
German Cyber Security Policy: Focus and Approach

Oliver Schmidt-Voss

Student number: 1236148

Word count: 15221

10 June 2018

Master Thesis

Crisis and Security Management

Thesis supervisor: Dr. Myriam Benraad

Second reader: Dr. Ernst Dijxhoorn

Leiden University


Acknowledgements

In memory of my beloved father.

With deepest gratitude, I would like to thank dr. Myriam Benraad and dr. Joey Mathys for their unconditional support.

I would like to acknowledge Mr. Sergei Boeke for introducing me to the field of cyber security and sparking my fascination for a topic I wish to engage with in my future path.


Table of Contents

Acknowledgements
Abbreviations
1. Introduction
  Relevance
  Research Question
  Aim
2.1 Cyber Security & Cyber Threats
  Malware
  Hackers
  Complexity
2.2 Securitizing the Cyber Domain
  Cyber Security in Germany
2.3 Cyber Security Policy
  Whole of Government and Public-Private Partnerships
  Cyber Defense
  Section Summary
3. Research Design & Methodology
3.1 Single case study
3.2 Document analysis
3.3 Interviews
  Email questionnaire
  Expert interviews
4. Analysis
Preventative Measures & Civilian Agencies
  Protection and Resilience
  Economy
  Private Sector
  Incident response
  Section summary
Active Cyber Defense & Security Agencies
  Law enforcement & Security Agencies
  Hacking Back
  Bundeswehr
5. Conclusion
6. Further Research
References


Abbreviations

AA: Federal Foreign Office
BBK: Federal Office for Civil Protection and Disaster Assistance
BfV: Federal Office for the Protection of the Constitution
BKA: Federal Crime Police Office
BMI: Federal Ministry of Interior
BMVg: Federal Ministry of Defense
BMWi: Federal Ministry of Economic Affairs and Energy
BND: Federal Intelligence Service
BRH: Federal Court of Auditors
BSI: Federal Office of Information Security
Cyber-AZ: National Cyber Defense Center
Cyber-SR: National Cyber Security Council
MAD: Military Counter-Intelligence Service


1. Introduction

The German government is exposed to cyber attacks on the private sector, the economy, and public administration on a daily basis (BSI, 2017: 7). According to the Federal Ministry of Information Security (Bundesamt für die Sicherheit in der Informationstechnik, abbr. BSI) the possibilities to conduct cyber attacks are evolving continuously. With the growing digitalization of society, the economy and government institutions, there is also a congruent development of the attack methods and mediums. The Internet as a platform to conduct cyber attacks facilitates the anonymity and impunity of perpetrators. Cyber attacks can be mounted with limited resources: only a computer and an Internet connection are necessary. Instructions on how to administer these attacks can be found online on the darkweb (Zedler, 2016: 2). The increasing necessity to address the cyber threat situation in Germany is also a theme in the media, for example the hacking of the government network in February 2018 and the Bundestag in May 2015 (Beuth et al., 2015) or the disruption of the Internet for 1.25 million users in November 2016 (Baumgärtner et al.: 2017, November 24). With these incidents cyber security has gained increasing attention in Germany.

The increasing number of devices connected to the Internet is creating what has been described as the Internet of Things. A new source of danger has developed for cyber security. The devices are easy targets because IT-security considerations do not play a sufficient role in either the production process or the decision to purchase (BSI, 2017: 23). The failure or disruption of industrial control systems - particularly in the critical infrastructure sector - can have grave physical impact in the form of a breakdown of electricity supply or production processes. Furthermore, a recent phenomenon has been cyber-espionage of government institutions with the purpose of leaking the acquired information in order to manipulate the democratic process. The reputation of a candidate is damaged, which influences public opinion (BSI, 2017: 74-75).

In recent years several developments have taken place in regard to Germany’s cyber security policy. In 2015 the IT-Security Law was passed, aiming to establish protection for critical infrastructure. The same year the German government announced the development of a cyber command within the armed forces (BMVg, 2015). In November 2016 a new cyber security strategy was published (BMI, 2016), a document much more elaborate and broader in scope than the previous strategy (BMI, 2011). Furthermore, in the course of 2017 a political debate ensued on the potential use of offensive cyber capabilities as part of Germany’s cyber security policy (Reinhold & Schulze, 2017). The study thereby aims to examine how Germany is dealing with the cyber threat landscape it faces and how these recent developments figure into Germany’s cyber security policy.


Relevance

The study has academic relevance as to date there has not been an extensive study on Germany’s cyber security strategy of 2016. Furthermore, while previous studies have dealt with Germany’s cyber security policy (Kullik, 2014; Zedler, 2016; Steller, 2017), these have focused on the institutional structures but have not examined how Germany engages with cyber security on a political level. There is thereby a significant knowledge gap that this study attempts to address. These insights attain particular relevance in light of the recent developments depicted in the previous paragraphs. The research touches upon how Germany has expanded its focus beyond the protection of critical infrastructure towards society, the larger economic sector and government institutions. Entailed in these developments has been an evolution in its approach from preventative measures to a more active engagement with the cyber threat landscape, as the inauguration of the cyber command within the armed forces and the emerging discussion on potential cyber counter-operations reveal. The second broader contribution of the study is thereby an examination of how these developments figure into Germany’s cyber security policy. The findings are not only relevant to gain an understanding of Germany’s approach but also on a broader scale, as they indicate how governments are dealing with and enacting the militarization of the cyber domain (Deibert, 2008; Dunn Cavelty, 2012). Germany is an insightful case study in this regard as it has to come to terms with its historical experience, which has led to an aversion to increases in military and security agency capabilities (Kriesel and Kriesel, 2011). Part thereof is how countries are dealing with the friction between offensive and defensive cyber security measures as well as the friction between cyber security and public security.

The societal relevance lies in its contribution to the current political debate on how to address cyber security. This discussion has attained particular political salience in the aftermath of the hacking of the government network in February 2018. The study touches upon the pertinent questions the German parliament and other policy makers are dealing with. Beyond a depiction of the political engagement with cyber security, the focus on the policy level allows an examination of the inconsistencies in Germany’s approach. The study may thereby contribute to the elevation of certain ambiguities in Germany’s cyber security policy. The study aims to create an up-to-date reference point for professionals on Germany’s cyber security policy. Lastly, it provides a scarcely available English-language account of Germany’s cyber security policy.

Research Question

The study takes a security-policy perspective and poses the research question: How is Germany devising its cyber security policy to defend against cyber threats? Three sub-questions are derived from the research question: 1) What vulnerabilities and threats in the cyber domain is Germany addressing? 2) What policy goals and measures are German government officials devising to mitigate vulnerabilities and avert threats? 3) How is Germany grappling with friction between offensive and defensive cyber security measures?

