
German Cyber Security Policy: Focus and Approach

Oliver Schmidt-Voss
Student number: 1236148
Word count: 15221

10 June 2018

Master Thesis Crisis and Security Management
Thesis supervisor: Dr. Myriam Benraad
Second reader: Dr. Ernst Dijxhoorn
Leiden University, Faculty of Governance and Global Affairs

Acknowledgements

In memory of my beloved father.

With deepest gratitude, I would like to thank dr. Myriam Benraad and dr. Joey Mathys for their unconditional support.

I would like to acknowledge Mr. Sergei Boeke for introducing me to the field of cyber security and sparking my fascination for a topic I wish to engage with in my future path.

Table of Contents

Acknowledgements
Abbreviations
1. Introduction
Relevance
Research Question
Aim
2.1 Cyber Security & Cyber Threats
Malware
Hackers
Complexity
2.2 Securitizing the Cyber Domain
Cyber Security in Germany
2.3 Cyber Security Policy
Whole of Government and Public-Private Partnerships
Cyber Defense
Section Summary
3. Research Design & Methodology
3.1 Single case study
3.2 Document analysis
3.3 Interviews
Email questionnaire
Expert interviews
4. Analysis
Preventative Measures & Civilian Agencies
Protection and Resilience
Economy
Private Sector
Incident response
Section summary
Active Cyber Defense & Security Agencies
Law enforcement & Security Agencies
Hacking Back
Bundeswehr
5. Conclusion
6. Further Research
References

Abbreviations

AA Federal Foreign Office

BBK Federal Office for Civil Protection and Disaster Assistance

BfV Federal Office for the Protection of the Constitution

BKA Federal Crime Police Office

BMI Federal Ministry of Interior

BMVg Federal Ministry of Defense

BMWi Federal Ministry of Economic Affairs and Energy

BND Federal Intelligence Service

BRH Federal Court of Auditors

BSI Federal Office of Information Security

Cyber-AZ National Cyber Defense Center

Cyber-SR National Cyber Security Council

MAD Military Counter-Intelligence Service

ZITIs Zentrale für Informationstechnik im Sicherheitsbereich

1. Introduction

The German government is exposed to cyber attacks on the private sector, the economy, and public administration on a daily basis (BSI, 2017: 7). According to the Federal Ministry of Information Security (Bundesamt für die Sicherheit in der Informationstechnik, abbr. BSI) the possibilities to conduct cyber attacks are evolving continuously. With the growing digitalization of society, the economy and government institutions, there is also a congruent development of the attack methods and mediums. The Internet as a platform to conduct cyber attacks facilitates the anonymity and impunity of perpetrators. Cyber attacks can be mounted with limited resources; only a computer and an Internet connection are necessary. Instructions on how to administer these attacks can be found online on the darkweb (Zedler, 2016: 2). The increasing necessity to address the cyber threat situation in Germany is also thematized in the media, for example in coverage of the hacking of the government network in February 2018 and of the German parliament in May 2015 (Beuth et al., 2015) or the disruption of the Internet for 1.25 million users in November 2016 (Baumgärtner et al.: 2017, November 24). With these incidents cyber security has gained increasing attention in Germany. The increasing number of devices connected to the Internet is creating what has been described as the Internet of Things. A new source of danger has developed for cyber security. The devices are easy targets because IT-security considerations do not play a sufficient role in either the production process or the decision to purchase (BSI, 2017: 23). The failure or disruption of industrial control systems - particularly in the critical infrastructure sector - can have grave physical impact in the form of electricity breakdowns or disrupted production processes. Furthermore, a recent phenomenon has been cyber-espionage against government institutions with the purpose of leaking the acquired information in order to manipulate the democratic process. The reputation of a candidate is hampered, influencing public opinion (BSI, 2017: 74-75).

In recent years several developments have taken place in regard to Germany’s cyber security policy. In 2015 the IT-Security Law was passed, aiming to establish protection for critical infrastructure. The same year the German government announced the development of a cyber command within the armed forces (BMVg, 2015). In November 2016 a new cyber security strategy was published (BMI, 2016), a document much more elaborate and broader in scope than the previous strategy (BMI, 2011). Furthermore, in the course of 2017 a political debate ensued on the potential use of offensive cyber capabilities as part of Germany’s cyber security policy (Reinhold & Schultz, 2017). The study thereby aims to examine how Germany is dealing with the cyber threat landscape it faces and how these recent developments figure into Germany’s cyber security policy.

Relevance

The study has academic relevance as to date there has not been an extensive study on Germany’s cyber security strategy of 2016. Furthermore, while previous studies have dealt with Germany’s cyber security policy (Kullik, 2014; Zedler, 2016; Steller, 2017), these have focused on the institutional structures but have not examined how Germany engages with cyber security on a political level. There is thereby a significant knowledge gap that this study attempts to address. These insights attain particular relevance in light of the recent developments depicted in the previous paragraphs. The research touches upon how Germany has expanded its focus beyond the protection of critical infrastructure towards society, the larger economic sector and government institutions. Entailed in these developments has been an evolution in its approach from preventative measures to a more active engagement with the cyber threat landscape, as the inauguration of the cyber command within the armed forces and the emerging discussion on potential cyber counter-operations reveal. The second, broader contribution of the study is thereby an examination of how these developments figure into Germany’s cyber security policy. The findings are relevant not only for gaining an understanding of Germany’s approach but also on a broader scale, as they indicate how governments are dealing with and enacting the militarization of the cyber domain (Deibert, 2008; Dunn Cavelty, 2012). Germany is an insightful case study in this regard as it has to come to terms with its historical experience, which has led to an aversion to increases in military and security agency capabilities (Kriesel and Kriesel, 2011). Part thereof is how countries are dealing with the friction between offensive and defensive cyber security measures as well as the friction between cyber security and public security. The societal relevance lies in its contribution to the current political debate on how to address cyber security. This discussion has attained particular political salience in the aftermath of the hacking of the government network in February 2018. The study touches upon the pertinent questions the German parliament and other policy makers are dealing with. Beyond a depiction of the political engagement with cyber security, the focus on the policy level allows an examination of the inconsistencies in Germany’s approach. The study may thereby contribute to the elevation of certain ambiguities in Germany’s cyber security policy. The study aims to create an up-to-date reference point for professionals on Germany’s cyber security policy. Lastly, it provides a scarcely available English-language account of Germany’s cyber security policy.

Research Question

The study takes a security political perspective and poses the research question: How is Germany devising its cyber security policy to defend against cyber threats? Three sub-questions are derived from the research question: 1) What vulnerabilities and threats in the cyber domain is Germany addressing? 2) What policy goals and measures are German government officials devising to mitigate vulnerabilities and avert threats? 3) How is Germany grappling with friction between offensive and defensive cyber security measures?

Aim

The aim of the study is to examine Germany’s cyber security policy on a political level. The focus thereby rests on the policy documents and parliamentary debates. This allows an understanding to be gained of how Germany is currently addressing the challenges it faces in the cyber domain.

2. Body of knowledge

The review of the body of knowledge has three parts. First, the conceptualization of cyber security provides a reference point for the further discussion. A depiction of the different threat clusters (malware, hackers and complexity) makes it possible to envision the different angles cyber security policy can take. The second part addresses how cyber threats are dealt with in security policy, drawing attention to securitization theory. Furthermore, Germany’s approach to cyber security is historicized, showing that its focus rests on the protection of critical infrastructure. The last part demonstrates how cyber security policy can be studied and the various shapes it can take. This serves as a basis to orientate the discussion.

2.1 Cyber Security & Cyber Threats

The German government defined cyber security in 2011 as: “the desired objective of the IT security situation, in which the risks of the German cyberspace have been reduced to an acceptable minimum” (BMI, 2011: 15). While the conceptualization accentuates that cyber security is a dynamic process dependent on the threat landscape, the characterization ‘risks of the German cyberspace’ is ambiguous and thereby does not serve as a useful reference point for the analysis. Furthermore, in subsequent policy documents Germany has refrained from providing a definition for cyber security. This seemingly detracts from the added value of using the conceptualization when examining Germany’s cyber security policy.

The various policy documents and parliamentary debates explored in the analysis make use of the concepts cyber security, information security and IT-security while attempting to address the same policy field. Von Solms and van Niekerk (2010: 10) define cyber security as:

“the protection of cyberspace itself, the electronic information, the ICTs that support cyberspace, and the users of cyberspace in their personal, societal and national capacity, including any of their interests, either tangible or intangible, that are vulnerable to attacks originating in cyberspace.”

The conceptualization is useful as it emphasizes that cyber security encompasses IT-security entirely and information security to the extent that information is stored or transmitted using technology-based systems. Figure 1 depicts the relationship between the three concepts. Cyber security is concerned with the protection of different information-based and non-information-based assets, or in other words it is concerned with minimizing the risks ‘to’ or mounted ‘through’ IT-infrastructure (Deibert & Rohozinski, 2010: 16-17). The referent object in need of protection in cyber security moves between the lines of individual and collective, private and public, or economic and governmental. Cyber security does not relate to separate referent objects but to a constellation thereof. It may be described as the underlying security sector in which the other security sectors – military, environmental, economic, societal, and political – converge (Hansen & Nissenbaum, 2009: 1157-1163).

Figure 1 (von Solms & van Niekerk, 2010: 101)

Dunn-Cavelty (2013) distinguishes between three cyber threat clusters, which can broadly be described as the means, actors and impact involved in or pertaining to a cyber incident. The first is technological, referring to malign software (malware) used to influence or intrude into a computer network system. The second is socio-political, referring to state and non-state human threat actors. The third is concerned with the human-machine interaction and the consequential complex vulnerability to the potential impacts of a cyber attack. The categorization serves to provide an understanding of the different angles cyber security policy can take. The desired cyber security situation can be maintained by impeding the distribution of malware, prosecuting the actors involved, or establishing the necessary protection and resilience measures against cyber attacks.

Malware

Policy makers have to address a spectrum of malware ranging from generic malware thriving on the mass exploitation of software vulnerabilities to highly specific Advanced Persistent Threats (APTs). The BSI defines APTs as: “targeted cyber attacks on selected institutions and organizations, in which attackers gain long-term access to a network and then spread the attack to additional systems.” (BSI, 2016: 64). An example of such an operation is Stuxnet, conducted by the U.S. and Israel. The operation required intelligence on the ongoing processes on-site, advanced knowledge of industrial control systems, and highly specific code to disrupt Iran’s nuclear enrichment facility (Lindsay, 2013). The intruders may also aim to exfiltrate information or place a ‘logic bomb’, which refers to malware installed within the computer network system to be activated at a later time and cause the disruption (Rid & McBurney, 2012: 10-13). APTs are designed to bypass firewalls and automatic intrusion detection systems using a multitude of software vulnerabilities and thereby pose a challenge to policy makers, as IT-security measures alone are not sufficient.

Common procedures to gain initial access to a server are spear-phishing or water holing (BfV, 2017). Spear-phishing describes the sending of an email with an attachment or a link to a website containing malware. Water holing is the strategy of embedding malware into a website. Upon access it is downloaded onto the server. The targets of such procedures range from generic to specific. The latter may involve social engineering, adding the human factor to the complexity of averting cyber threats. Another method that does rely on a software vulnerability to gain access is the use of an external device such as a USB stick to upload the malware to the computer network system. This was the case during the Stuxnet incident (Lindsay, 2013: 34-37).

The WannaCry ransomware wave in 2017 disrupted network systems worldwide by using software vulnerabilities in the Microsoft Windows computer operating system (Nakashima & Timberg, 2017). Ransomware is a type of malware that locks the data of a computer system and requests that the victim pay a certain amount of money. The WannaCry ransomware was created in part on the basis of the leaked source code of the EternalBlue program developed by the U.S. National Security Agency (NSA). The incident is an example of (1) the increasing professionalization of malware and (2) the proliferation of malware on the darkweb.

The increasing number of devices connected to the Internet, creating what has been described as the ‘Internet of Things’, poses an increasing challenge (BSI, 2017: 75). It facilitates the distribution of malware and increases its disruption potential; it also gives aggressors more potential to tie these networks into a web – a botnet – that can be employed to overload a server with data traffic, causing the inaccessibility of a website. These enterprises are referred to as Distributed Denial of Service (DDoS) attacks (Rid & McBurney, 2012: 7-8). As such the BKA finds that malware is not only becoming increasingly sophisticated but that it has also become easier to administer disruptions of computer network systems.

