BONN, Germany—It was a cyberattack that showed just how vulnerable Germany’s digital infrastructure truly is. In the summer of 2017, a group of hackers infiltrated NetCom BW, a regional telecommunications provider with about 43,000 subscribers in the state of Baden-Württemberg in Germany’s southwest. Given the company’s modest size, it may not seem like a prime target. But NetCom BW is a subsidiary of EnBW, one of Germany’s biggest power utilities. EnBW is part of what the government regards as its critical infrastructure: companies that operate crucial public services, from electricity to telecommunications to health care.
When news of the breach emerged in mid-May, a spokesperson from EnBW said that the hackers only gained limited access to the provider’s networks for a few minutes before its IT team fended off the incursion. A serious cyberattack on such a provider, by contrast, could’ve caused large-scale disruption.
Still, this near miss provided little comfort. In 2014, a steel mill in Germany suffered severe damage after a cyberattack blocked a blast furnace from powering down properly. In 2015, a group linked to the Russian hackers APT28 pilfered some 16 gigabytes of data from the German parliament—the deepest breach suffered by the government. In March, news broke that authorities had been monitoring an attempted hack of government networks for a few months until word of the operation leaked to the media. According to a report in Süddeutsche Zeitung, the national daily, the hackers managed to access documents dealing with Russia. While those documents were already in the public domain, the malware used by the hackers was powerful and precise, German lawmakers said. Domestic-intelligence officials said there is a “high likelihood” of Russian involvement.
Germany’s intelligence agencies have warned that increasing cyberattacks are “ticking time bombs” that endanger critical infrastructure, and authorities are racing to fortify defenses. Yet this is new, uncomfortable terrain for a country battling to overcome a weak digital infrastructure and a history of pacifism in the postwar era. That has cast doubt over Germany’s ability to mount a more aggressive approach to cyberwar.
After the 2015 hack, Chancellor Angela Merkel’s government unveiled an updated cybersecurity strategy. It is being implemented in large part by the Federal Office for Information Security (BSI) and the National Cyber Defense Center. The German military, meanwhile, is building up its own cyberdefenses. Housed in an office complex of blue-tinted glass and beige concrete near central Bonn, the Cyber and Information Domain Service’s 250-person-strong leadership team oversees 13,500 soldiers and civilians across the country. The group, which protects military intelligence, communications, and geographic-information systems, currently consists largely of military personnel with backgrounds in IT. Lieutenant Colonel Marco Krempel, the head of the unit, likened the military’s current mission—building a cybersecurity army while also responding to ongoing challenges—to “tuning a driving car.”
One key part of the command is the Bundeswehr Cyber Security Center, which protects the armed forces’ IT systems, shields weapons technology from hacks, roots out security flaws, and dispatches emergency-response teams when incidents occur. According to the defense ministry, the Bundeswehr repelled around 2 million unauthorized attempts to access its systems last year; 8,000 of these intrusions could have compromised its systems if firewalls and surveillance software had failed.
Beefing up cyberdefense isn’t cheap. The government’s proposed budget, which will be put to a vote in early July, allots 41.5 billion euros to the defense ministry in 2019, a 12 percent increase on 2017. Setting up and staffing the cybercommand unit cost some 2.6 billion euros in 2017 alone; at the center’s unveiling, Defense Minister Ursula von der Leyen said much more money was needed to draw the best and brightest minds.
But for a country with a strong postwar tradition of pacifism, boosting defense spending is a contentious matter. The German constitution strictly limits Bundeswehr deployments at home, and parliament must approve any foreign operations. This makes cyberdefense a particularly awkward arena: The adversary is unpredictable and invisible, flouting conventional military rules and challenging the Bundeswehr’s ethos of building peace and security. It may have a mandate to defend its own systems, but its legal justifications for offensive cybersecurity missions are more ambiguous.
These tensions came to a head in 2016, when Der Spiegel reported that the Bundeswehr’s Computer Network Operations, an elite team of hackers, broke into a cellphone provider’s network in Afghanistan to access information on a kidnapped German aid worker. Some lawmakers considered this an offensive action, and objected that they were not informed. Last year, von der Leyen triggered controversy when she said the Bundeswehr’s cybersecurity forces are, in fact, permitted to “offensively defend” their networks if attacked.
Florian Kling leads a military watchdog group called Darmstädter Signal. His organization, made up of former and active soldiers, believes Germany should avoid acting as the world’s policeman. An IT specialist, Kling pointed out that international law allows for preemptive attacks in self-defense if a military strike is imminent, but not preventive attacks; cybersecurity operations lie somewhere in between. “We would have to identify gaps in their security and implant a Trojan or virus so that the next time they attack, we can shut down their system,” he said. “And therein lies the problem: Is that a preemptive strike, if the opponent hasn’t yet attacked or initiated any actions?”
Attribution, or identifying the hackers behind an attack, is another challenge. Germany has strict safeguards in place to separate the powers of the police, intelligence agencies, and the military. Stefan Soesanto, a London-based cybersecurity and defense expert, told me that could hinder information-sharing between authorities charged with defending cyberspace. “Germans aren’t capable of pulling the intelligence together from the various agencies to come to an ... assessment that’s actually accurate completely,” he said.
Germany’s cybercommand in Bonn is used to such skepticism. But Krempel pointed out that perfect attribution is near impossible, and not the focus of his team’s work, anyway. The cybercommand hopes to reach full operating capacity by 2021, provided it can staff up. The defense ministry announced last year it was “desperately searching for nerds,” as it faces stiff competition from the tech industry for recruits.
Equipping the military for the future could also prove difficult in an organization notorious for its rigid bureaucracy. In a bid to circumvent cumbersome hierarchies, the ministry launched the Cyber Innovation Hub, a small team of entrepreneurs and soldiers seeking out new products in security, communication, blockchain, and digital health. Start-ups can pitch solutions for some of the armed forces’ needs—a Slack-like communication app that masks soldiers’ location, for example. But none of the new technologies they have acquired have actually been implemented yet. And it is still a pilot project limited to three years.
Meanwhile, it’s German industry that might stand to lose the most. German companies lost an estimated 55 billion euros a year to industrial and trade espionage in 2015 and 2016, and more than half of all German companies suffered some sort of spying or stealing of trade secrets, according to Germany’s domestic intelligence agency. Any solution to Germany’s broader cyberdefense problem, then, will almost certainly demand collaboration between the government and private industry.