Aim

The aim of the study is to examine Germany’s cyber security policy on a political level. The focus thereby lies on the policy documents and parliamentary debates. This allows gaining an understanding of how Germany is currently addressing the challenges it faces in the cyber domain.

2. Body of knowledge

The review of the body of knowledge has three parts. First, the conceptualization of cyber security provides a reference point for the further discussion. A depiction of the different threat clusters (malware, hackers and complexity) makes it possible to envision the different angles cyber security policy can take. The second part addresses how cyber threats are dealt with in security policy, drawing attention to securitization theory. Furthermore, Germany’s approach to cyber security is historicized, showing that its focus lies on the protection of critical infrastructure. The last part demonstrates how cyber security policy can be studied and the various shapes it can take. This serves as a basis to orientate the discussion.

2.1 Cyber Security & Cyber Threats

The German government defined cyber security in 2011 as: “the desired objective of the IT security situation, in which the risks of the German cyberspace have been reduced to an acceptable minimum” (BMI, 2011: 15). While the conceptualization accentuates that cyber security is a dynamic process dependent on the threat landscape, the characterization ‘risks of the German cyberspace’ is ambiguous and thereby does not serve as a useful reference point for the analysis. Furthermore, in subsequent policy documents Germany has refrained from providing a definition for cyber security. This seemingly detracts from the added value of using the conceptualization when examining Germany’s cyber security policy.

The various policy documents and parliamentary debates explored in the analysis make use of the concepts cyber security, information security and IT-security while attempting to address the same policy field. Von Solms and van Niekerk (2010: 10) define cyber security as:

“the protection of cyberspace itself, the electronic information, the ICTs that support cyberspace, and the users of cyberspace in their personal, societal and national capacity, including any of their interests, either tangible or intangible, that are vulnerable to attacks originating in cyberspace.”

The conceptualization is useful as it emphasizes that cyber security encompasses IT-security entirely and information security to the extent that information is stored or transmitted using technology-based systems. Figure 1 depicts the relationship between the three concepts. Cyber security is concerned with the protection of different information-based and non-information-based assets, or in other words, it is concerned with minimizing the risks ‘to’ or mounted ‘through’ IT-infrastructure (Deibert & Rohozinski, 2010: 16-17). The referent object in need of protection in cyber security moves between the lines of individual and collective, private and public, or economic and governmental. Cyber security does not relate to separate referent objects but to a constellation thereof. It may be described as the underlying security sector in which the other security sectors – military, environmental, economic, societal, and political – converge (Hansen & Nissenbaum: 1157-1163).

Figure 1 (von Solms & van Niekerk, 2010: 101)

Dunn-Cavelty (2013) distinguishes between three cyber threat clusters which can broadly be described as the means, actors and impact involved in or pertaining to a cyber incident. The first is technological, referring to malign software (malware) used to influence or intrude into a computer network system. The second is socio-political, referring to state and non-state human threat actors. The third is concerned with the human-machine interaction and the consequential complex vulnerability of potential impacts of a cyber attack. The categorization serves to provide an understanding of the different angles cyber security policy can take. The desired cyber security situation can be maintained by impeding the distribution of malware, prosecuting the actors involved, or establishing the necessary protection and resilience measures against cyber attacks.

Malware

Policy makers have to address a spectrum of malware ranging from generic malware that relies on the mass exploitation of software vulnerabilities to highly specific Advanced Persistent Threats (APTs). The BSI defines APTs as: “targeted cyber attacks on selected institutions and organizations, in which attackers gain long-term access to a network and then spread the attack to additional systems.” (BSI, 2016: 64). An example of such an operation is Stuxnet, conducted by the U.S. and Israel. The operation required intelligence of the ongoing processes on-site, advanced knowledge of industrial control systems, and highly specified code to disrupt Iran’s nuclear enrichment facility (Lindsay, 2013). The intruders may also aim to exfiltrate information or place a ‘logic bomb’, which refers to malware installed within the computer network system to be activated at a later time and cause the disruption (Rid & McBurney, 2012: 10-13). APTs are designed to bypass firewalls and automatic intrusion detection systems using a multitude of software vulnerabilities and thereby pose a challenge to policy makers, as IT-security measures are not sufficient.

Common procedures to gain initial access to a server are spear-phishing or water holing (BfV, 2017). Spear-phishing describes the sending of an email with an attachment or link to a website containing malware. Water holing is the strategy of embedding malware into a website. Upon access it is downloaded onto the server. The targets of such procedures range from generic to specific. The latter may involve social engineering, adding the human factor to the complexity of averting cyber threats. Another method that does rely on a software vulnerability to gain access is the use of an external device such as a USB stick to upload the malware to the computer network system. This was the case during the Stuxnet incident (Lindsay, 2013: 34-37).

The WannaCry ransomware wave in 2017 disrupted network systems worldwide by using software vulnerabilities in the Microsoft Windows computer operating system (Nakashima & Timberg, 2017). Ransomware is a type of malware that locks the data of a computer system, requesting the victim to pay a certain amount of money. The WannaCry ransomware was created in part on the basis of the leaked source code of the EternalBlue program developed by the U.S. National Security Agency (NSA). The incident is an example of (1) the increasing professionalization of malware and (2) the proliferation of malware on the darkweb.

The increasing number of devices connected to the Internet, creating what has been described as the ‘Internet of Things’, poses an increasing challenge (BSI, 2017: 75). It facilitates the distribution of malware and increases its disruption potential; however, it also gives aggressors more potential to tie these networks into a web – a botnet – that can be employed to overload a server with data traffic, causing the inaccessibility of a website. These enterprises are referred to as Distributed Denial of Service (DDoS) attacks (Rid & McBurney, 2012: 7-8). As such the BKA finds that malware is not only becoming increasingly sophisticated but that it has also become easier to administer disruptions of computer network systems.

Hackers

The socio-political dimension of cyber threats refers to the human actors such as cyber criminals, foreign intelligence services, cyber terrorists or military cyber commands. State and non-state actors may have different intentions: financial gain/damage, intellectual property theft, sabotaging working processes, or subverting public and private entities. They profit from the absence of law enforcement and security agency capabilities to detect, attribute and take legal measures against them. The cyber domain allows perpetrators to hide behind a veil of anonymity and impunity.

A study by the German Institute for Economic Research of 2015 found that cybercrime affected 14.6 million consumers in Germany, causing a financial damage of €3.4 billion (DIW, 2015: 3-4). A U.S. research study by Norton of Symantec in 2017 found that the total number of consumers affected by cybercrime was €23.3 million, causing a financial damage of €2.2 billion (Norton, 2017). Another representative study by bitkom found that in the year 2016/2017 cybercrime affected 49% of Germans (bitkom: 2017, October 10). The studies differ in their research parameters; however, their findings become particularly revealing in contrast to the number of accounted cybercrimes by the BKA. The agency recorded 82.649 cybercrimes and 253.290 crimes using the internet as medium in the year 2016 (BKA, 2017: 5). The BKA draws attention to the low clearance rate of 38,7% (Ibid: 4). As an indication, the crime clearance rate for all accounted crimes the same year was 56,2% (PKS, 2017: 50). Besides the financial damage caused by cyber crime in Germany, the central aspect of these figures is that there is seemingly a vast discrepancy between the amount of cyber crime affecting German citizens and the accounted cyber crimes by the BKA. Secondly, only four out of ten accounted cyber crimes lead to a prosecution. It demonstrates the enforcement deficit of the German police in the cyber domain.