Hackers

The socio-political dimension of cyber threats refers to the human actors such as cyber criminals, foreign intelligence services, cyber terrorists or military cyber commands. State and non-state actors may have different intentions: financial gain/damage, intellectual property theft, sabotaging working processes, or subverting public and private entities. They profit from the absence of law enforcement and security agency capabilities to detect, attribute and take legal measures against them. The cyber domain allows perpetrators to hide behind a veil of anonymity and impunity.

A study by the German Institute for Economic Research of 2015 found that cybercrime affected 14.6 million consumers in Germany causing a financial damage of €3.4 billion (DIW, 2015: 3-4). A U.S. research study by Norton of Symantec in 2017 found that the total amount of consumers affected by cybercrime was €23.3 million causing a financial damage of €2.2 billion (Norton, 2017). Another representative study by bitkom found that in the year 2016/2017 cybercrime affected 49% of Germans (bitkom: 2017, October 10). The studies differ in their research parameters; however, their findings become particularly revealing in contrast to the number of cybercrimes accounted for by the BKA. The agency recorded 82.649 cybercrimes and 253.290 crimes using the internet as medium in the year 2016 (BKA, 2017: 5). The BKA draws attention to the low clearance rate of 38,7% (Ibid: 4). As an indication, the crime clearance rate for all accounted crimes the same year was 56,2% (PKS, 2017: 50). Besides the financial damage caused by cyber crime in Germany, the central aspect of these figures is that there is seemingly a vast discrepancy between the amount of cyber crime affecting German citizens and the cyber crimes accounted for by the BKA. Secondly, only four out of ten accounted cyber crimes lead to a prosecution. It demonstrates the enforcement deficit of the German police in the cyber domain.

The BfV’s annual report on the year 2016 emphasizes that cyber espionage has “increased in intensity many times over” (BfV, 2017: 33). According to the BfV there is a strategic attempt to spy on policy makers and the federal administration. Main targets include the Federal Foreign Office and its diplomatic missions abroad, the Federal Ministry of Finance, and the Federal Ministry of Economic Affairs and Energy. Attackers also focus on the Federal Chancellery and Bundeswehr offices. Additionally, the economic sector and research institutions are increasingly becoming subject to cyber-espionage enterprises. A representative study of bitkom found that 53% of the surveyed businesses were victims of industrial espionage, sabotage and data theft causing a financial damage of €55 billion. In 2015 the percentage of affected businesses was 51% with a financial damage of €51 billion. Furthermore, only 31% of these businesses informed law enforcement agencies (bitkom: 2017, July 21).

A major incident is the hacking of the German parliament in May 2015. For three weeks the intruders had access to the parliament’s computer system (Beuth et al., 2017 May 16). During the election campaign in 2017 the think tanks affiliated with the coalition parties, the Konrad-Adenauer Stiftung (Christian Democrats) and the Friedrich-Ebert Stiftung (Social Democrats), had been the target of attempted intrusions (BSI, 2017 April 27). A leak of information and influence on the election were anticipated; however, in the end the fears of German government officials did not materialize.

The underlying structure of the Internet makes it difficult for law enforcement and intelligence services to assign responsibility for a cyber incident. In the literature this is referred to as the attribution problem (Rid & Buchanan, 2015). Possibilities for deception are numerous: using botnets or concealment software, false flag operations, channeling an operation through another server, or consciously using methods associated with another actor (Gartzke & Lindsay, 2015: 326-327). For example, if a perpetrator channels an attack through another server the target can only identify the IP-address of the third party. Technical prowess can allow the identification of the originator’s IP-address (technical attribution) but the investigator does not know who sits behind the computer (social attribution). The attribution of a cyber attack thereby takes time and needs to be corroborated with additional evidence including analysis and evaluation procedures. Davis et al. (2017: 24) found that an attribution of an APT-attack (e.g. cyber-espionage or sabotage of governmental institutions) takes on average 150-200 days. Critics argue that a complete attribution is never possible (Singer & Friedman, 2014). Besides the attribution problem there is also a lack of legal frameworks to prosecute perpetrators.

Cyber criminals can act transnationally, requiring law enforcement cooperation. National laws on cyber crime are not harmonized, however, potentially leading to safe havens for perpetrators (Koops, 2011: 746-747). The Budapest Convention (2004) has been signed by states worldwide. There are no international institutions to enforce indictments, nor are there norms of behaviour that could restrict state-led enterprises (Bendiek, 2012).

Complexity

The third threat cluster comprises the complexity of the human-machine relationship. The increasing dependence on IT-infrastructure makes society more vulnerable, and the complexity leads to an unknowability and inevitability of mistakes that can jeopardize essential pillars of modern life. Society and technology have become inseparable and thereby risks to critical infrastructures are risks to the modern way of life and being (Dunn-Cavelty, 2013: 114-115).

The urgency is underpinned by the interdependencies between critical infrastructures. For example, water and telecommunication systems require a continuous supply of electricity to stay operational, and electric power systems need a provision of water and telecommunication services for power generation and delivery (Ouyang, 2014: 44). The failure of one of these services would jeopardize all three. The problem is amplified by the necessity to identify the critical infrastructures. A study by Bitkom Research found that only 53% of the KRITIS critical infrastructure has established an emergency response plan (Bitkom Research, 2017, September 1). KRITIS critical infrastructure as defined by the German government is As Picture 1 graphically demonstrates, Germany distinguishes between nine sectors of critical infrastructure: 1) energy, 2) health care, 3) IT and communication, 4) transport and traffic, 5) media and culture, 6) water, 7) finance and insurance, 8) nutrition, and 9) government and public administration (UP KRITIS, 2014: 5-6). The German government does not have regulatory competency for the sector media and culture. KRITIS critical infrastructure addresses the remaining seven sectors. Particularly vulnerable are industrial control systems as they rely on a multitude of telecommunications technology. An example of such an event is the attack on the Ukrainian power grid causing millions of households to have no access to electricity (Greenberg, 2017 July 20). Disruptions of critical infrastructure can have cascading effects for society, the economy and government institutions and are thereby perceived as a central threat to modern life and being.

2.2 Securitizing the Cyber Domain

Threat perceptions rather than actual threat levels define security politics. In the cyber domain this seems to hold particularly true. A challenge for policy makers in the cyber security domain is to attain an understanding of the actual threat landscape. Empirical evidence necessary to conduct an evaluation is limited by large numbers of undisclosed or unknown cyber incidents, the secrecy of adversary capabilities or the rapid technological development (Steller, 2017: 17-19). This makes it difficult to devise a fitting cyber security policy.

Securitization theory postulates that a security issue is constructed through political discourse. A security actor frames a referent object to be in urgent need of protection from a threat subject. The securitizing act evokes a necessity to prioritize and accelerate political action. Successful securitization depends on the audience regarding the security actor as legitimate and accepting the securitizing notion. Successful securitization occurs through the identification of an existential threat, emergency action, and the breaking free of rules. Securitization is a process through which an issue moves from the un-political, to the politicized, to the securitized (Buzan et al., 1998: 24-27). Bastl et al. (2015: 49-51) find that due to the top-down governmental conceptualization of cyber security as a national security issue it did not go through a securitizing process but was securitized from the start. Similarly, through the common use of references to disaster scenarios and cyber warfare the un-politicized and politicized are bypassed leading to the securitization of cyber security (Hansen & Nissenbaum, 2009: 1157). Scholars of cyber security discourse have found the salience of prospective and hypothetical threat representations (Dunn Cavelty, 2007: 24-28; Brito & Watkins, 2011; Lawson, 2013).

The following outlines discursive approaches in cyber security debates. The review is brief as the aim of the study is not how Germany securitizes cyber security issues but what issues are being addressed. As such these discursive tools are used as reference points to support the analysis. Hansen and Nissenbaum (2009) point towards two securitizing acts in cyber security discourse useful for the analysis. Hyper-securitization draws on hypothetical and multi-dimensional cyber disaster scenarios. Everyday securitization places the responsibility to protect computer network systems onto the individual. A moral responsibility is conferred upon the individual that might move the subject from “helpless to careless to dangerous.” (Ibid.: 1166). Dunn Cavelty (2014) as well as Betz and Stevenson (2013) remark that the cyber security discourse uses metaphors and analogies (e.g. virus/infection, weapon or ‘digital 9/11’). These discursive tools move the securitization process forward.

Cyber Security in Germany

Klick et al. (2015) found that a central motivator was a report in 1997 of U.S. President Clinton’s Commission for the Protection of Critical Infrastructure thematizing the vulnerability of networked IT-systems. Consequently the German government inaugurated the working group KRITIS (kritische Infrastrukturen) to examine potential threat scenarios and action requirements. Nevertheless, the financial resources necessary for the proposed recommendations discouraged their political implementation (: 67-68). The threat inflation and budget increases in subsequent years in the U.S. re-catalyzed Germany’s efforts towards cyber security (Guitton, 2013: 23-24). Building on the findings of the working group, in 2005 the National Plan for the Protection of Information Infrastructure (NPSI) was established. It is Germany’s first national cyber security policy (BMI, 2005). It is also in 2005 that the BSI published its first report on the IT-situation in Germany, insisting that cyber security has to be understood as a national task (BSI, 2005: 6). The following year the ministry of defense included cyber security in Germany’s security and defense policy (BMVg, 2006: 19). Cyber security and the protection of critical infrastructure had become a national security issue without prior incidents. The simultaneous process to address cyber security and the protection of critical infrastructure led to a congruent understanding of the two. As such cyber security is understood as critical infrastructure protection and synonymous with national security (Klimburg et al. 2012: 68).

Steller’s (2017) analysis of the strategic objectives and policy delineations of Germany’s second cyber security strategy in 2011 reveals that it is effectively a policy geared towards critical infrastructure protection. Steller (2017) and Guitton (2013) emphasize that other more tangible issues such as cyber crime have been neglected due to the securitization of vulnerabilities to disruptions of critical infrastructure. Ruhmann (2015) found that there is an unequal budget allocation of 1:6 between law enforcement and the national security agencies. A forthcoming study has reconfirmed these findings, indicating that the ratio has even increased to 1:10 (Schulziki, 2018). The development of elevating cyber security to a national security issue and focusing on the protection of critical infrastructure has thereby been a consequence of U.S. threat inflation. Despite the apparent securitization of cyber security in Germany, the findings of Bötticher (2015: 37), Kullik (2014: 13) and Zedler (2016: 22-25) suggest a lack of political will to address the pertaining issues of critical infrastructure protection such as governmental institutions. Germany’s policy has focused on KRITIS critical infrastructure.

Germany’s cyber security policy angle thereby seems to be driven by an attempt to address the vulnerability, i.e. the third threat cluster identified by Dunn-Cavelty (2013) indicated in the previous section. Part of the research is thereby to explore in what way Germany has shifted its focus to the anonymity and impunity with which aggressors can act. This would imply an increasing focus on cybercrime and cyber espionage: has Germany’s principal understanding of cyber security evolved beyond the protection of critical infrastructure? Have the focal points of Germany’s cyber security policy evolved? As an analytical tool the analysis draws on the securitization framework. It allows locating the political will of the German government.

2.3 Cyber Security Policy

Whole of Government and Public-Private Partnerships

The encompassing nature of cyber security connecting various security sectors and the technological, socio-political, and complexity challenges policy needs to address require a whole of government approach including public-private partnerships. These governmental structures are the underlying conditions that make it possible to combat cyber threats (Klimburg et al., 2012: 63). Luijf et al. (2013) found that creating a networked approach and strengthening the ties between the public and private sector is a common denominator across 19 cyber security strategies. A method to study how a country is addressing cyber security is thereby the security governance approach. These studies are principally focused on the organizational structures and division of responsibilities. Kullik (2014) examines whether Germany has an identifiable and consistent cyber security policy by looking at the political structures and legal parameters. Zedler (2016) builds on Kullik’s findings and pays closer attention to the governmental institutional ties including connections to the private sector. Similarly Bötticher (2015) maps the German cyber security governance structures domestically and with the European Union. The findings demonstrate that Germany’s cyber security governance lacks inclusiveness (Kullik, 2014) and that it remains fragmented with ill-defined responsibilities (Bötticher, 2015; Zedler, 2016). The study aims to move beyond the security governance approach and contribute to the literature by focusing on the political understanding of cyber security and the consequential policy approach. A deficiency in the security governance analysis is that it does not address the policy makers and documents. The German parliament is only indirectly involved in the analysis. The following section provides an indication of the spectrum cyber security policy measures can take.

