6. Germany In response to the Russian invasion of Ukraine, and there are concerns of foreign dependence for Germany undertook substantial strengthening of cyber security. Through numerous public–private its cyberspace policy. Legal arrangements and a initiatives, cyber crisis-management exercises and complicated division of responsibilities between the existence of Computer Emergency Response the federal and state levels present challenges to Teams (CERTs) at various levels, Germany has laid policy governance, but the change in strategic cir- the basis for strong national resilience in the cyber cumstances is driving better coordination. German sector. Berlin has been a world leader in help- cyber-intelligence agencies have high technical ing to mobilise stronger multilateral governance skills, but their joint effectiveness is limited by legal of cyber affairs, both through the EU and multi- considerations unique to the country arising from national agencies at the global level. Germany its historical experiences of dictatorship. Germany has steadily developed its offensive cyber capa- has a powerful digital economy with some room bilities, although these are less advanced than for a faster pace of digital transformation. Its those of some of its key allies and potential main preparations for protection of critical informa- adversaries. We assess Germany to be a Tier-Two tion infrastructure remain quite underdeveloped, cyber power. Strategy and Doctrine The evolution of Germany’s strategic thinking on cyber The main consequences have been the strengthening of has been shaped by technological and geopolitical devel- German cyber security, with emphasis placed on robust opments common to many European countries, as well data and privacy protection, as well as the strengthening as by interaction with Berlin’s allies and partners. Such of parliamentary oversight over the intelligence agencies developments include the 2010 Stuxnet revelation that and the armed forces. A further implication has been to demonstrated the vulnerability of German industrial sys- place clear limits on Germany’s offensive cyber ambitions. tems to cyber attack.1 The Edward Snowden revelations To date, there have been several discernible phases in 2013 of US cyber espionage against Germany and of in the evolution of German cyber strategy.2 During the the support provided by German intelligence agencies to initial phase (1991–2011), German strategy focused on US cyber operations constituted another key influence. IT security and critical infrastructure protection, in part List of Acronyms AAFederal Foreign Office BfVFederal Office for the Protection of the Constitution BKAFederal Criminal Police Office BMIFederal Ministry of Interior and Community BMVgFederal Ministry of Defence BNDFederal Intelligence Service BSIFederal Office for Information Security CERT-BundFederal-level Computer Emergency Response Team Citizen-CERTCitizen-level Computer Emergency Response Team CIRCyber and Information Domain Service Cyber-AZNational Cyber Defence Centre Cyber-SRNational Cyber Security Council GCHQGovernment Communications Headquarters (UK) IoTInternet of Things NCSSNational Cyber Security Strategy OMCOOffensive Military Cyber Operations OSCEOrganization for Security and Co-operation in Europe UP KRITISImplementation Plan Critical Infrastructure CYBER CAPABILITIES AND NATIONAL POWER Volume 2 47 following the example set by the US on critical infrastruc- offensive cyber capabilities in close cooperation with ture protection. The second phase (2011–16) involved industry and civilian actors.8 While the white paper was the implementation of Germany’s first National Cyber vague about the kind of cyber capabilities and opera- Security Strategy (NCSS) published in 2011 which tions that the German military wished to develop, the took account of wider strategic issues.3 The document 2018 concept paper clarified that the ambition was to outlined various ‘strategic objectives and measures’ to be able to develop the full spectrum of offensive and improve the federal government’s ability to protect its defensive cyber tools, but without clarifying what this IT infrastructure and to effectively coordinate with inter- would entail.9 national and European partners in responding to cyber A new phase in the German cyber landscape argua- crime. The strategy introduced structural reforms such bly began in 2021 as Berlin adopted NCSS 2021, which as the establishment of the National Cyber Response was meant to carry forward its immediate predeces- Centre (an information-sharing platform for relevant sor while also listing several long-term objectives. The agencies)4 and the National Cyber Security Council.5 In adoption of the new strategy was ‘prompted by an 2015, Germany was the first country in Europe to intro- intensified threat situation’.10 The new strategy was duce mandatory reporting by infrastructure operators built around four overarching guidelines that empha- on IT security incidents. (These operators have to report sised a whole-of-society approach (cyber security such incidents to the Federal Office for Information as a ‘joint task’ of the public and private sector, and Security, or BSI.) That same year, Germany also set min- of society and science), ‘digital sovereignty’, ‘secure imum IT security standards across the federal govern- digitalisation’ and ‘measurability and transparency of ment and several core industries and sectors.6 [policy] targets’. The cornerstones of a third phase (2016–2021) of With a recurrent five-year strategic cycle, Germany cyber-security strategy development were the second has been developing an approach to cyber security NCSS (released in 2016), the White Paper on German that seeks to address the dynamic and shifting nature Security Policy (2016) and the Concept of the German of cyber threats and cyberspace in general. The coun- Armed Forces (2018), which marked the first time the try also acknowledged the need for a comprehensive, military aspects of cyber security were canvassed so whole-of-society approach that includes all stakehold- directly in public. The 2016 NCSS was more detailed ers in response to cyber attacks. However, German than its predecessor (48 pages compared with 20), strategy and doctrine remain somewhat low-key or and the Federal Ministry of Interior and Community non-committal on specific measures to be deployed in (BMI) drafted it with considerable input from the response to cyber attacks by foreign governments. Federal Foreign Office (AA) and the Federal Ministry The Russian aggression against Ukraine in 2022 of Defence (BMVg).7 The document more clearly out- produced a sharp reaction in Germany, and the gov- lined ends, ways and means while explicitly recognis- ernment introduced a raft of new measures thereaf- ing the need for civil and military action in the realm ter. In particular, in June 2022, Germany announced a of cyber security. At the same time, there was not a massive boost in defence spending of €100 billion, of strong sense of prioritisation nor much precision about which €21bn would be for communications systems goals and the measures taken to achieve them. The and cyber capabilities.11 A month later, the govern- second NCSS may have