Bedingt Abwehrbereit? The German Debate about Cybersecurity and the Value of Intelligence
In today’s interconnected world, we can no longer keep our policy areas separate; what affects security policy also impacts an economy’s prosperity, and the decisions made can have ramifications on individual privacy. Cybersecurity and net neutrality form the link across these issues. What concerns many dedicated transatlanticists and stakeholders from the private sector and the think tank community, however, is the lack of interest (or even ignorance) that is being devoted to matters of all things “cyber” by vast parts of the German political and academic establishment.
The Economic and Social Dimension
Two recent events—one legal, one legislative—highlight not only the social and economic relevance of digital law, but also challenge national legislation for global technology. On 6 October 2015, the European Court of Justice struck down the U.S.-EU Safe Harbor Agreement, under which more than 4,000 American companies were handling the personal data of their European consumers. The court expressed doubts about their adequate protection in the United States. It is worth noting that the judges not only meant protection with respect to cyber criminals, but also considered government interventions (i.e., by intelligence agencies) a threat. This started as a sort of David-and-Goliath battle, when Austrian jurist and privacy activist Max Schrems filed a lawsuit against the multi-billion dollar company Facebook, challenging the website’s practice of data storage in the U.S. where it could be exploited by the National Security Agency (NSA) and other institutions. But it ended in a potentially damaging and expensive way for many companies, and certainly alienated people and economic players across the Atlantic. It again shed light on an ongoing transatlantic debate: different perspectives/attitudes on privacy, security, and political and commercial interests between the U.S. and parts of Europe. The British newspaper The Guardian even calls it “a growing chasm.” Schrems and European privacy advocates (among them many Germans) feel confirmed and forced a legal reorganization by the European Parliament, while the reaction in the United States gave a mixed picture. The New York Times, for example, declared the decision’s impact marginal; Secretary of Commerce Penny Pritzker immediately engaged in negotiations with EU representatives, and only a few Americans took the opportunity to criticize U.S. data protection measures.
The second decision was a vote in the European Parliament on 27 October. It issued a decree on net neutrality that has been criticized since it was proposed two years ago for opening the floodgates of undermining the core principles of neutrality. At stake is the equal treatment of data on the internet by governments and provider companies, to many a pillar of fundamental civil rights. On the one hand, the new decree offers more legal certainty than before (at least for Germany), as most member countries have not ratified any binding law at all. On the other hand, however, it limits the equality of data in favor of “special providers” without explicitly defining them. The process of debate took place widely unnoticed and uncovered by mainstream German media; instead, social media platforms like Twitter and Facebook as well as several blogs seemed to remain the best forums to articulate opposition and concern beforehand. Following the vote, the media outcry was great, as if there had not been enough time to seriously focus on the topic, especially after President Barack Obama brought it up last year by publicly supporting net neutrality.
Bashing the media rarely helps, but looking closer at what subjects receive attention from respectable outlets and publishers and which do not raises two questions. First, is there an assumption that news and stories on digital technology, cyber issues, and the future of social interaction combined with legal details induce disinterest and boredom—at least among the classic target audience? And second, how can we bring these, admittedly, sometimes not very approachable topics up on our radars? Rulings like the two aforementioned or—at least in the U.S.—the ongoing debate about encryption will continue to shape our daily routine, as they affect our lives not only at the workplace but at home, while travelling, or going out. Particularly in comparison with the U.S., the German discussion to a certain degree lacks understanding, knowledge, and, even worse, awareness. This does not seem to be a question of education or age—sometimes it seems like people take some sort of pride in being anti-technology, as if they think they could choose not to make use of the internet, smartphones, or digital infrastructure. Talking about the internet of things, which usually has to be explained and illustrated by several examples, a common reaction in Germany would be deprecatingly rejecting this “nonsense,” or even belittling a person who is in favor of embedded computing systems in physical objects operating within a network.
