CyberWarfare / ExoWarfare

The Atlantic: Cyberattacks Are ‘Ticking Time Bombs’ for Germany

Soldiers of Germany’s Cyber and Information Space Command
attend the group’s inauguration in Bonn, Germany, in April 2017


Its pacifist tradition poses a dilemma for those charged with protecting the country from hackers.

BONN, Germany—It was a cyberattack that showed just how vulnerable Germany’s digital infrastructure truly is. In the summer of 2017, a group of hackers infiltrated NetCom BW, a regional telecommunications provider with about 43,000 subscribers in the state of Baden-Württemberg in Germany’s southwest. Given the company’s modest size, it may not seem like a prime target. But NetCom BW is a subsidiary of EnBW, one of Germany’s biggest power utilities. EnBW is part of what the government regards as its critical infrastructure: companies that operate crucial public services, from electricity to telecommunications to health care.

When news of the breach emerged in mid-May, a spokesperson from EnBW said that the hackers only gained limited access to the provider’s networks for a few minutes before its IT team fended off the incursion. A serious cyberattack on such a provider, by contrast, could’ve caused large-scale disruption.

Still, this near miss provided little comfort. In 2014, a steel mill in Germany suffered severe damage after a cyberattack blocked a blast furnace from powering down properly. In 2015, a group linked to the Russian hackers APT28 pilfered some 16 gigabytes of data from the German parliament—the deepest breach suffered by the government. In March, news broke that authorities had been monitoring an attempted hack of government networks for a few months until word of the operation leaked to the media.

According to a report in Süddeutsche Zeitung, the national daily, the hackers managed to access documents dealing with Russia. While those documents were already in the public domain, the malware used by the hackers was powerful and precise, German lawmakers said. Domestic-intelligence officials said there is a “high likelihood” of Russian involvement.

Germany’s intelligence agencies have warned that increasing cyberattacks are “ticking time bombs” that endanger critical infrastructure, and authorities are racing to fortify defenses. Yet this is new, uncomfortable terrain for a country battling to overcome a weak digital infrastructure and a history of pacifism in the postwar era. That has cast doubt over Germany’s ability to mount a more aggressive approach to cyberwar.After the 2015 hack, Chancellor Angela Merkel’s government unveiled an updated cybersecurity strategy. It is being implemented in large part by the Federal Office for Information Security (BSI) and the National Cyber Defense Center.

The German military, meanwhile, is building up its own cyber defenses. Housed in an office complex of blue-tinted glass and beige concrete near central Bonn, the Cyber and Information Space Command’s 250-person-strong leadership team oversees 13,500 soldiers and civilians across the country. The group, which protects military intelligence, communications, and geographic-information systems, currently consists largely of military personnel with backgrounds in IT. Lieutenant Colonel Marco Krempel, the department head, likened the military’s current mission—building a cybersecurity army while also responding to ongoing challenges—to “tuning a driving car.”

One key part of the command is the Bundeswehr Cyber Security Center, which protects the armed forces’ IT systems, shields weapons technology from hacks, roots out security flaws, and dispatches emergency-response teams when incidents occur. According to the defense ministry, the Bundeswehr repelled around 2 million unauthorized attempts to access their systems last year; 8,000 of these intrusions could have compromised its systems if firewalls and surveillance software had failed.Beefing up cyber defense isn’t cheap. The government’s proposed budget, which will be put to a vote in early July, allots 41.5 billion euros to the defense ministry in 2019, a 12 percent increase on 2017.

Setting up and staffing the cyber command unit cost some 2.6 billion euros in 2017 alone; at the center’s unveiling, Defense Minister Ursula von der Leyen said much more money was needed to draw the best and brightest minds.

But for a country with a strong postwar tradition of pacifism, boosting defense spending is a contentious matter. The German constitution strictly limits Bundeswehr deployments at home, and parliament must approve any foreign operations. This makes cyber defense a particular awkward arena: The adversary is unpredictable and invisible, flouting conventional military rules and challenging the Bundeswehr’s ethos of building peace and security. It may have a mandate to defend its own systems, but its legal justifications for offensive cyber missions are more ambiguous.

These tensions came to a head in 2016, when Der Spiegel reported that the Bundeswehr’s Computer Network Operations, an elite team of hackers, broke into a cellphone provider’s network in Afghanistan to access information on a kidnapped German aid worker. Some lawmakers considered this an offensive action, and objected that they were not informed. Last year, von der Leyen triggered controversy when she said the Bundeswehr’s cyber forces are, in fact, permitted to “offensively defend” their networks if attacked.Florian Kling leads a military watchdog group called Darmstädter Signal. His organization, made up of former and active soldiers, believes Germany should avoid acting as the world’s policeman.

An IT specialist, Kling pointed out that international law allows for preemptive attacks in self-defense if a military strike is imminent, but not preventive attacks; cyber operations lie somewhere in between. “We would have to identify gaps in their security and implant a Trojan or virus so that the next time they attack, we can shut down their system,” he said. “And therein lies the problem: Is that a preemptive strike, if the opponent hasn’t yet attacked or initiated any actions?”

Attribution, or identifying the hackers behind an attack, is another challenge. Germany has strict safeguards in place to separate the powers of the police, intelligence agencies, and the military. Stefan Soesanto, a London-based cybersecurity and defense expert, told me that could hinder information-sharing between authorities charged with defending cyberspace. “Germans aren’t capable of pulling the intelligence together from the various agencies to come to an … assessment that’s actually accurate completely,” he said.

