Germany’s cybersecurity strategy: confronting future challenges

Scott N. Romaniuk and Michael Claus


Prior to 2005, cybersecurity had not been viewed as a national security issue. That changed in 2005, when Udo Helmbrecht, then president of Germany’s Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI), penned a report in which he reasoned that Germany needed to seriously consider integrating cyber security into the state’s national security calculus, thereby preparing for imminent threats in the cyber realm. The Bundestag heeded Helmbrecht’s call for the state to assume a stronger position on the issue, incorporating cyber threats into its national security strategy (Weißbuch), with Chancellor Angela Merkel stating in 2006 that “Germany’s political and economic structures as well as its critical infrastructure have become more vulnerable as a result, not least where criminal activities, terrorist acts, or military attacks from or on cyberspace are concerned” (Bundesminister der Verteidigung, 2006: 17). Roughly a decade later, in 2016, Merkel emphasized the “spectrum of threats” inherent within the cyber and information domain in Germany’s 2016 Weißbuch, describing cyberspace as “increasingly becoming a theatre of conflict; the internet is not only a force for good — ideologies of hatred and violence are also spread there” (Bundesminister der Verteidigung, 2016: 37 and 7).

Germany has endeavored to secure its information technology (IT) infrastructure since 2006, with the release of the 2011 Cybersecurity Strategy for Germany and the updated version published in 2016. After 2011, Germany became a frontrunner in cybersecurity efforts on an international scale and greatly enhanced its capabilities through the creation of new government agencies and strategic objectives. Agency creation was then followed by a deepening of the security roles and actions of cybersecurity agencies and institutions. The establishment of public-private partnerships illustrates the Bundestag’s understanding that securing IT infrastructure requires a comprehensive approach. Its commitment, however, can be interpreted as a quasi-mobilization and deployment of Bundeswehr forces, with its cyber defense activities an extension of the country’s armed forces.

Germany, due to its history, has a particularly strongly developed set of cultural norms guiding its vision of the Internet, within the country, across the European Union (EU), and throughout Europe. These norms also shape how the German military approaches the cyber domain and give rise to associated legal dilemmas and public debate, transforming the cyber and information domain, as a subset of German society, into a domain of tension in one sense and, in another, a battlespace of federated cyber defense measures and ambiguously extensive cyber-offensive capabilities. At the same time, Germany has evinced a particularly strong discursive commitment to the protection of personal privacy, as well as ongoing efforts to prevent and control the rise of hate speech, discernible through initiatives to influence and pressure social media and tech firms in a manner that curbs the effects of harmful expression online.

The evolution of Germany’s cybersecurity strategy

Germany’s cybersecurity strategy has slowly evolved over a period of approximately three decades, beginning in the early 1990s and continuing through to the present day. During this time, Germany’s cybersecurity strategy has gone through three distinct transformation stages, with the concept of cybersecurity undergoing a maturation process that has taken it from a basic understanding entrenched in the security of the private individual to a state-level security issue obliging the government to create enhanced defensive and offensive cyber and information competencies.

Stage one of Germany’s cybersecurity evolution (1991-2011) - broadening the cybersecurity compass

The initial stage of Germany’s cybersecurity strategy began in 1991, shortly after the reunification (Wiedervereinigung) of the two Germanys and the end of the Cold War. In 1991, the German government moved to form a subsidiary agency within the Federal Ministry of the Interior (Bundesministerium des Innern, BMI) called the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) — Germany’s primary national cybersecurity authority — with the general task of ensuring the security of “information technology” within Germany. The emergence of technological means of communicating, sharing information, and interacting via digital means brought with it a range of risks that required government engagement to ensure that standards and responsibilities were met through the creation of sets of criteria, rules, and measures of use and abuse. The emergence of new and sophisticated technologies coincided with an upsurge of asymmetric threats such as transnational criminal organizations and terrorism. BSI was tasked with oversight of both systems and the use of such systems in everyday life. Over time, the BSI, in conjunction with the federal government, set out to define key terms and clarify their operationalization.

Roughly a decade after its creation, BSI was revamped vis-à-vis the Act on the Federal Office for Information Security (Gesetz zur Stärkung der Sicherheit in der Informationstechnik des Bundes, BSIG), which came into effect on August 20, 2009 (BSI Act of 2009). BSI thence became the central clearinghouse for IT security, with expanded responsibilities based on renewed and updated definitions, and with the domain of critical infrastructure categorized to include nine distinct sectors within two broad categories: “technical basic infrastructures” and “socio-economic service infrastructures.” Altogether, BSIG outlines 15 tasks for BSI to undertake. With the expansion and upgrading of definitions and the outlining of new tasks and further responsibilities, the operational margins of BSI swelled to include broader and deeper work within and for the federal government as well as companies in the private sector. The federal government granted BSI increased responsibility but also defined its role and areas of operability, limiting its range to information infrastructure; however, as society has become increasingly digitized, with nearly every aspect of society coming to depend on digital technology in one way or another, BSI’s range of responsibility and protection has expanded.

