Tasks of Germany’s cybersecurity institutions
More than a dozen institutions deal with German cybersecurity for or with the support of the German government. Who are they and what do they do? An overview.
Federal government: The more, the better
The German government’s cybersecurity architecture is very heterogeneous. The reason for this is that cyberthreats are often international in scope and dynamic, and many user groups can be affected by attacks at the same time – especially since they are increasingly technically interconnected. This is why the German government decided to place cybersecurity protection in the hands of a large number of authorities. These include emergency response and regulatory authorities, law enforcement agencies, intelligence services and the Federal Armed Forces. According to the German government, the various ministries and responsible departments are working together on cyberdefence, primarily event and topic-related.
Cyber-AZ was established in 2011. It is designed to optimize operational cooperation and coordinate protection and defence measures. Information on cyberattacks is compiled and evaluated on information infrastructures – this is carried out by each authority from its own perspective and within its own sphere of responsibility. The following authorities are currently represented in Cyber-AZ: the Federal Office for Information Security (BSI), the Federal Criminal Police Office (BKA), the Federal Police (BPol), the Federal Office for the Protection of the Constitution (BfV), the Foreign Intelligence Service (BND), the Federal Office for Military Counter-Intelligence (BAMAD), the Federal Office for Civil Protection and Disaster Assistance (BBK), the Customs Criminal Police Office (ZKA), the Federal Armed Forces (BW) and the Federal Financial Supervisory Authority (BaFin).
The BKA is the central office of the German police and has extended its scope of work in the national fight against crime to include cyberspace. It ensures national coordination, operational evaluation and strategic cooperation. It solves crimes in cyberspace, conducts investigations and works to prevent cybercrime. The BKA is also part of the Federal Ministry of the Interior.
BSI is the federal cybersecurity authority. BSI shapes information security in digitalization for the state, economy and society through prevention, detection and reaction. According to the federal government, this office’s expertise is recognized both at national and international level. Its work ranges from defence against cyberattacks to consulting services, developing security recommendations, best practices and standards, as well as certification. BSI also supports the federal administration with the ‘Computer Emergency Response Team Bund’ (CERT-Bund) and with the ‘Mobile Incident Response Team’ (MIRT). It also operates the ‘National IT Situation Centre’, which is in constant contact with the ‘Joint Reporting and Situation Centre of the Federal Government and the Federal States’. The clear focus of the Situation Centre and CERT is to respond immediately and specifically to incidents, to manage the situation and to restore technical security. BSI is part of the Federal Ministry of the Interior, Building and Community (BMI).
It is the task of the BfV to fend off and investigate cyberattacks on the state and private institutions. To this end, the office observes how extremists, terrorists or foreign intelligence services use new technical means to conduct espionage in Germany, spread political disinformation or sabotage computers. According to its own information, the BfV collects, for example, “information about efforts that are directed against the free democratic basic order or against the security of Germany or one of its federal states”. The BKA is also part of the Federal Ministry of the Interior.
The BND is Germany's foreign intelligence service and acts on behalf of the federal government. Abroad, it observes attacks that are intended to serve cyberespionage or sabotage in Germany and warns affected stakeholders at home so that defence mechanisms can be initiated. The BND is part of the Federal Chancellery.
ZITiS was founded in 2017 and, according to its own statements, sees itself as ‘Cyber Authority 4.0’. ZITiS is the central service provider for the German security authorities. It supports and advises the authorities in matters related to IT skills. To this end, ZITiS bundles technical know-how with cyber-related expertise, conducts central research on new technologies and develops methods and tools to support the authorities in investigation and reconnaissance. It also works on topics, such as digital forensics, telecommunications surveillance, cryptanalysis and big-data analysis, as well as crime prevention, hazard prevention and counter-espionage.
Where the BMI relies on ZITiS, the Federal Ministry of Defence has access to the Cyber Innovation Hub (CIH), the Cyber Defence Research Institute (CODE) at the University of the Federal Armed Forces, Bundesweite IT-Systemhaus GmbH (BWI) or the Federal Office for Equipment, Information Technology and Utilisation of the Federal Armed Forces (BAAINBw). The CIH offers a platform for linking the Federal Armed Forces and start-ups in order to research and develop innovative technologies for the Federal Armed Forces. CODE pursues the goal of implementing innovative technical innovations to protect data, software and systems for the Federal Armed Forces. Publicly owned BWI GmbH has comprehensively modernized the IT systems of the Federal Armed Forces. The current focus of this IT service provider includes the operation and modernization of non-military information and communication technologies of the Federal Armed Forces.
In 2018, the German government decided to establish the Agency for Innovation in Cybersecurity (Cyberagency) which is to be set up at Leipzig/Halle Airport by 2022. The agency's task will be to promote the development of innovative solutions in the field of cybersecurity. It also aims to help Germany to increase its own technological sovereignty in cybersecurity. One hundred IT specialists will work on security issues in the Federal Armed Forces and the police. The agency is jointly supervised by the Federal Ministry of Defence (BMVg) and the Federal Ministry of the Interior, Building and Community (BMI).
Founded in 2011, the Cyber-SR is the strategic advisor of the federal government. It organizes cooperation in cybersecurity both within the federal government as well as between the government and industry. According to the federal government, the Cyber-SR identifies long-term needs for action and trends and uses this to strengthen cybersecurity. It brings together representatives of the federal government, the federal states and industry and is supported by a scientific expert and advisory committee. The chairman of the Council is the Federal Government Commissioner for Information Technology (BfIT).
The establishment of the German Institute for Internet Security (DIIS) was already announced by the Federal Foreign Office (AA) back in 2016. This institute will focus on cybersecurity issues related to international stability and crisis prevention. In the 2018 coalition agreement, the establishment of the Agency for Innovation in Cybersecurity (ADIC) was decided. Under the leadership of the BMI and BMVg, this cyberagency is to ensure “technological innovation leadership” in the field of security-relevant key technologies.
Thirteen of Germany’s sixteen federal states have established cybercrime centres to combat and investigate cybercrime. The cybercrime centres are organized mainly in the police sector of the corresponding state criminal investigation offices or in the public prosecutor's offices.
The federal-state CERTs are the Computer Emergency Response Teams of the individual federal states. Within the framework of the Administrative CERT Network (VCV), the federal government and the federal states work together to set up and operate the federal-state CERTs. The federal-state CERTs cooperate with the CERT Alliance at BSI.
The Administrative CERT Network (VCV) is a platform where the CERT Group and the existing federal-state CERTs can exchange information. The aim of this network is to strengthen IT crisis prevention and response and to improve IT security in the public administration.
The Common Reporting and Situation Centre (GMLZ) is responsible for providing a uniform picture of the civil protection situation for the federal government, the federal states and the specialist authorities. To this end, it monitors and evaluates relevant events in Germany and abroad around the clock and reports on them in the daily situation report or in targeted situation reports.
The ITZBund is the IT service provider of the federal administration. It is part of the Federal Ministry of Finance and one of its tasks is to improve protection against cyberattacks. The ITZBund was founded in 2016 from three predecessor authorities: the Federal Office for Information Technology (BIT), the Federal Institute for IT Services (DLZ-IT BMVI) and the Centre for Information Processing and Information Technology (ZIVIT). The purpose of this move was to bundle the IT capacities of the federal government.
The state sees it as its duty
The growing threat to infrastructures by cybercriminals has led the federal government to make IT security a top priority, according to the federal government's cybersecurity strategy. Ensuring security in cyberspace and protecting critical information infrastructures have become existential questions of the 21st century and therefore require a high level of commitment from government. It must guarantee security, justice and freedom also in cyberspace. This calls for a modern cybersecurity architecture that effectively interlinks the various players at federal level.
Duplication and multiple funding?
Opinions differ regarding the usefulness and efficiency of the many institutions which the German government is employing in an effort to achieve its goals. Critics see the collaboration between various authorities in the National Cyberdefence Centre as a mixture of law enforcement and intelligence activities, claiming that this violated the separation between the police and intelligence agencies. The Federal Court of Audit is of the opinion* that the Cyberdefence Centre does not have sufficient capacities, that it lacks the authority to act and that it is unclear what would actually happen in the event of a cyberattack. The court also believes that contradictory approaches to cyberattacks and a reluctance to share knowledge and information would hamper smooth cooperation.
Criticism has also been expressed regarding the planned “federal cyberagency”, stating that it was poorly financed*. The Federal Audit Office also sees the risk of the cyberagency not being “able to distinguish itself from other research organizations"*, referring, for instance, to the Federal Armed Forces and its Cyber Innovation Hub for “disruptive innovations and digital transformation”. The University of the Federal Armed Forces operates a Cyberdefence Research Institute (CODE) as an ‘interdepartmental cybercluster’ for ‘basic research at excellence level’. The Ministry of Research is funding three competence centres for IT security research at universities and institutes. In addition, there is the Federal Office for Information Security (BSI), the Central Office for Information Technology in the Security Sector (ZITiS), as well as an Agency for the Promotion of Springboard Innovation (SprinD). This all could quickly lead to duplication with multiple funding, making it difficult to understand the need for another new cyberagency.