Federal cyber defence authorities are to be strengthened with two amendments to the Constitution. This is the plan of Federal Interior Minister Nancy Faeser. Critics call the envisaged capabilities “hackbacks”.
“We fundamentally reject hackbacks as a means of cyber defence,” the ruling government in Germany had written into its coalition agreement. This refers to the ability to penetrate and manipulate third-party server systems. The promise to renounce such hacker attacks by the state seems to be history after an announcement by the Federal Minister of the Interior, Nancy Faeser. The Social Democratic Party (SPD) politician told Redaktionsnetzwerk Deutschland on Monday that she wants to allow the Federal Criminal Police Office (BKA) to defend against cyber attacks. In “individual cases permissible under international law”, the Wiesbaden-based agency is to be allowed to take action against IT systems abroad.
Faeser is planning an amendment to the Constitution. So far, the BKA is allowed to investigate abroad, but not to intervene. In the area of the Darknet, for example, the German Criminal Police Office has “outstanding expertise”, Faeser said. International cooperation takes place, among others, with civilian and military intelligence services from the USA and France as well as Europol.
“There is hardly an authority in the national security structure that would be less suited for hackbacks than the BKA,” says Dennis-Kenji Kipker, professor of IT security law at the University of Bremen, in response to a question from “nd”. The BKA is a federal police agency with a focus on information and investigation work, Kipker says. “That’s kind of like me telling the Federal Police to arrest people in North Korea, China or Russia because they violate German law.”
It is also questionable where the technical competence for police cyber defence should come from. With the Central Office for Information Technology in the Security Sector (ZITiS), the BKA has set up a department that critics call a “hacker authority”. However, so far it is only looking for new ways to intercept secure communications and to analyse the data streams obtained in the process. There is no corresponding law for hackback powers of ZITiS.
Faeser announced a second constitutional amendment for the Federal Office for Information Security (BSI). Similar to the BKA, the authority with its headquarter in Bonn is to become a central office for the federal states, which are currently still responsible for cyber security.
The BSI already houses the National Cyber Defence Centre with the federal secret services, the BKA and customs. The authorities jointly try to determine the originator of a cyber attack. After this attribution, it is decided who is responsible for the defence. If it is an incident in the area of organised crime, for example, the BKA takes over. If another state is behind it, it would be a case for the Federal Intelligence Service and ultimately also the Bundeswehr. The military has set up a Cyber and Information Space Command with a digital intervention force for this purpose.
Under Interior Minister Horst Seehofer (Christian Social Union, CSU), the previous coalition government had already introduced the IT Security Act 2.0 and upgraded the BSI to a “central general reporting office”. In addition to collecting information, it is allowed to demand information from telephone and internet providers at any time and also to issue orders for troubleshooting. In addition, the BSI is to actively search for security vulnerabilities in federal IT systems and also try out simple passwords – de facto a hacking. If the BSI finds an infection, the operators of the website in question must redirect this data traffic via the authority.
Faeser describes her initiative as a “turning point” after the Russian war of aggression against Ukraine. The term, which was chosen as “Word of the Year” 2022, had been used by the German Chancellor Olaf Scholz (SPD) three days after the start of the war. At the end of February, Faeser had warned of a high danger from Russian disinformation, espionage and sabotage and announced the expansion of the BSI in this context.
Shortly afterwards, several German and international media had reported about the Moscow software company NTC Vulkan, which had been commissioned by Russian secret services to develop cyber weapons against critical infrastructure of Western countries. The aim was to paralyse “control systems of railway, air and ship transport” as well as vital areas such as electricity and water supply. The research is based on secret papers leaked to the media by unnamed sources. Western intelligence agencies call these documents authentic.
Published in German in „nd“.
Image: Cyber Crime Unit at BKA (BKA).