had a stronger eye on raising ment announced a new cyber-security strategy that societal awareness (and thus resilience) and promot- foreshadowed upgrades across the broad, in structures ing the whole-of-society approach, albeit with a strong and hardware, including in the domestic intelligence industrial focus as well as a multilateral approach on agency and police.12 The government saw the situa- the international stage. tion as a ‘historical turning point’, having declared a The 2016 white paper introduced a strong new focus national emergency in cyberspace for the first time in on cyber threats for the German Armed Forces. It argued response to Russian attacks on Ukraine that caused that the Bundeswehr must develop defensive and collateral damage to Germany’s wind farms.13 The 48 The International Institute for Strategic Studies sentiments were reflected in the annual cyber-security The defence ministry is responsible for protecting update released in October 202214 and the opening of the its own systems and carrying out other tasks within Bundeswehr’s Centre for Digitisation and Capability the cyber-security ecosystem. It is in principle respon- Development around the same time.15 In September sible for all aspects of state defence, including cyber. 2022, a German newspaper revealed that the country However, any operation by the armed forces ‘out of area’ had been supplying cyber intelligence to Ukraine since requires parliamentary approval, and this is understood May, following a legal determination that the ‘transfer to apply in principle at least to non-defensive cyber of such information is in accordance with the law and operations. Yet while parliament decides on whether the does not mean that Germany has entered into a mili- Bundeswehr engages in a specific mission, it does not tary conflict’.16 decide on the type of capabilities brought to a foreign mission – which can include cyber means. Governance, Command and Control In 2017, the BMVg set up the Cyber and Information Germany’s cyber-security architecture is complex.17 At Domain Service (CIR) as the fourth branch of the the political level, the BMI and the state-level ministries German armed forces, and in November 2022 its estab- of interior affairs are in control of the police forces and lishment stood at around 14,500 personnel.22 This body domestic intelligence services respectively at the federal bundles all cyber, IT, operational communications, and state level.18 The BMI (including the Central Office geo-information and military intelligence units of the for Information Technology in the Security Sector) is Bundeswehr under one commander. The CIR is tasked usually seen as the lead ministry on cyber-protection with ensuring the operation and protection of its com- issues and has been the coordinator for the NCSS. munication services, as well as carrying out reconnais- The Federal Office for Information Security (BSI), sance and effects in the cyber and information space.23 set up in 1991, has broad responsibilities as the central The Joint Intelligence Centre, a central element of cyber-security authority.19 Its core tasks are setting IT German military intelligence created in 2020, is subor- security standards, issuing IT guidelines and super- dinate to the CIR. 24 There is a plan by the CIR to estab- vising cyber-security measures at the federal level lish a Cyber and Information Domain Warfare Centre (including critical infrastructure). The office is further to serve as the focal point for developing concepts and empowered to oversee all digital service providers. In capabilities in this area for the Bundeswehr. In 2022, addition, the BSI maintains several liaison offices in the Bundeswehr announced the opening of a new cen- different states and hosts the National Cyber Defence tre with several distinct functions, both technical and Centre (Cyber-AZ), which seeks to coordinate the work policy related, under the name Centre for Digitisation of all relevant government authorities in the realm of of the Bundeswehr and Capability Development for cyber defence. Overall, the BSI has a staff of some 1,441 Cyber and the Information Space.25 employees20 and in 2021 had an annual budget of over €197 million.21 In addition, the Computer Network Operations Centre – a military unit – is involved in offensive cyber At the national level, the National Cyber Security operations. In 2016, the first actions of the unit were Council (Cyber-SR), set up in 2011, coordinates the publicised as it helped conduct a cyber operation in cyber-security policy of the federal government as well Afghanistan related to freeing a German hostage.26 as oversees the relationship between the public and private sectors. Chaired by the envoy of the federal Core Cyber-intelligence Capability government for IT security, Cyber-SR contains eight The Federal Intelligence Service (BND) is Germany’s key ministries (including the Chancellery, BMI, BMVg primary foreign intelligence agency. Like the French and AA) as well as representatives of selected states. In Directorate-General for External Security, it covers addition, Cyber-SR has associated members from key both human and signals intelligence (SIGINT).27 The business and sectoral associations and is supported by BND employs around 6,500 people28, which is similar a standing working group. to the United Kingdom’s Government Communications CYBER CAPABILITIES AND NATIONAL POWER Volume 2 49 Headquarters’ (GCHQ) total strength, though the lat- as the best team in their category for the fourth time ter has a much narrower function than the BND by in a row as part of NATO’s Exercise Locked Shields.35 not holding responsibility for human intelligence as The media has also reported on at least one inci- the German entity does. Cyber-intelligence operations, dent where the Bundeswehr hacked into the Afghan which have become largely synonymous with SIGINT mobile network for intelligence purposes in con- operations, are conducted by only one of at least six or nection with Germany’s peacekeeping operation seven BND departments.29 The BND therefore has sig- in Afghanistan.36 nificantly fewer people devoted to cyber intelligence than GCHQ. The federal government has progressively widened the ability of police and intelligence agencies to hack The BND operates under a unique regime shaped computers and smartphones nationwide. Since 2009, by a range of complex hacking provisions and a the Federal Criminal Police Office (BKA) has been Constitutional Court finding in 2020 that found bulk allowed to use hacking to prevent terrorist attacks. A interception of communications of non-German citi- change in the law in 2017 expanded these powers to zens abroad as unlawful.30 The national parliament has include other police forces and widened the scope as to addressed the lack of safeguards from unlawful inter- when devices can be hacked.37 In 2020, the parliament ception to some degree; as a result, the BND’s legal adopted the so-called Quellen-TKÜ law, which gave all authorities for cyber-intelligence operations are more 19 intelligence services the power to hack devices.38 limited than some of its peer agencies in other NATO German officials have in this context explored cooper- member