Like the rest of the world, German officials followed with interest the hacking of the Democratic National Committee and of the email account of John Podesta, the chairman of Hillary Clinton's presidential campaign. Now it’s Germany’s turn. On December 1, WikiLeaks published 2,420 documents detailing the cooperation between German and U.S. intelligence agencies that had been exfiltrated from the Bundestag's Special Investigative Committee on the U.S. National Security Agency. The incident came on the heels of a cyberattack on Internet routers supplied by Deutsche Telekom that took nearly one million German household Internet connections offline in late November. Whereas the attack that led to the WikiLeaks dump was very likely the work of Russian hackers, the source of the attack on Deutsche Telekom remains unknown.
The episodes enraged German officials and set off calls for Berlin to harden Germany's cybersecurity as the country prepares for federal elections in 2017. On November 29, Bruno Kahl, the head of Germany's federal intelligence agency, warned in an interview with the Süddeutsche Zeitung that Russia would attempt to use cyberattacks to manipulate that contest. The same week, German Chancellor Angela Merkel made clear that Russian cyberattacks had become part of everyday reality. “We have to learn to live with it,” she said.
Recognizing the extent of the problem is only the start. German officials should also fortify the defenses of government-adjacent institutions, such as political parties; shift the focus of their responses from the content of leaks to the motive of leakers, emphasizing that cyberattacks violate the digital rights of German citizens; establish an alliance with Western governments and technology firms to ward off digital subterfuge; develop stricter standards for the Internet of Things; and work to enlist ordinary Germans in the fight to protect themselves.
A NEW PHASE
In recent months, as Berlin has prepared for next year's election, the degree of Russian penetration into Germany's government-affiliated institutions has become clear. In May 2015, German intelligence discovered a breach of 14 servers in the Bundestag's network; it later linked that attack to hackers in Russia. A year later, using information provided by German intelligence, Merkel's Christian Democratic Union (CDU) told party members that their headquarters had been probed by malicious actors. The hackers had created fake log-in pages for the CDU's remote email server and private email sites hosted by the popular providers GMX and web.de in an attempt to lure high-profile CDU officials to divulge their login credentials. Trend Micro, a German cybersecurity firm, later provided evidence that the hackers were members of a group known as Pawn Storm, which is widely believed to be affiliated with Russian military intelligence.
In August 2016, German officials discovered a third incident that they suspect was connected to the Russian government. At least two members of the Bundestag had received messages containing spyware links from an email account that purported to be affiliated with NATO. The spearphishing attack also targeted the CDU's youth wing and the party's provincial membership in Saarland, a small industrial state in Germany's west that is set to hold elections in the spring and is represented in the Bundestag by Merkel's chief of staff. Russian snoops had widened their sights: they were looking beyond Berlin.
The December 1 WikiLeaks dump, which showed many of the typical signs of Russian involvement, suggests that Russia’s cyber-subterfuge in Germany has entered another new phase, involving attempts to use hacked information to shape public opinion. Weakening Merkel’s government could help Russia undermine the European Union's unity on maintaining sanctions against Moscow (Merkel has been a central force in that consensus); undermine European integration, a process to which Germany is indispensable; put the brakes on the EU's Association Agreements with Ukraine and other post-Soviet states; give Russia a freer hand to deal with the countries on its periphery; cleave Germany and Europe from Atlanticism; and curb Germany’s support for the spread of free markets, the rule of law, and democracy.
To disseminate and amplify the information they extract, Russia's intelligence services and their proxies rely on a loose network comprising Twitter troll farms, hacker rings affiliated with organized crime groups that are brought into state service, and independent groups sympathetic to Russia's worldview. These actors guide stolen information into mainstream discourse and provide Moscow with a measure of cover. A burgeoning group of media outlets stands ready to support such efforts in Germany—from Moscow's German-language propaganda arm, RT Deutsch, to far-right outlets receptive to official Russian views, such as Junge Freiheit and PI News.
HOW TO RESPOND
Russia’s use of offensive cyber-force is not limited to hack-and-leak and disinformation campaigns. Since 2007 and 2008, when Russia launched broad cyberattacks against Estonia and Georgia, Moscow has also carried out a number of what might be called disrupt-and-destroy cyberattacks, which aim to damage physical or digital infrastructure.
In October 2014, hackers targeted the Warsaw stock exchange. Later that year, they attacked a German steel mill, causing serious damage. In 2015, attackers nearly destroyed the digital infrastructure of the French television outlet TV5Monde and launched a cyber-assault on a Ukrainian power plant that left some 220,000 businesses and homes without power for several hours. All of those incidents have since been tied to Russian intelligence.
Thanks in part to Berlin’s intensified focus on cybersecurity and a new information technology security law that entered into force in May, Germany's intelligence and law enforcement agencies have been overhauling their cyber-capabilities to better protect against, detect, and respond to attacks. The IT security law also created a raft of new security requirements for critical infrastructure, such as electrical grids and water-supply and telecommunications systems. But the law's implementation has been slow, and in other areas, constitutional requirements have made establishing greater government protections difficult.
Berlin's first priority in responding to these threats should be to harden the networks of institutions in close contact with the German government, such as political parties, nongovernmental organizations, think tanks, universities, and international organizations. Such institutions tend to be less secure than government bodies, yet they, too, host sensitive information that hackers can use to undermine public trust. Political parties are especially attractive targets, since their servers are repositories for campaign strategies, details on the early stages of policy planning, assessments of political personalities, and juicy details on rivalries, secrets, and crises. Yet political parties have traditionally had relatively little incentive to spend more money on cybersecurity, especially during campaign season. To address that weakness, Germany should revise its information technology security law so that it designates some government-adjacent institutions—particularly political parties represented in the Bundestag—as critical infrastructure, bringing into force the kind of oversight that would be needed to secure their networks.
Next, German politicians and media organizations should change how they respond to hack-and-leak incidents. So far, German leaders have reacted to such attacks mostly by expressing their indignation with leaked content instead of condemning the break-ins and probing the intent of their perpetrators. By amplifying the hackers' findings, this kind of response effectively serves their interests.
German law provides a starting point for addressing this problem. Under the legal tradition of informationelle Selbstbestimmung, or informational self-determination, Germany has effectively enshrined the privacy of personal data as a human right. The EU's Charter of Fundamental Rights builds on that approach. Germany's political parties should marshal this understanding to refocus public opinion on the fact that hack-and-leak attacks constitute a violation of the basic rights of German citizens. Officials in Brussels, meanwhile, should incorporate the issue of state-sponsored hack-and-leak operations into their discussions over a potential EU Charter of Digital Human Rights.
Next, Germany should heed the call of Deutsche Telekom CEO Timotheus Höttges to create a “NATO for the Internet,” an alliance of like-minded states and technology companies that would work to enhance the cross-border protection of key networks, increase intelligence sharing among businesses and governments, and define the kinds of attacks that would trigger retaliation. Germany could help initiate that conversation, perhaps during its 2017 chairmanship of the G20.
Germany should also lead a global effort to secure the Internet of Things, the increasingly common use of which is lowering the threshold for the kinds of attacks that can disrupt national economies and even cause physical harm. German and EU regulators should work with international standard setters, law enforcement agencies, and companies in the United States to make sure that Internet-connected devices incorporate reasonable fail-safes that prevent them from being exploited in cyberattacks. Finally, Berlin should take the unglamorous but necessary steps of changing Germans’ online behavior by pushing the use of two-factor authentication, virtual private networks, and encrypted communications. Germany's cybersecurity community needs to conscript citizens into the fight to protect the country's digital infrastructure—from the political class to the classroom.