Stage two of Germany’s cybersecurity evolution (2011-2016) - from government to societal cybersecurity

The “Cyber Security Strategy for Germany,” published in 2011 and updated in 2016 (the update representing the beginning of the third stage of Germany’s cybersecurity evolution), is the primary document and foundation for the Federal Republic of Germany’s cyber security strategy. The 2011 document outlines potential threats and framework conditions, and sets out ten strategic objectives (BMI, 2011). Clear definitions are provided to standardize the use of critical vocabulary associated with the cyber domain, as is the case with the cyber security strategies of other countries. Within Germany, cybersecurity development comprised a stretching of digital and information security coverage, resulting in a whole-of-society cybersecurity strategy. This strategic stretching brought all aspects of society (i.e., economics and many cultural elements) into scope. The second stage of Germany’s cybersecurity strategy thus extends the security blanket from the government and military to the civilian realm. Under the section “Basic principles of the Cyber Security Strategy,” the document states that:

[t]he Cyber Security Strategy mainly focuses on civilian approaches and measures. They are complemented by measures taken by the Bundeswehr to protect its capabilities and measures based on mandates to make cyber security a part of Germany’s preventive security strategy.

(BMI, 2011: 3)

The document articulates the scope of the threat to include both the private and public sectors, and includes organizations as well as individuals in German society. The introduction also expresses the complexities presented by an array of actors such as criminals, terrorists, spies, and militaries (BMI, 2011). When describing the “Framework Conditions” of the strategy, the cyber security strategy document stresses the need for the development of norms on an international scale to improve security and push it increasingly in a positive direction (BMI, 2011). Furthermore, the basic principles of the document highlight that the Strategy is primarily for the civilian sector and that the military’s strategy is supportive and serves as a complement.

In total, 10 strategic objectives and measures serve as the epicenter of the Strategy: [1]

  • 9 Personnel development in federal authorities;
  • 10 Tools to respond to cyberattacks.

Germany’s updated National Cyber Security Strategy outlines 30 measures to improve cyber security. They can be categorized by the four following objectives: “[1] active position of GE in European and international Cyber Security policy discussion, [2] safe and self-determined action in a digitized environment, [3] powerful and sustainable Cyber Security architecture at the national level, and [4] joint effort of government and industries” (Rothenpieler, 2017). The Strategy gives special attention to Germany’s commitment to encryption by expressing the government’s desire to establish “security through encryption” and to enable “security despite encryption” (Schulze, 2017).

The original and updated versions of Germany’s Cyber Security Strategy include a comprehensive approach to strengthening IT systems, align efforts and encourage collaboration on a domestic and international scale, and state the desire to create numerous public-private partnerships. The Strategy mentions periods of crisis and the role of the National Response Centre, but does not articulate who, what organization, or what level (Federal or State) has decision-making powers for combating crises. While efforts from Germany’s military (the Bundeswehr) will complement this, there are no specifics mentioned to address information and intelligence sharing, any effort for offensive operations, or the inclusion of the Bundeswehr in the National Response Center or the National Council on Cyber Security. Overall, the Strategy focuses on the government and the private sector collaborating and takes a non-military approach. Lastly, the Strategy acknowledges Germany’s willingness to assume a leadership role in the coordination of efforts and standards with multinational organizations.

Stage three of Germany’s cybersecurity evolution (2016-2020) - Germany’s “new powers” in a changing world

Germany’s adoption of its second NCSS in November 2016 marks the beginning of a third stage of Germany’s cybersecurity evolution and development. The German cabinet approved the most recent NCSS against a rise in attacks against German federal government institutions, the Bundeswehr’s websites and systems, and further harmful activity within the civilian realm, including attacks against critical infrastructures and the personal accounts of private citizens and businesses. German authorities, alongside close partners and allies, pointed to an escalation in attacks from Russia and China. Contributing to the elevation of Germany’s cybersecurity architecture is the creation of a mobile Quick Reaction Force (QRF) directly within the BSI. Similar units have been scattered throughout key government and law enforcement institutions and agencies such as the federal police (Bundespolizei, BPOL) and Germany’s domestic intelligence service (Bundesamt für Verfassungsschutz, BfV). Initiatives in this area have sought to tighten the threads of Germany’s cybersecurity network within the country by bringing all sectors into closer quarters with one another, thus augmenting aggregate capabilities through data and intelligence sharing, monitoring, communications, and assessment. The matter of critical infrastructure stands out in the government’s strategy initiative given that, as mentioned previously, the digitization of society has resulted in technological saturation, leading nearly every societal function to have a relationship with digital technology in some form (e.g. processes, systems, facilities, networks, and services related to health, communications, travel, finances, food/water supplies and chains, and so on).

The 2016 NCSS has also set in motion efforts to have tech knowledge and awareness trickle down from the upper echelons of the state (i.e., government, military) to ordinary Germans in communities across the republic through school training programs. The German government paid close attention to the surge in malware targeting Germany’s IT systems. The Bundestag’s IT system was shut down in August 2015 after a cyberattack, allegedly by the Russian hacker group Sofacy/APT28. Thomas de Maizière highlighted China as a major source of cyberattacks against Germany. The attack against the Bundestag triggered a review of the government’s systems, with calls following for a complete overhaul — an enormous task to address the digital defenses of the Bundestag, which was referred to as an “open book” (Deutsche Welle, 2015). The attack sought to install software on government computer systems that would enable the hackers to come and go as they pleased and gain permanent access to the personal computers and files of politicians. In December 2019, the entire IT network in Frankfurt - home of the European Central Bank (ECB) and the Eurozone’s financial capital - was shut down after an Emotet infection. The Frankfurt attack was the fourth of its kind in a two-week period, the others having included the Justus-Liebig-University (JLU) Gießen, Bad Homburg, and the Katholische Hochschule Freiburg (Catholic University of Applied Sciences Freiburg) (Cimpanu, 2019).