The Security Dimension
However, even if it were some kind of cultural habit, or if Germany just lagged behind other countries, the security dimension challenges everybody, regardless of the personal use of technology. The gap or “chasm” of perspectives on privacy versus security, as above mentioned, fully develops its impact over the ways and means of intelligence agencies and foreign policy. While the U.S. introduced the permanent United States Cyber Command (USCYBERCOM) as part of its Strategic Command in 2009, Germany only reluctantly established a single position within the Foreign Office (Auswärtiges Amt) in 2011. Yet this “Cyber Representative” is rather a temporary assignment: Thomas Fitschen, who took office in July 2015, is already the third appointee since 2013, and according to his job description he is responsible for counter-terrorism as well as “cyber foreign policy.” Apart from being understaffed and undervalued, the economic, social, and security dimensions of cyber are not reflected in this position. When in May 2015 the computer system of the entire German Parliament was hacked, one would assume that this “Bundestag Hack” would have raised the attention of a broader audience that goes beyond a group of educated individuals and institutions (i.e., the Bundesinstitut für Sicherheit in der Informationstechnik, BSI, cyber representatives and lawyers in the private sector) who for years have unsuccessfully alerted and warned the public against such a threat.
Even the recent bombings and shootings in Paris could not ignite a constructive German debate about the value of smart intelligence—very different from the United States. The very fact that the terrorists were able carry out the attacks seems to prove everyone right: those who strongly advocate extended police and intelligence legislation, data retention, and warrantless wiretapping as well as privacy proponents, who claim that even the best (or worst) security measures cannot prevent incidents like the ones that happened in the heart of Paris. The language within many of these knee-jerk reactions is getting harsher: John Brennan, Director of the CIA, complains about “hand-wringing” over the government’s role in finding and arresting terrorists; he indirectly blames Edward Snowden for enabling them to escape surveillance and eavesdropping by leaking classified documents on intelligence programs like PRISM. R. James Woolsey, former CIA Director, is even cited as saying “I think Snowden has blood on his hands from these killings in France,” and calls for a death sentence and “would prefer to see him hanged by the neck.”
Turning the focus of discussion to unauthorized disclosures, Snowden’s potential complicity, or the controversial question of encryption is, of course, a way to distract people’s attention from possible intelligence failures. Additionally, intelligence representatives seem to be seizing the moment of fear and uncertainty to push an agenda against the prevalent encryption that has been under siege ever since Apple and Microsoft provided encrypted text messaging software for their mobile devices. FBI Director James B. Comey does not tire of emphasizing the danger of refusing back door keys for intelligence agencies while activists, companies, and tech experts strongly advocate strong encryption by default to keep cyberspace safe. Since there is still no sound evidence whether the Paris terrorists had used protected communication in order to coordinate their actions, Donald Rumsfeld’s infamous quote “The absence of evidence is not evidence of absence, or vice versa” comes to mind. This matter is developing into a question of political faith rather than rational analysis and weighing pros and cons. But the very fact that this entire debate has not even started in Germany should be cause for concern.
More than two years have passed since the NSA affair broke, and ever since then the role of state-run intelligence services has become a popular topic in Germany—entirely leaving out the question of cybersecurity. It reached its first peak in 2013 as an immediate reaction to the Snowden revelations, and the second climax came following disclosures about the infiltration of NSA selectors in the German intelligence service (Bundesnachrichtendienst, BND) search engines, but seemed to fade as the indignation faded away. Given the ever-accelerating news cycles and new emerging crises and scandals, the U.S.-German intelligence affair remained for a remarkably long time on media agendas. And it has been only recently that the legal and technical complexity, in particular, of the matter has tired many citizens. To keep up with the pace of the debate one has to constantly follow the news to acquire an understanding of the rules and regulations. This includes not only the German Basic Law (particularly Article 10, the “G-10 law,” which regulates the limits of privacy and therefore the powers of intelligence services), but also a solid knowledge of cybersecurity, digital tools, and information technology. Only then can one actually participate in fruitful discussion about threats, chances, or the need for legal reform of intelligence, surveillance, and oversight.
Unlike in the United States, where permanent committees in both houses of Congress, FISA courts (Foreign Intelligence Surveillance Act), and a comprehensive oversight and accountability apparatus has been in place for decades, Germany and many other European countries still struggle with (or ignore the need for) a legal framework, the rights and obligations of their intelligence agencies, and a basic understanding of the impact cyber has within this context. The enormous public outrage over mass surveillance practices has cooled down a little over the last months also due to the intensive concern with the refugee situation and the notorious Volkswagen car emissions crisis. But what also alienates more and more people in Germany is a realization of their own shortcomings: a lack of interest or even ignorance regarding intelligence purpose, duties, and legal certainty. While the German public, media, and parts of the political establishment could for months unambiguously point at the United States for allegedly pursuing a contemporary 1984-style agenda, there was no reason to deal with unpleasant facts about the everyday business of foreign and security policy itself, including, of course, the German institutions involved.