states. Nevertheless, the BND has a strong track ation with foreign tech firms NSO Group and Gamma. record on cyber espionage. The agency has regularly While they have taken onboard Gamma’s FinFisher intercepted communications of foreigners through the spyware to hack devices, NSO’s Pegasus spyware was DE-CIX internet exchange point in Frankfurt, which is deemed illegal.39 Controversially, the law also obliges one of the world’s biggest (13.65 Tbit/s on 1 November network providers to assist the intelligence agen- 2022).31 In this regard, the BND scans for indicators of cies with spying efforts despite the firms’ objections. compromise and malware indicators but also gathers Quellen-TKÜ nonetheless only allows monitoring of information on foreign individuals.32 The BND can also ongoing conversations and not anything exchanged in monitor the systems of telecom providers and foreign the past. There is also the extension to conduct ‘online IT companies in Germany.33 house raids’, which allows agencies to search through The Federal Office for the Protection of the everything stored on mobile phones. Constitution (BfV) is Germany’s domestic intelli- Since 2013, the BND has seen a considerable boost in gence agency. It collects intelligence and information funding to about €1bn to date40 with the aim of increas- on political extremism and terrorism, and is responsi- ing the independence of Germany’s intelligence services ble for counter-intelligence functions, which includes from its US counterparts and the Five Eyes Alliance.41 some cyber-security and cyber-espionage functions. As part of this, the BND is working on the acquisition of The BfV plays a role in cyber defence, but has no its own electro-optical reconnaissance satellite network powers to carry out searches and arrests or exercise codenamed Project GeoORG, which is capable of world- other policing powers.34 The agency has a directo- wide monitoring. Production difficulties have seen the rate for cyber defence dealing with cyber security. planned launch date pushed out beyond 2022.42 The Germany’s Military Counter-Intelligence Service is network will consist of two latest-generation satellites solely responsible for defending against attacks on operated through one of the two Bundeswehr ground the German armed forces, its members and its assets. stations, with a third satellite to be added to the con- It assumes a more limited role in the overall scheme stellation following the launch of the first two. The of things. Additionally, the German military’s com- Bundeswehr itself currently operates a military satellite puter forensic experts are well regarded internation- observation network consisting of five SAR-Lupe mini- ally, with the Bundeswehr team being chosen in 2019 satellites. They will be replaced following the planned 50 The International Institute for Strategic Studies launch of three synthetic aperture radar satellites, the though not its antenna networks.51 The Russian threat first of which was launched in June 2022.43 to German economic security revealed through the Ukraine war has had flow-on effects in Germany’s secu- Cyber Empowerment and Dependence rity relations with China, with three intelligence chiefs Germany has set itself the goal of becoming the lead- appearing before the parliament to caution against the ing European country with regard to digital growth naivete of the government in deepening commercial and profiles itself as an ‘encryption champion’.44 While ties with Beijing.52 several international reports list Germany as a rising In terms of military communications, the Bundeswehr digital powerhouse, the European Centre for Digital has operated two communication satellites since 2011. Competitiveness argued in a 2021 report that Germany These satellites provide global secure communications had a slower pace of digitalisation than many oth- and internet access for the German military.53 ers in Europe.45 This analysis was confirmed in a 2022 To enhance German technological sovereignty, Deutsche Bank report which replayed EU analyses the federal government created a Federal Agency for showing Germany performing below the EU average Innovation in Cyber Security, or Cyberagentur, in 2018. in digital skills, digital transformation in business and Widely hailed as the Germany’s Defense Advanced digital public services.46 Research Projects Agency, the entity was launched in A focus for the federal government and German August 2020 with an initial budget of €282.5m until businesses has been the development of the Industry 2023. The Cyberagentur funds and develops research 4.0 initiative, which seeks to integrate digital technolo- projects and innovations, working with the federal gov- gies with industrial manufacturing processes. Central ernment and the German private sector. The BMI and to this project is the development of Internet of Things the BMVg jointly direct the Cyberagentur. The agency (IoT) technologies, with German companies planning to had been suffering from internal turmoil and a restruc- invest some €40bn per annum in these technologies.47 turing of its leadership before the formation of a new Germany is seen as the European IoT champion and German government in 2021, likely impacting its per- also the third-largest IoT market by revenue globally.48 formance during that period.54 The issue of ‘digital sovereignty’ has been an ongo- At the same time as setting up its own research agency ing and growing concern for Germany. The most recent on cyber issues, Germany has reportedly made efforts to focus of this debate has been the role of Chinese pro- develop its own cyber-intelligence industry. According vider Huawei in the construction of the 5G mobile net- to a 2020 article in Intelligence Online, Germany has work in Germany. The country’s existing 4G network encouraged several German/Israeli interception compa- already relies heavily on Huawei components. By nies to set up offices to boost local capacities.55 December 2019, Telekom Deutschland’s 4G network Germany displays strengths in artificial-intelligence had a Huawei footprint of 65%, with the figures for research, broadly on a par with the UK and Canada, but Vodafone and Telefónica 55% and 50% respectively.49 well behind the US and China. Germany is in the top- As the federal government had no legal mechanism five or six countries in the world in various aspects of AI. to ban Huawei from selling its equipment to German It is probably a world leader in terms of its intent to edu- providers, the focus of the debate had been on a sec- cate the public on how to manage trust in AI algorithms. ond IT-security law passed in April 2021. The law does By measure of the relative cumulative venture capital not necessarily exclude Huawei from 5G contracts, but investment in AI from 2012 to 2022, Germany ranks it will require a technical and political review as well fourth at US$16.8bn, comparable to the levels of invest- as public guarantees, which will disincentivise the use ment in Canada (US$12.4bn) and the UK (US$25bn), of Huawei’s components and may lead to its formal but well behind China (US$198bn) which is quite a way exclusion by the federal government.50 By November behind the US (US$361bn).56 In a 2022 research