The introduction of the 2016 NCSS coincided with the BMVg presenting its 2016 “military roadmap” as the 2016 White Paper, which stood as a major paradigm shift for Germany, just 20 years after Germany’s Federal Court of Justice (Bundesgerichtshof, BGH) permitted the German state to participate in multinational peacekeeping operations and missions abroad. This shift was, in part, a response to significant changes that have taken place in the threat environment, including the digital and information domain. The White Paper mentions the term “cyber” 76 times and “cyber security” 13 times, and refers to the necessity of developing high-value “offensive capabilities” as part of Germany’s comprehensive approach to addressing “the speed of innovation and the global nature of cyber threats” (BMVg, 2016: 93). Indeed, calls for Germany to play a stronger political and defense role in Europe, in and around the European periphery, and further afield, in tandem with the country’s new military strategy, attracted major criticism. Stern (2016) called the “White Paper 2016 on German Security Policy and the Future of the Bundeswehr” a “step in the revival of German militarism.” Germany’s previous White Paper (from 2006) was presented when Germany faced far fewer asymmetric threats, including cyber warriors of various stripes, multinational efforts to combat a rise in transnational crime and terrorism, Hamas’ Gaza takeover, the Russo-Georgian war, Boko Haram, the Islamic State, Russia’s hybrid warfare against and within Ukraine, the “Arab Spring,” Libya, Syria, and other conflicts. Thus, the confluence of civil war, hybrid and asymmetric threats, and cyberattacks necessitated the creation of a “whole-of-government/society” approach resembling that of the US (Chowdhry, 2016). US-Germany Cyber Bilateral Meetings in Washington, DC, rooted US-German cybersecurity collaboration and unified efforts in the cyber domain, and as Germany deepened aspects of its cyber defense handling at home, the Bundestag, with the support of an extensive range of constituents of German society, has sought to intensify the German state’s leadership in the context of multinationality and integrative cyber defensive and offensive capabilities.

International governance

The Cyber Security Strategy for Germany expresses that Germany’s national efforts with regard to cyber security will be coordinated with international organizations and that Germany will ensure that its priorities are “pursued” in the organizations mentioned (Department IT, 2018: 13). While introducing new domestic legislation in 2015, the Federal Minister of the Interior, Thomas de Maizière, detailed Germany’s desire to promote its proposals through similar legislation at the EU level, stating that the “German position is also understood at [the] European level. Germany has thus taken a leading role in an area that will become increasingly important at a time when digital vulnerability is growing” (Bundesministerium des Innern, für Bau und Heimat, BMI, 2015; BSI, 2015).

This would be indicative of the German government not only accepting and promoting efforts for international governance, but also assuming a leadership role in promoting cyber security within Europe foremost, as well as beyond this immediate region and at the international level. Germany assumed the rotating, one-year chair position of the Organisation for Security and Co-operation in Europe (OSCE) in 2016. Frank-Walter Steinmeier, who during the same time frame also served as Germany’s Foreign Minister, was designated as the Chair of the OSCE (Secretariat, OSCE, 2016). During his tenure, Germany’s motto, according to Steinmeier, was “renewing dialogue, rebuilding trust, restoring security” (Secretariat, OSCE, 2016).

In 2016, the OSCE passed a series of Confidence Building Measures (CBMs) that built upon “transparency measures” established in 2013. The CBMs in 2016 focused on attacks against critical infrastructure that affect multiple states and also incorporate considerations for Information and Communication Technologies (ICT) (Auswärtiges Amt, AA, 2016; Secretariat, OSCE, 2016). The CBMs developed in 2016 included efforts for improved regional collaboration, improved critical infrastructure protection, crisis communication channels, and public-private partnerships (Secretariat, OSCE, 2016). Additionally, in 2016, 90% of OSCE states enacted one or more cyber CBMs, compared to just 61% in 2015 (Secretariat, OSCE, 2016). Furthermore, the establishment of additional CBMs in 2016 can be seen as a monumental success, since the OSCE is the “only regional security organization with such a diverse constituency that has managed to reach agreement on CBMs focusing on the cyber domain” (Secretariat, OSCE, 2016).

Under the leadership of a German politician, Günther H. Oettinger, Commissioner for the Digital Economy and Society, the EU launched a European public-private partnership on cybersecurity. After the establishment of the partnership, Oettinger expressed his support by stating that “[w]e call on Member States and all cybersecurity bodies to strengthen cooperation and pool their knowledge, information and expertise to increase Europe’s cyber resilience” (Secretariat, OSCE, 2016).

In 2016, the EU passed the “first comprehensive EU-wide legislation” on cyber security, the Directive on Security of Network and Information Systems (NIS Directive) (Leisterer, 2016). This directive is aimed at creating common standards for risk mitigation and reporting for companies that conduct business throughout the EU. Germany views the NIS Directive as the starting point for cyber regulations for the EU and rejects further proposed legislation and regulations. During the Third European Cybersecurity Forum, CYBERSEC 2017, hosted by The Kosciuszko Institute in Krakow, Poland, Germany publicly pushed back on proposals to expand the EU’s cyber efforts through expanded regulations and mandates. The head of international relations for BSI stated that,

we [the EU] should not neglect that we first need to establish, I would like to call it basic reading and writing skills in Europe, as the NIS directive tells us to, before we get to the advanced mathematics level, as intended by the cybersecurity package.