The BfV’s annual report on 2016 emphasizes that cyber espionage has “increased in intensity many times over” (BfV, 2017: 33). According to the BfV there is a strategic attempt to spy out policy makers and the federal administration. Main targets include the Federal Foreign Office and its diplomatic missions abroad, the Federal Ministry of Finance, and the Federal Ministry of Economic Affairs and Energy. Attackers also focus on the Federal Chancellery and Bundeswehr offices. Additionally, the economic sector and research institutions are increasingly becoming subject to cyber-espionage enterprises. A representative study of bitkom found that 53% of the surveyed businesses were victims of industrial espionage, sabotage and data theft, causing a financial damage of €55 billion. In 2015 the percentage of affected businesses was 51% with a financial damage of €51 billion. Furthermore, only 31% of these businesses informed law enforcement agencies (bitkom: 2017, July 21).

A major incident is the hacking of the German parliament in May 2015. For three weeks the intruders had access to the parliament’s computer system (Beuth et al., 2017 May 16). During the election campaign in 2017 the coalition parties’ affiliated think tanks, the Konrad-Adenauer Stiftung (Christian democrats) and the Friedrich-Ebert Stiftung (Social Democrats), had been the target of attempted intrusions (BSI, 2017 April 27). The leak of information and influence on the election was anticipated; however, in the end the fears of German government officials did not materialize.

The underlying structure of the Internet makes it difficult for law enforcement and intelligence services to assign responsibility for a cyber incident. In the literature this is referred to as the attribution problem (Rid & Buchanan, 2015). Possibilities for deception are numerous: using botnets or concealment software, false flag operations, channeling an operation through another server, or consciously using methods associated with another actor (Gartzke & Lindsay, 2015: 326-327). For example, if a perpetrator channels an attack through another server the target can only identify the IP-address of the third party. Technical prowess can allow the identification of the originator’s IP-address (technical attribution) but the investigator does not know who sits behind the computer (social attribution). The attribution of a cyber attack thereby takes time and needs to be corroborated with additional evidence including analysis and evaluation procedures. Davis et al. (2017: 24) found that an attribution of an APT-attack (e.g. cyber-espionage or sabotage of governmental institutions) takes on average 150-200 days. Critics argue that a complete attribution is never possible (Singer & Friedman, 2014). Besides the attribution problem there is also a lack of legal frameworks to prosecute perpetrators.


Cyber criminals can act transnationally, requiring law enforcement cooperation. National laws on cyber crime are not harmonized, however, potentially leading to safe havens for perpetrators (Koops, 2011: 746-747). The Budapest Convention (2004) has been signed by states worldwide. There are no international institutions to enforce the indictment, nor are there norms of behaviour that could restrict state-led enterprises (Bendiek, 2012).

Complexity

The third threat cluster comprises the complexity of the human-machine relationship. The increasing dependence on IT-infrastructure makes society more vulnerable, and the complexity leads to an unknowability and inevitability of mistakes that can jeopardize essential pillars of modern life. Society and technology have become inseparable and thereby risks to critical infrastructures are risks to the modern way of life and being (Dunn-Cavelty, 2013: 114-115).

The urgency is underpinned by the interdependencies between critical infrastructures. For example, water and telecommunication systems require a continuous supply of electricity to stay operational, and electric power systems need a provision of water and telecommunication services for power generation and delivery (Ouyang, 2014: 44). The failure of one of these services would jeopardize all three. The problem is amplified by the necessity to identify the critical infrastructures. A study by Bitkom Research found that only 53% of the KRITIS critical infrastructure has established an emergency response plan (Bitkom Research, 2017, September 1). KRITIS critical infrastructure as defined by the German government is As Picture 1 graphically demonstrates, Germany distinguishes between nine sectors of critical infrastructure: 1) energy, 2) health care, 3) IT and communication, 4) transport and traffic, 5) media and culture, 6) water, 7) finance and insurance, 8) nutrition, and 9) government and public administration (UP KRITIS, 2014: 5-6). The German government does not have regulatory competency for the sector media and culture. KRITIS critical infrastructure addresses the remaining seven sectors. Particularly vulnerable are industrial control systems as they rely on a multitude of telecommunications technology. An example of such an event is the attack on the Ukrainian power grid causing over millions of households to have no access to electricity (Greenberg, 2017 July 20). Disruptions of critical infrastructure can have cascading effects for society, the economy and government institutions and are thereby perceived as a central threat to modern life and being.

2.2 Securitizing the Cyber Domain

Threat perceptions rather than actual threat levels define security politics. In the cyber domain this seems to hold particularly true. A challenge for policy makers in the cyber security domain is to attain an understanding of the actual threat landscape. Empirical evidence necessary to conduct an evaluation is limited by large numbers of undisclosed or unknown cyber incidents, the secrecy of adversary capabilities or the rapid technological development (Steller, 2017: 17-19). This makes it difficult to devise a fitting cyber security policy.

Securitization theory postulates that a security issue is constructed through political discourse. A security actor frames a referent object to be in urgent need of protection from a threat subject. The securitizing act evokes a necessity to prioritize and accelerate political action. Successful securitization depends on the audience regarding the security actor as legitimate and accepting the securitizing notion. Successful securitization occurs through the identification of an existential threat, emergency action, and the breaking free of rules. Securitization is a process through which an issue moves from the un-political, to the politicized, to the securitized (Buzan et al., 1998: 24-27). Bastl et al. (2015: 49-51) find that due to the top-down governmental conceptualization of cyber security as a national security issue it did not go through a securitizing process but was securitized from the start. Similarly, through the common use of references to disaster scenarios and cyber warfare the un-political and politicized stages are bypassed, leading to the securitization of cyber security (Hansen & Nissenbaum, 2009: 1157). Scholars of cyber security discourse have found the salience of prospective and hypothetical threat representations (Dunn Cavelty, 2007: 24-28; Brito & Watkins, 2011; Lawson, 2013).

