Berlin is busy discussing “cyber” in all its security implications. But it should think twice before abandoning its focus on IT security in search of more offensive capabilities.
These days it does not take very long for the “cyber” prefix to be dropped into any discussion on foreign policy or national security in Berlin: cyber sabotage to shut down the energy system, cyber operations to influence elections, or cyber espionage to steal secrets and intellectual property―all examples given to show that future risks to our security will emanate from cyber space.
The urgent need for strategic responses has captured Berlin’s policy circles. Endorsing “hack-backs,” Germany’s interior minister Thomas de Maizière told German media last spring that police officers should not only wear body armor but also carry guns. This is more than mere rhetoric. The interior ministry is currently building a controversial new agency that is supposed to provide hacking capabilities to domestic security agencies. Ministry officials have also warned they may need to amend the constitution to hit back at hackers targeting private companies.
Defense Minister Ursula von der Leyen, meanwhile, is pursuing her own cyber agenda with similar arguments. At a ceremony launching the military’s new Cyber Command last April, she justified counterattacks in cyber space as an effective response to cyber attacks.
Both ministers argue that Germany needs to be able to better defend itself in cyber space. But what does that actually mean? We need to unpack “cyber” if we want to understand the real problems that lurk behind this increasingly catchy term. Unfortunately, cyber defense is far more complicated than many policymakers realize.
More Clarity Needed
While “Internet” remains the term of choice for talking about the global connectivity of information networks in a civilian context, the term cyber in Germany has become a catchphrase for its military and security aspects. As such, it has climbed to the top of security experts’ and officials’ agendas. But the proliferation of the word cyber often obscures more than it clarifies. For example, spreading disinformation through social networks presents an entirely different issue from securing government IT systems or protecting critical infrastructure against hacking.
What is more, cyber is often used without making the important distinction between offense and defense. The German military, for example, uses “cyber defense” to refer to both its offensive and defensive capabilities. This includes the protection of its IT systems against attacks by foreign forces as well as conducting offensive cyber operations against adversaries to breach and disrupt their IT systems.
The distinction between offensive and defensive cyber operations here is crucial, and it reveals one of the most important challenges cyber space poses for national security: Offense and defense are directly linked, but mostly as a tradeoff. Offensive capabilities often come at the expense of IT security, especially if they pertain to globally used IT systems.
In essence, offense often relies on the exploitation of software or hardware vulnerabilities. While cyber security requires that such vulnerabilities are identified and fixed, cyber offense seeks to keep knowledge of their existence secret. But leaving such vulnerabilities unpatched amplifies the risk that an adversary, be it a foreign country or a criminal, could exploit them as well. Thus, accumulating so-called cyber weapons that rely on the exploitation of undisclosed vulnerabilities also means that potential weaknesses in our own systems remain open to exploitation.
It is not only this dilemma that makes the cyber dimension of national security so complex. One of the fundamental principles of national security – the distinction between foreign and domestic – also gets blurred in cyber space. One of the core problems of any sort of cyber operation is attribution. Using a global communication network makes it possible to obscure the origins of an operation or to plant false flags that point to an uninvolved third party.
The structure of Germany’s national security agencies makes it essential, however, that we quickly identify whether the attackers are operating from German soil or from abroad, and if they are sponsored by criminals or foreign states. That information is decisive in determining which government agencies get involved and what countermeasures they will take. This does not mean that attribution is impossible. But unlike in a conventional attack, when the origin of a missile is relatively easy to detect, attribution in cyber space is complicated, and thus more contested. The process involves computer forensics as well as conventional intelligence work, and it often takes weeks or months.
Not only is it difficult to pinpoint the origins of a cyber operation; its purpose is often not self-evident either. In their early stages, digital espionage missions and the manipulation of IT systems, for example in order to disrupt government services, are difficult to distinguish. Digital espionage and sabotage both require infiltrating IT networks. From the perspective of the network’s defender, both kinds of intrusion initially look the same. But what is the purpose? Is it an espionage operation that seeks to access and copy information only? Or will the intruder go further and manipulate the network to cause malfunctions or a breakdown?
The answer to these questions is crucial. Espionage operations violate national laws and undermine national security, but they are generally not seen as breaches of international law. However, if a foreign state’s cyber operation disrupts energy supply or disables financial services, it could be seen as a legitimate cause for a military response according to the right to self-defense in international law. Therefore, the distinction between espionage, sabotage, and a military attack is very important. Yet in cyber space this distinction is far more nebulous.
Arms control is also much more difficult to implement in the cyber sphere. Unlike conventional arms, cyber weapons only have value if they are kept secret. A cyber weapon is essentially malware developed for use in a military context. If the malware agent is disclosed, the vulnerabilities it exploits can be patched, rendering the weapon useless; this also means a cyber weapon will eventually become defunct once it has been deployed.
All of this complicates international cooperation. Even allies are reluctant to share cyber weapons, which is a serious concern. Few things are easier to copy and distribute than lines of code. The protection of this malware is crucial, but it is also hard. Even the National Security Agency (NSA) and the Central Intelligence Agency (CIA) had their malware tools stolen and published on the Internet with disastrous consequences. Two of them were used by the ransomware worm “WannaCry” that infected more than 200,000 computers in over 150 countries.
“WannaCry” was an important reminder of the enormous damage cyber attacks can unleash. Multinational companies like FedEx or Nissan were affected, as well as the National Health Service in the United Kingdom and government agencies in Romania and Russia. Yet as the debate about creating hacking capabilities in Berlin illustrates, many government officials and MPs here believe that they can have it both ways, strengthening offensive and defensive cyber capabilities alike.
The tradeoffs involved, often ill-understood, do not allow for that. The United States has great offensive capabilities. But it is reluctant to use them, and for good reason. As the US economy and society have become more digitized, there is hardly a country that is more vulnerable to cyber attacks. And after the leak of some critical offensive cyber tools, even in the US many experts are now publicly questioning whether the focus should shift from offensive cyber capabilities to policies that improve IT security.
That focus has served Germany well over the past decades. Given that its vulnerabilities are growing as it, too, digitizes its industry, the country should be wary of losing sight of this strategic priority. All the talk about cyber is important. But the discussion needs to grow more nuanced, informed, and open to secure good outcomes.