Cybersecurity Risks Unify Old Partners in the Post-Alliance Era

Sarah Lohmann

Dr. Sarah Lohmann is Non-Resident Fellow with the American Institute for Contemporary German Studies at Johns Hopkins University. Dr. Lohmann is an Acting Assistant Professor in the Henry M. Jackson School for International Studies and a Visiting Professor at the U.S. Army War College. Her current teaching and research focus is on cyber and energy security and NATO policy, and she is currently a co-lead for a NATO project on “Energy Security in an Era of Hybrid Warfare”. She joins the Jackson School from UW’s Communications Leadership faculty, where she teaches on emerging technology, big data and disinformation. Previously, she served as the Senior Cyber Fellow with the American Institute for Contemporary German Studies at Johns Hopkins University, where she managed projects which aimed to increase agreement between Germany and the United States on improving cybersecurity and creating cybernorms.

Starting in 2010, Dr. Lohmann served as a university instructor at the Universität der Bundeswehr in Munich, where she taught cybersecurity policy, international human rights, and political science. She achieved her doctorate in political science there in 2013, when she became a senior researcher working for the political science department.

Prior to her tenure at the Universität der Bundeswehr, Dr. Lohmann was a press spokeswoman for the U.S. Department of State for human rights as well as for the Bureau of Near Eastern Affairs (MEPI). Before her government service, she was a journalist and Fulbright scholar. She has been published in multiple books, including a handbook on digital transformation, Redesigning Organizations: Concepts for the Connected Society (Springer, 2020), and has written over a thousand articles in international press outlets.

In the frenzy of finger-pointing this month following the latest cyberattacks affecting Germany’s Foreign Office, one piece of good news remained largely buried. On December 19, 2017, the Germans were informed of the attacks—which aimed to grab specific sensitive information from their supposedly most secure internal network—by a partner country’s security agency.[1] By the time Germany verified the attacks, now being attributed to the elite Russian hacking group “Snake,” seventeen Foreign Office computers had been affected, and at least three documents stolen.[2] Information sharing between old partners is still happening, albeit not always in the same format or with the speed that the agencies would want. But it is happening.

To improve timely information sharing and coordinated response to cyberattacks between the United States and Germany, at least three challenges need to be remedied:

  1. A proliferation of agencies in both countries dealing with cybersecurity, which need more streamlined communication patterns
  2. Germany’s, and Europe’s, interconnectedness and digitalization gap
  3. The existence of a legal grey zone on who may respond to cybersecurity attacks, to what degree, and when.

A Proliferation of Agencies, A Multitude of Players

An urgent U.S. national security problem identified by National Security Advisor H.R. McMaster is that there is “no one room for the coordination of risks occurring in cyberspace,” National Defense University’s Thomas Wingfield said on a panel on the sidelines of the Munich Security Conference (MSC).

Another challenge is that the private sector is often the target of cyberattacks even as it provides the infrastructure for the nation’s water supply, telecommunications, and energy needs. Nowhere was this more clearly seen than in last summer’s NotPetya malware attack, which caused billions of dollars of damage to banks, shipping ports, law firms, transportation networks, and government agencies in sixty-four countries worldwide, including Europe and the United States.[3] At the same time, it is the private sector that develops the technology to protect federal agencies and corporations from attack, and is intimately affected by policy shifts made by the government which affect regulation of their platforms, encryption, creation of back doors, and more.

To address this coordination challenge, cybersecurity concerns have been given prominent place in the White House, where cyber coordinator Rob Joyce oversees the cybersecurity activities of all U.S. agencies, both civilian and military, nation-wide. He also serves as deputy to Tom Bossert, President Trump’s Homeland Security Advisor.[4] Calling for closer cooperation between corporations and the government to defeat nation-based cybersecurity threats, Joyce said from the Bayerischer Hof at the Munich conference that Russia, whose military the White House publicly named as responsible for the NotPetya malware attack, will be made to pay for its actions.[5]

The link between government and corporations in fighting cyber threats was long a goal of the State Department’s Office of the Cybersecurity Coordinator. However, a fruitful bilateral dialogue between Germany and the Coordinator’s office was largely put on hold almost a year ago when the Coordinator left the Department, making diplomatic coordination on cyber norms difficult, even as both countries’ policies on how to respond to cyberattacks are in rapid motion. In the middle of these developments, the State Department is being reconfigured to include a Bureau for Cyberspace and the Digital Economy, combining the previous Office of the Cybersecurity Coordinator, which Secretary of State Rex Tillerson wanted to shutter last year, and the Bureau of Economic Affairs.[6]

