CYBERWAR (1): "The digital state of defense is only partly successful"

Just a few days ago, Australia's Prime Minister Scott Morrison announced a "massive" state-led cyber attack on his country. He did not disclose who the attackers from cyberspace are. But attacks and hybrid threats from cyberspace are already a reality not only in Down Under. We wanted to know: Are "critical systems and infrastructures" in Germany protected enough against attacks from cyberspace? How quickly can we respond to a hybrid scenario and what legal and international law principles apply in cyberspace?

For the In-Depth Special "In the Crosshairs - The Threat from Cyberspace," Sven Lilienström, founder of the Faces of Peace Initiative, spoke with the Inspector of the Command Cyber and Information Range, Ludwig Leinhos.

The new Cyber and Information Range (CIR) organization area is meant to prevent attacks on the digital infrastructure of the Bundeswehr. Who are the attackers and are you prepared for "worst-case scenarios"?

Ludwig Leinhos: The question of potential attackers is frequently asked. It must be known that attributing attacks in cyberspace poses a special challenge. With today's available technical capabilities, attackers can effectively hide their actions. With the constant - often automated - attacks on the Bundeswehr's IT system, there are numerous potential perpetrators and various motives. The attackers cover the entire spectrum, from traditional hackers to criminals to state entities.

However, the focus of our activities is different: the absolute priority is the protection and operation of Bundeswehr systems, i.e., the direct defense against attacks, while identifying attackers, given the challenges presented, is complex and more to be seen in an overall government context.

Are we well prepared? Yes, we have the necessary competitive technical equipment and keep it constantly updated, as well as the expertise of our employees. Let me briefly outline the different responsibilities in the field of cyber security in Germany based on these. I can explain the tasks of the Bundeswehr and thus also those of my Cyber and Information Range organization area better.

"Cybersecurity - which is the state when risks in cyberspace are reduced to an acceptable level - is a national task in Germany."

Cybersecurity - which is the state when risks in cyberspace are reduced to an acceptable level - is a national task in Germany. This is stipulated in the current basic document of German security policy, the 2016 White Paper. Internal and external security in cyberspace are as closely intertwined as in no other area of action, including the protection of critical infrastructures.

At the same time, there are different responsibilities in the national approach. The leadership for Germany's cyber security strategy lies with the Federal Ministry of the Interior, which is also responsible for cyber defense and the protection of civil infrastructures. The Foreign Office shapes international cyber security policy, while the Ministry of Defense is responsible for cyber defense.

The Bundeswehr is particularly dependent on the availability, confidentiality, and integrity of data, IT-based services, and networked infrastructure in military operational and command activities. Therefore, the focus of cyber defense by the Bundeswehr lies on the protection and operation of its own systems at home and abroad.

However, we must also prepare for the fact that future conflicts will be significantly shaped by actions in the dimension of cyberspace and information.

In order to ensure the security of our own systems, not only preventive protection measures but also reactive and active operations in the cyber and information space may be necessary. Such CIR operations can be conducted independently or in support. We must also maintain these capabilities.

In the 2016 White Paper, there is talk of "offensive high-value capabilities" as a tool of cyber defense. What legal and international law basis are your operations in cyberspace based on?

Ludwig Leinhos: The use of military cyber capabilities is subject to the same international and constitutional legal framework as the use of other military capabilities. The Bundeswehr is a parliamentary army, and therefore the regulations naturally apply to CIR operations as well. Specifically, this means: CIR operations, comparable to conventional military operations, can be conducted within the framework of national and alliance defense as well as within the scope of mandated foreign missions, or in the context of assistance.

Our capabilities either contribute as a protection and warning function and to support ongoing Bundeswehr operations, or are provided as an independent CIR operation.

Virtually, but securely with coffee as an operational tool: the emblem of the Command Cyber and Information Range on a cup.

These may include the targeted and coordinated use of specific software to gather intelligence on enemy systems or to act against them. For example, the integrity of important data could be compromised, or the availability of key leadership and information systems of the opponent could be restricted.

Last year, you called for a legal framework for the "digital defense case." What do you mean by that, and are we currently able to quickly respond to a hybrid scenario?

Ludwig Leinhos: The term "digital defense case" that I introduced is not equivalent to the constitutionally regulated military defense case - not even if it were triggered by cyber attacks.

"The 'digital defense case' is rather a slogan-like description of a situation where there are massive disruptions in Germany due to cyber attacks."

The 'digital defense case' is rather a slogan-like description of a situation where there are massive disruptions in Germany due to cyber attacks. These disruptions could, for example, cause significant economic damages, trigger shortages in population supplies, or impair the operational capability of the state. However, the attacks and their effects remain below the threshold that would trigger a conventional defense case.

In order to minimize the damage in this case and to quickly restore the full functionality of the state, prompt, coordinated, and effective action is required. Literally, every minute counts. The current processes of the federal government and the states are only partially geared towards this.

Good question ... Bundeswehr advertisement for their digital warriors.

The goal is to best prepare the state for such a situation. In my opinion, processes and procedures of governmental bodies need to be adapted. This should not interfere with the responsibilities of authorities and departments, rather ensure that the capabilities of government institutions are fully utilized and integrated. For instance, in such a situation, the Bundeswehr could support with cyber defense experts from our CERTBw teams under assistance. However, do the procedures behind allow for timely action?

"We are on the right path nationally, but we still have significant homework to do to meet all the challenges of a hybrid scenario."

Furthermore, I consider it essential that in the event of a hybrid attack, all relevant actors - government, as well as business and science - collaborate. We must network with each other to be sufficiently responsive in case of a crisis, across all legitimate competency boundaries. Already in 2011, in Germany, under the leadership of the Federal Office for Information Security, the National Cyber Defense Center (today's National Cyber Defense Center) was established as the first forum for cooperation among government agencies in the field of cyber security. This is currently being developed into a cross-departmental, operational institution involving all relevant stakeholders - an essential prerequisite for ensuring Germany's operational capability in this area in the future.

The basics are thus laid. An initial integrated operational capability exists, a first common situational assessment exists. We have a "Cyber Security Situation Germany." also, my Command Cyber and Information Range organization actively contributes to the National Cyber Defense Center. From our "Joint Situation Center" in the CIR Command, we provide a relevant situational contribution and have positioned staff permanently for situational assessment at the National Cyber Defense Center. Overall, we are nationally on the right path, but we still have significant homework to do to meet all the challenges of a hybrid scenario.

The Bundeswehr's Command Cyber and Information Range can be found on the Internet.

CYBERWAR on SPARTANAT:

- "The digital defense case only succeeds to a limited extent," General Lieutenant Ludwig Leinhos, Inspector of the Command Cyber and Information Range of the Bundeswehr interviewed.

- "We see many targeted cyber attacks," says the Head of the Department "Cyber Analysis & Defense" at the Fraunhofer Institute, Elmar Padilla.

- "Cyber attacks cost 20 dollars," says Harald Summa, CEO of the DE-CIX Group AG. He talks about critical infrastructure, the ubiquity of DDoS attacks, and the ruling of the Federal Constitutional Court on surveillance by intelligence services.

The book on the topic: "Myth of Cyberwar"

More on the subject: HERE you can download the Wehrtechnische IT Report for free.

Source: Initiative Faces of Peace. With kind permission