The following outlines discursive approaches in cyber security debates. The review is brief as the aim of the study is not how Germany securitizes cyber security issues but what issues are being addressed. As such these discursive tools are used as reference points to support the analysis. Hansen and Nissenbaum (2009) point towards two securitizing acts in cyber security discourse useful for the analysis. Hyper-securitization draws on hypothetical and multi-dimensional cyber disaster scenarios. Everyday securitization places the responsibility to protect computer network systems onto the individual. A moral responsibility is conferred upon the individual that might move the subject from “helpless to careless to dangerous.” (Ibid.: 1166). Dunn Cavelty (2014) as well as Betz and Stevenson (2013) remark that the cyber security discourse uses metaphors and analogies (e.g. virus/infection, weapon or ‘digital 9/11’). These discursive tools move the securitization process forward.

Cyber Security in Germany

Klick et al. (2015) found that a central motivator was a report in 1997 of U.S. President Clinton’s Commission for the Protection of Critical Infrastructure thematizing the vulnerability of networked IT-systems. Consequently the German government inaugurated the working group KRITIS (kritische Infrastrukturen) to examine potential threat scenarios and action requirements. Nevertheless, the financial resources necessary for the proposed recommendations discouraged their political implementation (: 67-68). The threat inflation and budget increases in subsequent years in the U.S. re-catalyzed Germany’s efforts towards cyber security (Guitton, 2013: 23-24). Building on the findings of the working group, in 2005 the National Plan for the Protection of Information infrastructure (NPSI) was established. It is Germany’s first national cyber security policy (BMI, 2005). It is also in 2005 that the BSI published its first report on the IT-situation in Germany, insisting that cyber security has to be understood as a national task (BSI, 2005: 6). The following year the ministry of defense included cyber security in Germany’s security and defense policy (BMVg, 2006: 19). Cyber security and the protection of critical infrastructure had become a national security issue without prior incidents. The simultaneous process to address cyber security and the protection of critical infrastructure led to a congruent understanding of the two. As such cyber security is understood as critical infrastructure protection and synonymous with national security (Klimburg et al. 2012: 68).

Steller’s (2017) analysis of the strategic objectives and policy delineations of Germany’s second cyber security strategy in 2011 reveals that it is effectively a policy geared towards critical infrastructure protection. Steller (2017) and Guitton (2013) emphasize that other more tangible issues such as cyber crime have been neglected due to the securitization of vulnerabilities to disruptions of critical infrastructure. Ruhmann (2015) found that there is an unequal budget allocation of 1:6 between law enforcement and the national security agencies. A forthcoming study has reconfirmed these findings, indicating that the rate has even increased to 1:10 (Schulziki, 2018). The development of elevating cyber security to a national security issue and focusing on the protection of critical infrastructure has thereby been a consequence of U.S. threat inflation. Despite the apparent securitization of cyber security in Germany, the findings of Bötticher (2015: 37), Kullik (2014: 13) and Zedler (2016: 22-25) suggest a lack of political will to address the pertaining issues of critical infrastructure protection such as governmental institutions. Germany’s policy has focused on KRITIS critical infrastructure.

Germany’s cyber security policy angle thereby seems to be driven by an attempt to address the vulnerability, i.e. the third threat cluster identified by Dunn-Cavelty (2013) indicated in the previous section. Part of the research is thereby to explore in what way Germany has shifted its focus to the anonymity and impunity with which aggressors can act. This would imply an increasing focus on cybercrime and cyber espionage: has Germany’s principal understanding of cyber security evolved beyond the protection of critical infrastructure? Have the focal points of Germany’s cyber security policy evolved? As an analytical tool the analysis draws on the securitization framework. It allows locating the political will of the German government.

2.3 Cyber Security Policy

Whole of Government and Public-Private Partnerships

The encompassing nature of cyber security, connecting various security sectors, and the technological, socio-political, and complexity challenges policy needs to address require a whole of government approach including public-private partnerships. These governmental structures are the underlying conditions that make it possible to combat cyber threats (Klimburg et al., 2012: 63). Luijf et al. (2013) found that creating a networked approach and strengthening the ties between the public and private sector is a common denominator across 19 cyber security strategies. A method to study how a country is addressing cyber security is thereby the security governance approach. These studies are principally focused on the organizational structures and division of responsibilities. Kullik (2014) examines whether Germany has an identifiable and consistent cyber security policy by looking at the political structures and legal parameters. Zedler (2016) builds on Kullik’s findings and pays closer attention to the governmental institutional ties including connections to the private sector. Similarly Bötticher (2015) maps the German cyber security governance structures domestically and with the European Union. The findings demonstrate that Germany’s cyber security governance lacks inclusiveness (Kullik, 2014) and that it remains fragmented with ill-defined responsibilities (Bötticher, 2015; Zedler, 2016). The study aims to move beyond the security governance approach and contribute to the literature by focusing on the political understanding of cyber security and the consequential policy approach. A deficiency in the security governance analysis is that it does not address the policy makers and documents. The German parliament is only indirectly involved in the analysis. The following section provides an indication of the spectrum cyber security policy measures can take.

Cyber Defense

The literature shows that Germany has rested primarily on a preventative approach based on civilian agencies. The aim of Germany’s cyber security policy was the protection of its KRITIS critical infrastructure in an attempt to reduce the vulnerability to cyber threats. It has engaged in locating and prioritizing the critical infrastructure (Freiberg, 2015: 103-107). However, as Bologna et al. (2013) argue, the mere protection of potential targets is insufficient. They advocate that cyber security policy should strive towards a ‘resilience mentality’. Resilience goes beyond passive cyber defense measures such as firewalls, anti-virus software or automatic intrusion detection and prevention systems. It includes the establishment of risk management procedures and setting up Computer Emergency Response Teams (CERTs). Furthermore, Singer and Friedman (2014: 211-216) point towards distributing best practice guidelines, awareness building, and educational programs. Beyond protection, resilience binds society into the project of cyber defense. Resilience is understood as the capability to respond to and recover from a given event. The definition of the term is ambiguous; however, what Bologna et al. (2013) suggest is to adopt a more active approach to engaging with cyber threats. While protection is focused on information sharing, public-private partnerships and the establishment of IT-security standards, resilience foresees incident response structures. However, the ex-US vice secretary of defense Lynn insists: “In an offense-dominant environment, a fortress mentality will not work” (Lynn, 2010: 99). This builds on the conviction that in the cyber domain the aggressor has the advantage. Attacking is easier and more cost-effective than defense, which is harder and more resource-intensive.