(Leisterer, 2016)

Germany’s cultural understanding

Cultural understanding of the Internet in Germany is an extension and adaptation of existing laws and approaches associated with other sectors of society, particularly as Germany has “dialed in” over the years and become highly digitized. The overall German cultural understanding of the Internet is defined by positions concerning privacy, efforts at collaboration to collectively increase the security of IT infrastructure, the role and use of the military for offensive cyber operations, and the censorship of hate speech (Bundesminister der Verteidigung, 2016; Laub, 2019). These factors, among others, concern Germany’s population of more than 80 million people (see Figure 6.1 for Internet users in Germany) as well as the diverse businesses and industries within Germany.

Both Germany and Brazil assumed the lead in reaffirming an individual’s right to privacy at the UN, which led to the creation of UNGA Resolution 68/167. The Resolution is titled “The Right to Privacy in the Digital Age” and was largely a reaction to the National Security Agency’s (NSA) spying on Angela Merkel. Although the document is not legally binding, it represents Germany’s attitude towards the human right of privacy with respect to both governments and businesses (Minarik, 2014).

Understanding of the need to protect the privacy of individuals within Germany is also evident vis-à-vis monetary penalties integrated into laws and the reporting of incidents by way of reports to the Bundestag. Fall-out from the revelations of the Facebook scandal that erupted in April 2018 is building momentum for updating data-privacy laws in Germany, primarily through the Bundesdatenschutzgesetz (BDSG) — Germany’s Federal Data Protection Act. The young Coalition government (the Fourth Merkel Cabinet, since 2018) called for an ethics committee to investigate the use of open information, which will most likely lead to an updated data privacy and protection law in the near future. The same document outlining the Coalition’s common viewpoints and priorities stressed the availability and accessibility of end-to-end encryption for citizens.

Figure 6.1 Percent of German Population Using the Internet. Source: The World Bank (2020).

The EU’s General Data Protection Regulation (GDPR) has done little to adjust or change the legal landscape surrounding data protection in Germany, though the federal government has shown rising concern over business practices, particularly those of tech firms. Without resorting to legal action, pressure has been applied to companies that are seen as engaging in questionable practices and skirting the lines of illegality, with Facebook having been restricted from data pooling as a result of activity and data availability through some of its popular online apps such as Instagram and WhatsApp. Earlier in 2020, Facebook was also criticized for failing to ask for users’ consent prior to collecting their personal data - a complaint brought before the German courts by the Federation of German Consumer Organizations (VZBV). In 2019, the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) actioned a fine of €9.55 million against mobile services provider 1&1 Telecommunications for negligence with respect to the protection of customers’ personal data and information in its call centers (Leprince-Ringuet, 2019). Greater degrees of scrutiny about how big tech firms gather, collect, and share the data of private citizens who use their apps in Germany are mirrored elsewhere in the EU and the world. Germany has presented itself as a leading actor in this regard, bringing stricter measures into play with respect to competition law and personal data protection, with efforts on the part of the German state appearing to be supported by a general population that wants to enjoy using tech firms’ apps but also wants to know that its privacy is not being compromised in the course of using them.

Germany has operated military cyber units since 2006 and initially revealed the capacity to conduct offensive cyber operations in 2012 (Shalal, 2017a). This issue recently gained momentum in the German press after a new cyber command was established. In March 2017, German Defense Minister Ursula von der Leyen stated that the German military has the ability to respond to cyberattacks with cyberattacks. A Reuters article communicated the debate over offensive operations, citing civilian officials who warned that Germany may lack the legal framework to retaliate due to the Bundeswehr’s status as a “parliamentary army” (Shalal, 2017b). This exchange between lawmakers, defense officials, and other civilian officials highlights Germany’s reluctance to use military force other than when specifically sanctioned by international law, and the extent to which the government is willing to apply self-defense principles to the cyber and information domain and grant them to the Bundeswehr. Still, the prospect of the Bundeswehr being unrestrained in such a way has found an uncomfortable position, or rather resulted in uncomfortable positions for many in German society who see this as a militarizing move and one that departs sharply from Germany’s “culture of restraint” in the military realm.

Germany’s key cybersecurity institutions

The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI)

The BSI was founded on January 1, 1991 and is the lead government agency for the cyber domain and for promoting the security of information technology (BSI, 2009). BSI is composed of eight primary divisions [3] under the direction of the president and vice-president. Each division (with the exception of one division) leads its own cluster of branches, with their number varying from one division to another.

The spectrum of tasks for which BSI is responsible is enormous. Among its 15 tasks, the first and primary task is to “prevent threats to the security of federal information technology” (BSI, 2009: 2). However, the role and tasks of BSI extend well beyond the protection of federal IT systems and technology. Other tasks include supporting intelligence agencies, police, and state-level organizations and offices (BSI, 2009). The four divisions of the BSI, in simplified English, are: Cyber Security and Critical Infrastructures; Consulting for Government, the Private Sector and Society; Cryptotechnology and IT Management for Increased Security Requirements; and Digitalisation, Certification, and Standardisation (Federal Office for Information Security, 2017).

