-strongest party during its first national election participation.

The SPD had their worst election result in the history of the party which was 20.5%. This continued the downward trend from what was seen in the last federal elections in 2013. As a result, the SPD declared immediately that they would go into the opposition where they will be the strongest opposition party in the parliament. This step has gained wide approval among the public as the SPD was increasingly overshadowed by its previous coalition with the CDU/CSU.

The CDU and CSU both suffered considerable losses as well. For the CDU, with 26.8% (-7.3%), the results have intensified internal divisions within the party about the future strategic orientation of the party. The results have also internally weakened Merkel’s moderate-leftist stance with the CSU suffering high losses in their home state of Bavaria (-10,5%).

The AfD has successfully mobilized non-voters and protest voters from other parties. Their overwhelming electoral support of 12.6% (+7.9%) has shaken German establishment parties with the consequences remaining to be seen. A recent study conducted by the SNV has shown that AfD voters are less inclined to trust traditional media than most other Germans. For 16% of AfD voters social media was the most important source of information about the election – as compared to 6% for Germans overall.

The leftist party DIE LINKE has gained a small amount of support overall with 9.2% (+0.6%), but has lost considerable support in the traditional strongholds of Eastern Germany to the AfD.

The liberal party (FDP) and the Greens (Die Grünen) have also seen an increase of support during the federal elections. The FDP has focused on digitization, education and migration topics in their election campaign and have almost doubled their previous result to up to 10.7% (+5.9%). The Greens saw a marginal increase of support 8.9% (+0.5%) with a focus on environmental, educational issues as well as civil rights and liberties.




The election results have paved the way for a so-called “Jamaica coalition”[29] for which exploratory talks between the CDU/CSU, the Greens and the FDP are currently ongoing. These complicated coalition talks are expected to be completed by January 2018. If the coalition talks fail, then there are only two options: another grand coalition between the CDU/CSU and the SPD or re-elections. Re-elections appear unlikely as the established parties would probably lose even more support. Moreover, as the SPD immediately announced that they would not be available for coalition talks, a Jamaica coalition appears most probable. This would be the first time that three - or in fact four parties (considering the sister parties CDU/CSU) - would form a government. Difficult coalition talks are expected regarding the topics of migration, finances and security - including cyber security.



Digital narratives

Overall, all four parties demand a strengthening of the institutional framework of tech policy but in different forms. The FDP have attracted attention with their call for a “Ministry of Digital Affairs” which of course they are eyeing to claim as their ministry, while the CDU/CSU proposed in their electoral program a new digitization secretary of state in the Chancellery as they would be heading it. The Greens instead advocate for a greater independency of the German Federal Office for Information Security (BSI) - which is currently under the Ministry of Interior - and clearly condemn offensive cyber operations including hack backs.


Legislative branch

Overall, from their electoral program it is likely to expect that the Greens and the FDP will strike a balance with the national security and surveillance focus of the CDU/CSU. The SPD had been supportive of such proposals during the last legislature with only small opposition parties in the parliament as a counterbalance. This allowed the past grand coalition to push through controversial legislation e.g. the extended use of the state trojan which the Liberals and Greens strongly oppose. SPD will likely be the main opposition party and therefore most probably not support CDU/CSU proposed legislation on those topics even though it had done so in the past. With a Jamaica-coalition, digitally liberal parties (FDP and Greens) will be in power and are likely to advocate for continued legislative focus on tech policy issues like net neutrality, IT security and data privacy. For the FDP, and to a certain degree also for the Greens - to maintain support among its constituents it must make legislative momentum on these tech policy issues. Moreover, the CDU/CSU depends on the FDP and the Greens for legislative wins which gives the FDP and the Greens considerable leverage on legislative direction.


Executive branch

Many decisions about policy directions will depend on the division of the ministries between the parties.

Due to internal divisions between the CDU (traditionally seen as the more moderate element of the two sister parties) and the CSU; the CSU will try to get concessions from its bigger sister party. This could be in the form of claiming the Ministry of Interior - a big bargaining chip for the CDU and likely the only concession that the FDP and Greens would accept. At the same time, given the migration focus of the CSU, this could allow for greater flexibility when it comes to IT security and data protection initiatives of the FDP and the Greens.

The FDP proposal of a Ministry of Digital Affairs would imply the creation of a solely, independent ministry and consolidate responsibilities from most of the other ministries. Due to this being such a drastic change, it is unlikely that it would occur. Rather, the position of a digitization state secretary is more politically feasible as its role would be strictly coordinating activities across existing ministries. The CDU’s suggested allocation to the Chancellery might be another bargaining chip to the respective party. There is for example a high level multi-stakeholder coordination body for cyber security, the Federal Cyber Security Council (Cyber-SR), with the secretariat based within the Ministry of Interior.



In conclusion, the new coalition should give pause for optimism as there is a growing number of politicians (potentially in power) that are aware of and knowledgeable about current technological debates and developments - especially regarding IT security and data protection. Concerning the AfD it remains unclear what stance the party is going to take on tech policy issues and how productive the party’s work will be.

Right now, pretty much everything is still in political limbo -- the most important strategic document will be the coalition treaty which is expected to be finalized by January 2018. Once the coalition has been formed and agreed on the joint document, another policy debate is going to analyse its content and possible implications.



[29] This refers to the colors of the coalition parties which match the Jamaican flag.

[30] This policy debate is to serve as a starting point for what the recent federal elections would mean for German tech policy. This examination is based on existing party platforms and the conclusions drawn from them might bear of speculative nature.



Authors: Dr. Sven Herpig und Tabea Breternitz


Transatlantic Cyber Forum

Policy Debates | November 22, 2017

Issue: German coalition talks collapse

Track: Encryption Policy and Government Hacking, Cyber Defense and Political IT-Infrastructures and Surveillance Governance and Oversight Innovation




In the October 27th policy debate, we outlined the results of Germany's September elections and what the possible coalition talks may have on cyber security and privacy policies. Unfortunately, the coalition talks ended rather abruptly earlier this week. The four involved parties were not able to agree on several issues and the Liberal party (FDP) therefore put an unilateral end to the negotiations - for now.

These recent events have underlined an uncommon characteristic of the German political system: the coalition treaty. If parties want to form a governing coalition after the elections they must first come up with a coalition “treaty”. Though, there is no legal requirement for such a treaty and it is not binding, it is common practice for the coalition parties to agree upon one. The treaty outlines the political agenda of issues to be debated and passed in parliament over the duration of the legislature. It is difficult to put a topic of debate on the agenda during those four years which is not in the treaty. Similarly, there is a lot of public and political pressure on the parties if they do not tackle any of the previously agreed topics in the agenda. Topics vary but cover a vast field of policies ranging from environmental protection to migration and public security as well as, the more recent debate on the effects of digitalization. Moreover, many of the parties must pass the final treaty internally - and if the base of one involved party does not approve the treaty, that means back to the drawing board for all the involved parties. Since the September election, the parties were not able to come up with a coalition treaty that all of them agree on and further still it was rejected before the party bases even got the chance to vote on it.


