Germany Develops Offensive Cyber Capabilities Without A Coherent Strategy

Uploaded on 2018-12-12 in NEWS-Cybersecurity News, GOVERNMENT-Defence, FREE TO VIEW

There is a reoccurring debate in German national security and foreign policy whether Germany suffers from “Strategieunfähigkeit”, an inability to develop and implement strategy. 

The historic trauma of two lost World Wars created a pacifist culture that always struggled with formulating national security interests and defining strategy. 

The so-called “culture of reluctance” regarding the use of hard power has bled into Berlin’s thinking about cyber issues, especially as it rushes to develop capabilities without an overarching strategy on how to use them. Until recently, Germany has prioritised defense over offense in cyberspace. 

The Federal Office for Information Security (BSI), Germany’s cybersecurity agency, has a strictly non-military defensive mandate and is a vigilant advocate of strong encryption and full disclosure of zero-day vulnerabilities to vendors. 

Germany’s foreign intelligence agency (BND) has historically had a relatively small cyber espionage budget.

Germany’s defensive posture began to shift in 2015, after the internal network of the German Bundestag was successfully compromised by Russian state-backed operators. That led the country to revise its cybersecurity strategy, issuing a more offensive-minded document in 2016. It called for the development of cyber teams in the intelligence agencies. 

It also might have been a contributing factor to the creation of a specialised agency, called the Central Office for Information Technology in the Security Sphere (ZITiS), to develop innovative techniques to break into encrypted devices, develop exploits and malware for real time interception and accessing data at rest, as well as identify or purchase zero-days to support offensive capabilities.

As Germany rolled out its 2016 strategy, the German military (Bundeswehr) centralised its cyber capacity by consolidating around 14,000 soldiers and IT personnel into a unified cyber command (CIR), loosely modelled on US Cyber Command. CIR wants to achieve full operational capacity by the early 2020s and plans to perform strategic and tactical cyber operations against enemy assets. 
Usage scenarios include disrupting enemy military assets, battlefield support and reconnaissance on adversary IT assets.

Through the new strategy, the meaning of cybersecurity in Germany shifted from strengthening IT-security to improving public safety through the use of offensive cyber operations.

Berlin’s latest move favoring offensive cyber activity is the creation of a cyber innovation agency, akin to the United States’ DARPA, announced in August 2018. Its mandate is to conduct market research and sponsor promising projects with potential value for cyber offense and cybersecurity. 

Over the next five years, the agency is supposed to be equipped with a budget of €200 million (roughly $227 million), 80 percent of which will fund research projects, a substantial sum considering that the entire budget of the BSI is only €120 million per year.

These developments over the last three years point to a build-up of Germany’s offensive cyber capability. Interestingly, these new capabilities have been created without having a clearly defined strategic purpose, a problem that has plagued German national security policy in the past. 

For example, during the 2001 NATO mission in Afghanistan, Bundeswehr capabilities, designed for territorial defense from invasion, was not well adapted or flexible enough for an expeditionary mission.

This mismatch between strategy and capabilities plagues Berlin’s approach to cyberspace. There is currently no strategic debate about what German policymakers want to achieve with its new offensive capabilities. Questions about attribution and appropriate responses have apparently not yet been discussed. 

It is further unclear whether the political will exists to use these offensive capabilities in a time of crisis. For example, if deterring cyberattacks by punishment is a goal, strategy should make clear what means, including non-cyber options, would be most suitable. Is offensive cyber activity more useful in deterring adversarial cyber operations as say indictments or economic sanctions? 

Currently government officials seem to simply assume that cyber capabilities alone have a deterrent effect without taking into consideration the strategic requirements that come with deterrence by punishment, namely credibly holding assets at risk and signaling desired behavior while being willing to face consequences in case of an escalation. 

Will Germany indeed launch a retaliatory cyberattack against adversaries that provoke it and in turn face the potential consequences of entering an escalation cycle with, say, Russia or China?

As Germany tries to flex its muscles in cyberspace, allies and adversaries alike will be left to wonder what to expect absent an overall strategy. 

German policymakers should start a strategic discussion about the country’s role in a contested cyberspace. It needs to explain to its allies how its new offensive tools will work to support multilateral frameworks like NATO, the EU and the UN. 

Germany also needs to signal to hostile cyber actors what behavior it deems inappropriate, and how it will likely respond if certain red-lines are crossed.

Council on Foreign Relations:

You Might Also Read:

Germany Wants A Legal Framework For Cyberwar

« Review Your Cybersecurity Awareness
Cybercrime Is The Biggest Evolving Source Of Crime In The UK »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Digital Shadows

Digital Shadows

Digital Shadows is a cyber threat intelligence company that helps clients discover sensitive data exposed through social media, cloud services and mobile devices

International Security Management Association (ISMA)

International Security Management Association (ISMA)

ISMA is an international security association of senior security executives from major business organizations located worldwide.

Phoenix Contact Cyber Security

Phoenix Contact Cyber Security

Phoenix Contact Cyber Security is a leading manufacturer of network security appliances for use in industrial environments.

Skkynet Cloud Systems

Skkynet Cloud Systems

Skkynet is a leader in real-time data systems for the secure management and control of industrial processes (SCADA) and embedded devices (M2M).

Array Networks

Array Networks

Array Networks, the network functions platform company, develops purpose-built systems for hosting virtual networking and security functions with guaranteed performance.

Ergon Informatik

Ergon Informatik

Ergon Informatik AG is Switzerland's leading provider of customised software solutions and software products including fraud detection and the Airlock web security suite.

Aricoma

Aricoma

Aricoma are Architects of Digital. We aim to become a major player in end-to-end IT services and digital transformation in Europe.

Rippleshot

Rippleshot

Rippleshot is a fraud analytics firm that detects mass card compromises faster, allowing issuers to execute more proactive fraud detection strategies.

Cobalt Iron

Cobalt Iron

Cobalt Iron is a global leader in SaaS-based enterprise backup and data protection technology.

Soffid

Soffid

Soffid provides full Single-Sign-On experience and full Identity and Access Management features by policy-based centralised orchestration of user identities.

Synamic Technologies

Synamic Technologies

Synamic Technologies was founded in 2018 as a start-up to automate cyber security processes. Our CISOSCOPE product automates vulnerability management, risk management and compliance.

Stone Forest IT (SFIT)

Stone Forest IT (SFIT)

Stone Forest IT specialises in providing advisory, implementation and managed services for IT infrastructure, IT security solutions, business applications (ERP and CRM) and business analytical tools.

Center for Information Technology Policy (CITP) - Princeton University

Center for Information Technology Policy (CITP) - Princeton University

The Center for Information Technology Policy at Princeton University is a nexus of expertise in technology, engineering, public policy, and the social sciences.

Devolutions

Devolutions

Devolutions make best-in-class Privileged Access Management, Password Management, and Remote Connection Management solutions available to ALL organizations — including SMBs.

Guardey

Guardey

Guardey protects thousands of SME's environments. Whether your team works at the office, at home, at the customer or remotely. We protect your business. We do this in an accessible and affordable way.

Olympix

Olympix

Dev-first Web3 security that starts at the source. Olympix is a pioneering DevSecOps tool that puts security in the hands of the developer by proactively securing code from day one.