The Cyber Security Strategy highlights the importance of the National Cyber Security Council and the National Cyber Response Center. The National Cyber Security Council’s (NCSC) charter is to “advise businesses, government agencies, and policy makers on issues relating to cyber security and to strengthen the fight against cyber crime” (Cyber-Security Council Germany, n.d.). The organization is designed as a forum for collaboration and the exchange of ideas between industry, policy makers, academia, federal ministries, and international entities (Cyber-Security Council Germany, n.d.). It therefore brings together a large community of experts and knowledgeable personnel for the purpose of providing information and support. The NCSC was established in the original Cyber Security Strategy for Germany in 2011 and is led by three government agencies: the BSI, the Federal Office for the Protection of the Constitution, and the Federal Office of Civil Protection and Disaster Assistance. The role of the NCSC is to facilitate crisis response among government agencies, including the German military and Computer Emergency Response Teams (CERTs) (Hunton Privacy Blog, 2011).

National Cyberdefence Centre (Nationales Cyber-Abwehrzentrum, Cyber-AZ)

Germany’s National Cyberdefence Centre came into force as part of the state’s broader cyber and security defense architecture in 2011 to “optimise operational cooperation between all state authorities and to improve the coordination of protection and response measures for IT incidents...” (ENISA, 2011: 5). This is done through a complete and sweeping integration of agencies and authorities (law enforcement, intelligence, and military organizations), as well as state information infrastructure and their skills. The overall objective is to bring the range of German cyber and security competencies into alignment and match them with existing and emerging threats in the cyber and information domain - referring to any within the German state and well beyond that might, and eventually will, pose a threat to Germany, its citizens, business, industry, and armed forces, among other aspects of the German state. Rapid assessment of threats, and the matching of responsive and countermeasure capabilities to them, is intended to facilitate an equally rapid state response through an integrated meshwork of protection services, defenses, and action-based agencies and divisions.

The holistic approach to cybersecurity can amplify state response options and capacities by bringing into focus varying, whether competing or reinforcing, perspectives that enable efficacious reactions and possibly the expansion and fine-tuning of existing structures and forces. A “pooling” of knowledge can thus take place that yields exponential benefit across the agency and authority landscape. As BSI (n.d.: n.p.) describes the process, “[t]he BfV, the MAD and the BND rate it from an intelligence perspective. The BKA, the ZKA and the BPOL assess him from a police perspective. Finally, the BBK evaluates the aspects of disaster preparedness and critical infrastructure issues.” This process has been established through a leadership cognizance that threats in the security environment are constantly changing and presenting authorities with new challenges. Cyber-AZ is therefore an embodiment of that threat-transmutation awareness, having evolved from a body that centered on a single function with broad purpose to what BSI (n.d.) characterizes as a “central cooperation platform of the IT security authorities.”

Central Office for Information Technology in the Security Sphere (Zentrale Stelle für Informationstechnik im Sicherheitsbereich, ZITiS)

In April 2017, Germany’s Interior Minister, Thomas de Maizière, founded a new cyber surveillance agency (receiving an initial €10 million financial infusion) with the purpose of establishing a resource, independent of the police and the secret service, to conduct digital forensics to fight cybercrime and digital espionage: essentially the hacking agency of the German Government (Bundeskriminalamt, BKA, 2016; Bundesministerium der Verteidigung, n.d.). The agency also enables the promotion of Germany’s dedication to encrypted services and communications. Within less than one year, the Agency experienced its first controversy when it was accused of identifying security flaws in commercial software and passing this information along to espionage agencies for exploitation (Heide, 2017). The establishment of ZITiS has also renewed the debate over the legal authority to conduct hack backs in Germany (Reuters, 2017). Independent of Germany’s police and secret services, in principle ZITiS has the ability to keep watch over virtually anyone in Germany via mass telecommunication surveillance, data encryption, and mass data collection practices. The implementation of ZITiS, and allowing it to operate as a near-completely independent agency serving the interest of the German state, fortifies the perspective that Germany has taken a step in the direction of centralizing state security practices.

Cyber and Information Space Command (Kommando Cyber- und Informationsraum, Kdo CIR)

The Bundeswehr launched a new Cyber Command in 2017, headquartered in Bonn and headed by Lt. Gen. Ludwig Leinhos. Germany’s Ministry of Defense (Bundesminister der Verteidigung, BMVg) reported that the Bundeswehr’s IT systems were the subject of some 280,000 attacks in the first nine weeks of 2017, with Russian state-sponsored hackers suspected of contributing a large portion of them (Delcker, 2017). Leinhos (quoted in Paganini, 2017) stated that German defense authorities “are in a constant race between the development of attack options and defensive capabilities.” The Cyber and Information Space Command (Kommando Cyber- und Informationsraum, Kdo CIR) will reach full operational status in 2021 with a staff of over 13,500 and will include an innovation hub connecting the military to tech start-ups (Werkhauser, 2017). Overall, Germany’s primary institutions for conducting research, responding to threats, and developing policy fall under the responsibility of the BSI. These umbrella organizations are structured to integrate multiple government agencies and the private sector, both for inputs and to exchange information (see Figure 6.2).

