Cyber warfare: defense is harder than offense

"Active cyber defense" for Germany: the secret war on the net

"Our security authorities must have the legal and technical instruments to combat politically motivated crime effectively. That also applies to the area of cybersecurity, where we as the federal government and parliament still have two major projects to tackle: active cyber defense and the IT Security Act 2.0."

Federal Minister of the Interior Horst Seehofer in mid-May. He wants to allow the security authorities to respond to sabotage over the Internet with countermeasures. Critics call this a hackback.

"That is always the very last of all possibilities, if all other defense options fail. If you imagine a major attack on critical infrastructure - not just energy supply, but hospitals and the like, and everything at the same time - then a situation can arise where the conventional defense options are no longer sufficient."

Autumn reception of the security authorities: Federal Interior Minister Seehofer wants to allow the services to respond to sabotage with "hackbacks". (AFP / POOL / John Macdougall)

Active cyber defense instead of "hackback"

Active cyber defense can mean various measures: the relatively harmless tracing of the digital traces left by the alleged originator, the shutting down of programs - or even the destruction of a device's control system. Andreas Könen heads the Cyber and Information Security Department in the Federal Ministry of the Interior. He doesn't want to talk about hackback.

"I don't hack back, I don't attack his infrastructure because he attacks mine - that is what the word hackback always implies, and that's why I reject the word hackback. It's about security, it's about ending the danger posed by an attack - and hackback just doesn't fit."

Officials should be able to take over Internet servers and overcome access barriers and encryption. A draft law intended to enable such measures is already sitting in the drawers of the Ministry of the Interior.

"This is a process that will then make legislation necessary again, in a further round after the IT Security Act and after the amendment to the Constitutional Protection Act. In the next steps, of course, it also needs to be determined which authority should actually perform this for the Federal Republic of Germany in the event of a crisis or disaster."

Not only hackers, but also security authorities use IT security gaps in their work. (imageBROKER)

Until now, averting danger has been a matter for the federal states

It will be some time before that happens. Even the announced IT Security Act 2.0 is controversial within the grand coalition. The interior and justice ministries have not yet been able to agree on a draft.

So-called active cyber defense does not quite fit into the structure of the German security authorities. Andreas Könen thinks the Federal Intelligence Service is best suited for it - but so far it has no police powers of intervention and is actually only supposed to collect information. Averting danger is a police matter and therefore falls to the federal states. Interior Minister Seehofer therefore wants to amend the Basic Law.

"If one comes to the conclusion in such scenarios that the federal states cannot shoulder it alone, it is our duty to prepare ourselves legally for such a situation. If we never need it, I would prefer that."

Intelligence services and the police work closely together in the field of cyber defense. This is explosive from a civil-rights standpoint. The constitutional separation requirement actually provides for these areas to be kept apart, in order to prevent an overpowering and uncontrollable apparatus.

The Federal Intelligence Service is best suited for active cyber defense, says Andreas Könen from the Federal Ministry of the Interior. (picture alliance / Christoph Soeder / dpa)

Legal gray areas in cyberspace

And there is a third actor on board - the military. The Bundeswehr has had its own Cyber and Information Domain Command, or CIR for short, for a good two years. Fritz Felgentreu, the defense policy spokesman for the SPD, explains:

"The basic idea is: how can we build up a defense capability in cyberspace? Our big problem is that threats have suddenly emerged in cyberspace that can exceed the threshold of a normal hacker attack, giving them the intensity of a military attack."

Excerpt from a Bundeswehr recruiting poster for cyber defense staff (Bundeswehr)

When the Bundeswehr penetrates IT networks abroad, or even domestically, it operates in a legal gray area. General Ludwig Leinhos, who is in charge of the CIR command, recently called for the "digital defense case" to be legally regulated. Tobias Pflüger, the defense policy spokesman for the Left Party, thinks little of it:

"If you treat this area in the same way as land, sea and air, then it is clear that the requirements of the Basic Law also apply in this area."

Members of the Cyber and Information Domain Command at roll call (dpa / Ina Fassbender)

NATO exercise for the event of cyber war

"Good morning, cyber warriors around the world! Welcome to Locked Shields 2019! At the toughest cyber exercise of the world ..."

In the spring, NATO practiced for cyber warfare. German soldiers also took part in the Locked Shields maneuver, which was coordinated from Estonia. The scenario: a hacker group close to a foreign power is spreading fake news - propaganda and disinformation - in order to unsettle the population. At the same time, it tries to take control of the waterworks and to turn up the digitally controlled chlorine supply in order to poison the drinking water.

How realistic are such scenarios - and what could "offensive measures" achieve against such attacks? There is talk of cyber war and cyber weapons. But many computer scientists are skeptical of the military language. Rainer Rehak from the Berlin Weizenbaum Institute for the Networked Society, for example.