At the same time, Department of Homeland Security Secretary Kirstjen Nielsen is also making cybersecurity a top priority. Add the National Security Agency, U.S. Cyber Command, and the many cyber programs and offices of the intelligence agencies, and there are an overabundant number of cooks in the national cybersecurity strategy kitchen. Despite the proliferation of cyber bosses, there remains a gap of cyber experts, with 3.5 million cybersecurity jobs expected to be unfilled by 2021.[7]

On the German side, who is boss sounds more clearly defined according to international law, but the reality of cyberwar makes it more complicated. The newly christened Cyber Command of the Bundeswehr coordinates offensive measures taken in response to cyberattacks that harm the German military capabilities.[8] In peacetime, the German Interior Ministry (Bundesministerium des Inneren) oversees coordinating cybersecurity efforts, while in war, the Defense Ministry would be in charge. Yet in an era where nation-states launch attacks that can disable military systems, and civilian infrastructure and federal systems can be compromised without official declarations of war, the Bundestag may not yet be ready to give the Defense Ministry the mandate it needs to act, even if an enemy nation-state can be attributed as being involved in the attack.

The new ruling coalition has decided to keep Germany’s federal information security agency, the BSI, subservient to the Interior Ministry in responding to cyber risks, with an increased focus on helping civil society and small and medium-sized businesses deal with cyber threats. The BSI also cooperates with the intelligence agency BND as well as with police to fight cybercrime.[9] The Foreign Office has a Special Envoy for Cyber Foreign Policy, and focuses on cyber norms, while the Economics and Energy Ministry focuses on security standards affecting the telecommunications and energy sector.

With many attacks such as NotPetya, more than one agency will be involved in responding. And as cyberattacks do not limit themselves to territorial adventures, many countries will be involved in countering the threats. It is that much more important that old allies are in regular contact—and can synchronize their data and analysis, when necessary, to ensure protection from common actors. It’s not just the communication flow of the many cyber agencies in both countries that needs improvement, however. In Germany, it’s also capabilities.

Europe’s Interconnectedness and Digitalization Gap

Just two weeks before the cybersecurity attack on Germany’s internal government system was made known, an energetic Minister of Defense Ursula von der Leyen announced to a room full of politicians and tech aficionados at the MSC’s Innovation Night that the German Bundeswehr needed to be a driver of innovation, with the courage to experiment, but also to fail. Von der Leyen admitted that night that further cuts to the defense budget requested by government coalition partners put Germany’s security in a tough spot.

Germany continues as the country second hardest hit by financial loss from cybercrime, behind the United States.[10] At the same time, it is also increasingly a target of cyber espionage by Turkey, Russia, and China. One very small part of the problem is that IT security standards it had committed to under the EU digital agenda have been difficult to attain. This requires a high amount of voluntary cooperation between the private sector, which must standardize both its cybersecurity infrastructure and its personnel know-how, and the government.

Germany is also affected by the fact that Europe-wide, armed forces are unable to effectively communicate quickly due to an “interconnectedness and digitalization gap.”[11] In addition to needing $120 to 140 billion in upgrades to high-bandwidth data links required to enable platforms to communicate with each other, networked infrastructure is also urgently needed, to the tune of $10 to $15 billion. The new government coalition wants to help bridge this gap with €12 billion in subsidies for high speed internet.[12]

Personnel able to protect and defend the platforms would cost another $2 to $3 billion per year.[13] Data can be more efficiently analyzed with increased personnel. There are 2,500 to 3,500 cyber warriors in the European cyber mission, with twice that many in the U.S. Cyber Command. For efficient cyber offense and defense, Europe needs 6,000 to 7,000 cyber warriors, according to a study by McKinsey conducted for the MSC.[14] Combined cyber operations centers will also enable more streamlined processing and analysis of intelligence data.

A Legal Grey Zone

Allied countries have an interest in keeping each other apprised of cyberattacks that can affect networked systems, or compromise data of joint operations. Yet a joint response to an attack—and the point in time at which an allied nation must inform its counterpart that their systems are at risk—is not as clear cut as it would seem.

Germany’s military, for example, is allowed to legally hack back after defense resources have been attacked. It is not allowed to conduct such an action if, as in this case, civilian infrastructure has been attacked.[15] This has far-reaching consequences for the civilian population, which is put at risk when government systems are compromised, and which could be dangerously affected if water systems or power plants were hacked. Germany’s new government has pushed down the road the decision on when hack backs could be used when civilian and federal agencies are affected.