With the expansion of Germany’s cybersecurity agencies and institutions, much debate has taken place about possible continued expansion and the instruments at the German government’s disposal to operate in the cyber domain. In spite of the palpable expansion that has taken place over the past decade, German cybersecurity authorities, as an extension of the German Armed Forces, remain restricted by the firm legal rules currently in place. The Bundeswehr is granted the powers to defend the German state and its people but has not been given a green light to operate freely and at its own discretion. The Bundeswehr’s presence, while it has been expanded in the cyber and information domain, can still be seen as relatively limited in terms of numbers. In the fullness of time, the operational parameters of the Bundeswehr will almost certainly be tested as its responsibilities are likely to cover new areas and threats. Under mandates from the federal level and in the context of international partnerships and agreements, Germany’s cybersecurity and cyber defense authorities will be tested and undergo further development and maturation. The Bundeswehr, however, has been unable to operate without the explicit approval of the Bundestag, or beyond the confines of the German state and the defense of the German people.

Figure 6.2 The Structure of the Cyber and Information Space Command (Kommando Cyber- und Informationsraum, Kdo CIR) of the Bundeswehr

Source: Authors’ illustration based on data from (2016), Gotkowska (2017), Schallbruch and Skierka (2018), and German government and Bundeswehr documents.

The role of the private sector

Germany’s private sector plays a critical role in ensuring the collective security of IT infrastructure in Germany. The Government works closely with industry through private-public partnerships and initiatives such as “IT Security made in Germany” and “Industry 4.0.” Both initiatives aim to increase the relevance of Germany’s IT research and manufacturing capabilities, ensuring that Germany remains competitive.

In the aftermath of the 2013 revelations that the NSA had conducted online surveillance against Germany’s leaders and citizens, often with the collaboration of US-based private organizations like Google and Facebook, German private corporations led so-called “data localization initiatives.” In particular, Deutsche Telekom led an effort to create an internet network that would reside entirely in Germany (Dohmen, 2013). Deutsche Telekom lobbied the German Government to provide a legal framework that would prevent “lawsuits claiming discrimination or the curtailment of data traffic” (Dohmen & Traufetter, 2013). German internet providers perceived that American companies were not subject to the same privacy standards that German companies were. Although efforts to create a national internet system in Germany did not come to fruition, Deutsche Telekom did create a European Cloud Service that it claims is “100% out of the reach of the US authorities” (Financial Times, 2015). The EU NIS Directive, passed in 2016 and enforced from 2018, mandates that all companies considered operators of essential services or digital service providers, even those without a “physical presence” in the EU, adhere to European data privacy laws; it was seen as a way to limit competition from Silicon Valley firms (Financial Times, 2015; Katz & Larose, 2016). According to the Global Policy Institute, Germany “has become ground zero in the global regulatory battle on how to deal with hate speech on social media platforms” (Benner & Hohmann, 2017).

Private firms such as Google and Facebook are active in this debate and vocal about their policy positions. The most recent example is Facebook’s vocal resistance to Germany’s Network Enforcement Act, passed in 2017 and enacted in January 2018. The law was challenged in court months after coming into force, after Facebook deleted comments on a somewhat inflammatory political post that it deemed against its community standards. The court ruled that Facebook was in the wrong for deleting the comments and blocking the user. The case is an early test of the law and evokes further national debate on what is considered hate speech and on the role of private companies in enforcing such standards.


In the past three years, Germany has passed three major pieces of legislation pertaining to IT and cyber systems and to the regulation of the internet. Data and privacy protection laws have evolved and been amended with advancing technology and the widespread use of the internet. In April 2017, Germany passed a replacement for the Federal Data Protection Act, which had partially regulated data protection for the Internet (Hunton Privacy Blog, 2017). The new German Federal Data Protection Act (BDSG) incorporates changes and regulations contained in the EU General Data Protection Regulation (GDPR), which goes into effect in 2018 (Hunton Privacy Blog, 2017). Among many other provisions, the BDSG dictates the appointment of a Data Protection Officer (DPO), establishes the rights of data subjects, and establishes fines and jail terms for the intentional misuse of personal data (Schonhofen & Hardinghaus, 2017). The new law was enacted in 2018 when the GDPR came into effect (Schonhofen & Hardinghaus, 2017). Germany also passed the Network Enforcement Law in April 2017, which forces social media platforms and search engines such as Facebook and Google to remove “fake news” and hate speech within 24 hours or face steep fines of up to €50 million (Tworek, 2017).

Primarily for the protection of critical infrastructure, Germany enacted the IT Security Act of 2015. The Act also amended earlier laws such as the German Telemedia Act of 2003 and the now-updated Federal Data Protection Act, both of which regulated online activities to a certain extent (Kuschewsky, 2015). The law passed in 2015 created certain minimum requirements for IT security, included a provision mandating reporting requirements to the BSI, and required the designation of a single point of contact to the BSI (Heun, Niemann, Duisberg & Hinzen, 2015). The law applies to critical infrastructure and covers industries such as energy, IT and telecommunications, transport and traffic, health, water, food, finance, and insurance (Heun, Niemann, Duisberg & Hinzen, 2015).