To increase the resolve against cyber criminals, Brenner and Clarke (2009) suggest a ‘distributed security model’. The model proposes imposing criminal sanctions on members of society and producers if they do not adhere to reasonable security measures. It aims at increasing regulation and providing a deterrent to cyber crime without enhancing the capabilities of law enforcement. The lack of resolve government agencies experience in the cyber domain has led to an increasing amount of electronic surveillance and the militarization of the domain (Deibert, 2008: 132-137). It is a form of reasserting state sovereignty. Dunn Cavelty (2012) explains that the omnipresent sense of vulnerability has led to a focus on major cyber threats, neglecting cyber crime. There is thereby a dual push created by the lawlessness and anonymity: it leads to an increase of electronic surveillance as a counter-terrorism measure and to militarization as a means against cyber threats. Buchanan (2016) points out that governments need to address how these measures affect cyber security overall. The developments in encryption technology indicate that the intrusion into computer systems will become more and more frequent (: 35). Schulz (2017) asserts that this is particularly problematic due to ever more devices being connected to the Internet - the emergence of the Internet of Things. The problem with the surge of militarization and increasing electronic surveillance is that they require software vulnerabilities. This implies a possible acquisition of services on the private market, all while the attribution problem has not been solved (Reinhold & Schulze, 2017). The discussion thereby examines how Germany is dealing with these questions.

Bendiek (2016) explains Germany’s preventative posture with reference to its self-understanding as a civilian power, i.e. that political and economic means should determine its foreign policy. For historical reasons the consensus persists that the militarization and securitization of the cyber domain must be counteracted (Ibid: 9). The security political mentality of Germany has restricted its cyber security approach. Kriesel and Kriesel (2011) emphasize that internationally there is no legal or consensual definition of what a cyber attack entails or of the acceptable repercussions. However, in Germany an offensive cyber operation is politically equated with the use of force. Consequently, offensive cyber operations are bound to the same public and legal criteria in terms of justification and execution (Kriesel & Kriesel, 2011: 209). Arguments emerging from the military sector urge that a paradigm shift in Germany’s security political thinking needs to take place (Baach & Fett, 2014: 115-117). Political and legal norms prevent Germany from adopting a holistic and more active cyber defense policy. Nevertheless, Bendiek and Metzger (2015), accepting the circumstances, assert that while the preventative agenda may be insufficient, Germany should become more active on the international stage, potentially employing political sanctions and diplomacy. How is Germany’s historical self-perception grappled with on the political level? In what way has Germany expanded its focus? How has it evolved? How has Germany addressed these issues?

Section Summary

The review of the body of knowledge established that cyber security is an overarching concept comprising IT-security, information security and also humans and their assets. Cyber security policy is thereby concerned with minimizing the ‘risks to cyberspace’ and the ‘risk through cyberspace’. Next it is explained by drawing on the categorization by Dunn Cavelty (2013) of three different threat clusters that the risks to and through cyberspace can be described along technical, socio-political, and socio-mechanical lines. It shows that cyber security policy comprises a focus on different levels i.e. the means, the actors, or the impact of a cyber attack. Dunn Cavelty’s (2013) distinction is useful for the document analysis as it provides a framework to unravel what Germany aims to deal with – what is regarded as challenging.

The next section draws on securitization theory explaining that particularly in regard to cyber security, threat perceptions rather than actual threat levels define policies. Historicizing the development of Germany’s cyber security policy showed that Germany has understood cyber security through the lens of critical infrastructure protection. The last section delved into cyber security policy approaches explaining that Germany has largely rested on preventative cyber defense measures focusing on improving IT-security and establishing information sharing platforms. It then outlines the general approaches cyber security policy can take. This clarifies the possible policy orientations and serves as a tool to indicate how Germany is dealing with cyber security issues and the potential future developments.

Several questions arise from this literature review that the study touches upon: Has Germany’s understanding of cyber security evolved beyond the protection of critical infrastructure, and if so, to what extent? In what way has cyber security become politically salient? What are the central challenges defining Germany’s cyber security approach and how has Germany adapted its policy to deal with these challenges? To what extent has Germany expanded its cyber security approach to include more active cyber defense measures? How is Germany dealing with the offense-defense dilemma, i.e. how are the moves towards a more active cyber security policy situated within Germany’s cyber security policy in general? What role does it assign to the recently inaugurated cyber command?

3. Research Design & Methodology

The research design is a single-case study. The methodology takes a social-constructivist approach and is based on a triangulation of methods using document analysis, email questionnaire, and expert interviews.

3.1 Single case study

The single-case study design serves to conduct an in-depth analysis of Germany’s cyber security policy. It allows directing the research effort towards attaining a holistic understanding of the context examined (Yin, 2013: 8). Given the knowledge gap on Germany’s cyber security policy, an idiographic approach revealing particularities is beneficial for the research objective. The unit of analysis is Germany and the phenomenon examined is the focus and approach of its current cyber security policy. The subjectivity and verification bias potentially reducing the internal validity of the findings are counteracted by relying on a systematic methodology (Flyvenberg, 2006: 8-12). The triangulation of methods has an additive and corroborative function (Davies, 2001). The potential lack of generalizability of the findings is a limitation of the study. However, the purpose of the study is not to confirm or disconfirm a theory but to identify the particularities of German cyber security policy, i.e. where its focus lies and the approach employed. This may allow for future research and lead the way for more comparative studies.


The timeframe of the core set of documents analyzed is 2015 until June 2018 as it seems to represent Germany’s current approach to cyber security. During 2015 the Federal Ministry of Defense announced the development of a cyber command structure within the German armed forces (BMVg, 2015). Accordingly the potential use of offensive cyber capabilities received political attention. Additionally, in May 2015 the computer network system of the German parliament was hacked (Beuth et al., 2017 May 16). In November 2016 the Federal Ministry of Interior published Germany’s current cyber security strategy (BMI, 2016).

The documents were skimmed (superficial examination), read (thorough examination), and interpreted. The process drew on content and thematic analysis. Content analysis is the “process of organizing information into categories related to the central questions of the research” (Bowen, 2009: 32). A first-pass review of the documents was conducted in order to distinguish pertinent from non-pertinent texts and text-passages in regard to the research objective. Thematic analysis is “a form of pattern recognition within the data, with emerging themes becoming the categories for analysis” (Bowen, 2009: 32). This involved a more careful re-reading of the selected information and the construction of categories. Beginning with a content analysis the research proceeded with a thematic analysis. To counteract bias in selectivity an assessment of the authenticity, credibility, accuracy, representativeness and intended audience of the document was conducted (Bowen, 2009: 33).

First, a thorough reading of the Cyber Security Strategy for Germany 2016 (BMI, 2016) was conducted. Second, the Coalition Contract of CDU/CSU-SPD (CC, 2018) was skimmed to identify the relevant text passages and then re-read. Third, relevant topical parliamentary debates were identified and read, accompanied by the video broadcast on the website of the German parliament or on YouTube. The parliamentary debates were held on the IT-Security Law (April and June 2015), on the Implementation of the European Union’s Network Information Security directive (March and April 2017), and on the cyber security policy proposal by the Green party (April 2018). Other parliamentary debates were read if suggested by the research. Fourth, Answers to Brief Parliamentary Enquiries and Written Questions by the German government were identified by using keyword searches (e.g. Cyber, Netzwerk Operationen). Fifth, follow-up research was conducted based on the indications. Other sources include public speeches, institutional reports, and policy documents identified by the research.

