The German Cybersecurity Dilemma
Germany's post-WWII ethos works fine when applied to a conventional and physical military, but cyberspace operates under a different set of laws that this ethos is unable to reconcile.
The Failure to Accommodate Cybersecurity in German Defense Strategy
Germany has opted for its national security institutions and capabilities to be used purely in a defensive manner. The trouble with a purely 'defensive' posture is that the definitions of 'offense' and 'defense' take on divergent connotations in the cyber sphere. A state's security policies can often be labeled 'defensive' or 'offensive' with only some grey areas when it comes to conventional and physical concerns, but such concepts do not translate as well into cyberspace. A state like Germany, which seeks to abide by a strictly defensive posture, meaning that military operations are used only in direct defense of the country, will have difficulty preparing, navigating, and operating in cyberspace. The nature of the domain is not the same as that of the physical security that states have been used to for centuries. The German cyber-security strategy needs to accommodate the cybersphere effectively. This fact is evident in German laws.
The German military is subject to intense restrictions on what operations it may perform in cyberspace. This purely defensive attitude stems from Germany's history in the 20th century, and this outlook has been enshrined into the German constitution and the Bundeswehr mission statement. The Bundeswehr mission statement states that military action may only be taken in the following circumstances: "(a) in a defense situation, that is, in the event of an armed attack on German soil; (b) in out-of-area missions that require a parliamentary mandate; and (c) in limited circumstances for functions that are not genuinely military in nature."1
Under the German constitution, the KdoCIR (the Cyber and Information Domain Service), an arm of the Department of the Bundeswehr, has to operate in "legal gray zones that exist due to both the unclear status of cyber- and hybrid-warfare operations and the German constitution."2 Although the KdoCIR has undeniable authority for passive defense measures in cyberspace, these legal gray zones hinder the effectiveness of Germany's youngest military branch. Moreover, these legal gray zones also raise strategic questions that need to be answered and make for an incomplete strategy in cyberspace.
1 Schulze, Matthias. “German Military Cyber Operations Are in a Legal Gray Zone.” Lawfaremedia.org, April 8, 2020. https://www.lawfaremedia.org/article/german-military-cyber-operations-are-legal-gray-zone.
2 Schulze, Matthias. “German Military Cyber Operations Are in a Legal Gray Zone.” Lawfaremedia.org, April 8, 2020. https://www.lawfaremedia.org/article/german-military-cyber-operations-are-legal-gray-zone.
The first legal question that arises is: what cyberattack would reach the threshold of an attack on 'German soil' and, in turn, trigger a defensive situation where the KdoCIR would engage in a military response (cyber or otherwise)? Some countries would deem their critical infrastructure to be an unacceptable target for any cyberattack, for instance. The German government does highlight the importance and risk involved in an attack on critical infrastructure, but the language in the 2023 national security strategy does not indicate that such an attack would be automatically deemed an 'attack on German soil,' nor is there any promise for active defense or counter-attack (i.e., hack-back) for any specific type of attack.3 Without language as to what systems are off-limits or any promises for specific hack-backs, Germany lacks a strong cyber deterrence.
Within the German government, the 'hack-back debate' has been taking place for a number of years now. A hack back is a form of counter-attack where the goal is to "delete tapped data or to disable the enemy's infrastructure".4 It is a form of active cyber defense that the German government has been clear it is against.