The ongoing Parliamentary Committee investigating the spying scandal, which chancellery minister Peter Altmeier ennobled by saying “it is one of the more interesting inquiry committees,” has been in place since March 2015. After a somewhat bumpy start—Christian Democratic Union (CDU) chairman Clemens Binninger left the board over disagreements of whether to prioritize Edward Snowden’s testimony from the beginning—the eight members of the Bundestag familiarized themselves with a range of topics. In the first couple of sessions they learned about experts’ opinions on the legal framework and technical aspects of intelligence. According to Hans-Jürgen Papier, former president of the Federal Constitutional Court, the German BND’s information-gathering practices are partly unconstitutional and therefore put Germany’s intelligence service at the core of the investigation, rather than the NSA that was eponymous for the enterprise. After the hearings of two former NSA employees who turned whistleblowers, William Binney and Thomas Andrews Drake, the commission has increasingly become a BND inquiry committee, since no active NSA officer will appear before them. Instead, numerous BND officials have testified on various SIGINT topics and projects, and for the first time members of the Bundestag as well as parts of an interested public in Germany got a glimpse behind the secretive scenes.
After several leaks of unknown origin the commission has stated to convene under the greatest possible interception precautions. It seems eager to fulfill its task, but periodically finds itself in the midst of political party confrontations, for example whether to hear Angela Merkel, or whether to back BND president Gerhard Schindler, or demand his resignation. They stand more united in the battle for parliamentary rights against the government—particularly since an unchallenged confidence in the Federal Chancellery’s oversight efforts is fading. It is mainly the Green Party and the Social Democratic Party (SPD) demanding a significant upgrade of the permanent parliamentary oversight board (Parlamentarisches Kontrollgremium, PKGr) which can only in hindsight agree to or dispute intelligence measures. There is growing evidence about advanced intelligence reform proposals being underway, and the SPD already released a position paper on its prioritized key issues (especially SIGINT legislation, extended G-10 commission competences, and prohibition of economic espionage).
After hearing testimony before the NSA Parliamentary Committee, and aided by media efforts, in May 2015 the German public became aware of the term “Selektoren,” (selectors) which describes search characteristics that are used by intelligence services to execute database queries. At Bad Aibling, a picturesque Bavarian town south of Munich that hosts one of the most active interception bases in Germany, the BND allegedly carries out the NSA’s inquiries, including those that are not covered by German law. Allegedly, the BND helped the NSA to conduct industrial espionage against European companies like EADS and Eurocopter. The German government stole the critics’ thunder regarding the selector list by first blaming the U.S.’ unwillingness to make such sensitive data available to a foreign government or even to the public. It turned out, however, that the White House had no substantial objections and it was solely the agencies’ decision to refuse to hand over a list of problematic search keywords. After a heated debate about parliamentary rights versus governmental supremacy, the chancellery (that is in charge of legal, technical, and administrative supervision of the BND) appointed former judge Kurt Graulich to go through a list of rejected NSA selectors and to report about his findings. It came as no surprise that not only did the opposition parties generally refuse to accept Graulich’s assessment, but he was also subject to accusations of having copied and assumed the BND’s positions on the matter. Once again, partisan struggle lost an opportunity to genuinely tackle questionable intelligence practices evolving from legal grey areas and poor accountability and oversight.
One Step Forward, Two Steps Back?
Just a few days later, the most recent turbulences shook the German public over disclosures about extensive espionage programs against the Vatican, various interior ministries of friendly nations, leading NGOs, and politicians—carried out all alone by the German foreign intelligence agency. What did not cause much excitement among experts worldwide again stirred up a debate many had hoped was over. And there we are again: Stuck in incredulous astonishment about the nature of intelligence as if we did not learn anything over the past two years. Chancellor Merkel’s remark that “spying on friends is unacceptable” was in hindsight the worst thing to say regarding bilateral and multilateral relations and understanding national security. Saying so never enjoyed unrestricted validity but rather imposed unrealistic moral high ground upon intelligence services around the globe. Spying on friends actually is part of the game, but awareness, a reasonable legal framework, as well as foresight with regard to future digital and technological challenges are the key to achieving a working balance domestically and internationally. German politicians public seem to either willingly ignore or lack this kind of critical attitude that would be necessary to move the debate about intelligence in the twenty-first century beyond mere indignation on the one hand, and apathy on the other.