The securitization framework was used as a basis to identify the political salience of research topics. The cyber security discursive tools were used as a reference point to further the understanding of the cyber threat representations. To identify the angles of Germany’s cyber security policy the threat clusters of Dunn-Cavelty were used. The delineation between passive and active cyber defense measures was used to identify the policy approach.


3.3 Interviews

Email questionnaire

The email questionnaires were distributed based on two non-probability sampling methods. Judgment sampling involves the selection of a group. It was deemed appropriate to question politicians, government officials and professionals in the field of German cyber security. Snowball sampling was used to increase the total number of respondents, relying on referrals from initial respondents (Fricker, 2016). The function of the email questionnaire is additive and corroborative. The findings are not used to make an inference about a larger population.

The emails were sent using the university’s email domain to attain more credibility as a researcher. The emails were sent to the personal email accounts of respondents or to the institution’s reception. A personalized salutation was included in the body of the email to improve response rates (Heerwegh et al., 2005). After sending the initial request, a follow-up request was sent after one week. Research shows that an early follow-up request benefits response rates (Deutskens et al., 2005). The optimal timing of follow-up requests is ambiguous; however, week-intervals are useful as a general guideline (Bryman, 2012). A clear incentive could not be provided. Potential respondents were offered to be informed about the findings of the research. Along with a request to fill out the survey, the email contains a request for a personal interview.

The questionnaire was embedded in text form in the body of the email. Embedded email questionnaires are found to receive higher response rates (Bryman, 2012). They are easy to fill out i.e. by simply pressing the ‘reply’ button. Respondents are less likely to be discouraged to open the email, as there is no attachment that might include malware.

The research was conducted by a document analysis of the cyber security strategy of 2016, the coalition contract of 2018, and the parliamentary debates on the IT-Security Act (April and July 2015), the implementation of the EU’s Network and Information Security Directive (March and April 2017), and the cyber security policy proposal by the Green party (April 2018). The document analysis identified recurring themes i.e. cyber threat perceptions and policy initiatives.

Expert interviews

The expert interviews had an additive and corroborative function. The interviews proved essential in regard to amending earlier findings, indicating further focus points for the research and providing information not publicly available. The interviews were semi-structured with a length of 30-60 min. This left room to cover questions relevant for the research objective while also allowing a natural development of the conversation and potential adjustments depending on the responses/knowledge of the interviewee. An unstructured component allowed the conversation to become more personal, potentially leading the interviewee to reveal information that he/she would otherwise not have. It was beneficial to develop rapport and attain a referral to another interviewee (Bryman, 2012: 471-479). While face-to-face interviews were initially intended, the interviews were conducted via telephone and using Skype. It should be noted that these mediums made it more difficult to develop rapport and conduct an unstructured interview (Opdenakker, 2006: 4-5; Deakin & Wakefield, 2014: 610-611). The interviews were not recorded with a device. The potential of more detailed off-the-record information seems more valuable to the research objective than a detailed description of the interview. Notes were made during and right after the interview. A total of three expert interviews were conducted. These proved essential for the development of the research progress.

Based on Harvey’s (2011) literature review and personal experiences of expert interviews several strategies were adopted: transparency about person and affiliation, research nature (i.e. Master Thesis), intended interview length and use of information; prior research on institution and work of interviewee; adjust manner of conduct depending on interviewee; demonstrate knowledge on research topic; prepare explanations for relevance of planned questions; asking for feedback; subtle reminding of remaining timeframe of the interview.

4. Analysis

The literature review explained that Germany’s understanding of cyber security has been defined by the protection of critical infrastructure using passive cyber defense measures. The findings of the document analysis corroborated by expert interviews and email questionnaires reveal that Germany has expanded its focus towards the society, government institutions and the larger economic sector. Part thereof is also an evolution from establishing protection for objects of interest towards more resilience. Beyond these developments Germany has begun to develop the cyber capabilities of its law enforcement, security agencies and military. The first section discusses how Germany has solidified its protection and moved towards a resilience approach by focusing on society, the economy and government institutions.

The aim is to examine how Germany approaches cyber security i.e. what Germany is doing in this policy field. The analysis does not focus on the detailed content of policy initiatives but aims to demonstrate their overarching intention. Nevertheless, in doing so the political contention points and policy challenges are addressed. These give indication for how Germany’s cyber security policy may develop and which challenges need to be overcome to move forward. An aim of the study is thereby to trace in what way a shift in German security political thinking has taken place and how the calls for a more offensive approach are substantiated in Germany’s cyber security policy.

Preventative Measures & Civilian Agencies

The cyber security strategy of 2016 begins its cyber threat characterization with the following statement:

“The cyber threat situation in Germany is characterized by increasing complexity and interdependence of the technology in use and by constantly changing threats. With the digitalization of modern societies, their vulnerability and the potential for misuse in cyberspace grow at the same time.” (BMI, 2016: 7)

The German government emphasizes that the ‘increasing complexity and interdependence’ and a ‘constantly changing’ threat landscape (i.e. unknowability) have been leading to a ‘growing vulnerability’. The text envisions various impacts on ‘wide areas of public and private life’ or ‘the economy in Germany and the world’ (BMI, 2016: 7).

It is remarkable that the German government focuses not only on the vulnerability to the cyber sabotage of KRITIS critical infrastructure, but also on cyber espionage and sabotage of political and governmental institutions and on the vulnerability of general society due to the increasing development of the Internet of Things. The following addresses how Germany is dealing with this vulnerability of society, the economy and governmental institutions.

Protection and Resilience

Society

The field of action of Germany’s cyber security strategy “Safe and self-determined action in a digitized environment” addresses the society. Policy initiatives advanced aim to improve digital competencies, reduce digital carelessness, establish cryptographic standards for communication, further certification of IT-products, or subsidize research programs (BMI, 2016: 14-19). The coalition contract of 2018 reiterates these initiatives (CDU/CSU-SPD, 2018: 44-46). The cyber security strategy of 2016 emphasizes that the manipulation of devices connected to the internet permeating ever more aspects of life can bear “real and serious dangers” for citizens (BMI, 2016: 7). A reading of the parliamentary debates reveals an increasing recognition of German policy makers for the challenges posed by the growing Internet of Things. The disruption of 900,000 wireless-routers in November 2016 provided a point of reference for politicians to call for policy initiatives addressing on the one hand the digital carelessness among society and on the other hand the lack of a security-by-design approach among producers (Deutscher Bundestag, 2017a: 22295-22296; 2017b: 23377-23381; 2018a: 2411-2412, 2414-2415).