ranking 2022, Deutsche Telekom was in the process of remov- of publications in the two most prestigious AI research ing Huawei equipment from its core infrastructure, conferences, Germany was fourth, which was in between CYBER CAPABILITIES AND NATIONAL POWER Volume 2 51 the UK (third) and Canada (fifth).57 Germany also coop- federal government and its institutions.62 Germany also erates with the US and 14 other allies and like-minded has a Citizen-CERT to assist private individuals as well countries in the AI Defense Forum. as a separate team responsible for the Bundeswehr. Furthermore, individual German states maintain their Cyber Security and Resilience own CERTs, as do several large German companies There is a very broad and active exchange between such as Bosch, BMW and Siemens. Bitkom, Germany’s the public and the private sectors on cyber-security digital association, has also set up a CERT to cater to the issues in Germany, but it is of relatively recent vintage. needs of small- and medium-sized companies.63 The first such cooperative effort between the federal The BSI issues an annual report on the state of IT government and private sector is the Implementation security in Germany. The latest report, which was pub- Plan Critical Infrastructure (UP KRITIS) launched lished in 2022, painted a grim picture about the level of in 2016, some 18 years after the US launched a simi- cyber threats compared with Germany’s preparedness: lar effort.58 UP KRITIS has progressively expanded the ‘threat level in cyberspace is higher than ever.’64 The in scope and responsibilities and has a member- report cited three causes: ‘ongoing cybercrime activi- ship of several hundred companies across all critical ties, cyber attacks in the context of the Russian war infrastructure sectors. The initiative allows for the against Ukraine and, in many cases, inadequate prod- establishment of crisis-management procedures, the uct quality of IT and software products’. The BSI also agreement of joint standards as well as the carrying out of regular joint exercises between government and companies.59 UP KRITIS is widely regarded as a successful model for cyber-security cooperation. In addition to this long-standing called out the specific threats arising Germany has a Citizen-CERT to assist private individuals effort, Germany has set up various from the Russian war in Ukraine: the increased risk of cyber attacks, increased hybrid threats (such as disninformation) and more serious threats to ctirical infrastructure.65 In response, the BSI announced that it would improve and expand private–public cyber-security cooperation structures since its mechanisms for federal/state cooperation, pay 2016. Some of the more significant initiatives in this respect more attention to ensuring the resilience of small and include the Alliance for Cyber Security, Germany Safe medium-sized businesses, and set up an information Online and the G4C German Competence Centre against sharing portal on attacks as they happen. Cyber Crime.60 The federal government also maintains an The 2020 annual BSI report showed that the num- active and constructive dialogue with network providers, ber of incidents reported by providers of critical infra- with whom there is a history of cooperation. structure had risen rapidly: from 145 in 2018 to 252 in Beyond exchanges and public education, the govern- 2019 and to 419 in 2020.66 Almost half of these incidents ment and critical infrastructure providers carry out the related to providers in the energy and health sectors.67 LÜKEX exercises every two years. These strategic cri- In 2021, the BSI reported that the number of mal- sis-management exercises convene stakeholders from ware infections in German networks more than dou- various levels to work through different issues and sce- bled from the year before, from 7m to about 14.8m.68 narios.61 Germany (through its Cyber and Information Another critical concern remains IT security amongst Space Command) is also active in NATO cyber exer- the German Mittelstand – the family-owned small cises. Bilaterally, Berlin took part in initiatives such as and medium enterprises underpinning the German the Multi-Lateral Cyber Defence Exercise 20 with Austria, economy – which is lagging in terms of developing Switzerland and Israel in 2020. organisational IT defences against cyber threats.69 Germany has a mature nation-wide system of Like many other states, Germany suffers from a lack CERTs. At the federal level, the CERT-Bund is respon- of qualified IT personnel. The pandemic made clear sible for incident management and response for the that the country is also far behind in digitalisation of 52 The International Institute for Strategic Studies schools and providing a basic IT education to pupils revelations, Germany began to take a more active and and students.70 political role in UN negotiations. Most notably, this led In August 2022, German critical infrastructure was to the adoption of a UN General Assembly resolution subjected to a wave of DDoS attacks similar to the ones (68/167) in 2013, sponsored by Germany and Brazil, on that plagued Estonia in the same month.71 The govern- the right to privacy that is considered a significant con- ment raised concerns regarding the rise of state spon- tribution to shaping the global cyber environment.76 sored/motivated attacks by calling out Russian ‘sabotage In subsequent years, Germany continued to play an disinformation and spying attacks’, all of which it said increasingly active role on cyber-security issues at the have increased after Germany’s support of Ukraine and Organization for Security and Co-operation in Europe the introduction of sanctions. The German govern- (OSCE), UN and EU. Under German chairmanship, ment announced a heightened security situation and the OSCE adopted various cyberspace confidence- increased protective measures – particularly in cyber- building measures in 2016.77 Within the EU, Germany space. In August 2022, Germany also had to appoint a was influential in pushing for the adoption of the EU new cyber-security chief after accusations were levelled Cyber Diplomacy Toolbox in 2017, and in summer 2020 against the former president of the BSI who came under it was the first country to propose EU cyber sanctions scrutiny for his connections to a company associated drawing on that toolbox.78 The sanctions, adopted in with Russian intelligence.72 autumn 2020, targeted Russian hackers thought to be The 2020 UN International Telecommunication Union Global Cybersecurity Index ranked Germany 13th glob- responsible for the 2015 cyber attacks aimed at the German parliament.79 ally and seventh in Europe for cyber preparedness, Cyber was a priority for Germany when it was EU though Germany scored relatively poorly compared president in the second half of 2020, and this involved with some of its smaller and relatively poorer European driving the issue of Europe’s digital sovereignty peers.73 A similar picture was painted in the 2022–23 through various initiatives.80 As EU president, Germany issue of the Cyber Defense Index produced by the MIT also pushed for greater compromise between the needs Technology Review Insights team.74 It cited evidence that of privacy and security