Our Take

Topics such as government hacking, vulnerability management and intelligence oversight made it in the final draft of the coalition treaty as already predicted in the last policy debate. Additionally, the ongoing coalition talks as well as the recent publication of the VEP charter led to an intense discussion about Germany's lack of a vulnerability management process.

From a general political perspective, there are four options for the coalition talks going forward. First, the public and political pressure will force the four parties back to the negotiation table. Second, the second strongest party, the social democrats (SPD), will revoke their strong stand against forming a coalition again with Angela Merkel's conservative party (CDU and CSU) and enter coalition talks. The third option is for the CDU and the Green party to form a minority government. And the last option is reelections. Reelections will probably not lead to a significantly different outcome - CDU/CSU pairing up with two smaller parties or the two major parties, SPD and CDU/CSU, forming a coalition. A minority government is (almost) unheard of in the German political setting, and both the FDP and the SPD have reiterated not wanting to enter coalition talks (again) - there is no confident take on what is going to happen.

What is important to keep in mind though is that the German administration still functions. The day-to-day business of governing continues as usual and the minister heads are still in office albeit limited in what new initiatives they can start. Thus, operational stability is not an issue.



Even though it is unclear where Germany is heading right now, this should not give cause for alarm. First off, the administration still functions. Second, and more importantly, it is apparent that all the issues that the TCF is working on are relevant to the current political landscape - and not only that - they are valued important enough to be codified in the coalition treaty. As to the reasons why the coalition talks failed, it is publicly known that migration and environment policy were the show stoppers - not cyber security and privacy policy.

Therefore, we expect to see the TCF topics being reflected in the next round of talks as well - regardless of what party is involved.




Authors: Dr. Sven Herpig und Julia Schuetze


Transatlantic Cyber Forum

Policy Debates | December 7, 2017

Issue: German Ministry demands workarounds for digital security mechanisms

Track: Encryption Policy & Government Hacking and Intelligence Governance & Oversight Innovation




On November 30th, Germany's Federal Minister of the Interior Thomas de Maizière (CDU) was reported to be drafting a proposal that would legally mandate third party entities to allow for secret surveillance. Maizière recommended this policy in response to how increasingly difficult it is for security services to overcome security systems without alerting a suspect of an investigation.  As an example, he cited that alarms for cars today have become so sophisticated that the owners are sent electronic notification at the slightest hint of tampering. The policy also signaled to industry that the state should receive exclusive access rights to Internet connected devices such as smart home appliances. Lastly, there was specific mention of “kill switches” where the government would retain the right to turn off private citizens computers if it were discovered that such devices were a part of a Botnet. This would be seen as a pre-emptive strategy by the government to stop criminals from the spreading infected programs. The report of such a policy prompted a swift backlash from activists, industry and politicians alike who are concerned about the digital and physical effects of such policies.


Our Take

It is important to keep in mind that the coalition government for Germany has yet to be formed. As such, the government will not pass any laws or amendments unless they are considered extremely urgent. Additionally, if we take the historical long view, the Ministry of Interior has held firm on its no-backdoor, no-encryption-regulation policy since 1999. Maizière's policy proposal then would be a major shift away from how the Germany government traditionally approaches the issue of backdoors. What is more likely, is that the proposal is not a major shift in policy but rather a targeted one seeking specific goals. For example, in the case of the suspect with the car, the government would mandate the intermediary that is forwarding tampering alert text messages to not deliver the alert to the suspect. This would then allow the security services time to plant a surveillance device which would have had to been approved by a respective judicial authority. Similarly, it the same process would be required for smart home devices. Any notion that the proposal seeks backdoor access to, for example switch on microphones of smart TVs, was firmly rejected by the Ministry of Interior when questioned by reporters. Furthermore, ISPs have already been authorized to apply a "walled garden" approach to computers of their users which are infected by a botnet until they are disinfected. Legislative basis covering this has been passed in 2015 as part of the IT-security law. According to a statement from the Ministry issued after the first report, "kill switches" were never up for debate. Lastly, the policy proposal does underline that a precondition for all measures including surveillance activities would need judicial approval.



Like many governments, Germany is trying to develop policy that keeps pace with technological change while addressing (traditional) surveillance in responsible ways. Currently, the political atmosphere is one where little change will occur across all ministries as coalition talks progress. It is unlikely that the Ministry of Interior seeks to implement backdoors but rather looks for ways to require manufacturers and service providers of digital security systems to support law enforcement operations in any way they can short of implementing backdoors.




Authors: Dr. Sven Herpig


Transatlantic Cyber Forum

Policy Debates | April 6, 2018

Issue: Coalition agreement of the new German Government

Track: All TCF tracks




In February, after five months of coalition talks among different parties in Germany,  Merkel’s party the Christian Democrats (CDU), the Social Democrats (SPD) and the Christian Social Union (CSU) agreed on a coalition agreement and consequently formed the new government in Germany. The coalition agreement which determines the goals and viewpoints of the government coalition affects also the topics the Transatlantic Cyber Forum deals with. Issues that are not mentioned in the coalition agreement are not impossible but difficult to put on the government’s agenda. Likewise, goals in the agreement will be tackled during the governing period as they serve as indicator for the government’s success during its legislation period. We have summarised the main points of the coalition agreement and shortly present our take on the goals of the government.


Encryption Policy

The coalition agreement emphasises its support for the use of encryption. It aims to make encryption available for everyone and supports the communication of standards, such as PGP[31] and SMIME.

Our Take: This is consistent with the German government’s general notion about becoming encryption country number 1. This follows the government’s take since 1999 not to weaken encryption or mandate backdoors. However, for this government strong encryption goes hand in hand with government hacking, enabling law enforcement agencies to tackle the perceived “going dark” challenge.


Government Hacking & Vulnerability Governance

Despite its support for encryption, the coalition agreement states clearly that this must not in any way hinder law enforcement to do their work. Police is supposed to have the same means for investigation as it has offline. The parties argue that there should be no difference if a suspect is using traditional communication or encrypted online communication. Government hacking as a means to enable this, is not explicitly mentioned. The agreement also discusses the problem of using the retrieved digital evidence. Specifically, the German government wants to take the European route and focus on the EU cyber initiative “Justice in Cyberspace/E-Evidence” about handling digital evidence with the purpose of balancing privacy, the right of providers and companies with the general values of an open and free online community. In this context, the concept of “data ownership” that the CDU has introduced last term and is controversially discussed, comes into play again.

Vulnerability management is only discussed in the context of businesses but not as a form of government vulnerability disclosure. The parties state in the agreement that companies and providers have to make vulnerabilities public when they know them and fix them as soon as possible.

Our Take: The statements let us believe that we will have a continuation in government hacking legislation. The argument around law enforcement stayed the same and if any, manifest or may expand the support for government hacking even though the term is not explicitly mentioned. Vulnerabilities are seen more in the context of a threat to consumer rights. It makes no mention about a relation to government hacking - and hackbacks - and the need for government also to disclose known vulnerabilities. However, that vulnerabilities are even recognized and mentioned is a step further and could smooth the work for a government vulnerability disclosure process which we have confirmed is in the works at the Federal Ministry of the Interior, Building and Community.[32] 


Liability and Responsibility

The importance of consumer protection online is emphasised. Two goals are the creation of clear liability rules that will be set in place and research to test how certain cyber security insurance models could work. Here the government aims to balance the responsibility of all involved stakeholders, such as companies, consumers etc.