Germany’s efforts and desire to combat cyber threats in the public and private sectors continue to evolve as threats evolve. In addition, Germany is an active participant in efforts to clarify the application of international law to the cyber domain and is deeply dedicated to following and upholding international law. Most importantly, the Bundestag understood from a very early stage that protecting IT infrastructure, the basis of cybersecurity, rests on collaboration among private corporations, government agencies, and multinational organizations. Germany’s current administration clearly realizes the essential role of the private sector; it has developed numerous private-public partnerships and established multiple strategic objectives to ensure that German manufacturing and technology sectors are capable of leading Europe. This again illustrates its comprehensive understanding of the actions needed to ensure high levels of cybersecurity within Germany, in the EU environment, and in an interconnected global domain, and to limit the dominance of US Internet firms.

Legislation in Germany ensures that cultural priorities such as limiting hate speech, extremism, and efforts to divide society, as well as the protection of privacy, are extended to the Internet. Germany’s efforts to maintain high levels of privacy have not hampered or interfered with the private sector’s development of encryption technologies impenetrable to hackers. This demonstrates the delicate balance between maintaining the capability to conduct investigations and anti-terrorism operations and respecting the privacy of German citizens and the free nature of the Internet. Germany, through its various efforts and continuous refinement of policies, regulations, and legislation, is currently poised to address the challenges and threats inherent in the cyber domain. The forward-thinking nature of Germany’s collective efforts presents the country as a leader in the EU and on the global stage.


  • 1 BSI is identified as the descendant of Germany’s Federal Intelligence Service (Bundesnachrichtendienst, BND), created in 1956 by the West German government. Responsible for foreign intelligence and reporting to the intelligence coordinator, the BND was once staffed by 7,500 personnel during the Cold War, though serious reductions in staff numbers followed with the end of the Cold War.
  • 2 For an elucidating article on the topic, see Baumann and Hellmann’s (2001) “Germany and the use of military force: ‘total war,’ the ‘culture of restraint’ and the quest for normality.”
  • 3 BSI’s organization chart (BSI, 2016) can be accessed at:


Suggested reading

Bundesministerium für Bildung und Forschung (BMBF) (Federal Ministry of Education and Research). (n.d.). “Cybersecurity research to boost Germany’s competitiveness.” ity-research-to-boost-gemiany-s-competitiveness-1418. html

CisoMag. (2019, October 7). “Negligent users are biggest cybersecurity threat to German organizations: survey.” tions-survey/

Deutsche Welle. (n.d.). “German cyber defense blends military and commerce.” german-cyber-defense-blends-military-and-commerce/a-45636325

Gordon, J. (2019, February 24). “What ‘God’ taught us about Germany’s cybersecurity.” Raconteur.

Guitton, C. (2013). “Cyber insecurity as a national threat: overreaction from Germany, France and the UK?” European Security, 22(1): 21-35.

Schallbruch, M. & Skierka, I. (2018). Cybersecurity in Germany. Cham: Springer.

Sprenger, S. (2020, February 4). “Germany moves to protect its military-cyber industry,” Fifth Domain. its-military-cyber-industry/


References

AA. (2016, March 24). “Joint statement on U.S.-Germany cyber bilateral meeting.” www.auswaertiges-

Benner, T. & Hohmann, M. (2017, April 20). Internet Companies Cannot Be Judges of Free Speech. Berlin, Germany: Global Public Policy Institute. icle/intemet-companies-cant-be-judges-of-free-speech/

Bundeskriminalamt (BKA). (2016, July 1). Cybercrime. Berlin, Germany.

BMI. (2011, February). “Cyber security strategy for Germany.” iterns/ german-cyber-security-strategy-2011-1

BMI. (2015, March 16). “Improving IT security in Germany and the EU.” dDocs/Kurzmeldungen/EN/2015/03/exchange-with-eu-commissioner-oettinger-to-cyber-security. html

BMVg. (n.d.). “Entwicklung des Organisationsbereichs bei der Bundeswehr” [“Development of the organisational area in the Bundeswehr”]. cybersicherheit/cyber-verteidigung/entwicklung-des-org-bereich-bei-der-bw

BMVg. (2006). “White Paper on German Security Policy and the Future of the Bundeswehr.” www. /Germany%202006%20white%20paper.pdf

BMVg. (2016). “White paper on security policy and the future of the Bundeswehr.” file/8970/download

BSI. (2009, August 14). “Act to strengthen the security of federal information technology.” www. File&v= 1

BSI. (2015). “The state of IT security in Germany 2015.” E N/BSl/Publicat ions/Securitysituation/lT-Security-Situation-in-Germany-201 5.pdf? _blob=publicationFile&v=2

BSI. (2016, November). “BSI organisation chart.”

Chowdhry, A. (2016, March 28). “U.S. and Germany expand cyber cooperation,” Federal Computer Week.

Cimpanu, C. (2019, December 19). “Frankfurt shuts down IT network following Emotet infection,” ZDNet.

Cyber-Security Council Germany. (n.d.). “About us.”

(2016, April 27). “Details zum Abschlussbericht des Aufbaustab Cyber- und Informationsraum” [“Details on the final report of the Cyber and Information Space Command expansion team”].