when it comes to ubiquitously ‘German cybersecurity decision makers rate themselves used strong encryption, under the principle ‘secu- poorly in five out of seven confidence indicators’.75 rity through encryption and security despite encryp- The initiatives launched by the federal government tion’, leading to a council resolution on the issue.81 to engage with private industry have given Germany In November 2020, Germany, together with Estonia, a solid basis for national resilience in the cyber sec- France, Poland, Portugal and Slovenia, issued an infor- tor. This state of affairs is enhanced by the numerous mal document on future common EU cyber diploma- cyber crisis-management exercises conducted within cy.82 And in 2021, Germany published a position paper Germany and the existence of CERTs at various lev- on the applicability of international law to the cyber els of engagement. However, Germany lags behind its domain.83 Within NATO, Germany served as chair of EU peers and the US. The extent of the federal govern- the Cyber Commanders Forum from 2018 to 2019.84 ment’s broadening of public education on cyber threats and vulnerabilities is limited. Since the Russian invasion of Ukraine in February 2022, Germany has sought for the most part to coordinate its cyber diplomacy with its EU partners and NATO Global Leadership in Cyberspace Affairs allies. For example, in late 2022, the EU (with Germany’s Since the early 1990s, Germany has taken an active role support) moved to shore up Ukraine’s cyber military in international cyber diplomacy coupled with multi- defences against further Russian attacks. The meas- lateral discussions on internet governance. Berlin’s ini- ure involved setting up a cyber lab for the Ukrainian tial focus in this area was mainly technical in nature. Armed Forces at a cost of €31m.85 In its early responses This changed after the Snowden leaks revealed large- to the invasion, Germany joined other EU member scale spying on German policymakers. Following the states in adopting a range of sanctions on dual-use and CYBER CAPABILITIES AND NATIONAL POWER Volume 2 53 advanced-technology items, such as semi-conductors of OMCO operations.93 Therefore, while Germany’s ini- or software for encryption devices, to weaken Russia’s tial ambitions were rather constrained, the Bundeswehr cyber power.86 Germany has also taken some bilateral has over the years considerably expanded its objectives initiatives directly with Ukraine, most notably mak- to cover the full spectrum of potential cyber operations.94 ing a commitment in late 2022 to provide over €1bn to However, despite the expanding focus of the Ukraine to help it improve its cyber defences and to Bundeswehr on offensive cyber, German constitutional document Russian war crimes.87 In 2023, German police limitations constrain its cyber operations. According to worked directly with Ukrainian police to disrupt the the German constitution, the parliament must approve cyber operations of two Russian ransomware groups.88 all foreign operations of the Bundeswehr, which are sig- All in all, Germany is a leading country in its engage- nificantly limited by law. Operations outside Germany ment on issues relating to cyber security, both on a by the Cyber and Information Domain Service also global level and within the EU. Given Germany’s active need parliamentary approval.95 Strategic military cyber role in global cyber affairs and the success it has had in operations in peacetime by the Bundeswehr, including advancing several initiatives on cyber governance, this the US-style ‘persistent engagement’, remain for now area illustrates one of Germany’s strongest assets when illegal under German law, hence reducing the effective- it comes to cyber power. ness of German defensive cyber operations. The CIR can nonetheless launch cyber operations when they are Offensive Cyber Capability part of a mandated, out-of-area mission. In 2012, the federal government publicly confirmed for Germany’s ability to carry out cyber counter-attacks the first time its possession of offensive cyber capabili- in response to hostile cyber actions below the level of a ties. However, Berlin provided no concrete public infor- conventional attack remains within a legal grey zone.96 mation about the purpose, use and rules of engagement Countering cyber incursions with cyber operations has for such operations, adding that it had not yet used any been debated since the 2015 cyber attack on the German offensive cyber tool.89 Nevertheless, a succession of doc- parliament. However, several elements remain unre- uments that has entered the public domain both legally solved due to the distribution of responsibilities between and otherwise (including documents from federal min- federal and state authorities. While protection against istries) provide a general sense of Germany’s thinking threats falls under the jurisdiction of the states’ secu- on offensive military cyber operations (OMCO). rity agencies, they are not allowed to operate abroad.97 A report by the BMVg to the Parliamentary Defence In late 2022, a German think tank called on the govern- Committee in 2014 identified three potential uses of ment to ‘more prominently declare that it has offensive such operations: defence in case of military attack; sup- cyber capabilities’ and commit publicly to their use ‘for port for out-of-area operations; and defence in domes- defensive purposes in accordance with international tic emergency situations.90 Germany’s Cyber Defence law’.98 It also recommended that the government share Strategic Guidelines published in a leaked version in its offensive cyber capabilities ‘with trusted partners, 2015 ruled out the use of OMCO for strategic cyber wars if requested, in crisis situations’. The analysis identi- that attack civilian infrastructure, but it allowed for fied what it called a ‘discrepancy in boldness’ between OMCO in intelligence, surveillance and reconnaissance, Germany and key allies, such as the US and UK. as well as denial and disruption activities.91 A 2016 Through the efforts of the BND and Bundeswehr, BMVg report included the possible use of OMCO for Germany has gained strength in developing offensive information-dominance operations, but only within the cyber concepts and doctrine, and probably some capa- framework of joint-force operations.92 Finally, as of 2018, bility, but is limited by its unique constitutional provi- the Bundeswehr Concept allowed for the full spectrum sions when it comes to the use of offensive operations. 54 The International Institute for Strategic Studies Notes 1 The Stuxnet attack involved targeting German firm Siemens’ Security’, 8 September 2021, https://www.bundesregierung. the speed of nuclear centrifuges. See Kim Zetter, ‘An de/breg-en/news/new-cyber-security-strategy-1958688. 