* “Partially ready to defend” refers to an article by Conrad Ahlers published in Der Spiegel on 8 October 1962. It included a devastating NATO evaluation of West Germany’s military performance and eventually resulted in the infamous Spiegel scandal. For further information, see: Martin Doerry, Hauke Janssen (Ed.), Die Spiegel-Affäre: Ein Skandal und seine Folgen. DVA München, 2013.
 For facts and figures on the importance of transatlantic data flows, see: Joshua P. Meltzer, “The Importance of The Internet and Transatlantic data flows for U.S. and EU Trade and Investment,” Brookings Global Economy & Development Working Paper 79, October 2014.
 Charles Arthur, “Safe harbour ruling illustrates growing chasm between US and EU,” The Guardian on the web, 6 October 2015, http://www.theguardian.com/technology/2015/oct/06/safe-harbour-ruling-growing-chasm-us-eu-data-protection (10 November 2015).
 Marco Saal, “Europe versus Facebook. Beriets 16.000 Unterstützer für Sammelklage von Max Schrems,” Horizont, 6 August 2014, http://www.horizont.net/medien/nachrichten/Europe-versus-Facebook-Bereits-16.000-Unterstuetzer-fuer-Sammelklage-von-Max-Schrems-121676 (10 November 2015).
 The Editorial Board, “European Ruling is Merely a Symbolic Victory for Privacy,” New York Times on the web, 9 October 2015, http://www.nytimes.com/2015/10/09/opinion/european-ruling-is-merely-a-symbolic-victory-for-privacy.html?_r=0 (11 November 2015).
 Georgina Prodhan, “U.S. sees new EU data-sharing pact within reach,” reuters (U.S. edition), 29 October 2015, http://www.reuters.com/article/2015/10/29/us-eu-privacy-usa-idUSKCN0SN1O620151029#vwY7fjptrZi0Kwf7.97 (11 November 2015).
 See for example these letters to the editor from the New York Times (13 October 2015), http://www.nytimes.com/2015/10/13/opinion/digital-privacy-in-the-us-and-europe.html?_r=0 (11 November 2015).
 Such as netzpolitik.org; digitalegesellschaft.de.
 Almost exclusively online journalists, however, took on the task of reporting extensively (e.g., from Motherboard, heise, correctiv), and this illustrates exactly the discrepancy mentioned before.
 Michael Hanfeld, “Das neutrale Internet ist Geschichte,” Frankfurter Allgemeine Zeitung on the web, 27 October 2015, http://www.faz.net/aktuell/feuilleton/debatten/eu-parlament-setzt-der-netzneutralitaet-ein-ende-13879188.html (27 November 2015).
 Edward Wyatt, “Obama Asks F.C.C. to Adopt Tough Net Neutrality Rules,” New York Times on the web, 10 November 2015, http://www.nytimes.com/2014/11/11/technology/obama-net-neutrality-fcc.html (27 November 2015).
 According to a U.S. DoD fact sheet “USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.” http://www.stratcom.mil/factsheets/2/Cyber_Command/
 In September, Minister of Defense Ursula von der Leyen released an “order of the day” addressing cyber and announced the formation of a cyber team for the armed forces: http://www.bmvg.de/portal/a/bmvg/!ut/p/c4/NYuxDsIwDET_yE5gKWwtZWBhYIGypW0UGTVOZZyy8PEkA3fSG-7p8Iml7DYKTimxW_CBw0TH8QNj3AK8UpayQiSmt3qhHPFeP7OHKbHXSvWsVBjEaRJYk-hSTRYpBmjGwdi-M9b8Y7_t7nw9nJpm31-6G64xtj-fkO2W/ (3 December 2015).
 Markus Beckedahl, “Thomas Fitschen ist neuer Cyberbeauftragter im Auswärtigen Amt,” netzpolitik.org, 15 July 2015, https://netzpolitik.org/2015/thomas-fitschen-ist-neuer-cyberbeauftragter-im-auswaertigen-amt/ (27 November 2015).
 According to the BSI (Bundesamt für Sicherheit in der Informationstechnik), nearly 60 percent of German authorities and companies were targets of cyber-attacks: https://www.allianz-fuer-cybersicherheit.de/ACS/DE/Micro/Umfrage/umfrage2015.html (27 November 2015).
