German Cybersecurity Policy 2021-2025

Alexandra Paulus Commentary

The new German government will mean a shift for the country’s cybersecurity policy. The joint coalition agreement of the three ruling parties lays out their plans for the next four years and signals changes of course in areas like encryption policy and “hackbacks”. In other fields – particularly cyber diplomacy – the devil will be in the details. The country’s cybersecurity policy will also be affected by broader policy projects, such as a review of all governmental surveillance powers and the development of a national security strategy.

In September 2021, Germans elected a new parliament – the Bundestag – and determined who would form the next federal government. The stakes were high: Angela Merkel, after 16 years as chancellor, wasn’t running. Merkel’s Christian Democrats and their Bavarian counterpart, the Christian Social Union, suffered a significant loss, to the benefit of other parties. Three parties – the Social Democrats, the Greens and the Liberals – entered coalition talks and on 24 November 2021 presented their coalition agreement. The new government – with social democrat Olaf Scholz as chancellor – was formally appointed on 8 December. This may signify a watershed moment for Germany’s cybersecurity policy: while the Christian Democrats have traditionally prioritised national security matters, the three parties that will form the new government have long emphasised their commitments to digital policy. Below is an overview of what to expect from German cybersecurity policy between now and 2025.

More Independence for the National Cybersecurity Agency

Germany’s national cybersecurity agency (BSI) plays a key role in protecting the country from cyber threats, earning it a place at the forefront of all relevant policy debates. For years, experts have argued that the BSI needs greater independence from the Federal Ministry of the Interior, as the latter is responsible for both promoting IT security and undermining IT security for the purpose of law enforcement and intelligence. This year, Germany passed the second version of its IT Security Law, which gave BSI a little more independence. However, that wasn’t enough for the parties forming the incoming government, as the coalition agreement refers repeatedly to a “more independent BSI”. In addition, the BSI will assume a central role connecting the various state-level cybersecurity agencies of Germany’s federal system.

Right to Encryption

Until 2020, Germany’s stand on encryption was quite straightforward: it was committed to strong encryption, while enabling law enforcement and intelligence agencies to conduct government hacking operations. In 2020, however, Germany moved the debate towards lawful access mechanisms by using its EU Council Presidency to table a resolution at the EU level advancing a particular interpretation of recital 54 in the draft of the EU Network and Information Security Directive 2. The current wording about encryption in the coalition agreement reverses this approach and instead promotes the right to encryption. It is not clear, however, how the new government plans to put the genie back in the bottle.

No “Hackbacks”

The coalition agreement promises “generally, no hackbacks”. However, it is unclear what the coalition defines as a “hackback” and what “generally” means in this context. It does definitely leave a small door open for invasive active cyber defence operations, especially since active cyber defence is mentioned in the country’s latest cybersecurity strategy, published in September 2021 under the outgoing government. The agreement’s effect will come down to the definitions of “active cyber defence” and “hackback” and the interpretation of “generally”. The German government should have been wiser than to pass a strategy during the outgoing government’s last months in office.

Vulnerability Management

While the national cybersecurity strategy mentions a coordinated vulnerability disclosure process as well as a vulnerability equities process, the coalition agreement takes a slightly different approach to the topic. It designates BSI as the central coordinating agency and spells out that every vulnerability will be rapidly disclosed and that the government will neither stockpile nor procure vulnerabilities. Additionally, the current legal grey zone for security researchers will be addressed, so they don’t have to fear repercussions for discovering and disclosing vulnerabilities in a responsible manner. This has been a topic generating quite a bit of concern in recent months.

Reform of the (Cyber)security Architecture

A reform of Germany’s cybersecurity architecture has been debated for years, with a focus on the legal statuses of its national cyber defence center (NCAZ) and the agency in charge of procuring and researching tools to be used by law enforcement and intelligence agencies (ZITiS). Both are central entities that urgently need to be put on transparent and sound legal footings. This is also true of the nation’s leading strategic platform, the cybersecurity council (Cyber-SR), which has not been mentioned explicitly in the coalition agreement. However, the document does suggest reviewing not just specific stakeholders but the general security architecture. The coalition further promises to review the role of the army’s Cyber Command (CIRBw), though it is unclear what that actually means. The agency for technical assistance (THW) is supposed to include cybersecurity assistance in its portfolio, and civil society has spent several years promoting a concept of what that might look like.

Cybersecure Everything

Apart from security-by-design and security-by-default, the coalition agreement mentions cybersecurity specifically in connection with education platforms, small- and medium-sized enterprises’ IT infrastructure, smart grids and the cloud for public administration. This suggests the coalition understands cybersecurity to be a cross-cutting issue that must be included ex ante in digitisation projects – at least that’s what the authors would like to read into this.

National Security Policy and Cybersecurity Policy

There are two noteworthy issues at the intersection of security policy and cybersecurity policy that can be found in the coalition treaty. First, the government promises to map surveillance powers across the whole government, to evaluate whether more or less surveillance in certain areas is desirable. In the German debate, this is known as the “Überwachungsgesamtrechnung”. This issue is closely connected to a planned general evaluation of security laws, because it’s difficult to evaluate the usefulness of security laws without taking stock of what police and intelligence powers exist and how effective they are – a point that experts have made in the past.

