License to hack: Germany looks to boost cyberops
June 26, 2019
German spooks, it seems, are pretty trendy nowadays, donning hoodies and woolen caps, stubble and a generally pensive air. And they come with "a license to hack" — at least according to the large photo currently splashed across the recruitment website of the BND, Germany's foreign intelligence agency.
The postings include positions for experts for cybersecurity and computer network exploitation with a "willingness to travel abroad." The BND is looking to recruit spies able to infiltrate foreign computer networks. Most Western countries, too, are scrambling to recruit talent: Australia, the United Kingdom and Canada all have similar postings.
In one British ad, candidates are told, "we can hack the computers of terrorists and criminals to disrupt their plans." In another, the Australian government is looking for a candidate able to develop and apply "Autonomous Cyber Operations."
Read more: Germany struggles to step up cyberdefense
German hackers' hands are tied
In comparison, German hackers are somewhat unique: Once they've broken into a network, their license is curtailed by Germany's Basic Law — the constitution — which dictates a strict separation between policing, intelligence gathering and prosecution. In other words, the spook in the hoodie can't take down a hostile server that might be attacking German infrastructure or delete sensitive data an adversary may have stolen.
However, experts readily admit that in the extremely unlikely event of a cyberattack of such catastrophic proportions that lives are lost and infrastructure destroyed, the German military would counter with cyberstrike in self-defense. It could even launch a conventional war. But below the threshold of outright cyber or kinetic war, Germany's hands are currently tied.
This is at odds with the more aggressive stance other countries are taking following several attacks on their infrastructure in recent years.
Attacks include shutting off the power grid in Western Ukraine in 2015 and hacking into servers of the Democratic National Committee in the United States in the run-up to the 2016 elections. In both cases, lawmakers and experts pointed to Russian hackers.
'The new terrorist'
"Cyber" is increasingly being used to describe the abstract yet serious threat of malicious hackers possibly gaining access to key networks and wreaking widespread havoc. One researcher told DW wryly that the term has become "the new terrorist" threat that legitimizes calls to boost offensive capability and ask for funds. And with good reason, given the number of utilities, civil services, and business sectors that depend on digital operations to properly function. "Cyber Pearl Harbor," a term that lawmakers and soldiers like to use, hints at the level of destruction possible.
Yet major events are rare, compared to the daily barrage of attacks launched often indiscriminately by criminals against banks, companies and, more generally, anyone connected to the internet.
Nevertheless, international conflicts are spilling into the virtual sphere. The US, according to a recent report in The New York Times, has shifted towards offensive operations and has placed "potentially crippling malware" inside Russian servers "at a depth and with an aggressiveness that has never been tried before." This strategy is sometimes termed the "preparation of the battlefield": If conflict arises, software is already prepared and can be activated quickly to shut down a server.
Recently the US military reportedly launched a cyberattack on Iranian weapons systems that control its rocket and missile launchers. Others, too, are firmly moving towards offense.
Read more: US hits Iran with cyberattack
Cyberdefense without offense 'like a tank without a gun'
Take Estonia, a tiny Baltic Sea country that shares a border and a fraught history with Russia. Following decades of Soviet occupation, Estonia gained independence in the early 1990s.
In 2007, the Estonian government decided to move a Soviet-era statue from the center of the quaint capital, Tallinn, to a less central location. What followed was a swift digital retribution; A major offensive cyberattack on the country's banking system and several government websites. Many believe it was orchestrated by Russian hackers.
Tanel Sepp, the head of the Estonian Ministry of Defense's cyber programs, recalled not being able to check Estonian news sites from Brussels, where he was stationed at the time. He told DW his country has since learned its lesson and boosted its cyberdefenses. It is now piloting a cyberconscription and moving towards more offensive capabilities, as an additional tool in military operations: "Cyberdefense without offensive capabilities is like a tank without a gun," he said, grinning.
But when later asked about the specifics of offensive operations, including whether Estonia, like Russia, was conducting "preparation of the battlefield" operations, he declined to comment. Any details, he said curtly, were "classified."
Read more: The new digital insecurity
Interior Ministry working on new law
Germany, too, has experienced several attacks on government infrastructure, including on the internal network of the Bundestag in 2015, most likely by a group of Russian hackers that also targeted defense companies in several NATO states.