4 11 Peter Hille and Nina Werkhauser, ‘The German Weapon’, Wired, 3 November 2014, https://www.wired. Military’s New Shopping list’, Deutsche com/2014/11/countdown-to-zero-day-stuxnet/. Welle, 3 June 2022, https://www.dw.com/en/ Martin Schallbruch and Isabel Skierka, Cybersecurity in how-will-the-german-military-spend-100-billion/a-62020972. Germany (Berlin: Digital Society Institute, 2018), p. 17, http:// 3 Federal Cabinet‚ ‘Goals Adopted in the Area of Cyber industrial control systems which controlled and monitored Unprecedented Look at Stuxnet, the World’s First Digital 2 10 12 Deutsche Welle, ‘Germany Bolsters Defences Against Russian static.esmt.org/publications/other/2018-msch-cybersecurity- Cyber Threat’, 12 July 2022, https://www.dw.com/en/germany- in-germany-manuscript.pdf. bolsters-defenses-against-russian-cyber-threats/a-62442479. Federal Ministry of the Interior and Community, 13 Janosch Delcker, ‘Germany Gets Serious About Cyber ‘Cybersecurity Strategy for Germany‘, 2011, Threats’, Deutsche Welle, 12 July 2022, https://www. https://www.enisa.europa.eu/media/news-items/ dw.com/en/opinion-germany-finally-gets-serious-about- german-cyber-security-strategy-2011-1. tackling-cyber-threats/a-62446715. See Federal Criminal Police Office, Das Nationales Cyber- 14 Federal Office for Information Security, ‘Die Lage der Abwehrzentrum‘ [The National Cyber Response Centre], IT-Sicherheit in Deutschland 2022’ [The State of IT Security in https://www.bka.de/DE/UnsereAufgaben/Kooperationen/ Germany 2022], 2022, https://www.bsi.bund.de/SharedDocs/ NCAZ/ncaz_node.html. Downloads/DE/BSI/Publikationen/Lageberichte/ 5 Ibid., pp. 4–6. Lagebericht2022.pdf?__blob=publicationFile&v=5. 6 Federal Law Gazette, ‘Gesetz zur Erhöhung der Sicherheit 8 [Digitisation Centre Set Up], Behorden Spiegel, 22. [Law to Increase Security of Information Technology September 2022, https://www.behoerden-spiegel. Systems (IT Security Law)], 17 July 2015, pp. de/2022/09/22/zentrum-digitalisierung-aufgestellt/. 16 Holger Stark, ‘Hilfe, die zum Ziel führt’ xav?startbk=Bundesanzeiger_BGBl&jumpTo=bgbl115s1324. [Help that Leads to the Goal]’, Die Zeit, 28 pdf#__bgbl__%2F%2F*%5B%40attr_id%3D%27bgbl115s1324. September 2022, https://www.zeit.de/2022/40/ pdf%27%5D__1627095412670. ukraine-russland-krieg-bnd-geheimdienstinformationen. Federal Ministry of Interior, ‘Cyber-Sicherheitsstrategie 17 For an overview of the complexity of Germany’s cyber- für Deutschland’ [Cyber Security for Germany], security responsibilities, see Rebecca Beigel and Sven 2016, https://www.bmi.bund.de/SharedDocs/ Herpig, ‘Germany’s Cybersecurity Architecture (Translation downloads/DE/publikationen/themen/it-digitalpolitik/ of the 6th German Edition)’, Stiftung Neue Verantwortung, cybersicherheitsstrategie-2016.pdf. March 2021 https://www.stiftung-nv.de/sites/default/ Federal Ministry of Defence, ‘Weissbuch 2016 Zur files/eng_impulse-germanys_cybersecurity_architecture_ Sicherheitspolitik Und Zur Zukunft Der Bundeswehr’ [2016 translation_of_the_6th_german_edition_0.pdf. White Paper on Security Policy and Future of the German 9 Matthias Lorenz, ‘Zentrum Digitalisierung aufgestellt’ informationstechnischer Systeme (IT-Sicherheitsgesetz)’ 1325–1326, https://www.bgbl.de/xaver/bgbl/start. 7 15 18 Germany has a federal system of government and is made Armed Forces], 2016, p. 93, https://www.bmvg.de/ up of 16 states each with their own parliament and regional resource/blob/13708/015be272f8c0098f1537a491676bfc31/ government. Responsibilities of the state governments weissbuch2016-barrierefrei-data.pdf. include policing and countering cime. Federal Ministry of Defence, ‘Konzeption der Bundeswehr’ 19 Federal Office for Information Security, ‘Kurzprofil des BSI’ [Brief [Concept of the German Armed Forces], July 2018, p. 43, Profile of the BSI], 1 February 2021, https://www.bsi.bund.de/ https://www.bmvg.de/resource/blob/26544/9ceddf6df2f48ca DE/Das-BSI/Auftrag/BSI-Kurzprofil/kurzprofil_node.html. 87aa0e3ce2826348d/20180731-konzeption-der-bundeswehrdata.pdf. 20 Federal Office for Information Security, ‘Organisation and Structure’, https://www.bsi.bund.de/EN/Das-BSI/ CYBER CAPABILITIES AND NATIONAL POWER Volume 2 55 Organisation-und-Aufbau/organisation-und-aufbau_node. german-intelligence-cant-spy-on-foreigners-outside- html, accessed on 1 July 2023. germany/a-53492342. 21 Federal Office for Information Security, ‘Kurzprofil des BSI’. 22 Ömer Bekar, ‘Bundeswehr Cyber Kommando: Das kommt auf Überwachungsbefugnisse wie noch nie’ [Federal Intelligence Dich zu’ [Bundeswehr Cyber Command: Coming for You], Service Receives More Surveillance Powers Than Ever BundeswehrTest, 4 January 2022, https://bundeswehrtest.de/ Before], Netzpolitik.org, 26 March 2021, https://netzpolitik. bundeswehr-cyber-kommando-das-kommt-auf-dich-zu/. org/2021/bnd-gesetz-bundesnachrichtendienst-erhaelt-so- Lieutenant General Ludwig Leinhos, ‘Cyber Defence viele-ueberwachungsbefugnisse-wie-noch-nie/. 23 in Germany: Challenges and the Way Forward for the 24 25 26 28 34 Andre Meister, ‘Bundesnachrichtendienst erhält so viele Federal Office for the Protection of the Constitution, Bundeswehr’, Connections: The Quarterly Journal, Vol. 19, No. ‘Cyberabwehr’ [Cyber Defence], https://www. 1, 2020, p. 13, http://connections-qj.org/article/cyber-defence- verfassungsschutz.de/DE/themen/cyberabwehr/ germany-challenges-and-way-forward-bundeswehr. cyberabwehr_node.html. Federal Ministry of Defence, ‘Eckpunkte für die Bundeswehr 35 Ludwig Leinhos, ‘Cyber Defence in Germany: Challenges der Zukunft’ [Cornerstones for the Bundeswehr of the and the Way Forward for the Bundeswehr’, Connections, Future], May 2021, p. 24, https://www.bundeswehr.de/ Vol. 19, No. 1, Winter 2020, https://www.pfp-consortium. resource/blob/5092728/7059f0f9af27786b4eac7118e0c5ca23/ org/articles/cyber-defence-germany-challenges-and-way- eckpunkte-final-data.pdf. forward-bundeswehr. Bundeswehr, ‘Zentrum Digitalisierung der Bundeswehr 36 Matthias Gebauer, ‘Bundeswehr-Hacker knackten afghanisches aufgestellt’ [Bundeswehr Digitalisation Centre Set Up], Mobilfunknetz’ [Bundeswehr Hackers Cracked Afghan 16 September 2022, https://www.presseportal.de/ Mobile Network], Der Spiegel, 23 September 2016, https:// pm/129406/5322521. www.spiegel.de/politik/ausland/cyber-einheit-bundeswehr- Matthias Gebauer, ‘Bundeswehr-Hacker knackten afghanisches hackte-afghanisches-mobilfunknetz-a-1113560.html. Mobilfunknetz’ [Bundeswehr Hackers Cracked Afghan 27 33 37 Andre Meister, ‘Bundestag hat das krasseste Mobile Network], Der Spiegel, 23 September 2016, https:// Überwachungsgesetz der Legislaturperiode beschlossen’ www.spiegel.de/politik/ausland/cyber-einheit-bundeswehr- [Bundestag Passes Most Blatant Surveillance Law of hackte-afghanisches-mobilfunknetz-a-1113560.html. Legislative Period], netzpolitik.org, 19 June 2017, https:// The BND is an active partner of leading Western netzpolitik.org/2017/staatstrojaner-bundestag-beschliesst- intelligence agencies, and about ten per cent of its staff are diese-woche-das-krasseste-ueberwachungsgesetz-der- military personnel. legislaturperiode/. Federal Intelligence Service, ‘Our Organisation’, 2023, 38 Andre Meister, ‘Bundesregierung beschließt Staatstrojaner https://www.bnd.bund.de/EN/About-BND/organisation/ für alle Geheimdienste’ [Federal Government Adopts State organisation_node.html. Trojans for All Secret Services], netzpolitik.org, 21 October 29 Ibid. 2020, https://netzpolitik.org/2020/bundesregierung- 30 Federal Constitutional Court, ‘Ausland-Ausland- beschliesst-staatstrojaner-fuer-alle-geheimdienste/. Fernmeldeaufklärung nach dem BND-Gesetz verstößt in 31 32 39 Kai Biermann and Holgre Stark,‘Die Superwaffe