Furthermore, Germany abides by the UN Charter article 51 for the right to self-defense. For Article 51 to be triggered in a severe cyber-attack scenario, the attack must be attributed to foreign actors. In the world of cyberspace, one must have some level of access and persistence in other systems in other countries to be able to attribute attacks. Germany's absolute defensive posture, however, means it cannot exist in other systems to any meaningful extent in the first place. Attribution is, therefore, very difficult, and without attribution, Germany cannot engage in active defense. Moreover, in cyberspace, "every deterrence strategy begins with attribution".5 Germany may have to rely on defense partnerships to be able to attribute attacks to foreign actors, most likely the US. In a public debate in 2019, the then Chief of the Cyber and Information Domain Service, Lt. Ludwig Leinhos recognized the legal gray zone here when he noted that for hard-to-attribute hybrid operations, the KdoCIR has no legal justification to defend.6 Another issue with Germany's confused strategy is that a purely defensive stance cannot be justified in the first place in cyber operations. The reason is that most cyber-attacks do not amount to full attacks that require immediate response, and "states intentionally design their aggressive cyber operations so as to not trigger a conventional escalation".7
3 Federal Ministry of the Interior and Community. “Cyber Security Strategy for Germany.” Federal Ministry of the Interior and Community, November 2, 2023. https://www.bmi.bund.de/EN/topics/it-internet-policy/cyber-security-strategy/cyber-security-strategy-node.html.
4 Clasen, Alina. “German National Security Strategy Leaves out Cyber Counter-Attacks.” www.euractiv.com, June 14, 2023. https://www.euractiv.com/section/cybersecurity/news/german-national-security-strategy-leaves-out-cyber-counter-attacks/.
5 Buchanan, Ben. “Cyber Deterrence Isn’t MAD; It’s Mosaic.” Georgetown Journal of International Affairs, 2014, 130–40. http://www.jstor.org/stable/43773656.
6 Schulze, Matthias. “German Military Cyber Operations Are in a Legal Gray Zone.” Lawfaremedia.org, April 8, 2020. https://www.lawfaremedia.org/article/german-military-cyber-operations-are-legal-gray-zone.
Moreover, cyberattacks of varying devastation are often used as initial strikes that are then followed up with military operations using physical military assets like soldiers, tanks, planes, etc. For instance, a DDoS attack on a telecommunications firm can be followed up by an armed invasion or bombing campaign. The fact that a cyber-attack typically precedes and is separate from the physical attack means that German defenses would be in an ambiguous situation and unsure of using hack-backs until the physical attack occurs.
A second legal issue revolves around the stipulation for the Bundeswehr that an out-of-area mission requires a parliamentary mandate. It raises the question: what kind of cyberattack or active defense measure by the KdoCIR would be considered "an 'out of area' deployment of military force and thus require a mandate by the parliament"?8 A report by Matthias Schulze in Lawfare notes there exists a legal debate on these issues amongst scholars, and two crucial unanswered questions are said to be the source of ambiguity in German cyber operations: "First, whether or what type of exploits qualify as arms or military weapons? Second, are cyber conflicts inherently escalatory so that an armed engagement can be expected?".9 These are questions of strategy and of comprehension of cyber operations. Therefore, there are significant strategic implications from these unanswered questions, which put German cyber operations in a poor position.
On the first question, the issue is that there is no clear-cut list of cyber exploits or situations where cyber exploits may be deemed as the use of arms. A definition of specific exploits in the cyber sphere that constitute an equivalent to military weapons is necessary not just for creating an appropriate response to attacks on German soil but also for determining whether a German cyber attack or counter-attack would need parliamentary approval and be necessary. The second question is important for two reasons. The first is that, according to the Parliamentary Participation Act of 2006, parliament must approve cyber operations if an 'armed engagement is expected'.10 The second is that cyber operations always begin with reconnaissance and intrusion, which then escalate based on the momentum of the operation. The German government does not specify what it means to 'expect an armed engagement' and what operations or steps of an operation would likely lead to this scenario. Another question is: would active defense on the part of German defense institutions bring about an 'armed engagement'? These ambiguities of law and additional unanswered questions that arise have implications in the strategic realm of operations that significantly undermine German cybersecurity effectiveness.
7 Schulze, Matthias. “German Military Cyber Operations Are in a Legal Gray Zone.” Lawfaremedia.org, April 8, 2020. https://www.lawfaremedia.org/article/german-military-cyber-operations-are-legal-gray-zone.
8 Schulze, Matthias. “German Military Cyber Operations Are in a Legal Gray Zone.” Lawfaremedia.org, April 8, 2020. https://www.lawfaremedia.org/article/german-military-cyber-operations-are-legal-gray-zone.