Cyber Defense

The literature shows that Germany has rested primarily on a preventative approach based on civilian agencies. The aim of Germany’s cyber security policy was the protection of its KRITIS critical infrastructure in an attempt to reduce the vulnerability to cyber threats. It has engaged in locating and prioritizing the critical infrastructure (Freiberg, 2015: 103-107). However, as Bologna et al. (2013) argue, the mere protection of potential targets is insufficient. They advocate that cyber security policy should strive towards a ‘resilience mentality’. Resilience goes beyond passive cyber defense measures such as firewalls, anti-virus software or automatic intrusion detection and prevention systems. It includes the establishment of risk management procedures and setting up Computer Emergency Response Teams (CERTs). Furthermore, Singer and Friedman (2014: 211-216) point towards distributing best practice guidelines, awareness building, and educational programs. Beyond protection, resilience binds society into the project of cyber defense. Resilience is understood as the capability to respond to and recover from a given event. The definition of the term is ambiguous; however, what Bologna et al. (2013) suggest is to attain a more active approach to engage with cyber threats. While protection is focused on information sharing, public-private partnerships and the establishment of IT-security standards, resilience foresees incident response structures. However, the ex-US vice secretary of defense Lynn insists: “In an offense-dominant environment, a fortress mentality will not work” (Lynn, 2010: 99). It builds on the conviction that in the cyber domain the aggressor has the advantage. Attacking is easier and more cost-effective than defense, which is harder and more resource-intensive.

To increase the resolve against cyber criminals Brenner and Clarke (2009) suggest a ‘distributed security model’. The model suggests imposing criminal sanctions on society and producers if they do not adhere to reasonable security measures. It aims at increasing regulation and providing a deterrent to cyber crime without enhancing the capabilities of law enforcement. The lack of resolve government agencies experience in the cyber domain has led to an increasing amount of electronic surveillance and the militarization of the domain (Deibert, 2008: 132-137). It is a form of reasserting state sovereignty. Dunn Cavelty (2012) explains that the omnipresent sense of vulnerability has led to a focus on major cyber threats, neglecting cyber crime. There is thereby a dual push created by the lawlessness and anonymity. On the one hand it leads to an increase of electronic surveillance as a counter-terrorism measure and on the other hand to militarization as a means against cyber threats. Buchanan (2016) points out that governments need to address how these measures affect cyber security overall. The developments in encryption technology indicate that the intrusion in computer systems will become more and more frequent (: 35). Schulz (2017) asserts that this is particularly problematic due to ever more devices being connected to the Internet - the emergence of the Internet of Things. The problem with the surge of militarization and increasing electronic surveillance is that they require software vulnerabilities. It implies a possible acquisition of services on the private market, all while the attribution problem has not been solved (Reinhold & Schulze, 2017). The discussion thereby examines how Germany is dealing with these questions.

Bendiek (2016) explains Germany’s preventative posture with reference to its self-understanding as a civilian power i.e. that political and economic means should determine its foreign policy. For historical reasons the consensus persists that the militarization and securitization of the cyber domain must be counteracted (Ibid: 9). The security political mentality of Germany has restricted its cyber security approach. Kriesel and Kriesel (2011) emphasize that internationally there is no legal or consensual definition of what a cyber attack entails and of the acceptable repercussions. However, in Germany an offensive cyber operation is politically equated with the use of force. Consequently, offensive cyber operations are bound to the same public and legal criteria in terms of justification and execution (Kriesel & Kriesel, 2011: 209). Arguments emerging from the military sector urge that a paradigm shift in Germany’s security political thinking needs to take place (Baach & Fett, 2014: 115-117). Political and legal norms prevent Germany from adopting a holistic and more active cyber defense policy. Nevertheless, Bendiek and Metzger (2015), accepting the circumstances, assert that while the preventative agenda may be insufficient Germany should become more active on the international stage, potentially employing political sanctions and diplomacy. How is Germany’s historical self-perception grappled with on the political level? In what way has Germany expanded its focus? How has it evolved? How has Germany addressed these issues?

Section Summary

The review of the body of knowledge established that cyber security is an overarching concept comprising IT-security, information security and also humans and their assets. Cyber security policy is thereby concerned with minimizing the ‘risks to cyberspace’ and the ‘risk through cyberspace’. Next, drawing on the categorization by Dunn Cavelty (2013) of three different threat clusters, it is explained that the risks to and through cyberspace can be described along technical, socio-political, and socio-mechanical lines. It shows that cyber security policy comprises a focus on different levels i.e. the means, the actors, or the impact of a cyber attack. Dunn Cavelty’s (2013) distinction is useful for the document analysis as it provides a framework to unravel what Germany aims to deal with – what is regarded as challenging.

The next section draws on securitization theory explaining that particularly in regard to cyber security, threat perceptions rather than actual threat levels define policies. Historicizing the development of Germany’s cyber security policy showed that Germany has understood cyber security through the lens of critical infrastructure protection. The last section delved into cyber security policy approaches explaining that Germany’s approach has largely rested on preventative cyber defense measures focusing on improving IT-security and establishing information sharing platforms. It then outlines the general approaches cyber security policy can take. This clarifies the possible policy orientations and serves as a tool to indicate how Germany is dealing with cyber security issues and the potential future developments.

There are several questions arising from this literature review that the study touches upon: To what extent, if at all, has Germany’s understanding of cyber security evolved beyond the protection of critical infrastructure? In what way has cyber security become politically salient? What are the central challenges defining Germany’s cyber security approach and how has Germany adapted its policy to deal with these challenges? To what extent has Germany expanded its cyber security approach to the inclusion of more active cyber defense measures? How is Germany dealing with the offense-defense dilemma i.e. how are the moves towards a more active cyber security policy situated within Germany’s cyber security policy in general? What role does it assign to the recently inaugurated cyber command?

3. Research Design & Methodology

The research design is a single-case study. The methodology takes a social-constructivist approach and is based on a triangulation of methods using document analysis, email questionnaire, and expert interviews.

3.1 Single case study

The single-case study design serves to conduct an in-depth analysis of Germany’s cyber security policy. It allows directing the research effort towards attaining a holistic understanding of the context examined (Yin, 2013: 8). Given the knowledge gap on Germany’s cyber security policy an idiographic approach revealing particularities is beneficial for the research objective. The unit of analysis is Germany and the phenomenon examined is the focus and approach of its current cyber security policy. The subjectivity and verification bias potentially reducing the internal validity of the findings is counteracted by relying on a systematic methodology (Flyvbjerg, 2006: 8-12). The triangulation of methods has an additive and corroborative function (Davies, 2001). The potential lack of generalizability of the findings is a limitation of the study. However, the purpose of the study is not to confirm or disconfirm a theory but to identify the particularities of German cyber security policy i.e. where its focus lies and the approach employed. This may allow for future research and pave the way for more comparative studies.

3.2 Document analysis

The timeframe of the core set of documents analyzed is 2015 until June 2018 as it seems to represent Germany’s current approach to cyber security. During 2015 the Federal Ministry of Defense announced the development of a cyber command structure within the German armed forces (BMVg, 2015). Accordingly the potential use of offensive cyber capabilities received political attention. Additionally, in May 2015 the computer network system of the German parliament was hacked (Beuth et al., 2017 May 16). In November 2016 the Federal Ministry of Interior published Germany’s current cyber security strategy (BMI, 2016).

The documents were skimmed (superficial examination), read (thorough examination), and interpreted. The process drew on content and thematic analysis. Content analysis is the “process of organizing information into categories related to the central questions of the research” (Bowen, 2009: 32). A first-pass review of the documents was conducted in order to distinguish pertinent from non-pertinent texts and text-passages in regard to the research objective. Thematic analysis is “a form of pattern recognition within the data, with emerging themes becoming the categories for analysis” (Bowen, 2009: 32). This involved a more careful re-reading of the selected information and the construction of categories. Beginning with a content analysis the research proceeded with a thematic analysis. To counteract bias in selectivity an assessment of the authenticity, credibility, accuracy, representativeness and intended audience of the document was conducted (Bowen, 2009: 33).

First, a thorough reading of the Cyber Security Strategy for Germany 2016 (BMI, 2016) was conducted. Secondly, the Coalition Contract of CDU/CSU-SPD (CC, 2018) was skimmed to identify the relevant text passages and then re-read. Third, relevant topical parliamentary debates were identified and read, accompanied by the video broadcast on the website of the German parliament or on YouTube. The parliamentary debates were held on the IT-Security Law (April and June 2015), on the Implementation of the European Union’s Network Information Security directive (March and April 2017), and on the cyber security policy proposal by the Green party (April 2018). Other parliamentary debates were read if suggested by the research. Fourth, Answers to Brief Parliamentary Enquiries and Written Questions by the German government were identified by using keyword searches (e.g. Cyber, Netzwerk Operationen). Fifth, follow-up research was conducted based on the indications. Other sources include public speeches, institutional reports, and policy documents identified by the research.

The securitization framework was used as a basis to identify the political salience of research topics. The cyber security discursive tools were used as a reference point to further the understanding of the cyber threat representations. To identify the angles of Germany’s cyber security policy the threat clusters of Dunn Cavelty were used. The delineation between passive and active cyber defense measures was used to identify the policy approach.

3.3 Interviews

Email questionnaire

The email questionnaires were distributed based on two non-probability sampling methods. Judgment sampling involves the selection of a group. It was deemed appropriate to question politicians, government officials and professionals in the field of German cyber security. Snowball sampling was used to increase the total number of respondents, relying on referrals from initial respondents (Fricker, 2016). The function of the email questionnaire is additive and corroborative. The findings are not used to make an inference about a larger population.

The emails were sent using the university’s email domain to attain more credibility as a researcher. The emails were sent to the personal email accounts of respondents or to the institution’s reception. A personalized salutation was included in the body of the email to improve response rates (Heerwegh et al., 2005). After sending the initial request a follow-up request was sent after one week. Research shows that an early follow-up request benefits response rates (Deutskens et al., 2005). The optimal timing of follow-up requests is ambiguous; however, weekly intervals are useful as a general guideline (Bryman, 2012). A clear incentive could not be provided. Potential respondents were offered the option of being informed about the findings of the research. Along with a request to fill out the survey, the email contained a request for a personal interview.

The questionnaire was embedded in text form in the body of the email. Embedded email questionnaires are found to receive higher response rates (Bryman, 2012). They are easy to fill out i.e. by simply pressing the ‘reply’ button. Respondents are less likely to be discouraged from opening the email, as there is no attachment that might include malware.

The research was conducted by a document analysis of the cyber security strategy of 2016, the coalition contract of 2018, and the parliamentary debates on the IT-Security Act (April and July 2015), the implementation of the EU’s Network and Information Security Directive (March and April 2017), and the cyber security policy proposal by the Green party (April 2018). The document analysis identified recurring themes i.e. cyber threat perceptions and policy initiatives.

Expert interviews

The expert interviews had an additive and corroborative function. The interviews proved essential in regard to amending earlier findings, indicating further focus points for the research and providing information not publicly available. The interviews were semi-structured with a length of 30-60 min. This left room to cover questions relevant for the research objective while also allowing a natural development of the conversation and potential adjustments depending on the responses/knowledge of the interviewee. An unstructured component allowed the conversation to become more personal, potentially leading the interviewee to reveal information that he/she would otherwise not have. It was beneficial to develop rapport and attain a referral to another interviewee (Bryman, 2012: 471-479). While face-to-face interviews were initially intended, the interviews were conducted via telephone and using Skype. It should be noted that these mediums made it more difficult to develop rapport and conduct an unstructured interview (Opdenakker, 2006: 4-5; Deakin & Wakefield, 2014: 610-611). The interviews were not recorded with a device. The potential of more detailed off-the-record information seems more valuable to the research objective than a detailed description of the interview. Notes were made during and right after the interview. A total of three expert interviews were conducted. These proved essential for the development of the research progress.

Based on Harvey’s (2011) literature review and personal experiences of expert interviews several strategies were adopted: transparency about person and affiliation, research nature (i.e. Master Thesis), intended interview length and use of information; prior research on institution and work of interviewee; adjusting manner of conduct depending on interviewee; demonstrating knowledge on research topic; preparing explanations for relevance of planned questions; asking for feedback; subtly reminding the interviewee of the remaining timeframe of the interview.

4. Analysis

The literature review explained that Germany’s understanding of cyber security has been defined by the protection of critical infrastructure using passive cyber defense measures. The findings of the document analysis corroborated by expert interviews and email questionnaires reveal that Germany has expanded its focus towards the society, government institutions and the larger economic sector. Part thereof is also an evolution from establishing protection for objects of interest towards more resilience. Beyond these developments Germany has begun to develop the cyber capabilities of its law enforcement, security agencies and military. The first section discusses how Germany has solidified its protection and moved towards a resilience approach by focusing on society, the economy and government institutions.