Delcker, J. (2017, March 20). “Germany fears Russia stole information to disrupt election.” POLITICO. politico, eu/article/hacked-information-bomb-under-germanys-election/

Deutsche Welle. (2015, August 8). “Bundestag IT system shut down after hacker attack.” bundestag-it-system-shut-do wn-after-hacker-attack/a-18659654

Dohmen, F. & Traufetter, G. (2013, November 12). “Deutsche Telekom pushes for all-German Internet,” Der Spiegel. intemet-safe-from-spying-a-933013.html

European Commission. (2016, July). Commission Signs Agreement with Industry on Cybersecurity and Steps Up Efforts to Tackle Cyber-Threats. Brussels, Belgium. 2321_en.htm

European Union Agency for Cybersecurity (ENISA). (2011). “Cyber Security Strategy for Germany.”

Federal Office for Information Security. (2017). “The German IT Security Certification Scheme.” www.

Financial Times. (2015, December). “Deutsche Telekom to offer ‘secure’ cloud storage.” content/2b5928dc-9cca-11 e5-b45d-4812f209f861

Gebauer, M. & Gruber, A. (2016, January 8). “Bundesregierung sucht Nerds” [“Federal government seeks nerds”], Der Spiegel.

Gotkowska, J. (2017). “Obszar cybernetyczno-informacyjny: Nowa formacja w Bundeswehrze” [“The Cyber and Information Space: A New Formation in the Bundeswehr”]. Warsaw, Poland: Ośrodek Studiów Wschodnich (Centre for Eastern Studies). cyber-and-information-space-a-new-formation-bundeswehr

Heide, D. (2017, December 6). “Cybersecurity agency criticized as a double agent.” https://global.han

Heun, S. E., Niemann, F., Duisberg, A., & Hinzen, S. (2015, July 29). Germany Enacts IT-Security Act. London, United Kingdom: Bird & Bird Law Firm. many/july/germany-enacts-it-security-act

Hunton Privacy Blog. (2011, July 11). “Germany launches national cyber defense center.” www.hunton pri

Hunton Privacy Blog. (2017, April 28). “German federal parliament passes new German data protection act.” data-protection-act/

Katz, M. & Larose, C. (2016, July 11). “EU adopts cybersecurity directive: what US companies need to know,” Lexology. fc29d097c826

Kuschewsky, M. (2015, September 14). “What you need to know about Germany’s cybersecurity law.” ity-law/

Laub, Z. (2019, June 7). Hate Speech on Social Media: Global Comparisons. New York: Council on Foreign Relations.

Leisterer, H. (2016, July 14). “New EU cyber security legislation: A Q & A with Andreas Schwab,” Policy Review. schwab/411

Leprince-Ringuet, D. (2019, December 12). “Data privacy: Germans dish out one of the biggest GDPR fines yet over lax call centers,” ZDNet. biggest-gdpr-fines-yet-over-lax-call-centers/

Minarik, T. (2014, December 18). “New UN resolution amplifies call for right to privacy in the light of mass surveillance.” veillance.html

Paganini, P. (2017, April 1). “German military to launch the Bundeswehr’s new cyber and information space command,” Security Affairs. and-infomiation-space-command.html

Reuters. (2017, November 22). “German cyber agency calls for authority to hack back.” www.reuters. com/article/us-gerniany-cyber/german-cyber-agency-calls-for-authority-to-hack-back-spiegel- idUSKBN 1 DM 1 XU

Rothenpieler, S. (2017, April 26). “National cyber security strategy 2016,” BSI. about-enisa/structure-organization/national-liaison-office/meetings/april-2017 /170426-bsi-enisa- nlo-presentation-v2.pdf

Schallbruch, M. & Skierka, I. (2018). Cybersecurity in Germany. Cham: Springer.

Schonhofen, S. & Hardinghaus, A. (2017, April 28). “German parliament voted ‘yes’ on new Data Protection Act to implement the GDPR.” www.technologylawdispatch.ccm/2017/04/privacy-data- protection/german-parliament-voted-yes-on-new-data-protection-act-to-implement-the-gdpr/

Schulze, M. (2017, August). Encryption under Threat. Berlin, Germany: Stiftung Wissenschaft und Politik (German Institute for International and Security Affairs). products/comments/2017C31_she.pdf

Secretariat, OSCE. (2016, March 10). “OSCE participating states, in landmark decision, agree to expand list of measures to reduce risk of tensions arising from cyber activities.”

Shalal, A. (2017a, April 5). “German military can use ‘offensive measures’ against cyber attacks: minister,” Reuters. 1771 MW

Shalal, A. (2017b, May 3). “Germany sees rise in cybercrime, but reporting rates still low,” Reuters.

Stern, J. (2016, July 15). “White Paper 2016: another step in the revival of German militarism,” World Socialist Web Site.

The World Bank. (2020). “Individuals using the Internet (% of population) - Germany.” https://data.

Tworek, H. (2017, May 16). “How Germany is tackling hate speech,” Foreign Affairs. www.foreignaf

Werkhauser, N. (2017, April 1). “German army launches new cyber command,” Deutsche Welle. www.

  • [1] Protection of critical information infrastructure; 2 Securitization of IT systems; 3 Strengthening of IT security in the public administration; 4 Creation of a National Cyber Response Centre; 5 Creation of a national Cyber Security Council (CSC); 6 Effective control of cybercrime; 7 Effective coordinated action to ensure cyber security in Europe and worldwide; 8 Use of reliable and trustworthy information technology.