Germany’s cyber command in Bonn is used to such skepticism. But Krempel pointed out that perfect attribution is near impossible, and not the focus of his team’s work, anyway. The cyber command hopes to reach full operating capacity by 2021, provided it can staff up. The defense ministry announced last year it was “desperately searching for nerds,” as it faces stiff competition from the tech industry for recruits.

Equipping the military for the future could also prove difficult in an organization notorious for its rigid bureaucracy. In a bid to circumvent cumbersome hierarchies, the ministry launched the Cyber Innovation Hub, a small team of entrepreneurs and soldiers seeking out new products in security, communication, blockchain, and digital health. Start-ups can pitch solutions for some of the armed forces’ needs—a Slack-like communication app that masks soldiers’ location, for example. Yet none of the new technologies they have acquired have actually been implemented yet. And it is still a pilot project limited to three years.

Meanwhile, it’s German industry that might stand to lose the most. German companies lost an estimated 55 billion euros a year to industrial and trade espionage in 2015 and 2016, and more than half of all German companies suffered some sort of spying or stealing of trade secrets, according to Germany’s domestic intelligence agency. Any solution to Germany’s broader cyber defense problem, then, will almost certainly demand collaboration between the government and private industry.




Zu Land, zu Wasser, in der Luft – und im Internet

Jeden Tag werden die Computernetzwerke des Bundes 6500 Mal attackiert. Auch wenn große Schäden selten sind: Verteidigungsministerin von der Leyen will die Bundeswehr besser gegen die digitale Bedrohung rüsten.
Eine Cyber-Armee der Bundeswehr soll künftig für Deutschlands Sicherheit im digitalen Raum sorgen.
(Foto: dpa)

Berlin — Bis vor nicht allzu langer Zeit war die Welt der Militärs klar strukturiert. Der Feind näherte sich über Land, von See oder aus der Luft. Dafür stellte man ein Heer, eine Marine und eine Luftwaffe auf. Die Erschließung des Weltraums für militärische Zwecke, zum Beispiel die Platzierung und Nutzung von Satelliten, machte die Lage schon etwas komplizierter. Das ist aber noch gar nichts gegen das, was ein verfeindetes Land online anrichten kann.

Das Internet ist bereits ein digitales Schlachtfeld. Die Netze des Bundes werden täglich 6500 Mal attackiert. Im vergangenen Jahr drang ein Trojaner in den Bundestag ein und zweigte große Datenmengen ab. Es wird gemutmaßt, dass er von russischen Hackern losgeschickt wurde.

Es könnte aber noch viel schlimmer kommen: Die Stromversorgung kann lahmgelegt, Atomkraftwerke angegriffen oder Krankenhäuser abgeschaltet werden. Viele Länder haben auf solche Bedrohungen bereits militärisch reagiert – die USA bauen schon seit vielen Jahren gezielte Spezialkräfte für den Cyber-Krieg auf. Aber auch Länder wie Israel oder das kleine Estland sind viel weiter als Deutschland.

Bei der Bundeswehr gibt es zwar auch schon lange IT-Spezialisten. Bisher sind sie aber in vielen unterschiedlichen Abteilungen untergebracht. Das soll sich jetzt ändern. Verteidigungsministerin Ursula von der Leyen will eine Cyber-Armee mit rund 13.500 Soldaten und Zivilisten aufbauen.

Sie wird die kleinste von dann sechs Organisationseinheiten der Bundeswehr sein. Neben Heer, Marine und Luftwaffe gibt es jetzt schon die Streitkräftebasis für Logistik und den Sanitätsdienst. Kleinste Teilstreitkraft ist bislang die Marine mit rund 16.000 Soldaten.

Eine eigene Uniform soll die neue Cyber-Truppe nicht bekommen. Aus rein traditionellen Gründen darf sie sich auch nicht Teilstreitkraft nennen. Sie hat aber den gleichen Stellenwert und einen eigenen militärischen Chef, der sich wie die Spitzen von Heer, Luftwaffe und Marine Inspekteur nennen darf.

Die Truppe soll das eigene Informationsnetzwerk überwachen, das täglich 1,1 Millionen E-Mails produziert. Aber auch die mit digitaler Technik vollgestopften modernen Waffensysteme sollen geschützt werden.

Die Rekrutierung des Personals wird nicht ganz einfach werden. „Jetzt suchen wir nicht mehr nur Sportskanonen, wir suchen inzwischen händeringend Nerds“, heißt es im Ministerium.

800 Zivilisten und 700 Soldaten würde die Bundeswehr gerne jedes Jahr als IT-Experten einstellen. Die Konkurrenz in diesem Bereich ist aber groß. Von der Leyen will die Bundeswehr deswegen selbst Spezialisten ausbilden lassen. An der Bundeswehr-Universität in München soll bis 2018 ein Studiengang für 70 Studenten angeboten werden.

Von der Leyen ist sich im klaren, dass der Nachholbedarf der Bundeswehr im digitalen Bereich groß ist. „Entscheidend ist jetzt vor allem, Strecke zu machen“, sagt sie. Die neue Abteilung soll deswegen schon im Herbst ihre Arbeit aufnehmen und 2021 dann voll einsatzfähig sein.


see also: