A Reliable Global Cyber Power

Please note that the online version of this DGAP Policy Brief below does not include footnotes. To see them, please read the PDF version here.

Introduction

Russia’s invasion of Ukraine gives Germany a unique opportunity to position itself on the global cyberspace stage. It must go beyond its simple declarations of conducting cyber operations in accordance with international law and its commitment to pursue capacity building. Such anodyne statements are incomprehensible to Germany’s allies, especially in times of crisis. Berlin instead needs to take action that fits a strategic narrative. In short, it is time for the country to take a stance as a (cyber) power and shed a reputation for unreliability.

Germany has always pictured itself as a good partner, part of a Bündnis (alliance) with Western powers. But German politicians now increasingly believe that their country needs to stand out from the pack, assume leadership, and wield military and security capabilities that match its economic power. Attaining these goals requires an ability to transform into a reliable cyber power, one that protects vulnerable European neighbors, showcases effective domestic policies that can be emulated internationally, and offers offensive cyber capabilities that complement those of other major cyber powers. These capabilities include tools of war that, also in peacetime, can stop malicious cyber operations. Pursuing such policies is less about deterrence (Iran repeatedly launches cyberattacks on the United States despite its declared and demonstrated offensive capabilities) than about the proper conduct of a transparent democracy that is accountable to its citizens. Russia has never publicly acknowledged its offensive cyber capabilities or explained the circumstances under which it uses them.

Germany, above all, cannot afford more navel-gazing about the meaning of the Zeitenwende and its implications for a post-Cold War identity. The country needs to move on to a national security strategy (NSS) with all the attributes of a “grand strategy,” including a clear narrative that informs and motivates German society. The NSS must incorporate the cyber efforts of its allies and address their deficiencies, and the first step in accomplishing this is understanding their positions in the cyber domain.

The United Kingdom: The Responsible Cyber Power

The United Kingdom notes in its 2021 Integrated Review of Security, Defence, Development and Foreign Policy that it is not only a leading cyber power but also a responsible one. It consequently conducts cyber operations that conform with international and domestic law. This includes the Intelligence Services Act of 1994, which instituted parliamentary oversight of the country’s intelligence services. British cyber capabilities, the Review states, are also proportionate and targeted, limitations that are part of the United Kingdom’s effort to diametrically oppose “irresponsible” cyber behavior. The Review singles out Russia as a country that acts this way in cyberspace since it does not assess the legality of its cyber operations that have caused widespread, if not global, collateral damage. The United Kingdom, as a responsible cyber power, openly declares its offensive capabilities. “We will continue … to declare our nuclear and offensive cyber capabilities to Allies’ defense under our [NATO] Article 5 commitment.”

France: The Stabilizing Cyber Power

France, in its 2021 strategic update, positions itself “[a]s a stabilising power dedicated to peace and security.” The document also states that “[France] promotes effective multilateralism that respects human rights, fundamental freedoms and democratic principles.” The country has adopted a stance to counter destabilizing forces, including Russia, which is developing “exotic” weaponry. This includes nuclear-powered cruise missiles and intercontinental nuclear torpedoes. France also seeks to spearhead international stabilization efforts, even in regions in desperate need of political reform. France includes in its definition of stability the right to respond to cyberattacks. Its posture in this regard is akin to the United Kingdom’s as both defend norms of responsible state behavior. France also strives to safeguard stability by using confidence-building measures to staunch potentially escalatory effects of cyberattacks.

The United States: The Democratic Cyber Power

The United States positions itself as a values-driven defender of democratic norms. As such, it may sometimes blur the stipulations of international law to pursue its own geopolitical aims. Regarding the principle of sovereignty, the United States has noted that “a State’s remote cyber operations involving computers or other networked devices located on another State’s territory do not constitute a per se violation” of sovereignty. Such a perspective is broader than France’s, for example, which considers “any unauthorized penetration by a State of a French system or any production of effects on French territory via a digital vector” as a violation of sovereignty (emphasis added).

The United States’ self-image as a cyber power is also characterized by a willingness to impose serious costs on adversaries, an approach that is part of the persistent engagement theory that has driven recent US efforts in cyberspace:

“Defending forward as close as possible to the origin of adversary activity extends our reach to expose adversaries’ weaknesses, learn their intentions and capabilities, and counter attacks close to their origins. Continuous engagement imposes tactical friction and strategic costs on our adversaries, compelling them to shift resources to defense and reduce attacks.”

US President Joe Biden’s 2021 National Security Strategic Guidance is also unique in its heavy emphasis on values. It states that cyber threats, like other threats, are ultimately targeted against a community of democracies.

A Trio of Issues

There are three problems with the positioning of the three powers. First, they are not as coordinated as they may initially appear. Although their strategy documents often use the same language, the countries interpret wording differently. All three, for instance, share a general applicability of international law to cyber operations, but considerable differences about how the law applies exist. The aforementioned example about the definition of sovereignty highlights this.

Second, the three powers routinely overestimate the factors behind their unity, whether on international norms or as a community of values. They could consequently find themselves bound together even if the behavior of one is seen by the others as “irresponsible” or “destabilizing.” In one scenario, the United States, having placed malware into an adversary’s critical national infrastructure and missile systems, compromises that state’s offensive and defensive capabilities, thereby triggering preemptive action by that adversary. Conducting disruptive operations on allied territory could also be perceived as illegitimate action.