 “Bundestag muss IT-Netzwerk wohl komplett austauschen,” DieWelt on the web, 10 June 2015, http://www.welt.de/politik/deutschland/article142298394/Bundestag-muss-IT-Netzwerk-wohl-komplett-austauschen.html (26 November 2015).
 See Brennan’s interview: https://www.washingtonpost.com/world/national-security/why-its-hard-to-draw-a-line-between-snowden-and-the-paris-attacks/2015/11/18/34793ad4-8e28-11e5-baf4-bdf37355da0c_story.html (27 November 2015).
 See Woolsey’s interview on CNN: http://thehill.com/blogs/blog-briefing-room/260817-ex-cia-director-snowden-should-be-hanged-for-paris (27 November 2015).
 James B. Comey’s testimony, 8 July 2015, https://www.fbi.gov/news/testimony/going-dark-encryption-technology-and-the-balances-between-public-safety-and-privacy (27 November 2015).
 See for example Bruce Schneier on encryption: https://www.schneier.com/blog/archives/2015/06/why_we_encrypt.html (26 November 2015).
 Full text of the formal implementation by the Parliament: http://dip21.bundestag.de/dip21/btd/18/008/1800843.pdf (10 November 2015).
 “NSA Untersuchungsausschuss. Binninger gibt Vorsitz auf,” Stuttgarter Zeitung on the web, 9 April 2015, http://www.stuttgarter-zeitung.de/inhalt.nsa-untersuchungsausschuss-binninger-gibt-vorsitz-auf.e4fb167e-9230-441c-b862-0907b751ac78.html (10 November 2015).
 “Staatsrechtler sehen BND im rechtsfreien Raum,” Die Zeit online, 22 May 2014, http://www.zeit.de/politik/deutschland/2014-05/nsa-untersuchungsausschuss-bundesnachrichtendienst (10 November 2015).
 Most of the hearings excluded the public, but thanks to Wikileaks many transcripts appeared online and were translated into English shortly after.
 “BND Affäre. CDU bremst schnelle Befragung Merkels aus,” Frankfurter Allegemeine Zeitung online, 3 May 2015, http://www.faz.net/aktuell/politik/inland/bnd-affaere-cdu-bremst-schnelle-befragung-merkels-aus-13572217.html (10 November 2015).
 Full text of the paper is available here (only in German): http://www.spdfraktion.de/themen/bnd-aus-rechtlicher-grauzone-herausholen (27 November 2015).
 Or those who had not seen Citizenfour by Laura Poitras.
 Kai Biermann, Patrick Beuth, “Was sind eigentlich Selektoren?” Die Zeit on the web, 24 April 2015, http://www.zeit.de/digital/datenschutz/2015-04/bundesnachrichtendienst-bnd-nsa-selektoren-eikonal (27 November 2015).
 See for example: Maik Baumgärtner, Martin Knobbe, Hubert Gude, “BND Affäre: Weitere Listen mit brisanten Suchbegriffen aufgetaucht,” Der Spiegel on the web, 21 May 2015, http://www.spiegel.de/politik/deutschland/bnd-affaere-weitere-listen-mit-brisanten-suchbegriffen-a-1035018.html (27 November 2015); Georg Mascolo, “BND half NSA beim Ausspähen von Frankreich und EU-Kommission,” Süddeutsche Zeitung on the web, 29 April 2015, http://www.sueddeutsche.de/politik/geheimdienst-affaere-bnd-half-nsa-beim-ausspaehen-von-frankreich-und-eu-kommission-1.2458574 (3 November 2015).
 Kai Biermann, Patrick Beuth, Tilman Steffen, “BND half NSA beim Überwachen europäischer Politiker,” Die Zeit on the web, 23 April 2015, http://www.zeit.de/digital/datenschutz/2015-04/ueberwachung-bnd-half-nsa-wirtschaftsspionage-europa (27 November 2015).
 “Kritik prallt an Graulich ab,” Deutschlandfunk online, 5 November 2015, http://www.deutschlandfunk.de/nsa-untersuchungsausschuss-kritik-prallt-an-graulich-ab.1818.de.html?dram:article_id=336019 (27 November 2015).
 “Auslandsgeheimdienst: BND spionierte Ministereien befreundeter Staaten aus,“ Der Spiegel online, 7 November 2015, http://www.spiegel.de/politik/deutschland/bundesnachrichtendienst-spionierte-systematisch-freunde-aus-a-1061517.html (27 November 2015).