German Government: It’s time to hack back at hackers
The German National Security Council has explained how Germany should defend itself against hacker attacks in the future. Clear-cut legislation will help defend against ongoing operations, while counter-attacking the hacker at the same time.
If strategically important questions or current threats are to be discussed, the Federal Chancellor’s Office issues a summons to the meeting of a specific secret committee. Very little of what is discussed during these meetings ever reaches the light of day. The committee itself is the National Security Council, with the status of a government cabinet committee, founded in 1955.
In a bug-proof room, the members of this committee debate controversial armament contracts, relations with Turkey or try to answer questions such as where the so-called Islamic State will strike next. Only a handful of top government officials are authorized to take part in these sessions, among them the Ministers of Defense, Interior and Justice. The current Chancellor holds the chairmanship. At times, however, top officials of the intelligence services and other ministries are invited to take part as well. This happens only when the matter at hand is particularly complicated.
Such was the case at the end of March, when the committee discussed a crucial and sensitive question: how Germany should defend itself in the virtual world of cyberspace. Attacks on networks in Germany have been on the rise for years. Minister of Defense Ursula von der Leyen recently spoke of some 4,500 attacks a day. And those are just the ones aimed at the Federal Armed Forces. The consequences have, so far, been containable and manageable. But concerns are rife that, sometime soon, a devastating attack may hide among the harmless ones.
The consensus reached during these discussions was that we cannot remain defenseless, with the National Security Council recommending two commissions that will lead to extensive discussions on the matter — and also, most likely, to political dissent. The National Security Council is seeking a solution that resembles a final, digital line of defense. Such legislation would allow Germany to destroy foreign servers in case hackers were to attack the German electricity network or parliamentary data systems. But only as a last resort, of course.
The government calls this “computer network operations,” or in its colloquial form “hack back.” In the future, targeted legislation is aimed at averting ongoing attacks and simultaneously counter-attacking hackers themselves. As soon as the server that facilitates the attack has been identified, it will be legally possible to infect it with malware or take it offline by any other means necessary. A cybersecurity expert at the Foreign Ministry recently explained during a discussion that the Sermon on the Mount is not applicable to international law: In other words, we should not have to turn the other cheek.
Time to act
Various scenarios involving devastating cyber crimes — such as an attack on the German electricity grid system — have been making the rounds for years. But until now, they have never come to pass. The urgency currently felt was instigated by another event: In the summer of 2015, hackers managed to infiltrate a parliament server and made off with several gigabytes of data, including emails of members of Parliament. They even managed to hack a server of the Chancellor’s office.
During the presidential election in the U.S., hackers were able to hack the mail server of the Democratic Party in a cyber attack, and the data published later on by WikiLeaks irrevocably damaged Hillary Clinton’s chances of winning. Some have accused Russian intelligence services of orchestrating the entire operation. The fear of something similar happening prior to the German parliamentary elections is causing sleepless nights among all parties, which is why the Federal Office for Information Security (BSI) is aiding parliament and all top political parties to secure their networks.
The BSI offers so-called penetration and hardening tests to identify potential weaknesses. Still, despite various protective mechanisms put in place, it is often the attackers that wind up winning the battles in cyberspace. But there is hope that these tougher measures can be applied, if necessary.
Which laws to alter?
Quite a few German institutions have already acquired the means to repel an attack. The Federal Armed Forces have one such group at their disposal, which was just recently declared as the fourth division within the Armed Forces. But the “Cyberspace and Information Commando” is only allowed to operate in case of an urgently needed shield of defense. Much like the BSI, the Federal Intelligence Services are well-respected. The Federal Office for Constitutional Protection, as well as the Federal Criminal Police Office, are also currently extending their cyber capacities.
But while the problem was being discussed by the National Security Council in the first instance, all unanimously agreed that any actions taken would have to be based on unambiguous legislation — seeing as, worst case scenario, they would not only hack into privately owned computers but also destroy the latter. In addition, these actions would most likely be applied to foreign networks and computers. This is uncharted territory within the world of protection against external threats.
An expert committee, under the leadership of the Ministry of the Interior, is now scheduled to present solutions to the National Security Council by this summer, and laws will have to be altered or augmented. Above all, a decision is needed as to which department will receive the commission for potential retaliation. Interior Minister Thomas de Maizière expects this to become an issue during the next coalition negotiations. He recently stated that “we will have to make a very important decision.”
Talks will also have to be held with the respective federal states. Protection against external threats is, within the Federation, actually their individual responsibility. But the federal government is leaning towards declaring it a federal responsibility, akin to physical external defense. In that case, it would be necessary to alter the constitution. Some of the federal states have reportedly already stated that they would actually be quite glad to see the federal government take responsibility for this task.
Hacking foreign networks is anything but harmless
The toughest challenge will come, however, if an actual attack has to be averted. Attribution in cyberspace is extremely difficult, as shown by the fact that, to this day, it has not been determined who was responsible for the attack on parliament in 2015.
Another concern of equal magnitude for experts such as BSI head Arne Schönbohm is the fact that the attackers “intentionally utilise servers that are particularly susceptible,” citing the example of the IT system of a neonatal ward in a hospital. “It would have dramatic consequences if they were to paralyze a system like that.”
The prospect of things going awry when implementing cyberspace security is very real: The American whistleblower Edward Snowden made public the fact that, during an operation against the Syrian network, the NSA managed to accidentally crash the entire network. The entire country was offline.
All rights reserved: Süddeutsche Zeitung/Worldcrunch
By Georg Mascolo