Third, each of the powers often frames its own role primarily in the negative, in terms of what they are not. France does not operate like a terrorist group because terrorist groups are spoilers and destabilizers. The United States is not like China because the two countries’ values are diametrically opposed to one another. The United Kingdom is not like irresponsible Russia. Even when positive doctrines are elaborated, they are muddled. The United Kingdom speaks of “responsible offensive cyber operations” in its aims to hold malicious cyber actors accountable for their activities. But the author of this DGAP Policy Brief has previously noted that conducting “responsible” cyber offensive operations is illusive due to definitional and operational challenges.

Germany: The Reliable Cyber Power

The conclusion from this analysis is that the cyberspace strategies of Germany’s allies significantly overlap in their overarching goals. Differences, however, emerge over the applicability of international law and the conduct of cyber operations. The United States is the boldest by far concerning disruptive operations – Stuxnet and interference with North Korean missile capabilities come to mind – while France and the United Kingdom have adopted a more restrained or, at least, secretive approach. This perceived discrepancy in boldness needs to be reflected in national strategies. Germany’s NSS should lay out the many commonalities it holds with allies, but Berlin should also highlight its distinction as a reliable cyber power. Here is how Germany should do this.

At Home …

Germany’s NSS and domestic policies must be reliably and consistently geared toward transparency and strong cybersecurity to encourage policies abroad that emphasize the same. Its current policies regarding vulnerability disclosure and encryption do not do this. The interior ministry’s recent cybersecurity agenda emphasizes the role of the Central Office for Information Technology in the Security Sector (ZITiS) in the domestic development of offensive cyber tools to reduce reliance on similar foreign instruments. However, unlike the United States and the United Kingdom, Germany lacks a transparent policy on publicly disclosing the use of such tools. Without such a framework, known commonly as a “vulnerabilities equities process,” in place, Germany fails to protect itself and others since it sets an example for opacity.

Germany’s domestic policy on encryption is similarly unworthy of a reliable cyber power that boasts strong security. The country’s current approach can be summed up as “security through encryption and security despite encryption.” This reflects contradictory German objectives of upholding end-to-end encryption while undermining it by allowing authorities to have backdoor access. Such a policy exposes Germany to cyber threats and further legitimizes the actions of authoritarian states that have systematically weakened encryption to allow domestic surveillance.

… and Abroad

Germany’s cyber vision needs to align with its overall vision of itself as a power or, in other words, with its grand strategic goals. Current strategic priorities lie in playing a greater role in European defense and, in this area, being a reliable partner for its weaker neighbors. Indeed, Germany has recently taken a more active role in patrolling Eastern and Southeastern European airspace, specifically that of Poland and Romania, areas directly threatened by Russia.

Germany should assume a similarly active role in defending the Eastern and Southeastern European flanks in cyberspace and coordinate this effort with other EU member states. To do this, the country will need to increase international capacities and exchange best practices with partners. Recent cyberattacks on Albania (which it has attributed to Iran) reveal the need for regional cyber defense support, which has, in the aftermath of the cyberattacks, come primarily from the United States. In Montenegro, also a target of malicious cyber activities, the US Cyber Command has assisted in making networks more resilient. Demand for German expertise, however, also exists. Staff from Germany’s Federal Office for Information Security, in fact, were scheduled just before Russia’s invasion to travel to Ukraine to deliver cybersecurity support. While security considerations made the trip too risky, such assistance is to be encouraged under safer circumstances.

Germany’s statement on offensive capabilities is hidden on page 133 in the definitions section of its 2021 cybersecurity strategy. Berlin should more prominently declare in the forthcoming NSS that it holds offensive cyber capabilities and that it will use them in accordance with international law. Germany’s offensive cyber operations should be conducted only as a response to malicious activity and to halt disruptive operations. Germany should refrain from planting logic bombs in adversaries’ critical infrastructure unless direct hostilities exist or are imminent. This would not preclude it from entering adversary networks to gain intelligence and conduct reconnaissance. Germany’s capacity to deploy offensive cyber capabilities may spark skepticism, but the Bundeswehr, in 2016, hacked into Afghanistan’s cellular network infrastructure to gather information on a hostage incident.

As a reliable cyber power, Germany should share offensive cyber capabilities with trusted EU and NATO members or partners further abroad, if requested, in crisis situations. Bilateral and multilateral agreements would ensure that capabilities are shared only with countries that conduct cyber operations in accordance with international law. Such agreements would also define the capabilities to be shared and the circumstances under which sharing would occur.

Germany’s approach to deploying limited offensive cyber capabilities would be in stark contrast to US cyber activities, which hit enemy infrastructure, even that which is related to daily operations, in an effort to degrade an adversary’s ability to attack. The United States’ current approach relies on its early 21st century war on terrorism, in which eliminating terrorists was common practice. But those tactical strikes are unlikely to have made the world safer. Crippling an enemy’s cyberattack infrastructure may be similarly ineffective. Blocking a Russian propaganda outlet’s internet access during midterm elections would impose costs also on US operators whose resources may be better spent building domestic cyber resilience or conducting strategic cyber operations with more lasting effects. US tactical day-to-day operations, around which persistent engagement is built, may have limited long-term value, even cumulatively. This is the case for most Russian cyber operations, too.

Finally, Germany should further enhance its position as a cyber capacity-building actor worldwide, thereby cementing its role as a reliable cyber power. Berlin is already engaged in several cyber capacity-building initiatives, but this engagement should be enlarged and made an integral part of the German strategic narrative.