Who is responsible for cyber security in Germany, and which instruments can the federal government use? This question was also on the table last week during an expert hearing of the Bundestag Committee for Digital Affairs, which the Kritis working group attended, among others. In the penultimate legislative period, the focus was primarily on offensive and defensive cyber security measures. After experts had spoken out very clearly against offensive measures, the narrative changed: suddenly the vague term “active cyber defense” appeared. A so-called level model has been discussed in security circles since 2017, but not publicly, and nothing has been officially published in writing. In this level model, various offensive and defensive measures are sorted into categories. A cursory glance gives the impression that the classification was supposedly made according to how deeply each measure intervenes in the systems concerned.


(Image: Sanjar Khaksari)

Johannes Rundfeldt is the founder and speaker of the AG Kritis.

A question from the committee preparing for the hearing was:

Could you please define the term active cyber defense and the different levels and possibilities of active cyber defense (also against the background of a solely defensive or an offensive cyber defense) and where do you see specific deficits in the applicable law and in the applicable competencies that stand in the way of effective cyber defence?

The use of the adjective “active” is deliberately misleading. The aim of creating levels in this context is, as part of a political salami tactic, first to legally permit a weakened form of defensive cyber defense via a level model and then, in the following years, to gradually expand these powers to offensive measures, which are already outlined in the level model.

From the point of view of the Kritis working group, the question should not be “which levels of active cyber defense exist”, but rather “where is the boundary between offensive and defensive cyber defense”. That boundary lies in whether the integrity and confidentiality of the remote systems involved in the attack are preserved.

In the level model, the use of a network scanner such as Nmap already counts as an offensive level 1 or 2 measure. Since the use of such a tool does not generally endanger the integrity or confidentiality of the scanned system, it should instead be counted among the defensive measures. On the other hand, measures aimed at executing third-party code on the target system (level 4) are offensive measures. The use of a honeypot is likewise a defensive measure, but the level model describes it as level 3 if data from the perpetrator is also captured in the process.

If a distributed denial of service (DDoS) attack is used as a countermeasure, neither confidentiality nor integrity is compromised, but availability is. However, since cyber attacks are often carried out from systems whose actual purpose is something else entirely and which the attacker has taken over for use in the attack, a DDoS attack can cause collateral damage here. An extremely complex case-by-case assessment is necessary. In individual cases, it may be proportionate to take certain systems offline, either with DDoS measures or with court orders to the Internet Service Provider (ISP).

Such measures must be checked with particular care, because the computers involved in the attack could be located in the control room of an energy supplier or in use in a hospital. If these systems were disrupted or deactivated with a DDoS or other level 5 (“hackback”) measures, the resulting outage would also affect other systems at the operator.

The word “defense” implies a defensive approach – but in combination with “active”, it could also include offensive measures. The use of these terms is confusing and obscures the real motives of the security authorities. The level model appears to be a vehicle for granting offensive powers under the guise of “active cyber defense”. The terms need to be clearly separated here, and offensive and defensive measures must be named as such.

It is noticeable that the representatives of the security agencies in particular, but also conservative political currents, are caught up in a perpetrator-centric way of thinking about cyber defense that fails to achieve the goal of increasing IT security and the resilience of the systems. The narrative of the security authorities is roughly that all that is needed is enough (offensive) powers to identify the cybercriminals; their behavior could then be stopped through offensive measures, arrests or extradition requests.

This is not the case. Even identifying the country of origin of the perpetrators is often not possible, which in turn makes it almost impossible to identify the perpetrators themselves. Some countries, such as Russia, even tolerate cybercriminals operating from within their own territory and do not pursue them unless they target Russian companies or citizens.

Since cybercriminals exploit vulnerabilities in the computer systems of businesses and citizens, the most effective antidote is to close these vulnerabilities immediately. The security authorities, however, would like to exploit the same vulnerabilities to identify alleged cybercriminals – so they have an interest in keeping the vulnerabilities open.

As long as the Federal Office for Information Security (BSI) is controlled and supervised by the same department of the Federal Ministry of the Interior and Community (BMI) as the security authorities, there will always be a conflict of interest. An independent BSI is therefore needed so that security researchers can contact the BSI without hesitation. They need the assurance that reports will actually lead to the closure of security gaps and not to secret disclosure to the security authorities.

However, an independent BSI is not enough. There needs to be an obligation to report security gaps that also binds government agencies of all kinds – including secret services and intelligence services. Security gaps known there must be reported and closed in the interest of citizens’ IT security.

One measure that we did not describe in the AG KRITIS statement, because the Bundestag already created the necessary legal basis in the early years of the republic, is the use of directors’ liability to improve IT security.

In corporations, managing directors are liable for grossly negligent behavior, even in a GmbH. From our point of view, anyone who has created a situation in which a ransomware attack has successfully caused a longer production downtime, whether through inadequate implementation of backup-and-restore processes, insufficiently equipped IT departments or the acceptance of risks, must be held personally liable for the financial consequences. Especially when the criminals’ ransom demands have to be paid to ensure the continued existence of the company, the cause in almost all cases is grossly negligent behavior on the part of the management.

From our point of view, every shareholder of a company affected by a ransomware attack should therefore urgently have it examined, and support investigations into, whether the damage that has occurred must be paid from the private assets of the management under the rules of directors’ liability.

The Kritis working group believes that a strictly defensive cyber security strategy is the best choice. It makes it possible to ensure national security without running the risk of counterattacks and escalation. Instead, Germany should focus its efforts on increasing media literacy, improving the education and training of citizens and officials, and increasing the resilience and IT security of its own networks and systems. Cyber security measures that have long been called for should not first be prioritized yet again, but implemented as quickly as possible.


(mack)