und derzeitiger Form gegen Grundrechte des Grundgesetzes’ [Foreign die Deutschen’ [The Super Weapon and the Germans], Telecommunications Surveillance According to BND Act Zeit Online, 19 July 2021, https://www.zeit.de/politik/ Violates Fundamental Rights of Basic Law in Its Current ausland/2021-07/ueberwachungsaffaere-spionage-software- Form], 19 May 2020, https://www.bundesverfassungsgericht. pegasus-einsatz-deutschland-bundeskriminalamt- de/SharedDocs/Pressemitteilungen/DE/2020/bvg20-037.html. handydaten-rechtsstaat. See DE-CIX, ‘Frankfurt Traffic Statistics’, https://de-cix.net/ 40 Heise Online, ‘Bundeshaushalt: Deutlich mehr Geld für Polizei en/locations/frankfurt/statistics. und Geheimdienste’ [Federal Budget: Significantly More Ben Knight, ‘German Intelligence Can’t Spy Money for Police and Secret Services], 13 December 2020, on Foreigners Outside Germany’, Deutsche https://www.heise.de/news/Bundeshaushalt-Deutlich-mehr- Welle, 19 May 2020, https://www.dw.com/en/ Geld-fuer-Polizei-und-Geheimdienste-4988155.html. 56 The International Institute for Strategic Studies 41 42 Kai Biermann and Holger Stark, ‘Merkels fliegende Augen’ Difficult for Huawei to Access 5G Network], Handelsblatt, [Merkel’s Flying Eyes], Zeit Online, 15 February 2018, 20 November 2020, https://www.handelsblatt.com/ https://www.zeit.de/2018/08/ueberwachung-bnd-satelliten/ politik/deutschland/neues-it-sicherheitsgesetz-regierung- komplettansicht. erschwert-huawei-den-zugang-zum-5g-netz/26645582. Jonas Muelle-Töwe, ‘BND hat Probleme mit Spionage- html?ticket=ST-5173938-lriUW3ydkBeMhZjllpcm-ap2. Satelliten‘ [BND Has Problems With Spy Satellites], T-online, 43 Too Little to Limit Huawei’s Participation in 5G’, 25 October deutschland/id_91043418/bnd-hat-probleme-mit-spionage- 2022, https://www.agenzianova.com/en/news/germania- satelliten-prestige-projekt-des-geheimdienstes.html. cina-il-governo-federale-fa-troppo-poco-per-limitare-la- Stephen Clark, ‘SpaceX Launches German Military Radar partecipazione-di-huawei-al-5g/. german-military-radar-satellite-from-california/. china-spying-on-germany-say-intelligence-chiefs/a-63467038. Stefan Krempl, ‘Digitale Agenda der Bundesregierung: Land’ [Digital Agenda of the Federal Government: Germany Welle, 13 July 2021, https://www.dw.com/de/ as Encryption World Champion and Broadband Country], bundeswehr-startet-weltraumkommando/a-58253666. 50 54 MDR, ‘Cyberagentur in Halle hat einen neuen Chef – zumindest newsticker/meldung/Digitale-Agenda-der-Bundesregierung- übergangsweise‘ [Cyber Agency in Halle has a New Boss – At Deutschland-als-Verschluesselungsweltmeister-und- Least Temporarily], 15 June 2021, http://web.archive.org/ Breitband-Land-2265119.html. web/20210625164820/https://www.mdr.de/nachrichten/ European Center for Digital Competitiveness, ‘Digital sachsen-anhalt/cyberagentur-bund-halle-neuer-chef-100.html. 55 Intelligence Online, ‘Berlin in Two Minds About Curbing digitalriser/. Cyber Freedoms or Fostering Cyber Industry’, 18 November Deutsche Bank, ‘Digital Awakening for Germany’, 25 2020, https://www.intelligenceonline.com/government- October 2022, pp. 8 –9, https://www.dbresearch.com/ intelligence/2020/11/18/berlin-in-two-minds-about-curbing- PROD/RPS_EN-PROD/PROD0000000000525257/Digital_ cyber-freedom-or-fostering-cyber-industry,109622036-art. 56 OECD.AI Policy Observatory, ‘VC Investments in AI by Federal Ministry for Economic Affairs and Energy, ‘Digitale Country’, https://oecd.ai/en/data?selectedArea=investments- Transformation in der Industrie’ [Digital Transformation in-ai-and-data&selectedVisualization=vc-investments-in-ai- in Industry], https://www.bmwi.de/Redaktion/DE/Dossier/ by-country. 57 Thundermark Capital, ‘AI Research Rankings 2022: Sputnik Centre for Promotion of Imports, ‘The European Market Moment for China?’, 20 May 2022, https://thundermark. Potential for (Industrial) Internet of Things’, 7 June 2022, medium.com/ai-research-rankings-2022-sputnik-moment- https://www.cbi.eu/market-information/outsourcing-itobpo/ for-china-64b693386a4. industrial-internet-things/market-potential. 49 Peter Hille, ‘Bundeswehr startet Weltraumkommando‘ [Bundeswehr Launches Space Command], Deutsche industrie-40.html. 48 53 Deutschland als Verschlüsselungsweltmeister und Breitband- awakening_for_Germany%3A_Digital_Strategy_of.pdf. 47 Deutsche Welle, ‘China Spying on Germany, Say Intelligence Chiefs’, 17 October 2022, https://www.dw.com/en/ Riser Report 2021’, p. 5, https://digital-competitiveness.eu/ 46 52 https://spaceflightnow.com/2022/06/18/spacex-launches- Heise Online, 23 July 2014, https://www.heise.de/ 45 Nova.news, ‘Germany–China: Federal Government Does 21 October 2021, https://www.t-online.de/nachrichten/ Satellite from California’, Spaceflight Now, 18 June 2022, 44 51 58 In 1998, US President Bill Clinton issued Presidential Ken Wieland, ‘Vodafone Germany CEO Ametsreiter on 5G Decision Directive 63 to set up an information-sharing Ramp-up Mission’, TelcoTitans, 12 December 2020, https:// system between the government and the private sector. www.telcotitans.com/vodafonewatch/vodafone-germany- See Greg Austin, ‘US Policy from Cyber Incidents to ceo-ametsreiter-on-5g-ramp-up-mission/2657.article. National Emergencies’, in Greg Austin (ed.), National Cyber Laurens Cerulus, ‘Germany Falls In Line with EU on Emergencies: The Return to Civil Defence (London: Routledge, Huawei’, PoliticoEU, 23 April 2021, https://www.politico. 2020), p. 34. eu/article/germany-europe-huawei-5g-data-privacy- 59 Federal Office for Information Security, ‘UP KRITIS: cybersecurity/; and Moritz Koch, ‘Regierung erschwert Öffentlich-Private Partnerschaft zum Schutz Kritischer Huawei den Zugang zum 5G-Netz’ [Government Makes it Infrastrukturen in Deutschland’ [UP CRITIS: Public–Private CYBER CAPABILITIES AND NATIONAL POWER Volume 2 57 Partnership to Protect Critical Infrastructure in Germany], 70 Jens Thurau, ‘OECD: German Schools Falling Behind in http://web.archive.org/web/20220101223833/https://www. Digitalization’, Deutsche Welle, 15 April 2021, https:// bsi.bund.de/SharedDocs/Downloads/DE/BSI/KRITIS/Flyer_ www.dw.com/en/oecd-german-schools-falling-behind-in- UP_KRITIS.pdf?__blob=publicationFile&v=1. digitalization/a-57209127. 60 See the webpage of the G4C at: https://www.g4c-ev.de. 61 Federal Office for Civil Protection and Disaster Assistance, ‘Heightened Security Situation in Germany’, https://www. ‘LÜKEX – Krisensimulation für den Bevölkerungsschutz’ [LÜKEX: bmi.bund.de/SharedDocs/schwerpunkte/EN/ukrain/ Crisis Exercise for Civil Protection], https://www.bbk.bund.de/ security_meldung.html. DE/Themen/Krisenmanagement/LUEKEX/luekex_node.html. 62 63 65 66 72 Federal Ministry of the Interior and Community, Michael Nienaber and Laura Malsch, ‘Germany Picks First Federal Office for Information Security, ‘CERT-Bund’ Female President of BSI Cybersecurity Agency’, Bloomberg, [CERT Association], https://www.bsi.bund.de/DE/Themen/ 7 February 2023, https://www.bloomberg.com/news/ Unternehmen-und-Organisationen/Cyber-Sicherheitslage/ articles/2023-02-07/germany-picks-first-female-president-of- Reaktion/CERT-Bund/cert-bund_node.html. bsi-cybersecurity-agency#xj4y7vzkg. Bitkom, ‘Sicherheit für Systeme und Netze in Unternehmen‘ 73 International Telecommunication Union, ‘Global [Security for Systems and Networks in Companies], p. Cybersecurity Index 2020’, pp. 25, 30, https://www.itu.int/ 37, https://www.bitkom.org/sites/default/files/file/import/ dms_pub/itu-d/opb/str/D-STR-GCI.01-2021-PDF-E.pdf. ACF897.pdf. 64 71 74 MIT Technology Review Insights. ‘Cyber Defense Index Federal Office for Information Security, ‘Die Lage der 2022/23’, 2022, https://mittrinsights.s3.amazonaws.com/ IT-Sicherheit in Deutschland 2022’ [The State of IT Security CDIreport.pdf. in Germany in 2022], p. 7, https://www.bsi.bund.de/ 75 Ibid., p. 11. SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/ 76 Schallbach and Skierka, Cybersecurity in Germany, p. 56. Lagebericht2022.pdf?