This was followed by an attack on the federal administration's network in 2018, and late last year, the personal data of hundreds of German politicians was released online, including credit card information and personal chats.
These attacks seem to have jolted the German government back into action — after an earlier round of discussions on cyberdefense petered out. Interior Minister Horst Seehofer said recently that Germany couldn't just "helplessly endure" a cyberattack. Rather, Germany needed a more "active cyberdefense," using the government's preferred term, which has a less bellicose ring to it than the more commonly used "hackback."
His ministry, Seehofer said, was working on draft legislation. While the details are strictly classified, a working paper was leaked earlier this year. Accordingly, Seehofer's ministry, it seems, would like to task the foreign intelligence agency with the ability to delete data and, as a last resort, shut down enemy servers.
Opposition: Hackback plans 'reckless'
But the plans to step up government hackers' powers have shocked and angered many, especially among the opposition. In his spacious office, the shelves stacked with books on the CIA's interrogation programs, Andre Hahn of the Left party said the law was "reckless" and "ignored history."
He was referring to the Nazi regime, during which the secret police — the Gestapo — detained, tortured and disappeared people without any legal oversight, leading to a strict separation between policing, intelligence gathering and prosecution after the Second World War. Never again, the reasoning went, should a secret police force act with total impunity as the Gestapo had done.
Thus, in theory, in order to give the BND the license to hack offensively, the German constitution would have to be changed — an idea so "preposterous," Hahn told DW, that it didn't bear thinking about.
Read more: The significance of Germany's Basic Law
Hahn — who told DW he never discusses sensitive matters on the phone, but rather in person during walks along busy roads — is also concerned about parliamentary oversight. As a longtime member of the parliamentary group tasked with overseeing the country's intelligence agencies, he is well aware that these tend to reveal as little as possible of operations.
Indeed, he said, most of what he knows about secret operations is what he has garnered from investigative reporting.
Other members of the opposition, including the Green and business-friendly Free Democrat parties, also vehemently disagree with tasking the BND with offensive cyberdefense.
Are hackbacks the right tool?
Several politicians and experts DW contacted, however, question whether hackbacks are even a useful type of offense. Matthias Schulze of the German Institute for International and Security Affairs, a Berlin-based think tank that advises the government on foreign and security policy, said that hackbacks are notoriously difficult.
For one, hackers often launch their attacks via computers of innocent bystanders — for example hospitals, which could be harmed in the event of a retaliatory attack. Moreover, deleting data is next to pointless, he said, as any competent hacker will have made sure to have backups.
Schulze fears that offensive capabilities may lead to an escalation or even a virtual arms race, which could spiral out of control. Rather than boost defensive capabilities, Schulze is convinced that Germany should invest more in internet security.
Both foreign and domestic intelligence agencies make use of backdoors — vulnerabilities in the software that allow outsiders to gain system access — but so do criminals and suspected terrorists at home. If these backdoors are kept open, Schulze says, anyone can use them to access key networks and computers, including criminals seeking to steal data or insert malicious software to blackmail users.
"There are no backdoors just for the good guys. Either you have a backdoor and the system is insecure for everyone, or you close the door and everyone is safer," Schulze said.
Read more: Europe's cybersecurity gap threatens infrastructure, elections
Ministry pushing ahead with plans?
Despite the concerns voiced by Schulze and other experts, the Interior Ministry seems to be pressing ahead. In a written statement, a spokesperson told DW that active cyberdefense was an "indispensable instrument," but declined to answer questions about specific details and timing.
Many in the opposition fear that the current coalition government may yet strike a deal and implement a more offensive cybersecurity plan, even at the risk of it being unconstitutional. In theory, opposition politician Hahn told DW, the government could approve and implement hackbacks — meaning that unless and until Germany's Constitutional Court were to rule against their use, the government could continue to employ them. "It is certainly not inconceivable that they might do so," he said. "It has been done in other cases."
One thing is clear: Should Germany's intelligence agency get the legal go-ahead, switching to more active operations is fairly straightforward. Once a hacker has gained access to a network, Matthias Schulze says, "actually deleting data is pretty trivial." In other words, the spooks that Germany is currently trying to recruit, could swiftly — and silently — move to offense.
DW's Thomas Allinson contributed to this report.