Our Take: This topic has been debated intensely in the past few years without coming to a conclusion so far. Therefore, it makes sense to include it in the agreement to further the discussion leading to concrete results.


Cyber Defense

In the area of cyber defense, the German government aims to discuss ways of defending and preventing cyber attacks better. In the agreement, soft means, such as the creation of better defense sensibilisation is supposed to be achieved for all stakeholders and intensified for specific target groups. Moreover, the government wants to modernize education and training to include digital and cybersecurity skills. It has also put emphasis on defending and preventing attacks against the critical infrastructure and aims to explore means to do that.

Our Take: Here we can see at best an intensification of the sensibilisation measures which goes hand in hand with the cybersecurity strategy goals of 2016. Interesting is however, that it is vaguely stated that the government wants to explore means to defend and prevent. In earlier versions of the agreement, government hackbacks were a clear option - this is now watered down but not off the table as recent discussions show.[33]


Cybersecurity Organizational Architecture & IT Security Standards

The government proposes several organisational changes in the context of cybersecurity. One is a national cyber security pact which aims to bring together all important stakeholders (manufacturer, provider and user as well as the public administration). Furthermore, an update to the IT legislation is supposed to make the Federal Agency for Information Security (BSI) more neutral and independent ultimately making it the central agency for cyber security. The BSI would take up a broader advising role for state and federal administration, gain further responsibility for consumer protection. Here it will become the central agency for certification and standards such as giving out seals of quality (“Gütesiegel”) for IT products which would show how long the provider has to give updates for hard- and software. The IT security legislation will be expanded to reflect the greater role of the BSI. This also goes along with the emphasis to create products that abide by security by design.

The Federal Ministry for Defense and the Federal Ministry of the Interior, Building and Community will establish an agency with the task to research disruptive innovations in cybersecurity and key technologies as well as an IT security fund for security relevant key technologies.

Last but not least, the government created the position of State Minister for Digitalisation in the chancellery. Dorothee Bär (CSU) was appointed, with the purpose of  coordinating the efforts of different ministries (e.g. transport & infrastructure, interior, economy). She is the former state secretary for digital infrastructure in the Federal Ministry of Transport where she focused on support of digital education, computer games.

Our take: We have been supporting the efforts to strengthen the BSI.[34] It is an improvement,even though it will still be under the umbrella of the Ministry of Interior, Building and Community which also houses the research agency that explores means for government hacking (ZITiS)[35], as well as the domestic intelligence agency (BfV) and the Federal Office for Criminal Investigations (BKA).

The new State Minister for Digitalisation has more of a symbolic power as the German government seems to have recognized that digital policy is interconnected and spans across all ministries and that a coherent strategy may be a good way to move forward. Ms. Bär does not have a strong record of experience when it comes to cybersecurity, so we have to wait and see which direction she will take on the subject. So far, she has been outspoken against data retention[36] and the infamous network enforcement law[37] but on the other hand regards data protection as an unnecessary barrier for digitisation.[38] She does not have a large group of employees to assist her but relies on the employees and political will of the Ministers of the relevant ministries.


E-governance and Security

In a short sentence it is mentioned that the government aims to introduce a form of online administration which makes communication with the government easier. Furthermore, it is proposed to use a form of electronic ID to authentify citizen for these services.

Our Take: As of now, the security aspects are not talked about. The statements argue for usability and easy access. Here it will be interesting to what extent the security of design concept which is mentioned in other parts and expected by private sector products is implemented and who would support the implementation as the German government lacks sufficient IT security personal. Additionally, Germany already has an existing electronic ID which has failed to become mainstream as citizens will be asked to choose whether they would like to have it activated on their national ID or not. Marketing and use cases of the ID have been bad in the past which led to a low adoption rate.


Law Enforcement Power

The Federal Agency for Criminal Investigations is supposed to increase its workforce and is going to be expanded as the central hub for police-relevant-data. Moreover, the government wants to implement an investment fund for the IT of German police forces. In the area of criminal investigation the data transfer between justice and police is supposed to be improved. In this context, the German government wants to create a basis for sharing data that is relevant for criminal investigations among EU countries. Closing holes in the prosecution of people who are found guilty for criminal activity online or spreading illegal online content are aimed to be closed.

Our Take: Increasing the police’s workforce seems like a prudent move but it is unclear if there will be sufficient adequate applicants for those positions. In the past, this has proven quite challenging. Data sharing has lately been further on the EU level as well and seems - for Germany - also to be response to the 2016 terrorist attack in Berlin.


Foreign Policy and Cybersecurity

The German government states that it aims to protect key technologies from sale or acquisition which would in any way limit the use of certain important technologies. In order to do that, the German government wants to add the relevant national and European regulatory means to enable this. The digitalisation of the armed forces (Bundeswehr) is supported and continues.

Our Take: Protecting the crown jewels of German tech has been discussed for quite some time under the term “technological sovereignty” without yielding any meaningful results other than the hotly disputed “no spy agreement”[39]. Apart from the Snowden revelations, one reason was BlackBerry’s acquisition of Secusmart. Secusmart developed a hardened smartphone for the German government which is being used by for unclassified and lowly classified communication.

The university of the German armed forces has gained professorships in the area of cybersecurity and the reserve personal is supposed to be engaged more closely in the area of cybersecurity in form of a cyber community that includes civil and military personal. They too however have problems to find suitable personal. The question here is to what extent an expansion in cyber capabilities is useful, if it cannot be used to defend civilian infrastructure as the Bundeswehr is strictly separated.


Conclusion: Overall, we see a continuation of the last term of the grand coalition and a great focus on inner security and expanded cyber powers for law enforcement which is not necessarily good for cybersecurity. The emphasis on citizen’s rights is strong only in the context of consumer protection. We can expect to have the government hackback discussion appear again. Almost all of the positive developments we identified during the prior coalition talks[40] between the Liberals, Greens and Social Democrats - the only party of those three which is now in power - cannot be found in this coalition agreement.



[31] In the past, Germany’s national cyber security agency has even provided funding for the further development of PGP4Win.

[32] The Federal Ministry of the Interior has been expanded and renamed in “... of the Interior, Building and Community”.

[33] Soll der Bundes jetzt zurückschlagen?

[34] Our political positioning for the post-election period 2017/2018:

[35] See our Policy Debate “Official Announcement about the Central Authority for Information Technology in the Security Domain”, January 31, 2017.





[40]  See Policy Debate “German coalition talks collapse”, November 22, 2017




Authors: Dr. Sven Herpig und Julia Schuetze


Transatlantic Cyber Forum

Policy Debates | June 8, 2018

Issue: "German Vulnerabilities Equities Process"

Track: "Encryption Policy & Government Hacking"



In September 2017, Germany's Federal Ministry of the Interior, Building and Community first announced that it was considering developing a Vulnerabilities Equities Process (VEP) for Germany. This followed inter alia increasing public pressure to address the issue of vulnerability handling after the government took several steps towards a more offensive stance in cyberspace, including extending a legal mandate for government hacking, consolidating its military cyber forces, and creating a centralized agency for procuring hacking tools and vulnerabilities. Moreover, there have been extensive and ongoing discussions about active cyber defense -- so-called hack backs (see past TCF policy debates).