__blob=publicationFile&v=5. 77 Tomas Minarik, ‘OSCE Expands Its List of Confidence- Federal Office for Information Security, ‘Heightened building Measures for Cyberspace: Common Ground Security Situation in Germany‘, https://www.bmi.bund.de/ on Critical Infrastructure Protection’, Cooperative SharedDocs/schwerpunkte/EN/ukrain/security_meldung. Cyber Defence Centre of Excellence, https://ccdcoe.org/ html‚ accessed on 1 July 2023. incyder-articles/osce-expands-its-list-of-confidence- Federal Office for Information Security, ‘Die Lage der building-measures-for-cyberspace-common-ground-on- IT-Sicherheit in Deutschland 2020’ [The State of IT Security critical-infrastructure-protection/. in Germany 2020], 2020, p. 36, https://www.bsi.bund. 78 Kristie Pladson, ‘Germany Proposes First-ever Use of EU Cyber de/SharedDocs/Downloads/DE/BSI/Publikationen/ Sanctions Over Russia Hacking’, Deutsche Welle, 12 July 2020, Lageberichte/Lagebericht2020.pdf. https://www.dw.com/en/germany-proposes-first-ever-use-of- 67 Ibid., p. 54. eu-cyber-sanctions-over-russia-hacking/a-54144559. 68 Federal Office for Information Security, ‘Die Lage der IT-Sicherheit Alice Tidey, ‘EU Sanctions Two Russian Military Officers in Deutschland 2021‘ [The State of IT Security in Germany 2021], Over Cyber Attack Against German Parliament’, euronews, 2021, p. 43, https://www.bsi.bund.de/SharedDocs/Downloads/ 23 October 2020, https://www.euronews.com/2020/10/23/ DE/BSI/Publikationen/Lageberichte/Lagebericht2021. eu-sanctions-two-russian-military-officers-over-cyber-attack- pdf;jsessionid=249149546E6817A6503DBA621EA6E822. against-german-parliament. internet481?__blob=publicationFile&v=3https:// 80 Euro2020.de, ‘Expanding the EU’s Digital www.bsi.bund.de/SharedDocs/Downloads/DE/ Sovereignty’, https://www.eu2020.de/eu2020-en/ BSI/Publikationen/Lageberichte/Lagebericht2021. eu-digitalisation-technology-sovereignty/2352828. pdf;jsessionid=249149546E6817A6503DBA621EA6E822. 69 79 81 European Council and Council of the European internet481?__blob=publicationFile&v=3. Union, ‘Encryption: Council Adopts Resolution on Annabelle Theobald, ‘Companies Often Lack Sufficient Security Through Encryption and Security Despite Awareness of Cybersecurity Risks’, CISPA, 4 May 2022, Encryption’, 14 December 2020, https://www. https://cispa.de/en/sme-security. consilium.europa.eu/en/press/press-releases/2020/12/14/ 58 The International Institute for Strategic Studies 82 83 encryption-council-adopts-resolution-on-security-through- MAT_A_BMVg-1/MAT%20A%20BMVg-1-2/MAT%20A%20 encryption-and-security-despite-encryption/. BMVg-1-2a_2.pdf. Federal Foreign Office, ‘Non-Paper on EU Cyber Cyberwar und offensive digitale Angriffe‘ [Ministry of Defence amt.de/blob/2418986/206b3bf9aa4ef45a28873992318 Allows Bundeswehr Cyberwar and Offensive Digital Attacks], 40d23/201119-non-paper-pdf-data.pdf. 30 July 2015, https://netzpolitik.org/2015/geheime-cyber-leitlinie- The Federal Government, ‘On the Application of verteidigungsministerium-erlaubt-bundeswehr-cyberwar-und- International Law in the Cyber Domain’, March 2021, offensive-digitale-angriffe/#5-2-Cyberverteidigung. 92 und Informationsraum‘ [Final Report: Cyber and Information law-in-cyberspace-data.pdf. Space Development Team], April 2016, p. 13, http://docs.dpaq. Lieutenant-Colonel Michael Backhaus, ‘Cyber Commanders de/11361-abschlussbericht_aufbaustab_cir.pdf. 93 https://euro-sd.com/wp-content/uploads/2019/06/ESD_ Spotlight_No_102.pdf. 86 Forces‘, p. 43. 94 Up a Cyber Lab for the Ukrainian Armed Forces’, 2 Cyber Operations: Benefits, Limitations and Lessons for December 2022, https://www.eeas.europa.eu/eeas/ Germany], Stiftung fur Wissenschaft und Politik, 2020, p. ukraine-eu-sets-cyber-lab-ukrainian-armed-forces_en. 17, https://www.swp-berlin.org/publications/products/ European Commission, ‘EU Sanctions Against studien/2020S15_she_CyberOperationen.pdf. 95 Operations are in a Legal Gray Zone’, Lawfare, stronger-europe-world/eu-solidarity-ukraine/ 8 April 2020, https://www.lawfareblog.com/ eu-sanctions-against-russia-following-invasion-ukraine_en. german-military-cyber-operations-are-legal-gray-zone. Reuters, ‘Germany Allocates Extra 1 Bln Euros to Ukraine 96 Schulze, ‘German Military Cyber Operations are in a Legal Gray Zone’. 97 See, for example, Federal Parliament, ‘Verfassungsmäßigkeit allocates-extra-1-bln-euros-ukraine-cyber-defence- von sog. ‘‘Hackbacks’’ im Ausland‘ [Constitutionality documenting-war-crimes-2022-11-11/. of So-called Hackbacks Abroad], 8 June 2018, Europol, ‘Germany and Ukraine Hit Two High-value https://www.bundestag.de/resource/blob/560900/ Ransomware Targets’, 6 March 2023, https://www.europol. baf0bfb8f00a6814e125c8fce5e89009/wd-3-159-18-pdf-data. europa.eu/media-press/newsroom/news/germany-and- pdf; and Federal Parliament, ‘Testimony of Sven Herping on ukraine-hit-two-high-value-ransomware-targets. Legal Issues in Military Cyberspace Realm‘, 14 December Atlantic Council, ‘Germany Reveals Offensive 2020, p. 4, https://www.bundestag.de/resource/blob/812030/3 Cyberwarfare Capabilities’, 8 June 2012, https:// 7cd9ce216d96f75760c79218bbf187b/stellungnahme-Dr-Sven- www.atlanticcouncil.org/blogs/natosource/ Herpig_14-12-2020-data.pdf. germany-reveals-offensive-cyberwarfare-capability/. 90 Matthias Schulze, ‘German Military Cyber ec.europa.eu/info/strategy/priorities-2019-2024/ 2022. https://www.reuters.com/world/europe/germany- 89 Matthias Schulze, ‘Militärische Cyber-Operationen: Nutzen, Limitierungen und Lehren für Deutschland’ [Military Cyber-defence, Documenting War Crimes’, 12 November 88 Federal Ministry of Defence, ‘Concept of the German Armed European External Action Service, ‘Ukraine: EU Sets Russia Following the Invasion of Ukraine’, https:// 87 Federal Ministry of Defence, ‘Abschlussbericht Aufbaustab Cyber- 10b74fb17204c54665bdf0/on-the-application-of-international- Forum’, European Security & Defence, 25 October 2018, 85 Netzpolitik, ‘Verteidigungsministerium erlaubt Bundeswehr Diplomacy’, 19 November 2020, https://www.auswaertiges- https://www.auswaertiges-amt.de/blob/2446304/32e7b2498e 84 91 98 Valentin Weber, ‘A Reliable Global Cyber Power: Cyberspace Federal Ministry of Defence, ‘Bericht zum Themenkomplex and Germany’s National Security Strategy’, DGAP, Cyber-Verteidigung’ [Report on the Topic of Cyber Defence), October 2022, https://dgap.org/en/research/publications/ pp. 22–23, https://wikileaks.org/bnd-inquiry/docs/BMVg/ reliable-global-cyber-power. CYBER CAPABILITIES AND NATIONAL POWER Volume 2 59 60 The International Institute for Strategic Studies
