Germany unveiled a new cyber security strategy, a “Nationale Cyber-Sicherheitsstrategie”. The outgoing minister of the interior, Thomas de Maizière, presented the document about two weeks ago (in German, in English). It hasn’t been well-covered in English. So what’s in it? And is it any good?
Let’s have a critical look, step by step. The strategy starts off by making a few grand statements. They are notable. The government sees data security as “an existential question of the 21st century,” and maintaining it is “the central common challenge for state, business, and society” in Germany. All this needs “urgent action”, as Michael Hange put it, the head of the lead agency on information security, the Bundesamt für Sicherheit in der Informationstechnik, known as BSI. — But Germany’s strategy is coming a bit late. Despite previous initiatives, the self-branded “land of ideas” seems to be behind the UK and the United States when it comes to ideas on how to make the country safer in cyberspace.
So what does the new strategy suggest concretely? A number of things. The three most important are creating two new bodies and a “codex”.
The first body is a cyber-defence centre, a Nationales Cyber-Abwehrzentrum, with the swanky acronym NCAZ. Let’s try to cut through the bureaucratic labyrinth for a minute: the centre is supposed to be staffed mainly by the BSI, the information security agency, with ten people to start with, and to be located in Bonn-Mehlem. The BSI has been around for 20 years. It was created in 1991 by breaking out a unit from Germany’s foreign intelligence agency, the Bundesnachrichtendienst: the Zentralstelle für Chiffrierwesen, loosely translated the centre for cypher affairs. It will send six experts to NCAZ. Two additional experts each will be seconded by the Verfassungsschutz, Germany’s Federal Office for the Protection of the Constitution, as well as by the Katastrophenschutz, the Federal Office of Civil Protection and Disaster Assistance. A host of other agencies will start participating over the coming months, supposedly with only very few representatives, notably the Bundeskriminalamt, Bundespolizei, Zollkriminalamt, Bundesnachrichtendienst and even the Bundeswehr. The new centre will not develop offensive capabilities.
And? — “A sham,” said Klaus Jansen, head of the Bund Deutscher Kriminalbeamter, a group that represents Germany’s criminal investigators, about the planned centre for cyber-defence. Merely a dozen people, mostly from the BSI, would not be enough to supervise what’s going on and to fend off major attacks. Indeed the staffing seems to be a bit thin. And it remains unclear what exactly the new centre will be doing, who will head it, and how much leverage it will have when cooperating with others — especially outside actors, governmental and corporate, nationally and internationally. To change behaviour effectively, it needs power and political influence. It is unclear if the centre will have such leverage.
Possibly the answer to that question is the second body, a grandly named Nationaler Cyber-Sicherheitsrat, or national “cyber-security council.” The new body is set to start working soon, on 1 April. The council will be part of Merkel’s chancellery and include high-level representatives from all sorts of ministries that could be relevant, like interior, defence, justice, economy, finance, etc, and even more if necessary. It will be headed by Cornelia Rogall-Grothe, the government’s IT czar of the rank of state secretary. Citizens and businesses, she said, need the web “like the air we breathe.”
The council is an interesting idea at first glance. But on closer inspection it appears to be quite problematic. Credit card fraud is one thing. Then spam-spitting botnets are mentioned. But a Stuxnet-type attack on a foreign country is something entirely different. Even more different are jihadis rallying online. All this is indeed as hard to pin down as the air we breathe. Does it really make sense to have one senior council in charge of such vastly different sets of issues? Why not just give the BSI’s new centre more political clout?
The third noteworthy idea is that cyber “Kodex.” The document speaks of cyber-foreign-policy. German interests in data security, the ministry argues, would be pursued in international organisations such as the UN, the OSCE, the European Council, the OECD, and NATO — in that order.
It remains utterly unclear what that’s supposed to mean. Cyber security is handled by national agencies that are secretive, and often with justification. It requires lots of national coordination across sectors. It requires lots of expensive and hard-to-get expertise. The notion that international organisations, especially in the order above, could be the answer strikes me as rather naive, if not cynical. And that is before considering the problem that whatever international norms and rules may be established, they will be broken anyway. Can cyber-espionage and even cyber-attacks really be reined in by treaties and codices? Take out the “cyber,” and the illusion becomes obvious: “This would be as if one could achieve a global treaty for the abolition of foreign intelligence agencies,” deadpanned Christoph Hochstätter on ZDNet, a technology news service. And he’s right.
Meanwhile the opposition is absent. It is disappointing to see that other political parties and the opposition in Germany seem to be unable to mount proper, substantial critique that goes beyond the usual knee-jerk reactions. That is true of the Green party, the Liberals, and of course the far Left. Especially noteworthy is the ministry’s plan to push ISPs and producers of equipment to take more responsibility for security. But nowhere is it spelt out what that actually means. Most of the strategic document is for-official-use-only, and hence not public. That makes hiding bad ideas easier and constructive criticism harder. Which raises an important question: since expertise in cyber is so hard to find in government, let alone parliament, who will supervise the government’s work on cyber? Hello, Social Democrats and Berlin think tanks, any experts out there to step forward with some insider analysis and constructive policy suggestions?