The aim is to examine how Germany approaches cyber security i.e. what Germany is doing in this policy field. The analysis does not focus on the detailed content of policy initiatives but aims to demonstrate their overarching intention. Nevertheless, in doing so the political contention points and policy challenges are addressed. These give indication for how Germany’s cyber security policy may develop and which challenges need to be overcome to move forward. An aim of the study is thereby to trace in what way a shift in German security political thinking has taken place and how the calls for a more offensive approach are substantiated in Germany’s cyber security policy.

Preventative Measures & Civilian Agencies

The cyber security strategy of 2016 begins its cyber threat characterization with the following statement: “The cyber threat situation in Germany is characterized by increasing complexity and interdependence of the technology in use and by constantly changing threats. With the digitalization of modern societies, their vulnerability and the potential for misuse in cyberspace grow at the same time.” (BMI, 2016: 7)

The German government emphasizes that the ‘increasing complexity and interdependence’ and a ‘constantly changing’ threat landscape (i.e. unknowability) have been leading to a ‘growing vulnerability’. The text envisions various impacts on ‘wide areas of public and private life’ or ‘the economy in Germany and the world’ (BMI, 2016: 7). It is remarkable that the German government does not only focus on the vulnerability to the cyber sabotage of KRITIS critical infrastructure, but also on cyber espionage and sabotage of political and governmental institutions and the vulnerability of the general society due to an increasing development of the Internet of Things. The following addresses how Germany is dealing with this vulnerability of society, the economy and governmental institutions.

Protection and Resilience

Society

The field of action of Germany’s cyber security strategy “Safe and self-determined action in a digitized environment” addresses the society. Policy initiatives advanced aim to improve digital competencies, reduce digital carelessness, establish cryptographic standards for communication, further certification of IT-products, or subsidize research programs (BMI, 2016: 14-19). The coalition contract of 2018 reiterates these initiatives (CDU/CSU-SPD, 2018: 44-46). The cyber security strategy of 2016 emphasizes that the manipulation of devices connected to the internet permeating ever more aspects of life can bear “real and serious dangers” for citizens (BMI, 2016: 7). A reading of the parliamentary debates reveals an increasing recognition among German policy makers of the challenges posed by the growing Internet of Things. The disruption of 900,000 wireless routers in November 2016 provided a point of reference for politicians to call for policy initiatives addressing on the one hand the digital carelessness among society and on the other hand the lack of a security-by-design approach among producers (Deutscher Bundestag, 2017a: 22295-22296; 2017b: 23377-23381; 2018a: 2411-2412, 2414-2415). The principal focus lies on establishing product security. It is proposed to establish a voluntary quality label to make the market more transparent for consumers and incentivize producers to adhere to IT-security standards. The interior ministry promotes the quality label as a poster project of its cyber security strategy (BMI, 2016: 17). Another form is the establishment of binding requirements for producers. The necessity to address security-by-design and producer accountability is also emphasized in the responses to the email questionnaire by MdB Sitte (Die Linke) and MdB Wendt (CDU/CSU) (Response 2, 3). Wendt suggests that producers could be required to offer software updates for certain periods of time after the product has been developed (Response 3). The German government thereby seems to contemplate establishing a form of distributed security (Brenner & Clarke, 2009) by moving the responsibility to provide protection towards the private sector.

To improve information security for society, businesses and governmental institutions the Digitale Agenda 2014-2017 proclaimed: “We want to become the world’s No. 1 location for encryption” (Die Bundesregierung, 2014: 32). These claims have already been part of the coalition contract of 2013 (CC, 2013: 148) and are reiterated in the coalition contract of 2018 (CC, 2018: 45) as well as the cyber security strategy of 2016 (BMI, 2016: 16).
The German government aims to establish end-to-end encryption as the standard of communication for society, the economy, and government. The topic received particular political salience in the debates of 2015 (Deutscher Bundestag, 2015a: 9043, 9045-9046, 9049); however, subsequently the political will behind end-to-end encryption seems to have receded (Deutscher Bundestag, 2017a: 22299; 2018: 2411). Nevertheless, the BSI has been active in developing the necessary technologies; it has established various initiatives aimed at incentivizing public-private-partnership commitments across the government (BSI, 2017: 70-74).

Disinformation

Disinformation and online propaganda as a cyber security issue have not been identified as a theme during the document analysis. However, the analysis revealed that German policy makers and government officials are not in agreement whether it should be part of a cyber security policy.

The cyber security strategy of 2016 asserts in the characterization of the cyber threat landscape: “The targeted dissemination of false reports … can be used for disinformation and manipulation of public opinion. Herein lie long-term dangers for the free society and democracy” (BMI, 2016: 6). However, no specific policy initiatives are devised in the document (BMI, 2016: 14). The BSI (2017: 17, 75) and the BfV (2017: XX) emphasize the threat of disinformation campaigns to public opinion i.e. society. State Secretary of Defense Suder and BfV president Maaßen called attention to the problem during a public conference on Germany’s cyber threat landscape (Suder, 2017; Maaßen, 2017). The German government passed the Network Enforcement Act (Netzwerkdurchsetzungsgesetz, NEA) in June 2017. The law aims to combat the proliferation of hate speech on online social media platforms. The law was instituted in January 2018. The NEA requires social media providers to instate a systematic complaint management scheme and a domestic authorized representative as a point of contact. The preamble states: “Following the experiences in the US election campaign, combating punishable false reports (‘fake news’) in social networks has, moreover, also gained high priority in the Federal Republic of Germany” (Deutscher Bundestag, 2017: 2). While the practicalities of the law are controversial the aim is not – all political parties agree that something needs to be done about hate speech and fake news. It has thereby become securitized. The coalition contract of 2018 professes that the NEA will be further developed, but does not give details (CDU/CSU-SPD, 2018: 131). Only enterprises that can be conducted exclusively through IT-infrastructure are considered cyber crimes. The FDP filed a parliamentary enquiry asking whether Germany’s cyber security policy has evolved towards addressing fake news.
The German government established that ‘fake news’ is not part of cyber security - information technology is used as a medium (Deutscher Bundestag, 2018f: 8). Critics of the NEA assert that it fails to address social bots (Deutscher Bundestag, 2017c). Would the use of social bots not count as an enterprise that can be exclusively conducted using IT-infrastructure? The discussion of disinformation and online propaganda aims to show that there is no clear consensus among policymakers on whether to address these issues as part of a cyber security policy.

Economy

The economic sector is addressed under the second field of action emphasizing that it is a ‘joint effort of government and industry’. The following is structured into two parts: first it addresses critical infrastructure providers, and second the larger economic sector excluded thereof.

Critical Infrastructure Providers

The protection of critical infrastructures resides at the “center” of the joint efforts between the government and the economy. It has “particular” relevance as it is a “whole-of-society” responsibility (BMI, 2016: 22). The ‘Implementation Plan for Critical Infrastructure’ (UP KRITIS) provides the guideline for the public-private partnership. The IT-Security Law provided for a legally binding cooperation. Instated in two parts in May 2016 and June 2017, the IT-Security Law requires providers of KRITIS critical infrastructure and online services (online-markets, online-search-engines, and cloud-computing-services) to adhere to minimum IT-security standards and reporting requirements of attempted or actual cyber attacks. The BSI is tasked to determine the standards in cooperation with the providers and verify their implementation (Deutscher Bundestag, 2015b: 41). The IT-Security Law effectuates the requirements of the EU’s Network and Information Security Directive, which gives requirements to Member States on how to protect their IT-systems. Due to prolonged discussions on the EU-level, the German parliament passed the first part of the IT-Security Law focusing on water, nutrition, energy, healthcare and IT-and-telecommunications in June 2015. The spearheaded implementation of the law as the first country within the EU and the urgency attached to defending against disruptions of critical infrastructure demonstrate a securitization process (Deutscher Bundestag, 2015a: 1563-1580). The IT-Security Law is regarded as a landmark in Germany’s cyber security policy; nevertheless, critics argued that it does not set out the same requirements for governmental institutions and that it does not bind the economic sector (Deutscher Bundestag, 2015a: 1565; 1570-71). The coalition contract of 2018 advances that a ‘2.0’ version will be established within the current legislative period (CDU/CSU-SPD 2018: 98).
The aim is to further define the companies affected by the IT-Security Law and possibly extend these beyond the providers of critical infrastructure. The parliamentary debate in April 2018 demonstrates broad support to extend the requirements of the IT-Security Law (Deutscher Bundestag, 2018a). The focus on critical infrastructure thereby remains pertinent.

Private Sector

To protect the economy Germany devises a range of sensitization and support initiatives. As a consequence of the cyber security strategy of 2011 the Alliance for Cyber Security (ACS) was created. It is a public-private partnership between the BSI and primarily small-and-medium sized businesses. The aim is to share information and develop best practice guidelines on how to counter cyber crime and industrial espionage. Since its establishment in 2012 the ACS has developed into a platform of 2,600 businesses (BSI, 2016: 3-7). A new program demonstrating the increased focus is the ‘Initiative for Economic Security’ launched by the interior ministry. It is an information sharing platform between federal security agencies (BSI, BKA, BfV, BND) and various economic unions. The aim is to improve the response to economic cyber espionage and sabotage. The guiding theme is: ‘Prevention through Dialogue and Information’. It is the evolution of the BfV’s previous economic security approach based on the premise: ‘Prevention through information’. Furthermore, the cyber security strategy of 2016 sets out plans to institutionalize an information exchange platform (BMI, 2016: 25); these plans are not reiterated in the coalition contract. It is remarkable that while the BSI, the BfV and the cyber security strategy of 2016 problematize the risks of economic cyber espionage, the issue is absent from political debates. The BSI publishes various institutional guideline compendiums giving recommendations on information security management systems (ISMS), building competence and awareness raising, maintaining operational continuity, and risk management procedures. The IT-Grundschutz (IT-Baseline Security) is the general directive applicable to the private and public sector. In the course of 2017 the BSI updated the IT-Grundschutz with the specific intention to make it more applicable to small and medium sized businesses (Alberts, 2017: 20-21). Complementarily, the Wirtschaftsgrundschutz (Economic Baseline Security) has been developed, providing recommendations on how to avert economic cyber espionage (BSI, 2016x). An accepted criticism among members of parliament is the lack of incentives for the economic sector to adapt and implement IT-security measures (Deutscher Bundestag, 2018a).
As the BSI admits, awareness raising and support initiatives do not necessarily lead to the implementation of recommendations (Greven & Kleinert, 2017: 23). The coalition contract of 2018 advances, however, that the German government wants to sign a ‘National Pact for Cyber Security’ to promote a sense of responsibility and commitment towards improving IT-security (CDU/CSU-SPD, 2018: 44). As such, while there is an increased consciousness and effort for sensitization and support initiatives targeting the society, economy, and government institutions, there is a lack of incentives within the economic sector. This is circumvented by the implementation of requirements, which is the topic of the following section.

Government

The cyber security strategy of 2016 proclaims the aim to establish a ‘capable and sustainable national cyber-security architecture’ (BMI, 2016: 26). Part thereof is the protection of government institutions against cyber threats. The hacking of the Bundestag in May 2015 and of the government network in 2018 have increased the political attention on the protection of governmental institutions. The IT-Security Law established that federal institutions have to implement minimum standards for their IT-systems. The BMI can establish these minimum standards as legally binding for federal agencies; so far, however, this has only been done for a single implementation (BSI, 2017: 56). In contrast, the providers of critical infrastructures are also required to fulfill organizational requirements such as ensuring operational continuity and risk management procedures. The deficiency was addressed with the reform of the ‘Implementation Plan for the Federal Administration’ (Umsetzungsplan Bund, abbr. UP Bund) in 2017. The UP Bund builds on the IT-Baseline Security guideline compendium of the BSI adjusted to governmental institutions. The UP Bund is intended as a binding policy document (UP Bund, 2017). Another project is the consolidation of the network and IT-infrastructure of the federal administration. The aim is to improve oversight and implementation of IT-security. These projects are endorsed by the cyber security strategy of 2016 (BMI, 2016: 35) and the coalition contract of 2018 (CDU/CSU-SPD, 2018: 46). Furthermore, reporting requirements for federal agencies of attempted or actual disruptions to their IT-systems exist since 2008. With the cyber security strategy of 2016 the German government aimed to make cooperation between the federal Computer Emergency Response Team (CERT-Bund) and the respective Länder organizations obligatory (BMI, 2016: 36). This has been legally established in the course of 2017 (BSI, 2017: 24). The research revealed that while Germany’s cyber security policy was initially focused on the protection of critical infrastructure, in recent years a series of policy initiatives have elevated the requirements for the federal administration to a comparable level.
However, as Julia Schuetze remarks, while the federal agencies may adhere to information security standards there is a gap to the communal level. Additionally, the cooperation with the Länder is currently based on 13 different models, impeding the implementation (Interview 3). Recent initiatives of the BSI demonstrate an attempt to address the gap. First, the BSI, with its headquarters in Bonn (North-Rhine-Westphalia), has established three additional regional offices (Middeke, 2017: 28-29). Secondly, as part of the cyber security strategy (BMI, 2016: 35) the BSI has developed an equivalent of the IT-Baseline Security guideline compendium for government constituencies (BSI, 2018).