9 Schulze, Matthias. “German Military Cyber Operations Are in a Legal Gray Zone.” Lawfaremedia.org, April 8, 2020. https://www.lawfaremedia.org/article/german-military-cyber-operations-are-legal-gray-zone.
10 “Gesetz Über Die Parlamentarische Beteiligung Bei Der Entscheidung Über Den Einsatz Bewaffneter Streitkräfte Im Ausland (Parlamentsbeteiligungsgesetz).” ParlBG - Gesetz über die parlamentarische Beteiligung bei der Entscheidung über den Einsatz bewaffneter Streitkräfte im Ausland, March 18, 2005. https://www.gesetze-im-internet.de/parlbg/BJNR077500005.html.
A key takeaway from this is that under the current circumstances of the law, German cyber security cannot be used for the preparation of the environment. At best, preparation of the environment would rest on a thin legal line and can be shut down at any time. At worst, preparation of the environment is impossible for German cybersecurity organizations. Preparation of the environment is an important step in cybersecurity as it entails observation and the implementation of pre-planned backdoor access. Moreover, continued access will give an intruder familiarity with the systems and planning time to find vulnerabilities and prepare attacks. The steps of creating strong cyber-deterrence take time to test, develop and implement. To be able to attack or deter an adversary, it is necessary to exist in the adversary's systems. Germany has locked itself out of ever being able to have a strong cyber deterrence by refusing to exist in other systems and only allowing access at a time of escalation. This is a lopsided strategy that benefits the attacker. Moreover, it is a strategy that does not fully understand and accommodate the nature of cyber operations. This stems from Germany retroactively applying old laws to a new domain of warfare.
It is possible that the German attitude also stems from the worry of the cyber-security dilemma, a concept that posits "network intrusions undertaken for defensive purposes are easily misunderstood as preparation for an attack, creating the risk of escalation and use of force."11 However, the German strategy is an overreaction and weakens Germany's overall cybersecurity. The ambiguity in German strategy, evident and made worse by German law, creates significant holes in German cyber-security strategy.
11 Slayton, Rebecca. “What Is the Cyber Offense-Defense Balance? Conceptions, Causes, and Assessment.” International Security 41, no. 3 (January 1, 2017): 72–109. https://doi.org/10.1162/isec_a_00267.
Bibliography:
Buchanan, Ben. “Cyber Deterrence Isn’t MAD; It’s Mosaic.” Georgetown Journal of International Affairs, 2014, 130–40. http://www.jstor.org/stable/43773656.
Clasen, Alina. “German National Security Strategy Leaves out Cyber Counter-Attacks.” www.euractiv.com, June 14, 2023. https://www.euractiv.com/section/cybersecurity/news/german-national-security-strategy-leaves-out-cyber-counter-attacks/.
Federal Ministry of the Interior and Community. “Cyber Security Strategy for Germany.” Federal Ministry of the Interior and Community, November 2, 2023. https://www.bmi.bund.de/EN/topics/it-internet-policy/cyber-security-strategy/cyber-security-strategy-node.html.
“Gesetz Über Die Parlamentarische Beteiligung Bei Der Entscheidung Über Den Einsatz Bewaffneter Streitkräfte Im Ausland (Parlamentsbeteiligungsgesetz).” ParlBG - Gesetz über die parlamentarische Beteiligung bei der Entscheidung über den Einsatz bewaffneter Streitkräfte im Ausland, March 18, 2005. https://www.gesetze-im-internet.de/parlbg/BJNR077500005.html.
Schulze, Matthias. “German Military Cyber Operations Are in a Legal Gray Zone.” Lawfaremedia.org, April 8, 2020. https://www.lawfaremedia.org/article/german-military-cyber-operations-are-legal-gray-zone.
Slayton, Rebecca. “What Is the Cyber Offense-Defense Balance? Conceptions, Causes, and Assessment.” International Security 41, no. 3 (January 1, 2017): 72–109. https://doi.org/10.1162/isec_a_00267.