The massive poster covering the entire gable wall of a Berlin building is half advertisement and half recruitment call. Asking “When can you hack the hackers?” Over a stylised network diagram backdrop, its khaki-green elements give the first clue to the poster’s origin: Germany’s armed forces, the Bundeswehr.
On a sunny Wednesday afternoon in Bonn, Germany’s flinty defence minister Ursula von der Leyen announced a “milestone” in German military policy. Alongside its army ground force, air force and marines, the Bundeswehr now has a new pillar: a cyber force commando (CIS).
Stepping out to a cyber march, composed for the occasion by the Bundeswehr brass band, the defence minister warned that Germany’s next big war will probably not be on land, sea or in the air but in a virtual, cyber dimension.
With almost 300,000 attacks on Bundeswehr IT systems so far in 2017, some believe this war has already begun.
“The attacks on our systems come daily, independent of terms like war, peace, crisis, or conflict . . . and range from simple espionage, data theft and destruction to manipulation and influence attempts,” said von der Leyen.
We have to be ready for everything from hacker attack to state attacks
“If the networks of the Bundeswehr are attacked we are allowed to defend ourselves. As soon as an attack hinders our ability to act, we are permitted to go on the offensive.”
So what kind of attacks does the Germany military face and who is behind them? Bundeswehr officials say the attacks vary, with the force and frequency no longer linked to the size of a country or its traditional military capacity.
Hybrid warfare From so-called “hybrid warfare” in eastern Ukraine to the so-called “digital caliphate” of Islamic State, anyone – from a small country to a private person with money to pay an army of hacker mercenaries – can cause havoc without owning any boots, let alone having them on the ground.
For Lieut Gen Ludwig Leinhos, commander of the new CIS division, the Bundeswehr’s latest innovation is a logical, overdue step.
“For some time now wars haven’t been decided alone on the ground,” he said. “We have to be ready for everything from hacker attack to state attacks. If hackers manage to get into the on-board computer of a jet, human lives are at risk.”
A look inside one of the Bundeswehr’s Eurofighter combat aircraft reveals 80 on-board computers and 100km of cables, making each plane effectively a data centre with wings. The Boxer tanks favoured by the Bundeswehr have dispensed with the mechanical equipment of old in favour of laptops and screens.
These high-tech tools, there to improve precision, make missions vulnerable to attack from outside: with adversaries hunting for possibilities to infiltrate, observe or even divert fire.
“Another possibility is an attack on the Bundeswehr’s communications and other networks you need to communicate with individual troops during a mission,” says Marcel Dickow, defence expert with the SWP political foundation in Berlin.
From a standing start, some 13,500 people will be working in the new division by July, with another 1,500 joining the ranks by 2021. The division will pool existing IT capacity but bring in new technical capacities through a recruiting drive.
Since abolishing military service in 2011, however, the German armed forces have had a general recruitment problem, and officials hope to build their own staff capacity with new IT and cybersecurity qualifications at the Bundeswehr university in Munich.
I've no problem with the Bundeswehr protecting itself from a cyber attack, but this is about the Bundeswehr gaining access to others' networks
Beyond in-house graduates, the Bundeswehr says it has stepped up IT recruitment– up 60 per cent last year. With a combined current budget for IT investment and staff of €2.6 billion, they are confident of attracting suitable hackers by appealing to their patriotic instincts, and the challenge of real-world experience at the highest level.
Patriotic instincts
Defence analysts like Marcel Dickow are sceptical about hackers’ patriotic instincts and whether anyone with the necessary skills would be willing to work for the army when they can earn far more working in private industry.
“The Bundeswehr is not competitive at a salary level and the cultural sphere, of orders and obedience, is not necessarily what hackers know or how they work, but we’ll have to see,” says Duckow.
This being Germany, where history has made people hyper-sensitive to all things military, not everyone has welcomed the new Bundeswehr cyber command. The most critical voices can be heard in the Bundestag which, under Germany’s postwar constitution, controls the military and allows deployments only with an explicit mandate.
And in parliament, beyond Von der Leyen’s allies in the ruling Christian Democratic Union (CDU), other parties are concerned at just what the Bundeswehr has created. How will this new cyber command interact with existing units in the intelligence services and how much political oversight is possible – or even wanted – in this new cyber front?
Digital attackers are, as a rule, not identifiable. And when you 'defend' yourself against the wrong person then that is a declaration of war
Germany’s Social Democrats (SPD), junior coalition partner to chancellor Angela Merkel’s CDU, insist that any cyber deployment of the new Bundeswehr commando would, like a real-world deployment, require a Bundestag mandate.
But doubts over whether this is practicable persist in the opposition Bundestag benches of the Left and Green Parties, with their traditional scepticism of all things military.
Christine Buchholz, Left Party defence spokeswoman, fears the new commando could be the thin end of the wedge, with a defensive capability soon turning into an offensive military unit with no controls.
“I’ve no problem with the Bundeswehr protecting itself from a cyber attack, but this is about the Bundeswehr gaining access to others’ networks. This is a defence build-up in cyberspace which I reject as wrong.”
Anticipating such criticisms, Lieut Gen Leinhos insists the Bundeswehr – including his new division – will still be prohibited from any deployments not backed by the Bundestag.
Parliamentary army “We are a parliamentary army, even those of us who work with a mouse and keyboard,” he said.
But defence analysts point to the blurred lines between defensive and offensive action in cyberspace.
SWP defence analyst Marcel Duckow argues that any cyber command worth its salt can only defend if it knows how to attack – finding weaknesses in its own networks, and others.
“The Bundeswehr will have to develop these offensive attack abilities whether they want or not,” he says. “It’s a political question whether they choose to use them.”
Germany’s digital and hacker communities gave a cautious reception to the new Bundeswehr initiative, saying too few details had been released to assess the new commando’s reach, ambition or intentions.
After the hacks in the US presidential election, political parties here are braced for attacks on their networks ahead of September's federal election.
Digital policy website Poliomyelitides, threatened for a time in 2015 with treason charges for publishing intelligence agency documents, warned of a tendency to “run riot” with new digital powers.
“Unfortunately our experience shows that everything that can be technically done, will be done,” it added.
Another concern was raised by users on tech website Heise.de: “Digital attackers are, as a rule, not identifiable,” wrote one. “And when you ‘defend’ yourself against the wrong person then that is a declaration of war.”
Revelations
Such concerns took on a new urgency with this week’s Wikileaks revelations of CIA “obfuscation” techniques to hide the source of their cyber attacks.
In its news release, Wikileaks suggested the CIA added samples of Chinese, Russian, Arabic or even Farsi into their cyber attack code, a kind of digital false-flag operation.
Given such digital smoke-and-mirror tricks, how can Germany’s new cyber commandos know that their counterattack is directed at the person, country or institution that launched the initial attack?
Those are pressing questions for the Bundeswehr’s new cyber commandos, and the German political establishment charged with overseeing operations.
But all here agree that cyber threats are real and growing. After the hacks in the US presidential election, political parties here are braced for attacks on their networks ahead of September’s federal election. In the last months, the Bundestag has admitted two major cyber attacks, one of which was successful.
In a final play to attract hackers, the Bundeswehr says it is prepared to dispense with many of the trappings of military life. The new Bundeswehr recruits will not have to live on a military base, nor will they have to pass the usual fitness test to get in.
“It’s one thing to build a bridge and another when I can do my job with a mouse click,” said Katrin Suder, state secretary in the defence ministry.
Finally, and most importantly, no one expects Germany’s new hacker army recruits to swap their hoody for khaki.