In the United States, the same dilemma exists. Lieutenant General Vincent Stewart of the U.S. Defense Intelligence Agency (DIA) announced that the U.S. government plans to capture malware and return it to the attacker as a way to defend itself when the military or government is attacked.[16] But a controversial piece of legislation, called the Active Cyber Defense Certainty Act, which would allow companies to conduct limited retaliatory attacks, has stalled in Congress.[17] U.S. Cyber Command Chief Admiral Mike Rogers warned Congress that due to difficulties in identifying the attacker with absolute certainty, hack backs could damage innocent third parties. Tech leaders have also warned that legalizing hack backs would pave the way for critical infrastructure to be more easily damaged.[18]

At the same time, attacks such as those on the Foreign Office, in which a system is infected with inactive malware for over a year without being noticed, are incredibly hard to detect. Even if a partner agency has the knowledge that its own nation’s systems are being affected, it does not mean that the same source has infected its allies.

Rules of the road agreed to by both countries—whose actions often have consequences for their allies—are needed to clarify when countries should be able to hack back, and when to inform their partners of risks.

When asked on the sidelines of the MSC if there is a standard that can be used by allied countries to be able to respond to a cyberattack, Merle Maigre, Director of the NATO Cooperative Cyber Defense Center, clarified that NATO reserves the right to “purposeful ambiguity,” as every attack is different in nature. Election hacks cannot be qualified as an armed attack, she explained.

For the protection of both our democracies, and their security, both Germany and the United States have now, more than ever, a vested interest in ensuring that the grey zone of ambiguity—of when to act, and when to tell—is daily getting smaller.


[1] Frank Jansen, “Hackerangriff auf Bundesdatennetz gestoppt,” Tagesspiegel, March 2, 2018. The internal network, IVBB, allows the chancellery, ministries, security services, and federal auditing office to communicate internally.

[2] “Breach from the East,” Der Spiegel, March 5, 2018.

[3] Natasha Turak and Hadley Gamble, “US will impose costs on Russia for cyber ‘acts of aggression’ White House cybersecurity czar says,” CNBC, February 16, 2018.

[4] Chris Bing, “White House cybersecurity coordinator takes on additional role in Trump administration,” Cyber Scoop, October 13, 2017.

[5] Natasha Turak and Hadley Gamble, “US will impose costs on Russia for cyber ‘acts of aggression’ White House cybersecurity czar says,” CNBC, February 16, 2018.

[6] Olivia Beavers, “Tillerson proposes new unified Bureau at State to focus on cyber,” Politico, February 6, 2018.

[7] Steve Morgan, “Cybersecurity labor crunch to hit 3.5 million unfilled jobs by 2021,” Cybersecurity Business Report, June 6, 2017.

[8] Defense Minister von der Leyen commented at the opening ceremony of the Cyber Command that the German military can only act offensively when it is attacked. Germany is only prepared for a case of self-defense. See Kersten Mügge, “Bundesregierung plant digitalen Rettungsschuss,” Deutschlandfunk, April 20, 2017 for her quote in original German: “Sobald ein Angriff die Funktions- und Einsatzfähigkeit der Streitkräfte gefährdet, dürfen wir uns auch offensiv verteidigen.” “Wir sind also nur für den Verteidigungsfall vorbereitet und nicht für den Fall, in dem solche Angriffe außerhalb einer kriegerischen Handlung stattfinden oder verdeckt stattfinden oder man nicht genau weiß, wer der Urheber ist. Dafür gibt es bislang keine rechtliche Grundlage.”

[9] Mirko Hohmann, “Deutschland 4.0? Germany’s Digital Strategy Over the Next Four Years,” Council on Foreign Relations, March 5, 2018.

[10] Average annual cost to companies increased from $7.8 to $11.1 million in Germany and from $17.3 to 21.2 million in the United States, “2017 Cost of Cybercrime Study,” Ponemon Institute, LLC.

[11] “To the Brink – and Back?” Munich Security Conference Report 2018, p. 19.

[12] Mirko Hohmann, “Deutschland 4.0? Germany’s Digital Strategy Over the Next Four Years,” Council on Foreign Relations, March 5, 2018.

[13] Ibid.

[14] “To the Brink – and Back?” Munich Security Conference Report 2018, p. 23-24.

[15] Melissa Eddy, “Germany says hackers infiltrated its main government network,” The New York Times, March 3, 2018. See also, Kersten Mügge, “Bundesregierung plant digitalen Rettungsschuss,” Deutschlandfunk, April 20, 2017.

[16] AJ Dellinger, “Government Hacks Back: US Military Plans Malware Retaliation Against Attackers,” International Business Times, August 21, 2017.

[17] Iain Thomson, “US Congress mulls first ‘hack back’ revenge law,” The Register, October 13, 2017.

[18] AJ Dellinger, “Government Hacks Back: US Military Plans Malware Retaliation Against Attackers,” International Business Times, August 21, 2017.

The views expressed are those of the author(s) alone. They do not necessarily reflect the views of the American-German Institute.