In the name of cybersecurity
More than a dozen institutions deal with German cybersecurity for or with the support of the German government. Who are they and what do they do? An overview.
Federal government: The more, the better
The German government’s cybersecurity architecture is very heterogeneous. The reason for this is that cyberthreats are often international in scope and dynamic, and many user groups can be affected by attacks at the same time – especially since they are increasingly technically interconnected. This is why the German government decided to place cybersecurity protection in the hands of a large number of authorities. These include emergency response and regulatory authorities, law enforcement agencies, intelligence services and the Federal Armed Forces. According to the German government, the various ministries and responsible departments are working together on cyberdefence, primarily event and topic-related.
The state sees it as its duty
The growing threat to infrastructures by cybercriminals has led the federal government to make IT security a top priority, according to the federal government's cybersecurity strategy. Ensuring security in cyberspace and protecting critical information infrastructures have become existential questions of the 21st century and therefore require a high level of commitment from government. It must guarantee security, justice and freedom also in cyberspace. This calls for a modern cybersecurity architecture that effectively interlinks the various players at federal level.
Duplication and multiple funding?
Opinions differ regarding the usefulness and efficiency of the many institutions which the German government is employing in an effort to achieve its goals. Critics see the collaboration between various authorities in the National Cyberdefence Centre as a mixture of law enforcement and intelligence activities, claiming that this violated the separation between the police and intelligence agencies. The Federal Court of Audit is of the opinion1 that the Cyberdefence Centre does not have sufficient capacities, that it lacks the authority to act and that it is unclear what would actually happen in the event of a cyberattack. The court also believes that contradictory approaches to cyberattacks and a reluctance to share knowledge and information would hamper smooth cooperation.
Criticism has also been expressed regarding the planned “federal cyberagency”, stating that it was poorly financed.2 The Federal Audit Office also sees the risk of the cyberagency not being “able to distinguish itself from other research organizations"3, referring, for instance, to the Federal Armed Forces and its Cyber Innovation Hub for “disruptive innovations and digital transformation”. The University of the Federal Armed Forces operates a Cyberdefence Research Institute (CODE) as an ‘interdepartmental cybercluster’ for ‘basic research at excellence level’. The Ministry of Research is funding three competence centres for IT security research at universities and institutes. In addition, there is the Federal Office for Information Security (BSI), the Central Office for Information Technology in the Security Sector (ZITiS), as well as an Agency for the Promotion of Springboard Innovation (SprinD). This all could quickly lead to duplication with multiple funding, making it difficult to understand the need for another new cyberagency.