Germany’s Cybersecurity Posture? Let’s Focus on Resilience

Germany’s upcoming National Security Strategy provides an opportunity to consolidate the country’s foreign, security and defense policies across domains and thematic areas, and to make them more comprehensive – in line with the idea of a whole-of-society approach. No doubt, questions of cybersecurity, including cyber defense and cyber foreign policy, will play a crucial role, as they should. The security strategy, then, is also an excellent opportunity to formulate the country’s future cybersecurity posture. That posture should be one of resilience.

Defining Cyber Resilience

Some say that acting from the idea of resilience means admitting that even strong IT security measures will eventually be overcome, and that is true. The IT security community shifted to an ​“assume-breach mantra” years ago. However, this by no means indicates that IT security measures are not or less important. It just means that in addition to putting those into place, institutions and organizations have to prepare for an incident. And they should do so by strengthening their resilience.

Cyber resilience is defined by the US National Institute of Standards and Technology (NIST) as ​“the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” Basically, it means to plan for an incident, to mitigate the damage caused by the incident as much as possible, to get operations running again as fast as possible, and to make sure that the same kind of incident will not happen again – for example, by patching software vulnerabilities that adversaries have exploited.

The Advantages of a Cyber Resilience Posture at Home

There are two main reasons why increasing resilience at home should be a priority for German policymakers. First, as we moved toward an assume-breach mentality, resilience reflects a far more realistic view of both the current threat landscape and the security level of German IT infrastructures. Second, resilience is agnostic to threats: it does not matter if an incident was caused by an insider, by an adversarial intelligence agency, by a cybercrime group, or simply by an accident or a climate event. Resilience involves possessing the tools to counter all these threats. Take the idea of the Federal Foreign Office to establish offsite snapshots of entire software environments, so-called ​“digital twins” (essentially a fancier version of backups): No matter if your data gets encrypted by criminals, degraded by intelligence agencies or simply disconnected through a power outage caused by a storm – start up the digital twin and be operational again while fixing the affected IT infrastructure.

All this seems straightforward, but there is a simple reason why it can be hard to sell to policymakers that they should push for steps that will move the country toward a resilience posture. Similar to concrete IT security measures like basic cyber hygiene, the idea of strengthening resilience is often not sexy enough to make it onto the political agenda. And indeed, resilience is more of a bread-and-butter strategy. However, compared to other, potentially more attention-grabbing focus areas like hackbacks or offensive cyber operations, resilience actually makes Germany more secure instead of making other countries less secure. In the event of a targeted power outage caused by an adversary, for instance, it should be Germany’s priority to get the power running again as soon as possible – not to switch off the lights in a country that Germany assumes was behind the outage. Ideally, a resilience approach would entail proactively anticipating and identifying the threat and mitigating it before any damage is done, for example through what is called ​“threat hunting.” Threat hunting refers to a set of activities that allows organizations to look for active compromises of their IT systems and neutralize them before adversaries can exploit them further – which is possible because there are sometimes months between the initial breach of a network and follow-on activities such as a ransomware rollout.

The Advantages of a Cyber Resilience Posture Abroad

Similarly, there are three main reasons why a cyber resilience posture should also inform German foreign and security policy. First, policies based on cyber resilience scale internationally: one country’s cyber resilience policy – for instance, measures to enhance the resilience of its critical infrastructures – may actually also contribute to enhancing the cybersecurity of people in another country if these infrastructures are internationally shared or connected. This can be the case with a transnationally-linked power grid or with infrastructures that form the public core of the internet, like fiber cables or domain name servers (also dubbed the ​‘telephone book’ of the internet). 

Second, it follows that states – including Germany – have a strong motivation to focus their cyber capacity-building activities abroad on strengthening resilience. After all, this may not only contribute to enhancing cybersecurity in other states but also internationally, including in Germany. Consider the case of the NotPetya cyber operation: In 2017, this self-propagating malware encrypted the data on computers worldwide, rendering them useless and causing significant economic fall-out. The starting point for this operation (later attributed to the Russian military) was a Ukrainian tax software company, where the update process was exploited to deliver the malware to users. The perpetrators had gained access to the company’s systems weeks before the operation, meaning there was a window of time during which threat hunting could have picked up traces of the compromise and mitigated it before damage was done. Moreover, functioning backup systems in the affected organizations would have reduced NotPetya’s economic impact, which Germany felt both directly – German companies were affected – and indirectly through week-long system and operative outages in global companies like the logistics giant Maersk.

Third, Germany has a strong interest in other states taking on a posture of cyber resilience as well. This is because such a posture is by definition non-escalatory and can therefore contribute to enhancing international peace and security, making everyone safer. This distinguishes a resilience approach from other, more offensive postures – like that of the United States, which focuses on constant contact with adversaries on networks both domestic and foreign, or that of the People’s Republic of China, which focuses inter alia on economic espionage and surveillance. Germany has a chance to and should act as a norm-setter for cyber resilience – and the best (and most credible) way to do so is by establishing a cyber resilience posture at home. The European General Data Protection Regulation (GDPR) is one example for how European and German policies can influence the policy choices of other states. Germany should use its normative power and set an example, not least because German policymakers have an interest in other states upping the resilience of their systems instead of exploring new pathways for deploying offensive cyber capabilities.

Time to Act

Information and communication technologies are the Achilles’ heel of modern societies. We can think of a cyber resilience posture as equivalent to a Swiss army knife: it is a sensible choice for mitigating a variety of adverse effects, including those stemming from international cyber rime (and currently especially ransomware) as well as sabotage of critical infrastructures, climate disasters, or war. Ukraine is the living example that a significant investment in cyber resilience can effectively mitigate the adverse effects of military operations inside and outside the cyber domain. At the same time, the resilience posture holds advantages both from a domestic and foreign policy perspective. Germany’s National Security Strategy should therefore enshrine this approach in German strategic thinking.