Its pacifist tradition poses a dilemma for those charged with protecting the country from hackers.
Still, this near miss provided little comfort. In 2014, a steel mill in Germany suffered severe damage after a cyberattack blocked a blast furnace from powering down properly. In 2015, a group linked to the Russian hackers APT28 pilfered some 16 gigabytes of data from the German parliament—the deepest breach suffered by the government. In March, news broke that authorities had been monitoring an attempted hack of government networks for a few months until word of the operation leaked to the media. According to a report in Süddeutsche Zeitung, the national daily, the hackers managed to access documents dealing with Russia. While those documents were already in the public domain, the malware used by the hackers was powerful and precise, German lawmakers said. Domestic-intelligence officials said there is a “high likelihood” of Russian involvement.
One key part of the command is the Bundeswehr Cyber Security Center, which protects the armed forces’ IT systems, shields weapons technology from hacks, roots out security flaws, and dispatches emergency-response teams when incidents occur. According to the defense ministry, the Bundeswehr repelled around 2 million unauthorized attempts to access its systems last year; 8,000 of these intrusions could have compromised its systems if firewalls and surveillance software had failed.
Beefing up cyber defense isn’t cheap. The government’s proposed budget, which will be put to a vote in early July, allots 41.5 billion euros to the defense ministry in 2019, a 12 percent increase on 2017. Setting up and staffing the cyber command unit cost some 2.6 billion euros in 2017 alone; at the center’s unveiling, Defense Minister Ursula von der Leyen said much more money was needed to draw the best and brightest minds.
But for a country with a strong postwar tradition of pacifism, boosting defense spending is a contentious matter. The German constitution strictly limits Bundeswehr deployments at home, and parliament must approve any foreign operations. This makes cyber defense a particularly awkward arena: The adversary is unpredictable and invisible, flouting conventional military rules and challenging the Bundeswehr’s ethos of building peace and security. It may have a mandate to defend its own systems, but its legal justifications for offensive cyber missions are more ambiguous.
Attribution, or identifying the hackers behind an attack, is another challenge. Germany has strict safeguards in place to separate the powers of the police, intelligence agencies, and the military. Stefan Soesanto, a London-based cybersecurity and defense expert, told me that could hinder information-sharing between authorities charged with defending cyberspace. “Germans aren’t capable of pulling the intelligence together from the various agencies to come to an … assessment that’s actually accurate completely,” he said.
Germany’s cyber command in Bonn is used to such skepticism. But Krempel pointed out that perfect attribution is near impossible, and not the focus of his team’s work, anyway. The cyber command hopes to reach full operating capacity by 2021, provided it can staff up. The defense ministry announced last year it was “desperately searching for nerds,” as it faces stiff competition from the tech industry for recruits.
Equipping the military for the future could also prove difficult in an organization notorious for its rigid bureaucracy. In a bid to circumvent cumbersome hierarchies, the ministry launched the Cyber Innovation Hub, a small team of entrepreneurs and soldiers seeking out new products in security, communication, blockchain, and digital health. Start-ups can pitch solutions for some of the armed forces’ needs—a Slack-like communication app that masks soldiers’ location, for example. So far, none of the new technologies they have acquired has actually been implemented. And it is still a pilot project limited to three years.
Meanwhile, it’s German industry that might stand to lose the most. German companies lost an estimated 55 billion euros a year to industrial and trade espionage in 2015 and 2016, and more than half of all German companies suffered some sort of spying or stealing of trade secrets, according to Germany’s domestic intelligence agency. Any solution to Germany’s broader cyber defense problem, then, will almost certainly demand collaboration between the government and private industry.