27 May 2017

A hacked-off Germany hacks back

By JANOSCH DELCKER

The threat of cyberattacks has escalated dramatically and, according to officials, German companies suffer an estimated €50 billion in damages every year | Photo-Illustration by Ivo Oliveira/POLITICO (Source images by Getty Images) 

Jolted by a hack in 2015 when intruders roamed around freely in the German parliament’s network for weeks, Berlin is preparing to “hack back” — disrupting ongoing attacks by breaking back into a hacker’s system to delete data or even destroy the entire system.

The country, where the experience of two authoritarian dictatorships makes citizens particularly sensitive to assaults on their privacy, is eager to send the message that it’s considering more aggressive means to combat hacking attacks. In doing so, Berlin is broaching decade-old taboos such as the rigid rules defining the use of its military to combat crime.

Earlier this year, Germany’s army launched a new command of 13,500 soon-to-be cyber soldiers and contractors. Simultaneously, the interior ministry opened a cyber unit in Munich where 400 people will be hired to develop tools to decode encryption and work on how to strike back during cyberattacks.

“The state needs to have an entire tool kit available on how to counter cyberattacks, and ‘hacking back’ is one of those instruments, particularly when it comes to attacks with strong indications that they’re led by foreign states,” said Thomas Jarzombek, a member of the German parliament and the internet policy spokesman for German Chancellor Angela Merkel’s conservative Bundestag group.


Legally, however, things are more complicated.

Generally speaking, destroying another computer system is illegal — and there’s no clear legal ground for “hacking back,” let alone for the question of which one of Germany’s more than three dozen security agencies would be in charge of running such operations.

“There are tons of unanswered legal questions,” said Konstantin von Notz, an MP for the opposition Green party, “and instead of solving them, the ministries in charge are focusing on their own internal arms race, competing over who will be the fastest in entering the cyber war.”

“It’s a placebo discussion,” he added.

Multi-faceted threat

The threat of cyberattacks has escalated dramatically in recent years and, according to officials, German companies suffer an estimated €50 billion in damages every year.

Beyond the cost of business espionage, hacks on public institutions and concern about potentially devastating attacks that could bring down the country’s infrastructure have increased the pressure on Berlin to tackle the threat.

Some security experts argue that in certain cases, attacking a server to take it down is not just advisable but inevitable.

“Take for instance a server that spreads state secrets or credit card data,” said Martin Schallbruch, formerly a director general at the German interior ministry, who oversaw the country’s national cybersecurity strategy for more than a decade. “In this case, one can’t block the entire internet. But there’s a need to stop the server from spreading the information.”

Along those lines, experts argue that “hacking back” would bring what’s known as a state’s monopoly on violence — the right authorities have to use violence in order to enforce existing law and maintain security — into cyberspace.

But there are several problems.

For one thing, attributing a cyberattack beyond a doubt to a particular perpetrator or perpetrators is extremely difficult.

Secondly, hackers often capture the server of a third party, located in a different country from where they are based, and then launch the attack from there. “Hacking back” operations, which need to be launched as quickly as possible to be effective, would primarily target these third parties, possibly inadvertently punishing people unaffiliated with the attackers.

Highlighting the urgency of the issue, Merkel has made the creation of a legal framework for “computer network operations,” the broader technical term for “hacking back,” a priority.

In March, the German Security Council, Germany’s most exclusive government committee, which includes just Merkel, her chief of staff and a few top ministers, commissioned two analyses on how to draft legislation.

A central question is which security agency should be responsible for developing “hacking back” operations.

Hans-Georg Maaßen, the president of the country’s domestic secret service, suggested mirroring the analog world: Germany’s police should be responsible for striking back at criminals, its intelligence agencies against foreign secret services and its armed forces against military attacks.

The suggestion was met with controversy within the cybersecurity community.

“That idea seems unsuitable, considering that it’s oftentimes impossible to clearly attribute an attack to a certain intruder before striking back,” said former national cyber strategy head Schallbruch, who is now the deputy director of the Berlin-based Digital Society Institute (DSI).

The question of attribution is also crucial because Germany’s security agencies are highly fragmented, comprising about 40 federal and regional agencies, which goes back to post-World War II considerations of preventing another dictatorship in the country.

Criminal prosecution inside Germany is restricted to the country’s police and law enforcement agencies. With very few exceptions, Germany’s army can only act outside the country’s borders or once the country is under attack.

Furthermore, borders are blurry in cyberspace and hackers’ backgrounds — whether they’re criminals or foreign agents — are often impossible to know before striking back.

Others have suggested that, in certain cases, the police should be able to command the military’s cybersecurity forces to conduct counterstrikes for them.

“It’s somehow similar to the fact that our police forces don’t have their own jet fighters, which would neither make sense nor would we be able to afford it,” said the DSI’s Schallbruch. “But if worst comes to worst — let’s say a plane has to be brought down in Germany — our armed forces can support our police forces with their jets, under certain circumstances.”

Defense over offense

German Interior Minister Thomas de Maizière of Merkel’s CDU said last month that new legislation legally clearing the country’s security forces to strike back would be implemented “very soon” after the country’s national election.

“Very soon” may be too soon.

No matter who wins in September, it will likely take until early next year to decide who will lead the ministries during the next term, and officials said that, especially given the legal complexity of the issue, they didn’t expect any legislation to be passed before the second half of 2018.

Meanwhile, the cyber threat is growing.

“We’re losing time every day,” MP von Notz said. Instead of debating how to bolster Germany’s cyber warfare capacities, he argued, the country should focus on better protecting its own infrastructure against attacks. “The ministers in charge and their directors are puffing themselves up, keeping many of the experts we have busy with developing offensive strategies on how to hack back, instead of bringing up the security level of critical infrastructure.”