During a public panel discussion on June 6th, the Head of the newly created Department for IT- and Cyber Security at the Federal Ministry of the Interior, Building and Community, shared first insights into government plans regarding a "German VEP”. The government representative officially described the discussion on the panel as a first step in this debate, which should be ongoing and continue to include different stakeholders, as solutions to different facets of the problem need to include expertise and experience from all sectors. The Federal Ministry of the Interior, Building and Community extended an invitation for further discussion to other stakeholders in order to assist the Ministry’s work in developing a German Vulnerability Equities Process through public debate and possibly other means.

The government representative also said that his Ministry is currently not retaining any zero-day vulnerabilities. Asked whether that was also true for the Federal Ministry of Defense and the Foreign Intelligence Agency (BND) he said that he could only speak on behalf of the Federal Ministry of the Interior, Building and Community.

The Stiftung Neue Verantwortung (SNV) and Germany's Federal Academy for Security Policy organized this panel. The government representative was joined on stage by Ari Schwartz (Venable LLP), Lucie Krahulcova (AccessNow), and moderator Sven Herpig (SNV), all of whom are experts contributing to the Transatlantic Cyber Forum.

Our Take

The Transatlantic Cyber Forum has advocated for a public debate about this issue in Germany since last year. It managed to get the Federal Ministry of the Interior, Building and Community interested in this debate. The Ministry has expressed strong interest in the work that the TCF has done on the VEP; this is a valuable opportunity for the TCF to have a direct impact on the VEP policy-drafting process in Germany.


Authors: Dr. Sven Herpig und Julia Schuetze

Transatlantic Cyber Forum

Policy Debates | August 9, 2018

Issue: Active Cyber Defense in Germany

Tracks: "Encryption Policy & Government Hacking" and “Cyber Defense & Political IT Infrastructures”



Since 2015 when threat actors penetrated the IT systems of the German Parliament, security and intelligence agencies in Germany have been pushing for a legal framework enabling them to conduct active cyber defense. Since then, technical and (international) legal experts as well as civil society and private sector representatives have been pushing back against this idea.

For the last twelve months, this issue has been rather dormant due to unusually prolonged coalition talks after the federal elections last year, which prohibited the formation of a government. While the new coalition treaty - the jointly agreed document specifying policy priorities of the governing parties - does not explicitly state active cyber defense as a goal, representatives of security and intelligence agencies are making their rounds to convince policy-makers and the public of the need to strike back in cyberspace. Draft concepts discussing specific measures which should be part of an active cyber defense legislation are currently drawn up in the respective agencies.


Our Take

Due to also somewhat counterproductive public and political debates referring to all kinds of different definitions and measures without finding any common ground, we saw the need to talk to representatives from the respective ministries as well as security and intelligence agencies and create the first comprehensive overview of suggested activities under the umbrella of “hackbacks”/ active cyber defense for Germany.

Suggested activities range from requesting virtual images of compromised servers from Internet Service Providers and web hosters, to hacking domestic and foreign IT systems, and even conducting Distributed-Denial-of-Service attacks to disrupt attackers’ infrastructures.

The German debate is entirely focused on the civilian agencies in the public sector with the intelligence agencies currently being thought of as bodies for implementation.  

Distinct from this, the new cyber division of the armed forces is legally allowed to conduct offensive cyber operations, following conventional and existing procedures: parliamentary approval and state of defense.

It is not yet fully clear how the government is going to approach the legislation that aims to govern active cyber defense in the civilian sphere. It is likely that a comprehensive change to the current legislative framework enabling said activities would require a two-thirds majority in parliament. The ruling parties CDU/CSU and SPD do not have this kind of majority. Additionally, a good number of members from the SPD seem to not support this issue. We therefore expect (most) active cyber defense provisions to be injected in the planned legislation for protecting critical infrastructures -- the second version of the IT security law -- which we will likely see next year.




Author: Dr. Sven Herpig



Transatlantic Cyber Forum

Policy Debates | September 3, 2018

Issue: “German DARPA” to be established

Track: All TCF tracks


Inspired by DARPA and its Israeli counterpart, the German Ministers of Defense and Interior announced on August 29 the setup of a new “cyber agency”. This new agency will be tasked with identifying and funding cutting-edge research of offensive and defensive cyber technologies for both civil and military purposes. Compared to existing programs it is explicitly asked to fund high-risk high-potential “disruptive” German research endeavours in their early stages even though many of them might fail to lead to any breakthrough or final product. Although the funding has not yet been approved by the government, the Ministries foresee a budget of around 200 million Euros (~234 million USD) over the course of the next 5 years with 80% of it to be spent on research funding. The funding is supposed to be increased later on. The two main arguments for establishing such an agency were: less bureaucracy and more high-risk funding to catch up with the digitization and making Germany more secure.

Our Take

The new government has only formed a couple of months ago and the first major initiative after the summer break has to do with cyber security. That is good news and signals what priority this issue takes on the political agenda. Furthermore, Germany is willing to acknowledge that it has fallen far behind other countries when it comes to digitalization and especially to an extent with cyber security research.

Unfortunately, that is where the good news end. From the information available it is unclear why the already existing German institutions that are funding (cyber security) research should not receive additional financial resources and be enabled to engage with more risky research projects. There are already the Ministry of Research and Education, the Cyber Innovation Hub of the Army, the Federal Office for Information Security and the only recently established Central Authority for Information Technology in the Security Domain. In addition to giving the funding to those already existing agencies and allowing them to undertake more risky research endeavours, the establishment of a coordinating body would have probably been more efficient than an entirely new agency, because setting up an agency creates additional bureaucracy (e.g. administration) and does not reduce it.

Another issue is how this “German-only” funding for cyber security research projects will be perceived on the EU-level. After all, the security field of the 80 billion Euros EU research programme Horizon 2020 is funding similar projects already.

Germany acknowledging and being willing to do more to advance German cyber security research is definitely a good thing. Whether this particular approach is fit to do just that remains to be seen. When competing with the likes of the United States, China and Israel, a consolidated EU approach seems much more promising.


Author: Dr. Sven Herpig


Transatlantic Cyber Forum

Policy Debates | January 10, 2019

Issue: “Germany's cybersecurity policy 2019 – what to expect"

Track: All TCF tracks


Issue: Developments of the cybersecurity architecture

1. Expansion of cybersecurity research institutions, such as the Agency for Innovation in Cybersecurity and other cybersecurity research hubs

In order to protect Germany from future cyber attacks and to ensure that the country will be a leading innovative force in the field of international cybersecurity, the German cabinet agreed on launching an "Agency for Innovation in Cybersecurity" in 2018, led by the Federal Ministry of Defence (BMVg) and the Federal Ministry of the Interior (BMI). This agency’s work will kick off in 2019 with a  an investment of €200 million over the next 5 years. Research projects will focus on cybersecurity technologies protecting national as well as international security with a special emphasis on radical and highly innovative approaches. Comparable to the Defense Advanced Research Projects Agency (DARPA) in the US, the agency will also help Germany to become more independent and develop its own key technologies in the field of cybersecurity. The German government also continues to fund three main cybersecurity research hubs, KASTEL in Karlsruhe (The Competence Center for Applied Security Technology initiated by the Federal Ministry of Education and Research (BMBF)), CISPA in Saarbrücken which becomes the new Helmholtz-Zentrum for Information Security and CRISP in Darmstadt, the new National Research Centre for Applied Cybersecurity. The main research topics that the government is looking to fund are IT concepts for Industry 4.0 and applied scenarios for post-quantum-cryptography.