Incident response

The BSI is the central agency in Germany’s cyber security architecture. Under its umbrella reside the National IT-Situation Center (Nationales IT-Lagezentrum) and the Computer Emergency Response Team of the Federal Government (CERT-Bund). The National IT-Situation Center receives information from public administration (BDSG), from providers of critical infrastructure (ITSG) and voluntarily from the private sector through the Alliance of Cyber Security or directly from private institutions (BSI, 2017: XX). Another route could be that the CERT-Bund picks up on suspicious data streams, either by itself or through information exchange with national/international CERTs or other governmental agencies such as the BND and its Signals Intelligence Support to Cyber Defense program (discussed below). The CERT-Bund would then contact the agency at risk. The CSS of 2016 aims to further develop the cooperation between the CERT-Bund and the corresponding Länder-CERTs. These share information through the Administration-CERT-Union (Verwaltungs-CERT-Verbund, abbr. VCV). The IT-Planungsamt established the VCV in 2013; however, in an attempt to improve the cooperation across Federal-Länder boundaries, the strategy aims to make the voluntary sharing of information mandatory (BMI, 2016: 36). These efforts seem to be addressed in the coalition contract of 2018 under the topic of improving and standardizing the IT-structures between the Federal government and the Länder (CC, 2018: 125). Another channel for cyber incident response would be the National Cyber Response Center (Cyber-AZ), through which certain developments or incidents would be shared with the BSI to decide further responses (Cyber-AZ, 2015: 15). With the implementation of the NIS-Directive, in particular through the enactment of the second part of the IT-Security Act that came into effect in June 2017, the German government established the institutional tools to improve its response to cyber incidents. The Mobile Incident Response Teams (MIRT) of the BSI can become active on site in case of cyber incidents. The principal aim is to aid state institutions or providers of critical infrastructure in overcoming, in the short term, the technical repercussions of an incident (BSI, 2017: 60).
Complementing these efforts is the plan to create ‘Mobile Cyber-Teams’ within the BfV that can be dispatched to investigate cyber attacks of foreign intelligence or extremist/terrorist background on site (BMI, 2016: 29). The BKA’s Quick Reaction Force (QRF) is intended as a specialized investigation task force to conduct the potentially necessary immediate law enforcement measures resulting from a cyber attack (Ibid: 29). After a trial period between June 2016 and June 2017 the QRF is supposed to be established in the course of 2018 (Deutscher Bundestag, 2017l: 14). The QRF will be composed of four cyber crime experts of the BKA rotating in a 24/7 standby service (Ritter & Steffens, 2017: 18). Whether the MIRT, ‘Cyber Team’ or QRF are deployed is decided on a case-by-case basis and in cooperation with the targeted agency. The CSS of 2016 also aims to develop the delegatory role of the Cyber-AZ and establish it as the national crisis response center (BMI, 2016: 28). As previous findings by Kullik (2014) and Zedler (2016) have indicated, the Cyber-AZ is currently seemingly more an information sharing platform than an operational coordination center. While the CDU/CSU endorsed the future development of the Cyber-AZ in a declaratory statement before the federal elections in 2017 (CDU/CSU, 2017: 2), these convictions are not reiterated in the coalition contract (CDU/CSU-SPD, 2018). The BSI is principally a passive cyber defensive agency. However, with the creation of the Mobile Incident Response Team, the increased reactive efforts made in regard to the CERT-Bund, and the planned establishment of the Cyber-AZ as the main cyber crisis response platform, its role has attained a more active cyber defensive dimension.

Section summary

Germany’s preventative cyber security policy has expanded its focus from the protection of critical infrastructure to the protection and promotion of resilience of society, businesses and government institutions. Digital carelessness and security-by-design have become politicized. The emerging Internet of Things has brought about recognition for the challenges it poses. Part of the reason may be attributed to the failure of 900.000 Telekom routers serving as a reference point for members of parliament. An increase in efforts can be observed in regard to the provision of sensitization and support initiatives. On the political level product security and producer liability have attained increasing focus. Furthermore, the establishment of end-to-end encryption is intended as a standard for society, the economy, and government institutions. Separately, policy documents and parliamentary debates only tangentially touch upon the issues of hate speech, online propaganda and disinformation campaigns; there seems to be a disagreement on whether these challenges should be addressed within a cyber security policy. The document analysis further revealed that disruptions to critical infrastructure (KRITIS) have been securitized. The IT-Security Act was established before the regulations were agreed upon on the EU level. An evident consensus among members of parliament can be observed for the further development of the IT-Security Law. A potential move discussed is to devise responsibilities for businesses. Complementing these intentions are the numerous policy initiatives directed towards businesses, such as a revision of the IT-Baseline Security guideline or the ‘Initiative for Economic Security’. The problem is currently how to incentivize businesses to implement the necessary actions. The current government will need to address the question of incentivizing versus regulating.
Lastly, while the focus on society and the economy may be part of the future, the research indicated an increased focus on the protection of governmental institutions. Part of the reason is the hacking of the Bundestag in 2015 and of the government network in 2018. The protection of government institutions has seemingly undergone a process from the un-politicized to the politicized. A recent parliamentary debate shows that there are securitizing acts conducted by the CDU/CSU to implement potential cyber counter attacks.

Part of the increasing consciousness for cyber security issues seems to be the development of incident response structures within the government. This includes more cooperation between the CERT of the federal government and the Länder, mobile incident response teams, and the aim to establish the Cyber-AZ as national crisis response coordinator. In this regard the question of upholding the ‘rule of separation’ between police agencies and the intelligence services would need to be addressed. However, in political debates this issue has not been addressed. Besides establishing the civilian structures to respond to cyber attacks.

Active Cyber Defense & Security Agencies

The previous section examined how Germany aspires to reduce the vulnerability of society, the economy and governmental institutions to cyber attacks. Another challenge is the anonymity and impunity with which aggressors can act. The German government writes in its cyber threat characterization: “The quantitative and qualitative diversity of potential actors at home and abroad, and of the technical possibilities for concealment, makes it harder to detect, attribute, defend against and prosecute cyber attacks” (BMI, 2016: 7). The passage accentuates how the resolve of state agencies is undermined in the cyber domain. A main field of action in the German cyber security strategy is the establishment of a ‘capable and sustainable national cyber-security architecture’ (BMI, 2016: 10-11, 27). The research revealed that the strategic objective has led to a progression of the operational cyber capabilities of law enforcement, intelligence services, and the military. Part thereof is institutional restructuring, personnel increases, technological advancements and the formation of legal authorities. The developments are situated within Germany’s cyber security policy expansion towards the use of active cyber defense measures. The analysis focuses on institutional developments and emphasizes pertinent policy issues. First, an overview of the recently inaugurated ZITiS is provided. Secondly, the analysis delves into law enforcement and the BKA. Thirdly, the intelligence services are addressed, i.e. the BfV and BND. Fourth, the analysis addresses the recently emerging debate on counter cyber operations. Lastly, it is examined how the military cyber command is situated within Germany’s cyber security policy.

Law enforcement & Security Agencies

ZITiS

The Central Office for Information Technology in the Security Sector (Zentrale Stelle der Informationstechnik im Sicherheitsbereich, abbr. ZITiS) is a federal agency under the umbrella of the interior ministry and was established in April 2017 as part of Germany’s cyber security strategy (BMI, 2016: 32). ZITiS is tasked to support law enforcement and security agencies with the development of methods and capabilities for cyber network operations; however, the agency itself does not have operative authority (CSS, 2016: 32; 18/13667: 5-7). By 2022 ZITiS is supposed to employ 400 personnel; as of March 2018 it employs 34 (19013434: 12). ZITiS is situated within the facilities of the University of the Bundeswehr and in close cooperation with the co-located Research Center Cyber Defense (Forschungszentrum Cyber Defense, abbr. CODE) (18/13696: 16). The parameters of the cooperation, or to what extent ZITiS will support the Bundeswehr per se, are not specified. Up until December 2017, cooperation has occurred with the BKA, BPol and BfV (18/13696: 15-16). The German government has no information available on whether the cooperation has brought about the development of technologies (19013434: 15). The president of Germany’s foreign intelligence service mentioned that cooperation may occur (Bundestag, 2017), whereas ZITiS was not specifically mentioned to support the BND. Furthermore, while the president of ZITiS has affirmed that it will not acquire zero-days or vulnerability-exploits from “unseriösen Firmen” (disreputable companies), which companies are regarded as such is not specified (XXX). It thereby remains to be seen how ZITiS will operate. The BMI established ZITiS as part of the cyber security strategy. The new agency is in its build-up phase. The formation of ZITiS shows commitment towards, first, supporting the resolve of government institutions in the cyber domain, and second, the harboring of software vulnerabilities.

Federal Crime Office

The Federal Crime Office (Bundeskriminalamt, abbr. BKA) is Germany’s central police agency. In regard to cyber security its task is the repression of cyber crime. According to Kullik (2014: 141-142) the BKA lacks the personnel and technological competencies. The German government aims to intensify law enforcement against cyber crime. Part thereof is an increase in personnel and technical capabilities and furthering national/international cooperation (BMI, 2016: 30, 43). With the IT-Security Law the German government increased the personnel of the BKA by up to 78 positions (Deutscher Bundestag, 2015: 5). With the cyber security strategy the German government wants to continue this process (BMI, 2016: 29).

The German government passed an amendment of the criminal code elevating the restrictions for the BKA to use Source Telecommunication Surveillance (STS) and Remote Network Searches (RNS). The modification took effect in May 2018 (Deutscher Bundestag, 2017g; 2018d). The BKA developed its own technology for STS: the Remote Communication Interception Software (RCIS). In the past the BKA has acquired programs from the private company FinFisher GmbH. Other acquisitions are not confirmed by the German government (Deutscher Bundestag, 2018d). Leaked documents revealed that the BSI supported the BKA in the development of software between 2007 and 2009; whether or to what extent this cooperation has continued is not disclosed (Deutscher Bundestag, 2017g: 9). In the future such support is supposed to be offered by ZITiS. The capabilities to conduct remote network searches are not publicly revealed. The German government emphasizes that the BKA uses these technologies with strict adherence to its legal grounds and has established an internal oversight body (Deutscher Bundestag, 2017g). The electronic surveillance tools require the use of software vulnerabilities. From a factual standpoint this leads to less cyber security. It shows the friction between public security and cyber security policy objectives. In the case of Germany this friction is convoluted, as the necessity to circumvent telecommunications encryption, i.e. ‘Security despite Encryption’ (BMI, 2016: 15), is advanced within Germany’s cyber security strategy. Furthermore, in parliamentary debates on the amendment the effects on cyber security are only addressed by the opposition (Deutscher Bundestag, 2017c: 24311, 24317, 24320; 2017d: 24587) but are not at the center of the discussion. During a hearing of the parliamentary Legal and Consumer Protection Council the issues for cyber security are only addressed by Linus Neumann for the Chaos Computer Club (Deutscher Bundestag, 2017j).
Firstly, the approach ‘Security despite Encryption’ is advanced within the cyber security strategy whereas from a factual standpoint it is counterproductive. Secondly, on the political level concerns for cyber security are not included in the discussions of public security measures.