The principal focus relies on establishing product security. It is proposed to establish a voluntary quality label to make the market more transparent for consumers and incentivize producers to adhere to IT-security standards. The interior ministry promotes the quality label as a poster project of its cyber security strategy (BMI, 2016: 17). Another form is the establishment of binding requirements for producers. The necessity to address security-by-design and producer accountability is also emphasized in the responses to the email questionnaire by MdB Sitte (Die Linke) and MdB Wendt (CDU/CSU) (Response 2, 3). Wendt suggests that producers could be required to offer software updates for certain periods of time after the product has been developed (Response 3). The German government thereby seems to contemplate establishing a form of distributed security (Brenner & Clarke, 2009) by moving the responsibility to provide protection towards the private sector.

To improve information security for society, businesses and governmental institutions the Digitale Agenda 2014-2017 proclaimed: “We want to become the world’s No. 1 encryption location” (Die Bundesregierung, 2014: 32). These claims were already part of the coalition contract of 2013 (CC, 2013: 148) and are reiterated in the coalition contract of 2018 (CC, 2018: 45) as well as the cyber security strategy of 2016 (BMI, 2016: 16). The German government aims to establish end-to-end encryption as the standard of communication for society, the economy, and government. The topic received particular political salience in the debates of 2015 (Deutscher Bundestag, 2015a: 9043, 9045-9046, 9049); subsequently, however, the political will behind end-to-end encryption seems to have retracted (Deutscher Bundestag, 2017a: 22299; 2018: 2411). Nevertheless, the BSI has been active in developing the necessary technologies and has established various initiatives aimed at incentivizing public-private-partnership commitments across the government (BSI, 2017: 70-74).

Disinformation

Disinformation and online propaganda as a cyber security issue have not been identified as a theme during the document analysis. However, the analysis revealed that German policy makers and government officials are not in agreement whether it should be part of a cyber security policy.


The cyber security strategy of 2016 asserts in the characterization of the cyber threat landscape:

“The targeted dissemination of false reports … can be used for disinformation and the manipulation of public opinion. In the long term, this poses dangers to the free society and democracy” (BMI, 2016: 6).

However, no specific policy initiatives are devised in the document (BMI, 2016: 14). The BSI (2017: 17, 75) and the BfV (2017: XX) emphasize the threat of disinformation campaigns to public opinion i.e. society. State Secretary of Defense Suder and BfV president Maaßen called attention to the problem during a public conference on Germany’s cyber threat landscape (Suder, 2017; Maaßen, 2017).

The German government passed the Network Enforcement Act (Netzwerkdurchsetzungsgesetz) in June 2017. The law aims to combat the proliferation of hate speech and fake news on online social media platforms. The law was instituted in January 2018. The NEA requires social media providers to instate a systematic complaint management scheme and a domestic authorized representative as a point of contact. The preamble states:

“Following the experiences of the US election campaign, combating punishable false reports (‘fake news’) on social networks has moreover gained high priority in the Federal Republic of Germany as well” (Deutscher Bundestag, 2017: 2).

While the practicalities of the law are controversial the aim is not – all political parties agree that something needs to be done about hate speech and fake news. It has thereby become securitized. The coalition contract of 2018 professes that the NEA will be further developed, but does not give details (CDU/CSU-SPD, 2018: 131). Only enterprises that can be conducted exclusively through IT-infrastructure are considered cyber crimes. The FDP filed a parliamentary enquiry asking whether Germany’s cyber security policy has evolved towards addressing fake news. The German government established that ‘fake news’ is not part of cyber security - information technology is used as a medium (Deutscher Bundestag, 2018f: 8). Critics of the NEA assert that it fails to address social bots (Deutscher Bundestag, 2017c). Would the use of social bots not count as an enterprise that can be exclusively conducted using IT-infrastructure? The discussion of disinformation and online propaganda aims to show that there is no clear consensus among policymakers whether to address these issues as part of a cyber security policy.

Economy

The economic sector is addressed under the second field of action emphasizing that it is a ‘joint effort of government and industry’. The following is structured into two parts: first it addresses critical infrastructure providers, and second the larger economic sector excluded thereof.

Critical Infrastructure Providers

The protection of critical infrastructures resides at the “center” of the joint efforts between the government and the economy. It has “particular” relevance as it is a “whole-of-society” responsibility (BMI, 2016: 22). The ‘Implementation Plan for Critical Infrastructure’ (UP KRITIS) provides the guideline for the public-private-partnership. The IT-Security Law provided for a legally binding cooperation. Instated in two parts in May 2016 and June 2017, the IT-Security Law requires providers of KRITIS critical infrastructure and online services (online-markets, online-search-engines, and cloud-computing-services) to adhere to minimum IT-security standards and reporting requirements of attempted or actual cyber attacks. The BSI is tasked to determine the standards in cooperation with the providers and verify their implementation (Deutscher Bundestag, 2015b: 41). The IT-Security Law effectuates the requirements of the EU’s Network Information Security Directive, which gives requirements to Member States on how to protect their IT-systems. Due to prolonged discussions on the EU-level, the German parliament passed the first part of the IT-Security Law focusing on water, nutrition, energy, healthcare and IT-and-telecommunications in June 2015. Germany’s spearheading of the implementation of the law as the first country within the EU and the urgency attached to defending against disruptions of critical infrastructure demonstrate a securitization process (Deutscher Bundestag, 2015a: 1563-1580).

The IT-Security Law is regarded as a landmark in Germany’s cyber security policy; nevertheless, critics argued that it does not set out the same requirements for governmental institutions and that it does not bind the economic sector (Deutscher Bundestag, 2015a: 1565; 1570-71). The coalition contract of 2018 advances that a ‘2.0’ version will be established within the current legislative period (CDU/CSU-SPD 2018: 98). The aim is to further define the companies affected by the IT-Security Law and possibly extend these beyond the providers of critical infrastructure. The parliamentary debate in April 2018 demonstrates broad support to extend the requirements of the IT-Security Law (Deutscher Bundestag, 2018a). The focus on critical infrastructure thereby remains pertinent.

Private Sector

To protect the economy Germany devises a range of sensitization and support initiatives. As a consequence of the cyber security strategy of 2011 the Alliance for Cyber Security (ACS) was created. It is a public-private-partnership between the BSI and primarily small-and-medium sized businesses. The aim is to share information and develop best practice guidelines on how to counter cyber crime and industrial espionage. Since its establishment in 2012 the ACS has developed into a platform of 2,600 businesses (BSI, 2016: 3-7). A new program demonstrating the increased focus is the ‘Initiative for Economic Security’ launched by the interior ministry. It is an information sharing platform between federal security agencies (BSI, BKA, BfV, BND) and various economic unions. The aim is to improve the response to economic cyber espionage and sabotage. The guiding theme is: ‘Prevention through Dialogue and Information’. It is the evolution of the BfV’s previous economic security approach based on the premise: ‘Prevention through information’. Furthermore, the cyber security strategy of 2016 sets out plans to institutionalize an information exchange platform (BMI, 2016: 25); these plans are not reiterated in the coalition contract. It is remarkable that while the BSI, the BfV and the cyber security strategy of 2016 problematize the risks of economic cyber espionage, the issue is absent from political debates.