Our take:

The US budget for DARPA is roughly 0.017 % of the country's GDP as compared to Germany which plans to spend roughly 0.00127% of its GDP on the newly founded cyber security research agency. In that regard, the US spends 13 times as much money on it compared to Germany. So it remains to be seen what Germany’s research agency can actually achieve. Its effectiveness would depend on its research focus which is not yet publicly known. Close cooperation on research topics across the Atlantic would be beneficial as well. A good development is the support of research hubs and universities that have developed at state level. They receive more and more national and international recognition and funding. The expertise emerging from those hubs should be monitored globally.



2. Expansion of the Federal Office for Information Security (BSI) and Cyber Defense Center

Firstly, in light of growing threats through cyber attacks, and due to a new mandate that was set in the coalition agreement of the governing parties CDU and SPD, the German Federal Office for Information Security (BSI) will cooperate more closely with the federal states. The BSI will offer its support and advice to the federal states on techniques to set standards and build structures in order to achieve a high level of cyber security state-wide. Depending on the state, this can take different routes and the cooperation is defined in individual agreements with the states. Some model partnerships with Hessen and Rheinland-Pfalz were already initiated in 2017, as well as in 2018 with Lower Saxony, North Rhine-Westphalia, Berlin, the Saarland, Baden-Württemberg, Saxony and Thuringia. It can mean, for example, that the BSI, based in Bonn, will create local offices across Germany to assist states in their cybersecurity efforts and actually provide on-site staff support. In other partnerships, the support looks more like a close coordination and information sharing effort. In early 2018, Bavaria was the first of the German federal states to invest in its own cybersecurity agency separate from the BSI, the Landesamt für Sicherheit der Informationstechnik (LSI). The BSI plans to share its know-how and best-practices and work closely with them but would not necessarily open an office in Bavaria.  

Secondly, the coalition agreement imagined an expansion of the cyber defense center, a platform hosted by the BSI in which all relevant cyber experts from different government agencies meet and coordinate when a cyber attack occurs. Currently this is an information-sharing hub. This year it will be discussed to what extent the hub become a more operationalized unit and further include representatives from federal states and the private sector. It is unclear if BSI will continue to host this newly formed Cyber Defense Center Plus. Operationalization may include the creation of a joint threat landscape which is currently still left to the individual ressorts.

Our take:

This is an interesting development and an attempt to bring cybersecurity expertise and cyber readiness on the state level. The approach that the BSI is setting up offices in states that need more support than others, is useful. It strengthens the agency overall. That some states create their own agency is normal in federalism and thus far not problematic if they are working closely with the BSI together. It will however raise the competition for a skillful workforce. States should really start educating their own staff.

The changes to the cyber defense center are still discussed mostly behind closed doors.  



Issue: Recent Policy Developments

1. Cybersecurity seen as a cross-cutting issue in new digital strategy

The German Federal Government recently launched its so-called “Digital Strategy” that results in a an implementation strategy based on a five-point plan covering areas, such as digital skills, infrastructure and equipment, innovation and digital transformation, society in digital change, and modern state. The content of the strategy was developed over the past year with all cabinet members. Now the focus lies on the strategic implementation. For this the government has put forth some very specific indicators and some not so specific indicators to measure the success of the strategy. It will be constantly updated and reviewed, which can be tracked on the website digital-made-in-de. Cybersecurity is seen as a cross-cutting issue. Its success indicators range from “acknowledging cybersecurity in every action of the digital implementation strategy” to the more concrete step of funding more secure IT in hospitals through a ‘hospital infrastructure fund’.

Our take:

The implementation plan of the digital strategy is basically a more transparent document that outlines specific activities that are being done by different ministries and aims to achieve holistic governance despite clear separation of government departments. There were no surprises when the plan was published. Nevertheless, it is positive that cybersecurity is seen as an important issue that spans across all policy fields and actions. However, we would have expected a more specific idea of how this looks in an implementation plan.



2. The rise of e-government as a challenge, and reason for broader cybersecurity efforts

All German government services will be available online by the end of 2022. Achieving this goal is a focal point of the digital implementation strategy and an ambitious goal for the upcoming years. It comes with two major challenges: cybersecurity and federalism. “Federal, state and municipal officials so far only know who will be responsible for 347 of the 575 administrative services destined for online. It only means they know which state or city will develop the application so everybody can use it” (Heide, 2018, in Handelsblatt). In order to ensure that this transition will run smoothly, the concern of the security of information is a focal point. Until 2021 the government wants to offer digital health records but data protection and data security experts as well as consumers and patients associations are sceptical about the security.  

Our take:

Cybersecurity in Germany becomes a prerequisite for those services to be adopted but also a reason to expand the portfolio of cyber attack responses. As State Secretary and Federal CIO at the Ministry of Interior Klaus Vitt noted the new threat landscape demands the expansion of responses, e.g. active cyber defense (see below) and the Cyber Defense Center (as was discussed before). Moreover, the challenge is also that the cybersecurity agency, BSI, has only limited legislative allowance to demand standards or assist state level authorities with cybersecurity. We may  therefore see a discussion on whether legislative action is needed that may change the current cybersecurity architecture, so that the BSI gains more authority on state level to fulfill their tasks. This needs to be discussed among federal and state representatives.



3. Active Cyber Defense

The topic of this year's annual conference of the Federal Criminal Police Office (BKA Herbsttagung 2018), which took place from Nov 21 - 23, was "Security in an Open and Digital Society". The president of the BKA, Holger Münch, announced that a new cyber crime department will be founded and the issue of active cyber defense was addressed. Not only the Federal Criminal Police Office demands a discussion on the need for active cyber defense. Horst Seehofer, German Interior Minister, supported the idea of active cyber defense during the Nuremberg Digital Summit, saying that it should exist as an option of last resort and also his State Secretary and CIO Vitt mentioned that a discussion on the issue is needed. So far, active cyber defense - or a so called hack-back - is lacking a legal base in Germany. A legal analysis by the research and legal until of the Parliament was made public and concluded that there are several issues concerning the legality of active defense when it comes to international law.  

Our take:

Active Cyber Defense has been debated more openly since the 2015 hacking of the German parliament. Currently, there is no legal basis for active cyber defense apart from a military cyber response when invoking self-defense or as part of a parliament approved military mission. Unfortunately, the public discussion has not evolved much in the past few years with hardliners on both sides spouting populist pseudo-arguments. We have drafted and published an overview of possible active cyber defense measures and consulted government officials and members of parliament on the issue. We expect to see concrete legislative action in Q1/Q2. While it will likely take constitutional changes (requiring a two third majority in parliament) to fully implement the active cyber defense requirements of the government, the opposition and possibly even one of the ruling parties are not expected to support the amendments. Therefore, we might see an active cyber defense bill light which doesn’t touch constitutional provisions or alternatively any changes buried deep in the new cyber security law which is supposed to be passed in Q2/Q3 this year.