Federal Office for the Protection of the Constitution

Together with the respective Länder offices the BfV is responsible for the surveillance of terrorism/extremism. Other constitutional functions on the federal level include the gathering of information on security threats and foreign intelligence service activities. The BfV is thereby tasked to investigate cyber espionage against political institutions and the sabotage of critical infrastructure. Beyond these duties the BfV also takes up tasks for the protection of the economy with a particular focus on industrial espionage. The German government presents ‘Effectively combat Cyber-Espionage and Cyber-Sabotage’ (BMI, 2016: 11, 28) as one of its strategic objectives. The principal measure advanced is to strengthen the BfV’s monitoring methods of all foreign intelligence activities in Germany. Anticipated is a personnel increase for the counter-espionage department and a purposeful organizational restructuring. Here the focal point is the defense of federal agencies and other targets against cyber-espionage with presumed foreign intelligence service origin. Additionally, the BfV is directed to intensify its resolve against cyber sabotage of extremist or terrorist background (BMI, 2016: 28). The planned increases in personnel are a continuation of analogous efforts legitimated through the implementation decree of the IT-Security Law (Deutscher Bundestag, 2015a: 5). The German government qualifies the acquisition and training of personnel to fill the necessary positions of the BfV as having ‘highest priority’ (Deutscher Bundestag, 2017e: 14). Similarly, the BfV repeatedly lobbies to increase its technical and legal capabilities (e.g. Maaßen, 2016; 2017a: 4). According to the findings of Kullik (2014) and Zedler (2016) the BfV has a lack of personnel and technical capabilities. At the unclassified level the approach, capabilities, or methods of the BfV in the cyber domain are ambiguous. Parliamentary enquiries are rejected in reference to the welfare of the state (Deutscher Bundestag, 2017g; 2018c). Sven Herpig (Stiftung Neue Verantwortung) remarks that particularly in regard to the BfV the government’s non-transparency makes it difficult to interpret how and to what extent the agency can operate in cyberspace. In contrast to the BND there is no public information as a reference point to make meaningful inferences (Interview 1). The German government asserts, however, that the BfV does not conduct computer network intrusions as the legal grounds are not provided (Deutscher Bundestag, 2018c: 15). The BfV does have attributive capacities.
While the BfV has named Russia, China and increasingly Iran as perpetrators of cyber-espionage endeavors, specific incidents have only been attributed to Russia. The group APT 28 (also known as Sofacy, Fancy Bear or Pawn Storm) is held responsible for the hacking of the German parliament in May 2015, a wave of spear-phishing emails against federal agencies in August 2016 and breaches of the computer networks and political party institutions of the CDU in May 2016 (BfV, 2016; 2017). Furthermore, the hacking of the computer network of the federal government has equally been attributed to APT 28. The German government confirms that on the basis of the evidence provided by the BfV, corroborated by findings of international partners, these incidents can be attributed to the group APT 28, including the group’s connection to the Russian government (Deutscher Bundestag, 2018e). While the president of the BfV has publicly named Russia as the main perpetrator on numerous occasions (Maaßen, 2016; 2017a), the German government has only confirmed these allegations in late 2017. Furthermore, the expulsion of Russian diplomats in response to an alleged attempt to murder an ex-Russian intelligence employee residing in the United Kingdom was justified in part by the reference to the intrusion of the Russian hackers in the federal government’s network. The naming-and-shaming of Russia shows, first, that the BfV has the capabilities to conduct attribution to a sufficiently accurate degree and, secondly, it demonstrates an emerging international political assertiveness of the German government in regard to cyber security issues. Nevertheless, it should be recognized that the German government has not asserted these claims through official diplomatic channels, nor were they voiced by a representative of the German government as a whole, e.g. chancellor, president or foreign minister.

Federal Intelligence Service

The BND is Germany’s foreign intelligence agency. In regard to cyber security the BND is tasked with the reconnaissance of cyber espionage and sabotage against governmental and/or critical infrastructure from abroad. The German government presents the strategic objective to solidify ‘an early warning system against cyber attacks from abroad’ (BMI, 2016: 11, 32). The BND has the legal authority and technical capabilities to strategically oversee international data streams (BND website). The word ‘strategically’ is indicative, as according to Kullik (2014) the BND does not have extensive technical resources and is dependent on external information. It thereby operates with the harpoon-method, i.e. targeting particular data streams (Ibid: 141). This allows the BND to identify the propagation of malware or malign activities, such as an APT attack against a governmental institution, originating from a server or system. The BND uses the gathered intelligence to generate overviews of the current cyber threat situation and/or alert the actors at risk (Ritter and Steffens, 2017: 14-15). The BND refers to this course of action as the ‘Signals Intelligence Support to Cyber Defense’ (SSCD) program (BND, 2016). As part of the cyber security strategy of 2016 the BND, together with IT-experts and analysts, is developing the SSCD into an early warning system against cyber attacks from abroad (BMI, 2016: 32). This allows the BND to identify cyber attacks in the preparatory and conduct phase. Furthermore, the BND is able to monitor information flow in the aftermath of a cyber attack. The German government does not disclose specific information on the approach, capabilities, or methods of the BND (Deutscher Bundestag, 2018d). Nevertheless, Dr. Herpig (Stiftung Neue Verantwortung) remarks that the operability of the SSCD implies that the BND has the capability to conduct computer network operations (Interview 1).
The president of the BND, Bruno Kahl, corroborated these inferences during a public hearing of the Parliamentary Oversight Panel (Parlamentarisches Kontrollgremium, abbr. PK), stating that his agency does in fact have these technical capabilities (Deutscher Bundestag, 2017k). Under the Federal Intelligence Service Act (BND-Gesetz) the BND may not be attached to a police authority (BNDG §1) and does not have military-operational capabilities (BNDG §2). This restricts the agency to solely focus on gaining and analyzing information without intruding into foreign computer network systems. Responding to a parliamentary inquiry, the German government asserts that the BND does not make use of external specialists or private service providers to operate the SSCD. In 2014, in the course of the Snowden-affair, it was revealed that the BND is heavily reliant on information exchange with the U.S. National Security Agency (NSA) to conduct the surveillance of international data streams, as well as on the technology to do so (Kullik, 2014: 152-153). If the BND has only limited capabilities to conduct its reconnaissance activities, information on which servers to particularly observe is relevant for the operation of the SSCD.

Hacking Back

The increased focus of the German government on the development of the cyber capabilities of law enforcement and security agencies ties into the emerging debate on hack backs. The German government states in its cyber security strategy of November 2016: “Serious cyber attacks are conceivable against which the classic preventive measures cannot take lasting effect in the time required. The Federal Government will therefore examine under which legal framework conditions and with which technical means network operations could be carried out by state bodies in such cases” (BMI, 2016: 29). The passage demonstrates (1) acknowledgment of the deficiencies of passive cyber defense measures and (2) consideration for conducting cyber counter-operations. Responding to a parliamentary enquiry in January 2017 regarding the passage, the German government explained that ‘network operations’ denotes the averting or interruption of a cyber attack. The operational parameters and the agency that is intended to carry out these enterprises are left unspecified. Furthermore, a cyber attack is regarded as ‘grave’ if the impact attains an ‘extensive’ dimension. Scenarios envisioned are effects on a large number of citizens, targets of ‘particular importance’ or economic damage that is potentially ‘particularly’ high. As an example the disruption of critical infrastructure is referred to (Deutscher Bundestag, 2017e: 9). The German government conducts a hyper-securitizing act (Hansen & Nissenbaum, 2009) by describing hypothetical cascading effects and evoking urgency due to the insufficiency of passive cyber defense measures, requiring a change of rules. The German government advances a frame that circumvents the question of whether cyber counter-operations should be implemented and immediately focuses on the how. An absence of such capacities would expose Germany - society, the economy and government institutions - to existential threats. Nevertheless, the ambiguous language and absence of detail accentuate a gap between the strategic objective and defined policy delineations. German media outlets revealed that in March 2017 the Federal Security Council (Bundessicherheitsrat, abbr. BSR) requested an examination of the technical and legal requirements for cyber counter-operations (Mascolo, 2017 April 20). The BSR is a cabinet of the chancellor and the federal ministers conferring about national security and defence policy. Meetings and agenda items are classified. As of June 2018 the inquiry has not been concluded (Deutscher Bundestag, 2018f: 12). In the course of 2017 several government officials called for the implementation of cyber counter-operations. On the political level interior minister de Maizière expressed his support during his time in office (Baumgärtner et al., 2017 November 24). More assertive were voices from the intelligence and security sector. The president of the BfV publicly lobbied to attain the technical and legal capabilities on numerous occasions (Deutscher Bundestag, 2017; Maaßen, 2017a; 2017b; 2018). The president of the BND, Kahl, expressed similar aspirations, emphasizing that while the BND has the technical capabilities it lacks the legal grounds (Ibid). Another proponent is the president of the decryption agency ZITiS (Baumgärtner et al., 2017 November 24). The consensus is that it should at least be possible to conduct rescue missions for stolen data, while the BfV and BND also consider the potential destruction of an aggressor’s server(s). Despite these advances a public or political debate did not emerge. The research only revealed a partial engagement with the topic in parliamentary enquiries (Deutscher Bundestag, 2017g; 2018c). The revelation of the hacking of the government network in February 2018 marks a turning point in the discussion on cyber counter-operations and the political salience of cyber security in Germany.
According to (FDP) the revelations caused a surge in the discussion on ‘hack backs’ within government circles (Response 1). In the aftermath the opposition parties filed a multitude of parliamentary enquiries (Deutscher Bundestag, 2018c; 2018e; 2018f; 2018g). The Green party filed a policy proposition emphasizing a rescission of Germany’s move towards active cyber defense measures and accordingly advanced a thorough passive cyber defense policy (Deutscher Bundestag, 2018h). The proposal was discussed in parliament in April 2018, during which the first open parliamentary debate ensued regarding Germany’s plans to conduct cyber counter-operations (Deutscher Bundestag, 2018a: 2410-2419). A reading of the debate reveals that the oppositional parties (Die Linke, Grüne, FDP and AfD) are against these plans. Critical arguments make reference to the problem of leaving open the vulnerabilities which cyber counter-operations necessitate, the acquisition of vulnerabilities from private companies, the attribution problem, and potential escalatory effects (Deutscher Bundestag, 2018a: 2410-2419). Relevant is also that the SPD is not firmly affirmative of such conduct. It is only the representatives of the CDU/CSU that are assertive. MdB Schuster (CDU/CSU) proclaims: “Surely one cannot control such threats merely by building firewalls. Our view is perfectly clear (and on this we will put proposals to you that will torment you): yes, we need an active cyber defense.” (Deutscher Bundestag, 2018a: 2412). While the CDU/CSU is firmly affirmative, its coalition partner SPD is not. The parliamentarians agree that something needs to be done, i.e. cyber security as a whole is securitized. The discussion is centered on principles and overarching themes. There is no discussion of the details such as vulnerability management. Nevertheless, according to Sven Herpig (Stiftung Neue Verantwortung) and Thomas Reinhold (Hamburg University) cyber counter-operations are going to be implemented. Before that, however, the debate needs to occur within the public.

The Offense-Defense Dilemma

The previous sections show that Germany has expanded its approach towards a more active cyber defense policy. There is a friction between passive and active cyber defense measures. The cyber security strategy of 2016 professes ‘Security through Encryption’ and ‘Security despite Encryption’, explaining: “To avoid an erosion of (the) already existing powers, the technical decryption capabilities of law enforcement and security agencies must be continuously developed in parallel with technical developments in encryption.” (BMI, 2016: 15). The German government takes a dual political stance, simultaneously promoting encryption and decryption. This position is reaffirmed in the coalition contract of 2018 and in answers to parliamentary enquiries (Deutscher Bundestag, 2018c: 4; 2018d: 2), asserting that law enforcement and security agencies need to have the same capabilities within the cyber domain as outside (CDU/CSU-SPD, 2018: 128). This claim is also used as a justification for the inquiry into cyber counter-operations. The analysis is a depiction of the dual efforts the German government pursues. There is a friction within Germany’s policy that can be described as the cyber offense/defense dilemma. On the one hand the German government wants to close software vulnerabilities, as shown by the range of passive cyber defense measures; on the other hand it wants to use these vulnerabilities, i.e. keep them open for the conduct of law enforcement and security agencies. The problem is that such a policy approach diminishes IT-security overall, making society, businesses and government institutions more susceptible to cyber threats.

A possibility would be a vulnerability management system: is there a system in place that manages the acquisition, assessment and balancing, usage and safeguarding of these vulnerabilities? Is there a system that allows for balancing the potential dangers of keeping vulnerabilities open against their potential benefits? The German government has not come to a conclusion in this regard (Deutscher Bundestag, 2018c: 14). The offense/defense dilemma touches upon a German political debate on the institutional position of the BSI. Under the umbrella of the interior ministry reside the BKA, BfV and ZITiS. As the analysis shows, these agencies are concerned with the harboring of software vulnerabilities. Critics argue that it is not transparent in what way the BSI provides support to the security agencies. According to Julia Schütze it is not evident what the BSI does with the information it receives. In the past it has been proven that the BSI supported the BKA (Deutscher Bundestag, 2018d: 1-2). The problem is a lack of trust towards the BSI if the agency that is supposed to close vulnerabilities is also involved in aiding the agencies aimed at keeping certain vulnerabilities open. The issue remains as there is no transparency. Critics argue that the BSI should be extracted from the interior ministry. Furthermore, there is also a controversy in regard to the BMI as it has both an encryption and a decryption agency under its umbrella. The problem becomes more accentuated in regard to the increasing operational capabilities of the Cyber-AZ. The BSI, having a delegatory role, would thereby work more closely on an operative level with these agencies. The dilemma is not limited to Germany; however, it is accentuated through the recently emerging discussion on ‘hacking back’, including the historical background of how Germany is changing its outlook.

