
Germany’s Cyber Security Strategy

Germany unveiled a new cyber security strategy, a “Nationale Cyber-Sicherheitsstrategie”. The outgoing minister of the interior, Thomas de Maizière, presented the document about two weeks ago (in German, in English). It hasn’t been well-covered in English. So what’s in it? And is it any good?

Let’s have a critical look, step by step. The strategy starts off by making a few grand statements. They are notable. The government sees data security as “an existential question of the 21st century,” and maintaining it is “the central common challenge for state, business, and society” in Germany. All this needs “urgent action”, as Michael Hange, head of the lead agency on information security, the Bundesamt für Sicherheit in der Informationstechnik (BSI), put it. But Germany’s strategy is coming a bit late. Despite previous initiatives, the self-branded “land of ideas” seems to be behind the UK and the United States when it comes to ideas on how to make the country safer in cyberspace.

So what does the new strategy suggest concretely? A number of things. The three most important are creating two new bodies and a “codex”.

The first body is a cyber-defence centre, a Nationales Cyber-Abwehrzentrum, with the swanky acronym NCAZ. Let’s try to cut through the bureaucratic labyrinth for a minute: the centre is supposed to be staffed mainly by the BSI, the information security agency. With ten people to start with, to be located in Bonn-Mehlem. The BSI has been around for 20 years. It was created in 1991 by breaking out a unit from Germany’s foreign intelligence agency, the Bundesnachrichtendienst, the Zentralstelle für Chiffrierwesen, loosely translated the centre for cypher affairs. It will send six experts to NCAZ. Two additional experts each will be seconded by the Verfassungsschutz, Germany’s Federal Office for the Protection of the Constitution, as well as by the Katastrophenschutz, the Federal Office of Civil Protection and Disaster Assistance. A host of other agencies will start participating over the coming months, supposedly with only very few representatives, notably the Bundeskriminalamt, Bundespolizei, Zollkriminalamt, Bundesnachrichtendienst and even the Bundeswehr. The new centre will not develop offensive capabilities.

And? “A sham,” said Klaus Jansen, head of the Bund Deutscher Kriminalbeamter, a group that represents Germany’s criminal investigators, about the planned centre for cyber-defence. Merely a dozen people, mostly from the BSI, would not be enough to supervise what’s going on and to fend off major attacks. Indeed the staffing seems to be a bit thin. And it remains unclear what exactly the new centre will be doing, who will head it, and how much leverage it will have when cooperating with others, especially outside actors, governmental and corporate, nationally and internationally. To change behaviour effectively, it needs power and political influence. It is unclear if the centre will have such leverage.

Possibly the answer to that question is the second body, a grandly named Nationaler Cyber-Sicherheitsrat, or national “cyber-security council.” The new body is set to start working soon, on 1 April. The council will be part of Merkel’s chancellery and include high-level representatives from all sorts of ministries that could be relevant, like interior, defence, justice, economy, finance, etc, and even more if necessary. It will be headed by Cornelia Rogall-Grothe, the government’s IT czar of the rank of state secretary. Citizens and businesses, she said, need the web “like the air we breathe.”

The council is an interesting idea at first glance. But at closer view it appears to be quite problematic. Credit card fraud is one thing. Then spam-spitting botnets are mentioned. But a Stuxnet-type attack on a foreign country is something entirely different. Even more different are jihadis rallying online. All this is indeed as hard to pin down as the air we breathe. Does it really make sense to have one senior council in charge of such vastly different sets of issues? Why not just give the BSI’s new centre more political clout?

The third noteworthy idea is that cyber “Kodex.” The document speaks of cyber-foreign-policy. German interests in data security, the ministry argues, would be pursued in international organisations such as the UN, the OSCE, the European Council, the OECD, and NATO — in that order.

It remains utterly unclear what that’s supposed to mean. Cyber security is handled by national agencies that are secretive, and often with justification. It requires lots of national coordination across sectors. It requires lots of expensive and hard-to-get expertise. The notion that international organisations, especially in the order above, could be the answer strikes me as rather naive, if not cynical. That doesn’t even consider the problem that whatever international norms and rules may be established, they will be broken anyway. Can cyber-espionage and even cyber-attacks really be reined in by treaties and codices? Take out the “cyber,” and the illusion becomes obvious: “This would be as if one could achieve a global treaty for the abolition of foreign intelligence agencies,” deadpanned Christoph Hochstätter on ZDNet, a technology news service. And he’s right.

Meanwhile the opposition is absent. It is disappointing to see that other political parties and the opposition in Germany seem to be unable to mount proper, substantial critique that goes beyond the usual knee-jerk reactions. That is true of the Green party, the Liberals, and of course the far Left. Especially noteworthy is the ministry’s plan to push ISPs and producers of equipment to take more responsibility for security. But nowhere is it spelt out what that actually means. Most of the strategic document is for-official-use-only, and hence not public. That makes hiding bad ideas easier and constructive criticism harder. Which raises an important question: since expertise in cyber is so hard to find in government, let alone parliament, who will supervise the government’s work on cyber? Hello, Social Democrats and Berlin think tanks, any experts out there to step forward with some insider analysis and constructive policy suggestions?


5 thoughts on “Germany’s Cyber Security Strategy”

  1. Pingback: Germany’s Cyber Security Strategy « Marvin Ammori &

  2. Pingback: World Spinner

  3. Formerly Grant says:

    Considering some of the members of the UN and OSCE I have to wonder exactly how successful Germany would be in pursuing their interests to handle cyber attacks. Furthermore, why was NATO so low on the list?

  4. Richard Pain says:

    I agree with Formerly Grant. The UN is unlikely to get anything concrete done and if so, to what end? NATO is set to bring out a new cyber strategy in June 2011 and this will likely codify the threshold for reaction (if the problem of attribution can be conquered).

    The German cyber strategy document doesn’t mention anything about financing this. The UK is investing £650 million into cyber security over the next four years, I wonder how much Germany is putting towards theirs.

    • Clement Guitton says:

      The German cyber strategy indeed doesn’t mention any figures, but it does not seem to be as high as the UK National Cyber Security Programme.

      The Bundesministerium des Innern is allocating €10 million for the creation of NCAZ ( http://www.bmi.bund.de/SharedDocs/Kurzmeldungen/DE/2011/09/haushalt.html) and I don’t think that the “Nationaler Cyber-Sicherheitsrat” will be allocated a big budget since it is under the “Beauftragte der Bundesregierung für Informationstechnik” that has an annual budget of only €2.5 million.

      However, it must still be mentioned that the £650 million are going to be distributed between 18 agencies (and the majority of it, i.e. 56%, will in fact go to the three agencies dedicated to intelligence services) and that the already existing central agency for IT-security (Bundesamt für Sicherheit in der Informationstechnik) has a budget superior to OCSIA, CESG and OGCIO&SIRO all combined together (namely, £38.9m vs €68m for the year 2010).

      Regarding the UN, it set up in 2008 IMPACT (www.impact-alliance.org) that it qualifies as “the cybersecurity executing arm of the UN”. It is, i.a., an information sharing center for cyber-threats where different CERTs/organisations can exchange their most up to date data about the current status of cyber threats (cf. the Global Response Center). And that seems to be in the best interests of any states interested in Computer Network Defense, including Germany.