4. AI & Cyber Security

In the German government, the use of AI in cybersecurity is mainly discussed from the angle of using AI to secure systems better or detect cyber threats. A team of the German Federal Office for Information Security (BSI) participated in the annual CHES (Conference on Cryptographic Hardware and Embedded Systems) Challenge and won. The BSI uses technologies of artificial intelligence and machine learning to set and further develop national and international cyber security standards. For the CHES Challenge 2018, the participants solved tasks dealing with AES (Advanced Encryption Standard) implementations and combined conventional cryptography techniques with artificial intelligence. In civil society, academia and industry experts, the negative effects of AI on cybersecurity are discussed more and more. The so-called Adversarial Machine Learning, when an adversary manipulates an AI to achieve a certain outcome or the use of AI to deploy a cyber attack is becoming a focus of some cybersecurity experts and research groups.

The new Transatlantic Cyber Forum working group will however set its focus on securing AI and machine learning against threats. This will become very important as Germany starts to implement its AI strategy.

Our take:

When it comes to machine learning and artificial intelligence, the German government is still in its infancy. That the national cyber security agency has already dedicated resources to further its research in the area is a first step in the right direction. The work of the newly formed TCF working group therefore has the potential to achieve a relevant impact.



5. Constitutional Complaint against State Trojan/Government Hacking Legislation from 2017  and Right to Encryption

In August, the data protection organization Digitalcourage and the Gesellschaft für Freiheitsrechte has filed a constitutional complaint against the use of the so-called state trojan. Shortly after, many politicians across the entire political spectrum followed and criticized the use of the state trojan as well, which allows  monitoring of communications in messenger services such as WhatsApp. In 2019 we may expect the results of the constitutional complaint. Moreover, politicians from the Liberal Party (FDP) filed a motion on the right to encryption that gained some support from the Greens and the Social Democrats.



6. Shortage of IT-security personnel

Due to the demographic shift and a shortage of skilled workers, including science and IT-related professions, the SPD has insisted on a new law, facilitating immigration for those who can fill the gaps. Since the shortage does not only affect jobs carried out by people with university degrees but also those occupations requiring qualified vocational training, the new law assesses several key issues: recognition of degrees and especially vocational training acquired abroad, employability of non-EU immigrants (companies do not have to ensure anymore whether a German or EU citizen could be employed instead), and an easier travel entry in order to search for work. One other legislation, the “Qualifizierungschancengesetz” (English: Law for Qualification), aims to make it easier and cheaper for businesses to send their employees to get qualification. The private sector however argues that this form will not be effective.

Our take:

Instead of developing a holistic and focused analysis that will lead to a strategy to tackle the shortage of cybersecurity, the German parties are debating an immigration reform. Unfortunately we cannot expect a major and holistic strategy of Germany to tackle the shortage of cybersecurity personnel in public or the private sector. The immigration reform could help short-term but looking at the global shortage of cyber security personnel, it is unlikely that Germany, especially given its fairly low wages for cybersecurity experts,  will be their first choice. Germany really needs a long-term strategy to tackle the lack of a cybersecurity workforce. The law that aims to create easier and cheaper access to further learning opportunities may also fall short of its expectations as there may be simply not enough educational courses and cybersecurity skills are not necessarily developed within the offered three to four weeks time spans. Further educational efforts and incentives may need to be implemented.



7. IT-Security Law 2.0

A new legislation that updates the original IT Security Law from 2015 is being drafted right now - the IT Security Law 2.0. The legislation is expected to broaden the application of IT security measures to a wider group of institutions and services. In order to achieve that, it is being discussed to switch from the definition of supply-critical to IT-critical. Then industries like the chemical industry which heavily rely on IT would be included. At the same time, it is being discussed to possibly lower the criteria for becoming critical infrastructure. Then the federal security agencies would have a better overview of what needs to be secured on the state level as some services are sole supplier in certain areas are not large enough to hit the supply-criticality on a national level under the current standards. Another important factor is the question of regulating supply-chain-security and the use of certification, security labels and liability. The EU Cybersecurity Act helped to set some framework under which conditions this can be legislated.

Our Take

No draft has been publicly circulated yet, therefore it is difficult to assess this legal approach in detail. For most parts that have been discussed so far, it seems like a reasonable addition to the existing IT Security Law. However, there are two shortcomings that we can see so far. First, the current version of the draft appears not to cover additional security measures for voting IT-infrastructure and political parties, something that we have been advocating for. Things might however change with the fallout of the leak/doxxing of German politicians that was discovered in early January 2019. Secondly, it is possible that amendments which do not directly relate to the official  intention of the law, for example active cyber defense provisions, will be buried somewhere inside the proposal.



8. Vulnerability Management System

In 2018, the Ministry of the Interior, Building and Community started developing a national vulnerability assessment and management process, similar to the Vulnerability Equities Process (VEP) in the US. Though not much is known about the process yet, the Ministry officially announced the process in June 2018 during a conference jointly organized by the Federal Academy for Security Policy and the Stiftung Neue Verantwortung.

Our Take

The first draft of the concept is supposed to be shared with the respective Ministries and security agencies shortly, if it has not been circulated already. We are expecting to see the concept go (more) public within the next couple of months. The development of the process has been inspired inter alia by the UK and US counterparts as well as likely by the work that the Stiftung Neue Verantwortung has done within the Transatlantic Cyber Forum.


Authors: Sven Herpig and Julia Schuetze, assistance Clara Bredenbrock


Transatlantic Cyber Forum

Policy Debates | April 8, 2019

Issue: “The National Cyber ​​Defense Center"

Track: All TCF tracks


Political framework

The creation of the National Cyber ​​Defense Center (German: Nationales Cyber-Abwehrzentrum, „Cyber-AZ“) in Germany was announced as part of the Cyber ​​Security Strategy adopted in 2011. It is an information and cooperation platform for several authorities with the aim to prevent and counter cyber-attacks through intensified cooperation. The Cyber-AZ, with headquarters in the German Federal Office for Information Security (BSI) in Bonn, is not an independent authority, but rather an association of various authorities, exchanging information on (operative) cyber security in Germany while remaining within their respective area of ​​responsibility/competence. The cooperation itself is regulated by administrative arrangements between the authorities. The agreements can be retrieved online, based on a request under the Freedom of Information Act (IFG).[41]

In the coalition agreement signed in 2013, the CDU/CSU and SPD agreed to expand the capacities of Cyber-AZ. However, details of what this expansion might look like were only addressed in the Cyber ​​Security Strategy for Germany adopted in 2016. It states: "As a joint institution, it will be further developed into a central cooperation and coordination platform. In the future, the Cyber-AZ should be equipped with own assessment and evaluation capabilities and create an up-to-date report on the cyber security situation in Germany.“

To what extent this project has been implemented is hard to estimate based on the publicly available information. Moreover, it was in the context of the Cyber Security Strategy of 2016, that the involvement of the German federal states was explicitly mentioned for the first time.