"The 'ammunition' - in quotation marks - is knowledge of security gaps, which can then be implemented in small pieces of software that exploit them, so-called exploits, in order to take over, read out or even shut down third-party systems."

During the Locked Shields maneuver in Estonia, NATO rehearsed war on the Internet. (NATO)

Experts warn against striking back blindly

Cyber war follows different rules than conventional war. For example, it is not declared. It takes place in secret. The big cyber powers - America, China and Russia - try to infiltrate each other's networks and gain access in order to obtain information and opportunities for sabotage. But they never come out of cover.

"It's almost invisible who is firing which rockets where, and when rockets hit, it's not at all clear where they came from. This idea - there is an attacker on the other side, and I hit back to stop him - does not match the way IT attacks actually work."

IT security experts call this problem - clarifying where an attack is coming from - attribution. Using digital traces, they try to find out who has manipulated a computer or a network. But, explains the cryptographer Rüdiger Weis from the Beuth University of Applied Sciences Berlin, such analyses only provide plausible probabilities. He considers hackback measures to be irresponsible.

"It is sometimes psychologically understandable that people say: if the others have it, we want it too. But: if people throw beer bottles through the air at the Oktoberfest, then I shouldn't do it just because other people do it. I shouldn't blindly throw beer bottles in the direction from which I think the beer bottle is coming; that could escalate very quickly under certain circumstances. Perhaps that's a bit too graphic a comparison - but it is the same with attacks on the Internet."

Originators of cyber actions are difficult to identify

A quantum cryptography test device: the models available so far still have security gaps. (Deutschlandradio / Frank Grotelüschen)

The originators of a cyber action are difficult to identify. Hitting their infrastructure is then even more difficult. And there is another problem, emphasizes Rüdiger Weis: the attacks are based on previously unknown software vulnerabilities, so-called zero-day exploits. However, such exploits usually spread over time: first other countries use them, then criminals.

"It is a drastic problem that every security gap is open to attack. And of course every backdoor is an open wound."

In a cyber war, a state has to bypass the protective measures of its opponents.

In other words: it needs hackers.

"I'm an independent IT security researcher, but also a hacker. That's what I would call myself. I like to break things, and I do that professionally and in my free time."

Thorsten Schröder is the managing director of Modzero. His company specializes in searching for IT vulnerabilities. The website, kept plain as is customary in the industry, already makes the following clear:

"We simply refuse to let our services or our products be used for military or intelligence purposes. No, I just won't be part of that!"

On the black market, more and more states engaged in cyber war are appearing as buyers - states that are obviously killing dissidents, criticizes IT expert Schröder. (Eyeem / Kritsada Seekham)

Black sheep abound in the market

The market for security vulnerabilities has changed, reports Thorsten Schröder.

"They have become very rare. But that also means that if there is an exploit that spreads through the entire phone, then it is worth a lot. Companies have established themselves on the market that deal in vulnerabilities; that is, they advertise specifically at hacker events and say: here, if you've ever found a security gap, don't report it to the manufacturer, come to us. And then they outbid each other at the hacker events - I'd say, well, for such a jailbreak exploit you can easily get $500,000. And then there are independent researchers who say: 'I can make a living from it. If I find a big bug once a year in one of these big, widely used products, then I'll sell it for half a million or 200,000, and I'll make ends meet with that.'"

In this black and gray market, more and more states are appearing as buyers in the course of the cyber war. Without software errors there are no "offensive measures". Many of the so-called brokers display morally questionable business conduct, criticizes Thorsten Schröder.

"They also supply services and states that obviously hunt and kill dissidents. That is one of the reasons why I do not want to have anything to do with this industry."

The role of the BSI and security gaps

In Germany, the Ministry of the Interior is responsible for both IT security and public security. The Central Office for Information Technology in the Security Sector, ZITIS for short, was set up two years ago. Its task: to give the services and the police access to data on smartphones and laptops. This often requires unused, i.e. previously undetected, security gaps. At the same time, however, the Federal Office for Information Security (BSI) is responsible for closing such access points as quickly as possible - and this office is also part of the Ministry of the Interior.

In the future, network operators are to have their systems certified by the BSI and report any security gaps that have become known to them. But they fear that such information could pass via ZITIS to the police authorities and the services - which is bad for many customers who value confidentiality.

At a Bundestag hearing of experts in April this year, Klaus Landefeld from the Association of the Internet Industry said:

"So we see it this way: (for the function of the BSI) a clarification must actually be made that the BSI can work independently of the considerations of other bodies, other security authorities, and is exclusively obliged to improve IT security and networks."