Bundeswehr

In the summer of 2015 Der Spiegel leaked information on the basis of a classified strategic document that the German defense ministry planned to expand and formally institutionalize the cyber capabilities of the Bundeswehr (Gebauer, 2015 July 10). Consequently, the same year defense minister von der Leyen officially announced the development of a cyber command structure (BMVg, 2015). In April 2017 the Bundeswehr’s cyber command was inaugurated. The ‘White Paper of Germany’s Security Politics and the Future of the Bundeswehr’ published by the German government in 2016 states: “Defense against [cyber] attacks also requires corresponding defensive and offensive high-value capabilities” (BMVg, 2016: 93). Similarly, the final report of the organizing staff for the cyber command states: “... for carrying out effective cyber measures, defensive and offensive capabilities [are] always required” (BMVg, 2016: 5). These statements demonstrate that an active cyber defense is regarded as a necessary component of Germany’s national cyber security policy. The Bundeswehr becomes active in the case of self-defense (Article 115a, GG). However, the parameters at what point the impact of a cyber attack, such as the sabotage of critical infrastructure, qualifies as a ‘case of defense’ and requires involvement of the Bundeswehr have not been clarified. Furthermore, while the defense ministry affirms that the cyber command will only operate under the mandate of the Bundestag (§1(2) of the Parlamentsbeteiligungsgesetz), how the parliamentary mandate is applicable to military cyber operations is equally not addressed (Bendiek, 2016: 25). Neither the White Paper nor the cyber security strategy of 2016 gives any indication. Defense minister von der Leyen proclaimed during the inauguration speech of the cyber command: “If the networks of the Bundeswehr are attacked, then we may also defend ourselves. As soon as an attack endangers the functioning and operational readiness of the armed forces, we may also defend ourselves offensively” (von der Leyen, 2017: 1-2). The statement shows that while there are still unanswered questions, for Mrs. von der Leyen offensive cyber operations are part of the Bundeswehr’s repertoire. The necessary parameters, i.e. the attribution or the dimensions of a military cyber counter-attack, are not specified. In the personal interview, Dr. Thomas Reinhold (Hamburg University) remarks that the “Bundeswehr is actually not operational”. He remarks that to be operational the Bundeswehr would need to conduct reconnaissance during peacetime, which implies that the Bundeswehr would need a continuous mandate. It thereby needs to be clarified in what way it cooperates with the intelligence services. While in the case of the security agencies it is still being discussed whether they should receive the capability to conduct cyber counter-operations, for the Bundeswehr this question has been affirmed.
However, the same questions remain. As such a discrepancy between the strategic objectives and the clearly delineated policy can be observed.

5. Conclusion

The first sub-question “What are the cyber threats addressed by Germany?” was addressed by using Dunn-Cavelty’s (2013) classification into different threat clusters, i.e. malware, hackers, and complexity, and the securitization framework as an underlying tool. The research revealed that the focus on the protection of critical infrastructure persists. However, there has been an expansion of the focus towards dealing with the vulnerability to society, the larger economic sector, and government institutions. The commitment is most solidified in regard to government institutions, as in contrast to the other focus points the strategic objectives have led to clear policy delineations. A particularity was identified in regard to dealing with disinformation. There does not seem to be a consensus among policy makers whether to include it as a cyber security issue. Furthermore, particularly the threat of cyber-espionage from foreign intelligence services has received political attention through the hacking of the German government’s network. Whether the attention will persist remains to be seen. Nevertheless, it led to an intensification of the calls for cyber counter-operations, indicating securitization acts. Cyber crime remains at the side-line of policy documents and parliamentary discussions.

The second sub-question, “How does Germany devise its cyber security policy?”, was delineated by pointing towards the different approaches of cyber security policy. The research revealed that Germany has moved beyond its protective approach, expanding it towards resilience. This can be observed through the increase in sensitization and support initiatives. Particularly in regard to the economic sector this has been the approach Germany takes, as the regulations are more difficult to implement in contrast to critical infrastructure providers and government institutions. Apparent is also a move towards a more active cyber security policy by strengthening law enforcement, security agencies, and the military. The BKA’s cyber capabilities have been strengthened in part to conduct electronic surveillance. These efforts are included in the cyber security strategy of 2016. The contradiction is that the German government attempts to establish its resolve in the cyber domain; however, in regard to the BKA this is done as a counter-terrorism measure. On a political level these efforts are not discussed with reference to the effect on cyber security. The BKA would need to use software vulnerabilities and thereby, from a factual standpoint, diminishes cyber security. The cyber capabilities of the BfV and the BND are not transparent, impeding analysts from making inferences about their cyber operations. The emerging discussion on cyber counter-operation can be regarded as an outstanding shift in Germany’s approach. Nevertheless, the debate is at its beginning and the focus rests on overarching questions rather than its details, such as the implementation of a vulnerability management system. The Bundeswehr has established a cyber command structure. However, it has not been clarified how the capabilities are used. The development of offensive cyber capabilities and the friction it poses with defensive measures.

6. Further Research

The analysis has shown that there are several avenues for further research. First, there is a remaining knowledge gap on how Germany is dealing with the interaction between public security and cyber security; implied therein is the friction between offensive and defensive cyber security endeavors. How governments, and in particular Germany, are dealing with these aspects is currently unresolved. Secondly, there is a remaining focus on reducing the vulnerability to cyber threats, in particular disruptions to critical infrastructure. A further avenue of research would thereby be in what way the focus on the overarching vulnerabilities leads to an exemption of cyber crime.

References

Alberts, K. (2017). IT-Grundschutz Runderneuert. BSI-Magazin 2017/02: Mit Sicherheit, 20-21.

Baach, W. & Fett, W. (2014). Sicherheitspolitik im Cyber-Zeitalter: Reicht passive Abwehr aus?. Europäische Sicherheit & Technik (August 2014): 115-117.

Baumgärtner, M., Gebauer, M., Knobbe, M., Rosenbach, M. & Wiedmann-Schmidt, W. (2017, November 24). Hacker mit Dienstausweis: So rüstet sich Deutschlands Cyberarmee. SPIEGEL ONLINE. Retrieved from http://www.spiegel.de/spiegel/deutschland-ruestet-im-cyberkrieg-auf-a-1179975.html

Bendiek, A. & Metzger, T. (2015). Deterrence theory in the cyber-century. German Institute for International and Security Affairs. Berlin, Germany: SWP-Berlin.

Bendiek, A. (2016). Due diligence in cyberspace: Guidelines for international and European cyber policy and cybersecurity policy. German Institute for International and Security Affairs. Berlin, Germany: SWP-Berlin.

Beuth, P., Biermann, K., Klingst, M. & Stark, H. (2017 May 12). Cyberattack on the Bundestag: Merkel and the Fancy Bear. Die Zeit. Retrieved from http://www.zeit.de/digital/2017-05/cyberattack-bundestag-angela-merkel-fancy-bear-hacker-russia

Bitkom (2017, July 21). "Spionage, Sabotage, Datendiebstahl: Deutscher Wirtschaft entsteht jährlich ein Schaden von 55 Milliarden Euro". Bitkom: Presseinformationen. Retrieved from https://www.bitkom.org/Presse/Presseinformation/Spionage-Sabotage-Datendiebstahl-Deutscher-Wirtschaft-entsteht-jaehrlich-ein-Schaden-von-55-Milliarden-Euro.html

Bitkom Research (2017, September 1). Nur vier von zehn Unternehmen sind auf Cyberangriffe vorbereitet. Bitkom research: Pressearchiv. Retrieved from https://www.bitkom-research.de/epages/63742557.sf/sec98e10427fe/?ObjectPath=/Shops/63742557/Categories/Presse/Pressearchiv_2017/Nur_vier_von_zehn_Unternehmen_sind_auf_Cyberangriffe_vorbereitet

Bitkom (2017, October 11). Cybercrime: Jeder zweite Internetnutzer wurde Opfer. Retrieved from https://www.bitkom.org/Presse/Presseinformation/Cybercrime-Jeder-zweite-Internetnutzer-wurde-Opfer.html

BKA (2017). Cybercrime: Bundeslagebild 2016. BKA: Wiesbaden, Germany.

BKA (2017b). Polizeiliche Kriminalstatistik 2016. BKA: Wiesbaden, Germany.

BMI (2005). Nationaler Plan zum Schutz der Informationsinfrastrukturen (NPSI). Berlin, Germany: BMI.

BMI (2011). Cyber-Sicherheitsstrategie für Deutschland: 2011. Berlin, Germany: BMI.

BMI (2016). Cyber-Sicherheitsstrategie für Deutschland: 2016. Berlin, Germany: BMI.

BMI (2017). Verfassungsschutzbericht 2016. Spangenberg, Germany: Werbedruck GmbH Horst Schreckhase.

BMVg (2006). Weißbuch 2006 zur Sicherheitspolitik Deutschlands und zur Zukunft der Bundeswehr. Berlin, Germany: BMVg.

BMVg (2015). Tagesbefehl der Bundesministerin: 15 September 2015.

BMVg (2016a). Weißbuch 2016: Zur Sicherheitspolitik und zur Zukunft der Bundeswehr. Berlin, Germany: BMVg.

BMVg (2016b). Abschlussbericht: Aufbaustab Cyber- und Informationsraum.

BSI (2005). Die Lage der IT-Sicherheit in Deutschland 2005. Bonn, Germany: BSI.

BSI (2016). Einführung in den Wirtschaftsgrundschutz. Bonn, Germany: BSI.

BSI (2017a). Die Lage der IT-Sicherheit in Deutschland 2015. Bonn, Germany: BSI.

BSI (2017b). Allianz für Cyber Sicherheit. Bonn, Germany: BSI.

BSI (2018). IT-Grundschutz-Profil: Basis-Absicherung Kommunalverwaltung.

Bologna, S., Fasani, A. & Martellini, M. (2013). From fortress to resilience. In Martellini, M. (Ed.). CyberSecurity: Deterrence and IT protection for critical infrastructures (pp. 53-56). Heidelberg, Germany: Springer VS.

Bowen, G. A. (2009). Document analysis as a qualitative research method. Qualitative Research Journal, 9(2), 27-40.

Bötticher, A. (2015). Die Strukturlandschaft der Inneren Sicherheit der Bundesrepublik Deutschland. In Lange, H., & Bötticher, A. (Eds.). Cyber-Sicherheit (pp. 69-102). Wiesbaden, Germany: Springer VS.

Brenner, S. & Clarke, L. (2009). Combating cybercrime through distributed security. International Journal of Intercultural Information Management 1 (3): 259–274.

Bryman (2012). Social Research Methods (4th ed.). New York: Oxford University Press Inc.

Carr, M. (2016). Public-private partnerships in national cyber-security. International Affairs, 92(1), 43-62.

Davis II, John S. et al., “Stateless Attribution: Toward International Accountability in Cyberspace”, Rand Corporation, 2017, p. 24.

Davies, P. (2001). Spies as informants: Triangulation and the interpretation of elite interview data in the study of the intelligence and security services. Politics 21(1), pp. 73-80.

Deakin, H. & Wakefield, K. (2014). Skype interviewing: reflections of two PhD researchers. Qualitative Research, 14(5), 603-616.

Deibert, R. J. (2008). Black code redux: , surveillance, and the militarisation of cyberspace, in Digital Media and Democracy: Tactics in Hard Times, ed. Megan Boler (Cambridge, MA: MIT Press), 137-162.

Deibert, R. & Rohozinski, R. (2010). Risking Security: Policies and Paradoxes of Cyberspace Security. International Political Sociology, 4(1), 15-32.

Deutskens, E., De Ruyter K., Wetzels, M. & Oosterveld, P. (2004). Response rate and response quality of internet-based surveys: An experimental study. Marketing Letters 15(1), pp. 21–36.

Deutscher Bundestag (2015a). Plenarprotokoll 18/110. Stenografischer Bericht 110. Sitzung (10 Juni 2015).

Deutscher Bundestag (2015b). Drucksache 18/4096 (25.02.2015). Gesetzentwurf der Bundesregierung. Entwurf eines Gesetzes zur Erhöhung der Sicherheit informationstechnischer Systeme. (IT-Sicherheitsgesetz).

Deutscher Bundestag (2017a). Plenarprotokoll 18/221. Stenografischer Bericht 221. Sitzung (9 März 2017).