In the coalition negotiations in 2017, the topic was addressed again, but the 2018 agreement remains very vague in its demands. The position of the BSI should be strengthened and likewise the "security authorities in the prosecution and prevention of cyber crime [through the] creation of a necessary legal, organizational as well as technical framework“. The claim to strengthen the Cyber ​​Defense Center was not discussed again until the beginning of 2019, when the personal data of different Members of the German Bundestag were leaked. 


Structure and mode of operation

Members working together in the Cyber-AZ include representatives from the Federal Office for Information Security (BSI), the Federal Office for the Protection of the Constitution (BfV), the Federal Office for Civil Protection and Disaster Assistance (BBK), the Federal Criminal Police Office (BKA), the Federal Police, the Customs Criminal Office, the Federal Intelligence Service (BND), the German Armed Forces (Bw), the Military Counterintelligence Service (BAMAD), and the Federal Financial Supervisory Authority (BaFin). The authorities are staffed by representatives of these ministries, either as permanent staffers of the Cyber-AZ, or as rotating staff. With 8 employees, the largest representation is sent by the BSI. The supervising operators of critical infrastructures (KRITIS) are also part of Cyber-AZ. The Cyber-AZ spokesperson is BSI President Arne Schönbohm. In its structure, Cyber-AZ is similar to the Joint Counter-Terrorism Centre.

The cooperation of the authorities in Cyber-AZ is characterized by its own perception as an information and cooperation platform. The participating authorities contribute insights and perspectives from their respective fields in order to avoid cyber attacks at an early stage. They discuss topics such as weaknesses of IT products, vulnerabilities, different forms of cyber-attacks and criminal profiles.

By exchanging information and knowledge, risks related to cyberspace can be analyzed and evaluated holistically. At the end of this collaborative process, a recommendation for actions to be taken is formulated based on the experience and knowledge of the authorities involved. Products developed by the Cyber-AZ include the „Cyber-Lage“, a daily situation report on cyber security, as well as an annual report. Additionally, analyses of specific cases are conducted as well. 

Moreover, the „Cyber-Sicherheitsrat“, Cyber Security Council, (Cyber-SR) periodically receives recommendations from the Cyber-AZ. The analyses conducted by the Cyber-AZ include both intelligence and police information.

Since its creation in 2011, both the operation and structure of the Cyber-AZ have evolved. The forms of cooperation include daily briefings, working groups, project based groups and workshops - depending on the duration of the task and the topic. In the course of becoming more and more a platform for cooperation, the initial structure of associated and core authorities (shell model) has been replaced. Instead, a steering committee decides the focus of the work and sets up the working groups.

The Cyber ​​Defense Center plays a significant role in Germany's cyber security architecture. Similar to the Cyber ​​Security Council, which brings together relevant actors on a political and strategic level, the Cyber-AZ provides an inter-agency platform for operational cooperation. It fulfills an essential function in terms of coordination and communication between the multitude of authorities that provide cyber security in Germany. Before the creation of the Cyber ​​Defense Center, such a platform did not exist, and activity in the field was highly siloed.



Previously, the Cyber-AZ has been criticized for both its products as well as the coalition itself. The cooperation of different authorities may lead to a mixing of police and intelligence services and is therefore regarded as a violation of the so-called principle of division of authorities („Trennungsgebot“). 

Furthermore, in an internal report of the Federal Audit Office in 2014, the Cyber-AZ was strongly criticized as well. Not only was the platform insufficiently staffed to meet its objectives, it was also questionable what the concrete result of the collaboration was. Additionally, there was a lack of competence witnessed and it was unclear what actually happened in the case of a cyber attack. The criticism expressed can also be attributed to the fact that since its creation, the Cyber-AZ not only tries to unite the different expectations of the authorities involved, but also their different ways of working, their "cultures" and their willingness to share their knowledge. Conflicting approaches in dealing with cyber attacks (including "counseling culture" versus "culture of persecution") make cooperation difficult, as well as a restrained willingness to share one's own knowledge and information. Furthermore, in terms of structures and public perception, the BSI's great influence became apparent. Not only does the BSI make up a large proportion of the workforce, the one-sidedness of the input was also frequently criticized. BfV and BBK reportedly provided very little information; about 98% of information contributed was done so by the BSI at the beginning. Though it can be questioned whether solely the BSI can be held responsible for this, it illustrates the potential for improvement of the Cyber-AZ in its role as an information and exchange platform with a number of different agencies, not only the BSI.

In the overall view of these criticisms, it becomes clear that the collaboration of several authorities in Cyber-AZ is a balancing act between compliance with the „Trennungsgebot“ on the one hand and an effective and balanced flow of information on the other.

Finally, the question regarding the cooperation with and dissociation from other institutions within the BSI, such as the „CERT-Bund“, Computer Emergency Response Team (CERT) for federal agencies, and the „IT-Lagezentrum“, IT Situation Centre, (IT-LZ) has been raised. Due to similar work areas, there was a risk of redundancies and duplications in the structure. However, the focus of the „CERT-Bund“ and the „IT-Lagezentrum“ is the immediate, specific response to incidents, handling the situation, as well as technical restoration. The Cyber-AZ, on the other hand, focuses more on information sharing and coordination of actions.


The Cyber ​​Defense Center Plus

Since the founding of the Cyber-AZ, the challenges as well as the authorities have further developed. It is, therefore, a logical next step to expand the Cyber Defense Center and turn it into a Cyber ​​Defense Center Plus. The envisaged increased connection between the federal and state levels, as well as the cooperation with selected companies are both useful strategies. The former could also be a way to prevent some of the federal states from creating their own offices for Information Security, so-called Landesämter für Sicherheit in der Informationstechnik, (LSI). While computer emergency response teams (CERTs) are an important (technical) point of connection on the state level, the creation of independent LSIs threatens to worsen the already existing lack of specialists in public administration and create parallel structures.

An extension of the Cyber-AZ is most effective when the Cyber-AZ remains in the Federal Office for Information Security (BSI), which - according to the legal framework - is „the central reporting institution for cooperation of the national authorities in matters of security in information technology“.

The limited personnel resources of the Cyber-AZ are outweighed by its access to the broad and in-depth technical expertise of BSI professionals. Plus, the IT Situation Center is located in the BSI as well and in case of a crisis, it becomes the IT Crisis Response Center, a central element for the technical processing and coordination of IT security incidents.

Currently, various models and connections of Cyber Defense Center Plus are discussed. An affiliation of the Cyber-AZ Plus to the Bundeswehr, intelligence services or police is not recommended - not only due to a less developed expertise, but also because of a possible loss of trust of important cooperation partners in the industry, academia, civil-society and even other authorities. The cultural and legal frameworks of the police and intelligence services can pose another challenge. While the police, during the acquisition of information about an offense, is obliged to immediately initiate investigations (Legalitätsprinzip), intelligence services often hold back information to either facilitate the process of solving a crime or to make counterintelligence possible. None of the aforementioned aspects are true for the BSI, whose mission is to strengthen IT security. A possible affiliation of the Cyber-AZ Plus to the Bundeswehr is also not possible simply because no cyber attack on Germany has passed the threshold for a military reaction. Because the BSI guarantees IT security at a technical level, they should be the starting point of any Cyber-AZ Plus process. German cyber ​​security policy has been shaped by its focus on IT security and a strict separation of the civil and military domain. The protection of IT systems and networks should clearly be prioritized over solving crimes, law enforcement or other repressive measures.

