These tensions came to a head in 2016, when Der Spiegel reported that the Bundeswehr’s Computer Network Operations, an elite team of hackers, broke into a cellphone provider’s network in Afghanistan to access information on a kidnapped German aid worker. Some lawmakers considered this an offensive action, and objected that they were not informed. Last year, von der Leyen triggered controversy when she said the Bundeswehr’s cybersecurity forces are, in fact, permitted to “offensively defend” their networks if attacked.
Florian Kling leads a military watchdog group called Darmstädter Signal. His organization, made up of former and active soldiers, believes Germany should avoid acting as the world’s policeman. An IT specialist, Kling pointed out that international law allows for preemptive attacks in self-defense if a military strike is imminent, but not preventive attacks; cybersecurity operations lie somewhere in between. “We would have to identify gaps in their security and implant a Trojan or virus so that the next time they attack, we can shut down their system,” he said. “And therein lies the problem: Is that a preemptive strike, if the opponent hasn’t yet attacked or initiated any actions?”
Attribution, or identifying the hackers behind an attack, is another challenge. Germany has strict safeguards in place to separate the powers of the police, intelligence agencies, and the military. Stefan Soesanto, a London-based cybersecurity and defense expert, told me that could hinder information-sharing between authorities charged with defending cyberspace. “Germans aren’t capable of pulling the intelligence together from the various agencies to come to an … assessment that’s actually accurate completely,” he said.
Germany’s cybercommand in Bonn is used to such skepticism. But Krempel pointed out that perfect attribution is near impossible, and not the focus of his team’s work, anyway. The cybercommand hopes to reach full operating capacity by 2021, provided it can staff up. The defense ministry announced last year it was “desperately searching for nerds,” as it faces stiff competition from the tech industry for recruits.
Equipping the military for the future could also prove difficult in an organization notorious for its rigid bureaucracy. In a bid to circumvent cumbersome hierarchies, the ministry launched the Cyber Innovation Hub, a small team of entrepreneurs and soldiers seeking out new products in security, communication, blockchain, and digital health. Start-ups can pitch solutions for some of the armed forces’ needs—a Slack-like communication app that masks soldiers’ location, for example. Yet none of the new technologies they have acquired have actually been implemented yet. And it is still a pilot project limited to three years.
Meanwhile, it’s German industry that might stand to lose the most. German companies lost an estimated 55 billion euros a year to industrial and trade espionage in 2015 and 2016, and more than half of all German companies suffered some sort of spying or stealing of trade secrets, according to Germany’s domestic intelligence agency. Any solution to Germany’s broader cyberdefense problem, then, will almost certainly demand collaboration between the government and private industry.