All opposition parties except the AfD are now calling for the BSI to be separated from the Ministry of the Interior. (dpa / picture alliance)

Questions about the independence of the BSI

All opposition parties except the AfD are now calling for the BSI to be separated from the Ministry of the Interior. The Green politician Konstantin von Notz addressed BSI President Arne Schönbohm directly at the hearing:

"That's why I'm going to ask you pointedly, Mr. President: the BMI won't be looking over your speaking notes for the hearing beforehand, will it? You know, I'm fighting very hard for your independence, but it would help if you as president also took a stand, because that would actually be an important building block."

(Schönbohm:) "Mr. von Notz asked me to take a position on the issue of the independence of the BSI. Well, I actually feel very comfortable. The question is always - and that is what lies behind it - there is always a feeling among some of the experts that some vulnerabilities are being passed on to someone there. I've been in this position and in this function for a good three years. I have never been prevented anywhere from ensuring that a vulnerability is closed quickly (interjection). Yes, I know, it's public, everything is clear. And I feel very, very comfortable in the current phase, the way we all work together."

(Von Notz:) "But if you were of the opinion that hackbacks are the devil's work, could you say so - as President, under the technical and legal supervision of the Federal Ministry of the Interior?"

(Schönbohm:) "Of course I can say that. The question is how many times I can say that, but I can certainly say it."

Schulze: "Offensive skills, but no strategy"

China, Russia, Europe and the USA face each other in an intensified digital arms race. (picture alliance / Klaus Ohlenschläger)

"I am not fundamentally against hackbacks, I am against the careless use of them."

Matthias Schulze from the Stiftung Wissenschaft und Politik (German Institute for International and Security Affairs), Security Policy Research Group.

"So at least since 2016 we have had a more offensive tone in German IT security policy. Before that, the whole thing was primarily civilian and defensively oriented. In 2016 we have the new white paper, which has a more offensive touch; we have the establishment of the CIR command; we have the creation of ZITIS. And these are all stakes being driven in to move in a more offensive direction."

Matthias Schulze complains that there is no recognizable overall concept and warns of unwanted consequences:

"We are building offensive capabilities, but we don't have a strategy for how we want to deal with them. Because if you look at the interaction of cyber powers, it is to be expected that what we are doing will be tested. In other words, offensive actors test what our political will to use these capabilities looks like."

The big blocs' digital arms race

In fact, the world powers are in an intensified digital arms race. It is being driven by the militarily strongest among them: China, Russia, Europe - and, at the head, the United States.

US Vice President Mike Pence: "The American security authorities will be just as dominant in the digital world as they are in the physical one." (dpa-Bildfunk / Tobias Hase)

"Resilience though isn't enough. We also must be prepared to respond ..."

A year ago, US Vice President Mike Pence gave a speech on American cyber strategy:

"Our administration has begun to put the United States Cyber Command on an equal footing with the other branches of the armed forces. The days when our adversaries could attack us with cyberattacks with impunity are over. Our goal remains: American security agencies will be just as dominant in the digital world as in the physical one."

"This is a very aggressive, offensive cyber doctrine. In contrast to the Western European doctrines, which are more defensive and based on defense, the Americans argue: okay, deterrence doesn't work in the digital space anyway, so we'll try to solve the whole thing operationally, by permanently tying up the opponent's attackers, because we keep them busy fending off our own cyberattacks."

Permanent infiltration attempts, opponents unclear

In the corresponding strategy paper of the Department of Defense, the approach is described as "persistent engagement" and "defending forward" - permanent confrontation and forward defense. Specifically, this means: constant attempts to infiltrate the networks of opponents and monitor their activities.

"That means that it no longer takes place only in your own network, but also in the opponent's network and also in allied networks. It is therefore quite possible that American Cyber Command hackers play defend forward in German or European networks and interact there with Russian or Iranian hackers."

Experts believe it is entirely possible that American Cyber Command hackers play defend forward in German or European networks and interact with Russian or Iranian hackers. (imago / Sven Simon)

Is US Cyber Command active on German servers, and is it possibly placing digital back doors there? Andreas Könen from the Federal Ministry of the Interior:

"Malicious software in German systems is certainly an unacceptable thing, no matter by whom it is implemented or where it comes from ... We strive for systems that are preventively and cleanly secured and that do not contain any malicious code; anything else is not acceptable anywhere in German infrastructure and for no one. But I don't see that either; I don't see any point where something like this is required or even intended by our American friends."

On Thursday of this week, the Ministry of the Interior will present its report on the IT security situation. No news on active cyber defense is to be expected. But it will once again become clear how vulnerable our digital infrastructure is. The computer scientist Rainer Rehak from the Berlin Weizenbaum Institute therefore demands that we concentrate on defense.

"If I'm putting so much money on the table and building up competencies - why not do it right? Call it, I don't know, the 'Agency for Software Defense', if it absolutely has to sound military. With this active cyber defense, we are actually hiding the fact that we don't have our normal IT security under control at all."