Therefore, the extension process into a Cyber Defense Center Plus has to take into account the criticism. It is in many ways reasonable and in some areas, the problems are „homemade“ by the federal government. Naming an information and cooperation platform (at the time of the creation in 2011) a "Defense Center" raises unfulfillable expectations – especially given past and current resources and task allocations. It was never the goal of this institution to repel a cyber attack. There are authorities currently responsible for this, such as the Federal Office for Information Security, the Federal Criminal Police Office, the Bundeswehr or even the Federal Office for the Protection of the Constitution. All these authorities are members of the Cyber-AZ. The primary focus of Cyber-AZ so far has been bringing together the most important actors in order to facilitate the exchange between them. This is a key task, and it is difficult to judge whether the Cyber-AZ has been able to fulfill it. The exchange between authorities can also be viewed critically: How is the cooperation between police authorities and intelligence services in the Cyber ​​Defense Center in compliance with the „Trennungsgebot“? There is no public information accessible to answer this question. More transparency around cooperation of the authorities participating in the Cyber ​​Defense Center is necessary.


Conclusion and legal framework

Similar to the Central Office for Information Technology in the Security Sector (ZITiS), there is also no legal mandate for the Cyber ​​Defense Center. The representatives of the authorities involved in the Cyber ​​Defense Center act according to the legal basis of their respective authorities. This is the case for the technical and legal supervision, as well as the parliamentary and legal control. An establishing legislation would presumably be limited to a minimum level of competences and powers, as these are already granted to the relevant authorities.


The focus of such a law would therefore be the legal establishment of the Cyber-AZ Plus as well as the structural cooperation between the various authorities (including, inter alia, scope and modus operandi of the information exchange). The creation of an agency under law would presumably require a change in the constitution (eg. transferring of the process of emergency response in cyberspace from state to national level). In order to promote transparency and facilitate the embedding of the Cyber Defense Center in the existing architecture of authorities, it would make sense to create a clear legal basis for executive actions. Moreover, this would certainly improve understanding and the public perception of the role and work of Cyber-AZ. This is especially important when the cooperation with actors from industry and countries is expanded as part of the Cyber-AZ Plus conception and thus the Cyber-AZ can fulfill its important role in the heart of the German cyber security architecture.

41: Special thanks to Anna Biselli and Andre Meist for the IFG inquiries.

Authors: Sven Herpig and Clara Bredenbrock


Transatlantic Cyber Forum

Policy Debates | May 15, 2019

Issue: Active Cyber Defense

Track: All Tracks


The German Ministry of the Interior, Building and Community has been very active drafting bills lately. At the end of March, Netzpolitik, a news outlet focusing on digital rights and internet policy, leaked the Bill to Harmonize Constitutional Protection Law[42] (domestic intelligence law). In the beginning of April, the draft IT-Security Law 2.0[43] followed. Both bills aim to massively expand the security agencies’ authorities. And they have another thing in common: Both laws bring active cyber defense back to the negotiation table.

For about two years, a simplified active cyber defense “model” has been discussed in official security circles. This model gives an overview of the digital options when reacting to cyber attacks – sorted by their level of intensity. The first stage is about support to impede attacks. In stage two, concrete threats shall be spotted and attackers trapped, e.g. by using honeypots. Stage three foresees the tracking of data extracted by adversaries. Stage four would allow security agencies to hack attackers’ devices and change or delete data saved on them. The last stage would enable the government to respond through Distributed Denial-of-Service (counter) attacks with the goal to deactivate the attacker’s IT-infrastructure.

There is already a legal basis for some of the corresponding measures for the first three stages. The IT-Security Law 1.0[44], passed in 2015, requires Internet Service Providers to inform their clients in case their computers have been infected with malware. Since corresponding EU provisions [45] have been implemented, Internet Service Providers can deny Internet access to devices[46] that are, for example, infected with malware.

Although the recent public parliamentary hearing on information security[47] also touched upon the active cyber defense model, it has still not been circulated publicly. The Office for Criminal Investigations (German FBI) developed this classified model.



To shed light on the opaque policy making process and push for a more nuanced public debate, we have published our own “Model for Explaining Active Cyber Defense Measures”[48] with information we were able to gather from the government and related expert discussions. According to this definition, active cyber defense is “an active countermeasure in the cyber domain, below the threshold for armed conflict, that is designed to defend against and/or attribute a cyber attack”. Based on currently available information, this definition is similar to the one used by the German government internally.


IT-Security Law

The government wants to introduce several competencies for active cyber defense through the new IT-Security Law[49]. According to the draft bill, the Federal Office for Information Security (civilian and purely defensive version of the NSA, tasked inter alia with protecting government networks and critical infrastructures) will be allowed to use sinkhole servers[50] to reroute botnet traffic and set up honeypots[51]  to better study attack techniques. Furthermore, the bill will authorize the Federal Office for Information Security to mandate Internet Service Providers to limit, reroute or halt their services in case of disruptions.  If, for example, a system is disrupted due to a Denial-of-Service attack, the agency could command the Internet Service Providers to reroute this harmful data traffic or suppress it. If the bill passes unaltered, the Federal Office for Information Security can also instruct Internet Service Providers, if certain conditions are met, to purge infected IT systems (e.g. through remote patching or removing malware). Technical details on how that is supposed to work operationally are murky at best.

The bill also includes new regulations in case illegally obtained or published data is transferred through the networks of telecommunication providers and platforms. When providers become aware of it, they must inform the Office for Criminal Investigations immediately, block access to the data and delete them where appropriate. These measures can also be ordered by responsible authorities like police.


Domestic Intelligence Law

The new competencies for domestic and foreign intelligence services in the new domestic intelligence law[52] weigh even heavier. The Federal Office for the Protection of the Constitution (German domestic intelligence agency) will be given authority to use malware to collect data from domestically based IT systems and infrastructures, including for attribution purposes. Similarly, this shall also apply to the Federal Intelligence Service (German foreign intelligence agency). There is one caveat: if the bill passes unchanged, the Federal Intelligence Service will be able to conduct government hacking operations abroad as well as in Germany against German targets.


Conclusion and Outlook

Apparently, the coalition treaty, a non-binding yet politically powerful agreement between the governing parties, was ignored during the drafting of both laws. The treaty states that when competencies of security agencies are to be broadened, this must be accompanied by parallel and appropriate expansion of parliamentary oversight[53]. Additionally, the minimum standards for government hacking which have been developed by the Transatlantic Cyber Forum and published last year[54] have been ignored so far. While the standards have been presented to the government, and several of them are already being implemented, the new bills do not include the remaining ones. That would be a necessary requirement for prudently limiting the new powers given to the security agencies by these laws.

The legal basis for even more invasive measures like the take-over of attacker infrastructures or Distributed Denial-of-Service counterattacks will likely be included in another legislative package later this year.