Germany’s National Security Strategy: A Chance to Pivot to Adaptive Cyber Resilience


Most cyber incidents can be avoided. Germany’s efforts for a more resilient cyber security strategy critically depend on its ability to learn, adapt and coordinate important stakeholders.

Germany is drafting its first-ever national security strategy amid a profound shock to Europe’s security resulting from Russia’s war of aggression against Ukraine. The invasion and ensuing events have also been further blurring the boundaries between internal and external security. Cyber warfare and disinformation campaigns have become integral parts of the Russian war effort against Ukraine. The number of cyberattacks targeting government organizations and private companies in Germany and elsewhere in Europe is growing, too. The 2022 Allianz Risk Barometer predicted that cyber threats will be the number one corporate risk in coming years. 

In response to the rapid increase in cyber incidents, states and the private sector should adopt strategies for cyber resilience, a path also endorsed by the G7 Digital Ministers at their meeting in Germany in 2022. In practice, however, cyber resilience all too often remains a political catchphrase or is used synonymously with cyber incident response. Germany’s upcoming security strategy is a chance for the country to put forward a clearly defined approach to cyber resilience for both the public and private sector. 

Key points:

  1. Cyber resilience for government organizations and private companies can be achieved through adaptive cyber governance, which depends on constant learning.
  2. By implementing risk management cycles, an active exchange of information, regular cyber exercises and efficient national coordination mechanisms, organizations can adequately address rising cyber threats.
  3. The German government needs to implement the EU NIS 2.0 Directive as well as the Cyber Resilience Act and offer advice to companies on dynamic cyber risk management and adaptive resilience.

A Continuous Cycle

At its core, cyber resilience refers to an actor’s or a system’s ability to continuously deliver the intended outcome despite adverse cyber events like threats, incidents or attacks. Resilience depends on the actor’s ability to adjust its functions before, during or following such events. Adjustments can be proactive (meaning anticipatory) or reactive (meaning in response) to a vulnerability or incident, and first and foremost they require adaptive and flexible organizational structures.

Hence, rather than as an isolated process, resilience should be seen as a continuous cycle of preparatory, proactive and more effective reactive responses and learning measures. Proactive steps range from regulatory and policy measures to on-the-ground monitoring, information-sharing capabilities, and exercises. In practice, the EU’s new regulations – such as the recently adopted NIS 2.0 Directive or the Cyber Resilience Act – are meant to strengthen member states’ capacity to prepare for cyber risk management. The EU’s reactive measures include technical and operational incident response and recovery capabilities – like the designated networks of national Computer Emergency Response Teams (CERTs) coordinated by the EU Cybersecurity Agency ENISA, or the joint EU Cyber Crisis Liaison Organization Network (CyCLONe), among others. Foreign policy instruments like the EU Cyber Diplomacy toolbox provide member states with political mechanisms to collectively respond to malicious cyber activities.


Learning Is at the Heart of Resilience

An often overlooked but essential element of resilience is learning. As part of the recovery process, learning encompasses the evaluation of past cyber incidents or crisis management processes. It should lead to adjustments in organizational cooperation arrangements, the robustness of technological infrastructure and crisis communication, among others. 

This kind of dynamic learning approach to resilience promotes the effective preparedness that organizations need to address rising cyber threats. To fully implement it, certain key requirements must be met at a national, regional and organizational level. More specifically, Germany and other European countries should follow a number of concrete steps.

First, cyber resilience in organizations and companies should be based on a studiously implemented risk management cycle which encompasses technical, operational and strategic dimensions. With efficient prevention and preparation, and following simple cyber security guidelines, most cyber incidents can be avoided. 

Second, cyber security is a team sport. At the national and regional levels, relevant governmental bodies need to set up effective systems for the coordination and monitoring of critical information infrastructure security applications. Part of that coordination is establishing adequate public-private partnerships that facilitate the proactive exchange of information and early warning mechanisms. And countries should further consolidate their complicated and fragmented organization of cybersecurity coordination between public and private actors.


Third, a key requirement for better cyber security is education. All organizations will benefit from education and training, regular cyber exercises, and awareness raising efforts for incident responders, policymakers as well as end users.

Fourth, countries require efficient national coordination mechanisms. Those should integrate cyber incident management into national crisis management frameworks and devise technical and political decision-making procedures for the response to large-scale and cross-border cyber incidents.

Finally, Germany and other EU countries will have to combine these steps with the transposition of increasingly extensive EU legislation, including the recent EU NIS 2.0 Directive as well as the Cyber Resilience Act. These new EU-level regulations will broaden the scope of companies falling under the mandatory security requirements. This means that the German Mittelstand (small and medium-sized enterprises, or SMEs) face more reporting demands and other commitments, which they need to fulfil.

Toward Adaptive Cyber Governance

The overall goal should be to enable resilience through adaptive cyber governance, which takes constant learning as the core value. This approach will advance the capacity of organizations to deal with uncertainty and improve the speed of their decision-making. In preparation for and response to disruptive events, it relies on decentralized decision-making, the engagement of diverse stakeholders, the use of key actors’ tacit knowledge and experience, and rigorous evaluation of past processes.

Cyber resilience is achievable – but it needs effort and dedication by all significant stakeholders. States need to implement key national and EU regulatory acts even though the results could come into effect only in the medium to long term. For more immediate results, national authorities should offer advice to critical infrastructure companies, providers of services that are essential for the public sector as well as to SMEs on what is required to better protect themselves against cyber threats through dynamic cyber risk management and adaptive resilience.

Simple cyber resilience guidelines for all public and private sector organizations would already go a long way and should include the following recommendations:

  • Adopt cyber risk management procedures with relevant prevention, response and recovery elements.
  • Constantly and rigorously evaluate past incidents and crisis management processes and set up adaptation mechanisms to ensure organizational learning.
  • Set up permanent coordination at the highest level – meaning heads of government agencies or C‑suite decision-makers in companies – on cyber issues and cyber risk ownership.
  • Regularly organize cyber exercises, trainings and education events to stay updated on the current threat environment.
  • Implement awareness-raising programs for end users to minimize vulnerabilities resulting from human negligence.
  • Consolidate existing public-private partnerships on cyber issues, including information-sharing and early warning, as well as national political responsibilities within the overall cybersecurity policy architecture to enable flexible and adaptive coordination at the national level.

Many German and European public and private organizations have already implemented elements of these guidelines. However, their efforts sometimes remain fragmented and lack an overarching strategy. In Germany, the upcoming National Security Strategy offers a unique opportunity to define the strategic cornerstones of a more comprehensive national approach to cyber resilience, including by consolidating existing structures. Its success will critically depend on the effective coordination of the different stakeholders responsible for technical IT security, internal security, external security, national defense and diplomacy. In particular, as in the United States (another large federal country), the German National Security Strategy should establish the position of a ministerial-level national cyber directorate to provide leadership, make decisions, and ensure their effective implementation across ministries.

Heli Tiirmaa-Klaar

Director, Digital Society Institute, ESMT Berlin

Isabel Skierka

Program Lead for Technology Policy and Researcher, Digital Society Institute, ESMT Berlin