Policy Coherence and Whole-of-Government Approach

At the EU level, the document aims to establish “an EU digital policy that follows a whole-of-government approach” that bridges differences between the distinct directorates general. While this is a laudable objective, it raises the question of why the issue of policy coherence is not addressed with equal importance at the national level. Currently, Germany’s national cybersecurity policy in some regards misaligns with some of its cyber diplomacy commitments, for example in the case of encryption policy. Such coherence would be essential, however, as Germany currently does not have a cyber diplomacy strategy and the international aspects mentioned in the national cybersecurity strategy are in part contradictory. One way forward might be the national security strategy that the new government will elaborate. This would be the first such document for Germany.

Cyber Diplomacy

On the global stage, the new government wants to pursue “active cyber diplomacy”. This diplomatic field has become polarised: one group of states led by Russia and China aims to undermine the global and open nature of the Internet. It is therefore encouraging to see that advocating for “a global, open internet” will be a priority of the new German government. After important cyber diplomacy advances in 2021, especially at the United Nations, the tenure of the new government will coincide with the second UN Open-Ended Working Group on cybersecurity and the drafting process of a global cybercrime convention at the UN. In both forums, Germany will need to coordinate with its partners and allies in the EU and beyond to put these calls into practice, for example by further developing the EU’s Cyber Diplomacy Toolbox or by developing response instruments that can be used when consensus among all EU member states – a prerequisite for triggering the toolbox – cannot be achieved.

Cyber Norms and International Law

Among the diverse cyber diplomacy issues, cyber norms and international law play a key role. In late 2020, Germany, together with five fellow EU member states, reaffirmed its commitment to both in a non-paper. While the coalition agreement endorses cyber norms, the authors do not detail how the government wants to overcome current challenges like lagging norm implementation. Regarding international law, the agreement calls for establishing “an international law of the net”. This formulation stands in contrast to Germany’s previous commitment, most recently outlined in the 2021 Position Paper On the Application of International Law in Cyberspace, that “international law, including the UN Charter and international humanitarian law (IHL), applies without reservation in the context of cyberspace”.

Technical Standards

Alongside these norms and legal provisions regulating state conduct, the new German government also wants to play an increasingly active role in international forums and processes to develop technical standards. However, it remains unclear which issues Germany will prioritise and how the country will seek to build coalitions in international organisations, such as the International Telecommunication Union, in the face of growing opposition by authoritarian states.

Cyber Capacity Building

In the field of international cyber capacity building, the new leadership will aim at “supporting partners in building their independent digital infrastructures for strengthening their respective digital sovereignty”. This points to the Global Gateway initiative of the EU but seems to neglect other elements of cyber capacity building, many of which Germany already actively pursues. A key challenge will be to define the respective roles of the Federal Foreign Office and the Federal Ministry for Economic Cooperation and Development, as both ministries are active in this field now.

Export Controls

The future governing parties aim to reform export control regulation – including but not limited to cyber capabilities that can be used for malicious purposes – at both the national and EU level, following the recent recast of the EU dual-use regulation. The document goes beyond the EU regulation by committing to not exporting surveillance technologies to “repressive regimes”. This follows debates about the use of these technologies in human rights violations worldwide and export control action by the United States. It remains to be seen, however, how the German government will define and identify repressive regimes and surveillance technologies. This measure could contribute to the establishment of an international norm that severely restricts the proliferation of these technologies.

Arms Control

Another diplomatic priority of the new government will be arms control. Regarding “cyber weapons”, the coalition agreement envisions a “digital disarmament policy” that will advocate for “the peaceful use of […] cyberspace” and strive for cyber arms control initiatives. Considering the structural challenges of applying this policy instrument to software, it will be interesting to see which new approaches the government will follow.

International Partners

The coalition agreement also lays out concrete priorities for cybersecurity dialogue and coordination with international partners. Digital policy will continue to figure prominently in Germany’s dialogues with the states of the Indo-Pacific region and the African continent. With the United States, Germany wants to collaborate more closely on technical standards, disarmament and international security. While the document does not specify this, it is likely that the whole-of-government China strategy that is to be drafted by the new government – on the topic of which the coalition agreement strikes a more assertive tone than previous German policy documents – will feature cybersecurity. The agreement does not specify cybersecurity as a priority in Germany’s diplomacy towards Russia.

Miscellaneous

There are a couple of issues, such as greater funding for cybersecurity research, product liability and exclusion of untrustworthy vendors, that the government will definitely need to provide more detail on during the next couple of months to indicate its plans and objectives.

Conclusion

The new government will have a lot to deliver on in the field of cybersecurity. Several initiatives could make lasting marks on both national policy and international debates, like the commitments to refrain from procuring software vulnerabilities and to avoid exporting surveillance technologies to repressive regimes. On other issues, the coalition agreement stands in contrast to previous commitments the German government has made, for instance in the national cybersecurity strategy or the Position Paper On the Application of International Law in Cyberspace. These tensions will need to be solved. In other cases, the coalition agreement contains blanket statements that are open to diverging interpretations – in these cases, the proof of the pudding will be in the eating. Independent from its actual implementation, the coalition agreement has a refreshing, brave and ambitious take on cybersecurity policy.

Thumbnail Image credits: @purzlbaum on Unsplash.

About the Author

Alexandra Paulus

Alexandra Paulus is Project Director for International Cybersecurity Policy at Stiftung Neue Verantwortung, the Berlin-based tech policy think tank. Her work focuses on cyber diplomacy, the development and implementation of cyber norms and non-traditional actors in international cybersecurity policy.

About the Author

Sven Herpig

Sven Herpig is head of international cybersecurity policy at the Berlin-based tech policy think tank Stiftung Neue Verantwortung. Sven worked for the German government on IT security issues in various positions and served as an expert for the German parliament.