The BSI publishes various institutional guideline compendiums giving recommendations on information security management systems (ISMS), building competence and awareness raising, maintaining operational continuity, and risk management procedures. The IT-Grundschutz (IT-Baseline Security) is the general directive applicable to the private and public sector. In the course of 2017 the BSI updated the IT-Grundschutz with the specific intention to make it more applicable to small and medium sized businesses (Alberts, 2017: 20-21). Complementarily the Wirtschaftsgrundschutz (Economic Baseline Security) has been developed providing recommendations on how to avert economic cyber espionage (BSI, 2016x).

An accepted criticism among members of parliament is the lack of incentives for the economic sector to adapt and implement IT-security measures (Deutscher Bundestag, 2018a). As the BSI admits, awareness raising and support initiatives do not necessarily lead to the implementation of recommendations (Greven & Kleinert, 2017: 23). The coalition contract of 2018 advances, however, that the German government wants to sign a ‘National Pact for Cyber Security’ to promote a sense of responsibility and commitment towards improving IT-security (CDU/CSU-SPD, 2018: 44). As such, while there is an increased consciousness and effort for sensitization and support initiatives targeting the society, economy, and government institutions, there is a lack of incentives within the economic sector. This is circumvented by the implementation of requirements, which is the topic of the following section.

Government

The cyber security strategy of 2016 proclaims the aim to establish a ‘capable and sustainable national cyber-security architecture’ (BMI, 2016: 26). Part thereof is the protection of government institutions against cyber threats. The hacking of the Bundestag in May 2015 and the government network of 2018 have increased the political attention on the protection of governmental institutions.

The IT-Security Law established that federal institutions have to implement minimum standards for their IT-systems. The BMI can establish these minimum standards as legally binding for federal agencies, so far however this has only been done for a single implementation (BSI, 2017: 56). In contrast, the providers of critical infrastructures are also required to fulfill organizational requirements such as ensuring operational continuity and risk management procedures. The deficiency was addressed with the reform of the ‘Implementation Plan for the Federal Administration’ (Umsetzungsplan Bund, abbr. UP Bund) in 2017. The UP Bund builds on the IT-Baseline Security guideline compendium of the BSI adjusted to governmental institutions. The UP Bund is intended as a binding policy document (UP Bund, 2017). Another project is the consolidation of the network and IT-infrastructure of the federal administration. The aim is to improve oversight and implementation of IT-security. These projects are endorsed by the cyber security strategy of 2016 (BMI, 2016: 35) and the coalition contract of 2018 (CDU-CSU-SPD, 2018: 46). Furthermore, reporting requirements for federal agencies of attempted or actual disruptions to their IT-systems exist since 2008. With the cyber security strategy of 2016 the German government aimed to make cooperation between the federal Computer Emergency Response Team (CERT-Bund) and the respective Länder organizations obligatory (BMI, 2016: 36). This has been legally established in the course of 2017 (BSI, 2017: 24).

The research revealed that, while Germany’s cyber security policy was initially focused on the protection of critical infrastructure, in recent years a series of policy initiatives have elevated the requirements for the federal administration to a comparable level. However, as Julia Schuetze remarks, while the federal agencies may adhere to information security standards, there is a gap to the communal level. Additionally, the cooperation with the Länder is currently based on 13 different models, impeding the implementation (Interview 3). Recent initiatives of the BSI demonstrate an attempt to address the gap. First, the BSI, with its headquarters in Bonn (North Rhine-Westphalia), has established three additional regional offices (Middeke, 2017: 28-29). Secondly, as part of the cyber security strategy (BMI, 2016: 35), the BSI has developed an equivalent of the IT-Baseline Security guideline compendium for government constituencies (BSI, 2018).

Incident response

The BSI is the central agency in Germany’s cyber security architecture. Under its umbrella reside the National IT-Situation Center (Nationales IT-Lagezentrum) and the Computer Emergency Response Team of the Federal Government (CERT-Bund). The National IT-Situation Center receives information from public administration (BDSG), from providers of critical infrastructure (ITSG) and voluntarily from the private sector through the Alliance of Cyber Security or directly from private institutions (BSI, 2017: XX). Another route could be that the CERT-Bund picks up on suspicious data streams, either by itself or through information exchange with national/international CERTs or other governmental agencies such as the BND and its Signals Intelligence Support to Cyber Defense program (discussed below). The CERT-Bund would then contact the agency at risk. The CSS of 2016 aims to further develop the cooperation between the CERT-Bund and the corresponding Länder-CERTs. These share information through the Administration-CERT-Union (Verwaltungs-CERT-Verbund, abbr. VCV). The IT-Planungsamt established the VCV in 2013; however, in an attempt to improve the cooperation across Federal-Länder boundaries, the aim is to make the voluntary sharing of information mandatory (BMI, 2016: 36). These efforts seem to be addressed in the coalition contract of 2018 under the topic of improving and standardizing the IT-structures between the Federal government and the Länder (CC, 2018: 125). Another channel for cyber incident response would be the National Cyber Response Center (Cyber-AZ), through which certain developments or incidents would be shared with the BSI to decide further responses (Cyber-AZ, 2015: 15).

With the implementation of the NIS-Directive, in particular through the enactment of the second part of the IT-Security Act that came into effect in June 2017, the German government established the institutional tools to improve its response to cyber incidents. The Mobile Incident Response Teams (MIRT) of the BSI can become active on site in case of cyber incidents. The principal aim is to aid state institutions or providers of critical infrastructure in overcoming the technical repercussions of an incident in the short term (BSI, 2017: 60). Complementing these efforts is the plan to create ‘Mobile Cyber-Teams’ within the BfV that can be dispatched to investigate, on site, cyber attacks with a foreign intelligence or extremist/terrorist background (BMI, 2016: 29). The BKA’s Quick Reaction Force (QRF) is intended as a specialized investigation task force to conduct the potentially necessary immediate law enforcement measures resulting from a cyber attack (Ibid: 29). After a trial period between June 2016 and June 2017, the QRF is supposed to be established in the course of 2018 (Deutscher Bundestag, 2017l: 14). The QRF will be composed of four cyber crime experts of the BKA rotating in a 24/7 standby service (Ritter & Steffens, 2017: 18). Whether the MIRT, ‘Cyber Team’ or QRF are deployed is decided on a case-by-case basis and in cooperation with the targeted agency. The CSS of 2016 also aims to develop the delegatory role of the Cyber-AZ and establish it as the national crisis response center (BMI, 2016: 28). As previous findings by Kullik (2014) and Zedler (2016) have indicated, the Cyber-AZ currently seems to be more an information-sharing platform than an operational coordination center. While the CDU/CSU endorsed the future development of the Cyber-AZ