Deutscher Bundestag (2017b). Plenarprotokoll 18/231. Stenografischer Bericht 231. Sitzung (27. April 2017)

Deutscher Bundestag (2017c). Plenarprotokoll 18/238. Stenografischer Bericht 238. Sitzung. (2. Juni 2017)

Deutscher Bundestag (2017d). Plenarprotokoll 18/240. Stenografischer Bericht 240. Sitzung (22. Juni 2017)

Deutscher Bundestag (2017e). Drucksache 18/10839 (16.01.2017). Antwort der Bundesregierung auf die Kleine Anfrage der Abgeordneten , Frank Tempel, Dr. André Hahn, weiterer Abgeordneter der Fraktion DIE LINKE. – Drucksache 18/10682 –. Cyber-Sicherheitsstrategie der Bundesregierung.

Deutscher Bundestag (2017f). Drucksache 18/13069 (06.07.2017). Antwort der Bundesregierung auf die Kleine Anfrage der Abgeordneten Jan Korte, Dr. , Frank Tempel, weiterer Abgeordneter und der Fraktion DIE LINKE. Betriebssysteme und IT-Sicherheit in Bundesministerien und Bundesbehörden.

Deutscher Bundestag (2017g). Drucksache 18/13566 (13.09.2017). Antwort der Bundesregierung auf die Kleine Anfrage der Abgeordneten Dr. , Hans-Christian Ströbele, (Köln), weiterer Abgeordneter und der Fraktion BÜNDNIS 90/DIE GRÜNE – Drucksache 18/13413 – Einsatz von Schadsoftware (sog. Bundestrojaner) und Zurückhaltung und Ausnutzung von Sicherheitslücken durch Bundesbehörden.

Deutscher Bundestag (2017h). Drucksache 19/317 (22.12.2017). Schriftliche Fragen mit den in der Woche vom 18. Dezember 2017 eingegangenen Antworten der Bundesregierung. .

Deutscher Bundestag (2017i). Drucksache 18/11272 (22.02.2017). Gesetzentwurf der Bundesregierung Entwurf eines Gesetzes zur Änderung des Strafgesetzbuchs, des Jugendgerichtsgesetzes, der Strafprozessordnung und weiterer Gesetze.

Deutscher Bundestag (2017j) Pro und Contra Staatstrojaner: Recht und Verbraucherschutz/Anhörung - 01.06.2017 (hib 353/2017) https://www.bundestag.de/presse/hib/2017_06/-/509318

Deutscher Bundestag (2017k). Ausschüsse der 18. Wahlperiode. Parlamentarisches Kontrollgremium (PKGr): Nachrichtendienste sehen sich vor großen Herausforderungen. https://www.bundestag.de/ausschuesse/ausschuesse18/gremien18/pkgr#url=L2Rva3VtZW50ZS90ZXh0YXJjaGl2LzIwMTcva3c0MC1wa2dyLzUyNjUwNg==&mod=mod441792

Deutscher Bundestag (2017l). Drucksache 18/10839. Antwort der Bundesregierung auf die Kleine Anfrage der Abgeordneten Jan Korte, Frank Tempel, Dr. André Hahn, weiterer Abgeordneter der Fraktion DIE LINKE. Cyber-Sicherheitsstrategie der Bundesregierung.

Deutscher Bundestag (2018a). Plenarprotokoll 19/26. Stenografischer Bericht 26. Sitzung (19. April 2018).

Deutscher Bundestag (2018b). Plenarprotokoll 19/32. Stenographischer Bericht. 32. Sitzung. Berlin, Mittwoch, den 16. Mai 2018.

Deutscher Bundestag (2018c). Drucksache 19/1434 (28.03.2018). Antwort der Bundesregierung auf die Kleine Anfrage der Abgeordneten Dr. Konstantin von Notz, , , weiterer Abgeordneter und der Fraktion BÜNDNIS 90/DIE GRÜNEN – Drucksache 19/982 – Staatliches Hacking von Internetkommunikation – Transparenz rechtlicher und tatsächlicher Voraussetzungen.

Deutscher Bundestag (2018d). Drucksache 19/522 (24.01.2018). Antwort der Bundesregierung auf die Kleine Anfrage der Abgeordneten , , Jan Korte, und der Fraktion DIE LINKE. Informationstechnische Überwachung durch Bundeskriminalamt und Zoll.

Deutscher Bundestag (2018e). Drucksache 19/1867 (25.04.2018). Antwort der Bundesregierung auf die Kleine Anfrage der Abgeordneten , Anke Domscheit-Berg, Dr. Petra Sitte, weiterer Abgeordneter und der Fraktion DIE LINKE. Kompromittierung deutscher Regierungsnetze.

Deutscher Bundestag (2018f). Drucksache 19/2307 (24.05.2018). Antwort der Bundesregierung auf die Kleine Anfrage der Abgeordneten Stephan Thomae, , Manuel Höferlin, weiterer Abgeordneter und der Fraktion der FDP. Cybersicherheit.

Deutscher Bundestag (2018g). Drucksache 19/1556 (06.04.2018). Schriftliche Fragen mit den in der Woche vom 3. April 2018 eingegangenen Antworten der Bundesregierung.

Diehl, J. & Rosenbach, M. (2017 December 4). Wie ein Bräutigam bei einer Millionen Deutschen das Internet ausknipste. SPIEGEL ONLINE. Retrieved from http://www.spiegel.de/spiegel/telekom-hackerangriff-ein-braeutigam-knipste-das-internet-ausknipste-a-1181406.html

Dunn Cavelty, M. (2013). From cyber-bombs to political fallout: threat representations with an impact in the cyber-security discourse. International Studies Review 15, 105-122.

Flyvbjerg, B. (2006). Five misunderstandings about case study research. Qualitative Inquiry, 12(2), 219-245.

Freiberg, M. (2015). Grenzen und Möglichkeiten der öffentlich-privaten Zusammenarbeit zum Schutz Kritischer IT-Infrastrukturen am Beispiel des Umsetzungsplans KRITIS. In Lange, H., & Bötticher, A. (Eds.). Cyber-Sicherheit (pp. 103-120). Wiesbaden, Germany: Springer VS.

Gartzke, E. & Lindsay, J. R. (2015). Weaving tangled webs: Offense, defence, and deception in cyberspace. Security Studies, 24(2), 316-348.

Gebauer, M. (2015 July 10). Geheime Bundeswehr-Strategie: Von der Leyen rüstet an der Cyberfront auf. SPIEGEL ONLINE. Retrieved February 20, 2017, from http://www.spiegel.de/politik/deutschland/bundeswehr-ursula-von-der-leyen-ruestet-an-der-cyber-front-auf-a-1042985.html

Guitton, C. (2013). Cyber security as a national threat: overreaction from Germany, France, and the UK?. European Security, 22(1): 21-35.

Greenberg, A. (2017, July 20). How an entire nation became Russia’s test lab for cyberwar. The Wire. Retrieved from https://www.wired.com/story/russian-hackers-attack-ukraine/

Greven, F. & Kleinert, T. (2018). Anlaufstelle und Austauschplattform. BSI-Magazin 2018/01: Mit Sicherheit, 22-23.

Hader, D. & Deuster, P. (2017). Neue Mindeststandards. BSI-Magazin 2017/2. Mit Sicherheit: Informationssicherheit als Voraussetzung für Digitalisierung. pp. 22-24.

Harvey, W. (2011). Strategies for conducting elite interviews. Qualitative Research 11(4), pp. 431-441.

Hansen, L. & Nissenbaum, H. (2009) Digital Disaster, Cyber Security, and the Copenhagen School. International Studies Quarterly, 53(4), 1155-1175.

Heerwegh, D., Vanhove, T., Matthijs, K. & Loosveldt, G. (2005). The effect of personalisation on response rates and data quality in web surveys. International Journal of Social Research Methodology, 8(2), pp. 85–99.

Klick, J., Lau, S. & Marzin, D. (2015). Cyber-Security aus Sicht der Sicherheitspolitik. Berlin, Germany: Freie Universität Berlin.

Kullik, J. (2014). Vernetzte (Un-)Sicherheit?: Eine politisch-rechtliche Analyse der deutschen Cybersicherheitspolitik. Hamburg, Germany: Verlag Dr. Kovac.

Kriesel, F. W. & Kriesel, D. (2011). Cyberwar - relevant für Sicherheit und Gesellschaft? Eine Problemanalyse. Zeitschrift für Außen- und Sicherheitspolitik 4, 205-216.

Lindsay, J. R. (2013). Stuxnet and the limits of cyber warfare. Security Studies, 22(3), 365-404.

Lynn, W. J. (2010). Defending a New Domain: The Pentagon’s Cyberstrategy. Foreign Affairs, 89(5), 97-108.

Nakashima, E. & Timberg, C. (2017, May 16). NSA officials worried about the day its potent hacking tool would get loose. Then it did. The Washington Post. Retrieved from https://www.washingtonpost.com/business/technology/nsa-officials-worried-about-the-day-its-potent-hacking-tool-would-get-loose-then-it-did/2017/05/16/50670b16-3978-11e7-a058-ddbb23c75d82_story.html?utm_term=.e3dfe1c0c004

Maaßen, H. (2016). Nationale Cybersicherheit, Potsdamer Konferenz für Nationale CyberSicherheit (2016), Potsdam, June 4, 2016. Potsdam, Germany: Hasso-Plattner-Institut.

Maaßen, H. (2017). Terrorismus, Extremismus, Spionage: Der Bundesverfassungsschutz vor den Herausforderungen einer globalisierten Welt. Zeitschrift für Außen- und Sicherheitspolitik.

Mascolo, G. (2017, April 20). Wie die Regierung gegen Hacker zurückhacken will. Süddeutsche Zeitung. Retrieved from http://www.sueddeutsche.de/digital/it-sicherheit-wie-die-regierung-gegen-hacker-zurueck-hacken-will-1.3469456

Meister, A. (2015, July 30). Geheime Cyber-Leitlinie: Verteidigungsministerium erlaubt Bundeswehr “Cyber War” und offensive digitale Angriffe. Netzpolitik.org. Retrieved from https://netzpolitik.org/2015/geheime-cyber-leitlinie-verteidigungsministerium-erlaubt-bundeswehr-cyberwar-und-offensive-digitale-angriffe/#5-2-Cyberverteidigung

Middeke, F. (2017). Auf in die Fläche. BSI-Magazin 2017/2. Mit Sicherheit: Informationssicherheit als Voraussetzung für Digitalisierung. pp. 28-29.

Opdenakker, R. (2006). Advantages and disadvantages of four interview techniques in qualitative research. Forum: Qualitative Social Research, 7(4).

Reinhold, T. & Schulze, M. (2017). Digitale Gegenangriffe. Stiftung Wissenschaft und Politik: German Institute for international politics and security. Working paper: Research group security politics (pp. 1-18).

Rid, T. & Buchanan, B. (2015). Attributing Cyber Attacks. Journal of Strategic Studies, 38(1), 4-37.

Rid, T. & McBurney, P. (2012). Cyber Weapons. The RUSI Journal 157(1), 6-13.

Ritter, S. & Steffens, T. (2017). Das BSI vor Ort im Einsatz. BSI-Magazin 2017/02: Mit Sicherheit: 14-17.

Ruhmann, I. (2015). Aufrüstung im Cyberspace: Staatliche Hacker und zivile IT-Sicherheit im Ungleichgewicht. Wissenschaft und Frieden, 2015-3 (Friedensverhandlungen).

Schulzki-Haddouti, C. (2017, December 6). Studie: Cyberoffensive erhält deutlich mehr staatliche Mittel als Schutzmaßnahmen. Heise.online. Retrieved from https://www.heise.de/newsticker/meldung/Studie-Cyberoffensive-erhaelt-deutlich-mehr-staatliche-Mittel-als-Schutzmassnahmen-3911337.html

Singer, P. W. & Friedman, A. (2014). Cybersecurity and cyberwar: What everyone needs to know. Oxford, United Kingdom: Oxford University Press.

Steller, S. (2017). Die Cyber-Sicherheitsstrategie für Deutschland. Arbeitspapiere zur Internationalen Politik und Außenpolitik 1/2017.

Von der Leyen, U. (2017). Rede der Bundesministerin der Verteidigung Dr. bei der Aufstellung des neuen militärischen Organisationsbereichs und des Kommandos Cyber- und Informationsraum (CIR), Bonn, April 5, 2017. Bonn: Bundesministerium der Verteidigung.

Von Solms & van Niekerk (2013). From information security to cyber security. Computers & Security, 38, 97-102.

Yin, R. K. (2009). Case study research. London, United Kingdom: SAGE.

Zedler, D. (2016). Zur strategischen Planung von Cyber Security in Deutschland. Arbeitspapiere zur Internationalen Politik und Außenpolitik 2/2016. Cologne: Universität zu Köln.
