Impressions from the core course: critical questions of cybersecurity - in 30 seconds. And for all those who want to learn more, Henrike Stein-Ratjen, who attended the course, provides supplementary details.
We are right in the middle of the digital age, and the threats of cyber espionage and cyber sabotage have become a familiar occurrence. But only major cyberattacks, such as the hacking of Germany’s Parliament, the Bundestag, in May 2015, will stir up the media and make the public sit up and take notice. Future scenarios and options for action in cybersecurity policy, however, continue to be largely absent from the public discussion, one reason surely being that we are not (yet) a society of digital natives. This is why it is all the more important to provide the public with some basic knowledge necessary for the discussion of cybersecurity policy.
Yet, who has the time and patience nowadays to deepen their knowledge and understanding of new subject matters in a digitized environment? It is during the first 30 seconds on the internet that the digital visitor will decide whether he or she will direct their attention to a media report or will continue to surf. In a media training, which was part of the core course, we experienced first-hand the challenges of presenting complex subject matters to a media representative in said short time frame. Is it actually possible to provide a meaningful, tangible 30-second outline of core issues of cybersecurity policy? Let’s give it a try:
Germany is faced with a significant number of cyber assaults. IT security solutions alone are like thick walls. All you can do is hope that they will hold up. The government’s protection task goes beyond that. It includes fighting the causes, which means finding the attackers – preferably prior to the deed. Is the state ready for this task? What if the walls will not hold up and the attacker(s) cannot be identified? Is counterattack against foreign cyberattacks an option? Those are burning questions which need to be dealt with before we have reached the point where all we can do is react.
Now the 30 seconds are over, I believe. To learn more, you are welcome to continue reading.
Are we prepared? – The Federal Government’s cybersecurity architecture
At the federal level, Germany’s cybersecurity architecture comprises the Federal Office for Information Security, the Federal Office for the Protection of the Constitution, the Federal Intelligence Service, the Federal Criminal Police Office, the Bundeswehr and the Military Counterintelligence Service, all of which are represented at the National Cyber Response Center in Bonn, a platform for fast exchange of information and for coordination. Course participants shook their heads in disbelief when they learned that Germany maintained an extra agency going by the name of Central Office for Information Technology in the Security Sector. At first sight, it is often only experts who seem to understand Germany's cybersecurity architecture.
The Central Office for Information Technology in the Security Sector provides support, advice and research to the Federal Criminal Police Office, the Federal Police and the Federal Office for the Protection of the Constitution in the areas of digital forensics, telecommunications surveillance technology, cryptanalysis and Big Data. Encryption techniques for online communication protect the communication of potential attackers and make the timely detection of criminal acts, assault preparations, the creation of networks or recruiting activities alarmingly difficult for security agencies. The Central Office for Information Technology in the Security Sector is the Interior Ministry’s response to this challenge and to the necessity of pooling resources. However, despite their know-how, government agencies are only as effective as the powers of intervention accorded them by the legislator. Looking at other democracies in Europe, we feel that society and politics in Germany could – and, from the point of view of the security agencies, should – dare to grant more powers of intervention to protect Germany’s citizens against criminal acts.
Active cyber defense?
The Federal Ministry of Defense has established a Cyber and Information Domain Service as a separate major organizational element. Thus, cyberspace – like the ground, air and sea – is regarded as a distinct area of operations. In the international context as well, the Bundeswehr is actively involved in the cyberspace sector and participates with other German security agencies in NATO’s Locked Shields cyber exercise which is staged periodically and which was introduced to the core course at the NATO Cooperative Cyber Defence Centre of Excellence in Estonia. The crucial question now is whether a cyberattack against a country without concomitant use of conventional weapons marks a state of defense. And if the answer is yes, what point or level of intensity of a cyberattack would mark the threshold? European decision-makers are extremely cautious when dealing with this question. Attributing cyberattacks to the respective perpetrators is difficult and, especially in case of state-sponsored attacks, rarely produces evidence that will hold up in a court of law.
But what if the perpetrators are unknown and the effects of their cyberattacks are far-reaching and serious? Imagine a scenario in which someone evidently sabotages critical infrastructure in Germany via servers located on foreign territory, and the foreign state in question is unwilling or unable to neutralize the respective servers rapidly. In times of peace, no German government agency has the right to strike back and launch its own cyberattacks to disable the attacking systems. The stakes are high: proponents of “active cyber defense” criticize the defenselessness in such a scenario, while critics point to the risks of collateral damage and unintended escalation. The Foreign Office accompanies these cybersecurity policy considerations with foreign policy de-escalation mechanisms such as maintaining diplomatic communication channels and taking part in pertinent committees of international organizations. Germany, moreover, advocates the support of countries that are not sufficiently equipped to protect themselves or others against cyberattacks launched from their territory.
The bottom line is that we are faced with an ambiguous situation: Today, German IT know-how is an internationally recognized good. This know-how, which exists in our security structures, needs to be further developed, and future scenarios and options for action must be thought through, also taking military action as a last resort into consideration. The pertinent legislation must undergo very critical scrutiny regarding the question of whether it is fortified well enough against the risks inherent in digitization and whether it has provided the police and intelligence services with sufficient authority to take steps to confront criminals, extremists, terrorists and cyber-aggressive states effectively.
Author: Henrike Stein-Ratjen