13 April 2020

German Military Cyber Operations are in a Legal Gray Zone

By Matthias Schulze

In 2016, Germany created its military cyber command, the Cyber and Information Domain Service (German: Kommando Cyber- und Informationsraum; KdoCIR), tasked with cyber defense, limited offensive cyber operations, and defending against hybrid threats such as influence operations or disinformation. With the KdoCIR, the German Ministry of Defense claimed its stake in the whole-of-government approach to cybersecurity.

However, cybersecurity in Germany remains the prerogative of the Department of the Interior. Due to constitutional constraints, the KdoCIR has little room to maneuver to contribute to cybersecurity. The KdoCIR has always had to navigate legal gray zones that exist due to both the unclear status of cyber- and hybrid-warfare operations and the German constitution. These constraints could ultimately decrease the flexibility and the operational effectiveness of German military cyber operations.

Civil Cyber Defense vs. Military Cyber Defense?


In Germany, civil institutions such as the Department of the Interior, with its Federal Office for Information Security, as well as federal and local police are in charge of cybersecurity. Currently, the Department of the Interior is drafting an active cyber-defense policy, which will include the possibility of cyber counterattacks to delete stolen data or disrupt or degrade hostile command-and-control infrastructure in foreign networks. The specific contours of the policy are not yet published, and it’s not yet clear which government agency will be tasked with conducting these retaliatory cyberattacks. In all likelihood, the job will fall to federal police or intelligence agencies, not the military.

Meanwhile, the Bundeswehr, the German armed forces, are also involved in cyber defense through the KdoCIR. The central strategic document, the German White Paper 2016, highlights that the Bundeswehr shall contribute to the whole-of-government approach to cyber defense, for example, by protecting critical infrastructure against large-scale cyberattacks. The KdoCIR is staffed to carry out offensive activities: It has between 120 and 160 computer network operators ready to hit the keyboard. But constitutional constraints for Bundeswehr operations create some legal ambiguity about what role the KdoCIR actually can play.

Constitutional Restraints for Military Cyber Operations

Due to lessons from World War II, German military operations are subject to stringent legal restrictions. In addition to their impact on kinetic operations, these rules have constrained the permissible scope of German military cyber operations, as well.

The German constitution (the Grundgesetz, or GG), which went into force in 1949, outlines a defensive orientation for the country. Article 26, on securing international peace, states that “acts tending to and undertaken with the intent to disturb the peaceful relations between nations, especially to prepare for a war of aggression, shall be unconstitutional.”

The mission statement of the Bundeswehr is purely defensive: “The Federation shall establish Armed Forces for purposes of defense” (GG Article 87a/1). In extreme cases, such as an armed attack, an emergency state of defense (GG Article 115a) can be triggered that would shift more power to the executive and give the armed forces greater leeway. “During a state of defense or a state of tension the Armed Forces shall have the power to protect civilian property” (GG Article 87a/3). In these cases, the KdoCIR would theoretically have legal permission to engage in active cyber defense. But these emergency authorities have never been invoked.

A constitutional court ruling in 1994 decided that the German military has the legal authority to transfer sovereign powers to international systems of collective security and involve itself in “out-of-area” missions (GG Article 24). These are typically multilateral peace-management missions within the United Nations, the European Union or NATO.

But the constitutional court decided that these out-of-area missions require a constitutive parliamentary mandate. The German Bundestag has the power to deny the “deployment” of armed forces per the Parliamentary Participation Act of 2006, which provides for this veto mechanism. The act mandates that the Bundestag has to give its authorization for any situation in which “Bundeswehr soldiers are involved in armed operations or are expected to be involved in an armed operation.” In cases where combat is preplanned, the government must formally request a mandate from the Bundestag before deploying the Bundeswehr and the KdoCIR to operate in a foreign country. Emergency situations allow fast-tracking or post-hoc provisions of a parliamentary mandate. To date, the parliament has never refused to give a mandate to a Bundeswehr operation, and such a drastic step would likely trigger a “motion of no confidence” toward the government.

The GG also limits Bundeswehr operations in the domestic context. Under GG Article 35 the Bundeswehr can be used domestically only under very restricted circumstances, such as for harvest assistance or to help during disasters. This exception allows medical assistance for coronavirus patients but does not permit the military to execute sovereign functions (that is, arresting someone or other coercive measures) or to deploy genuine military means like fighter jets.

Military operations by the Bundeswehr are therefore allowed only (a) in a defense situation, that is, in the event of an armed attack on German soil; (b) in out-of-area missions that require a parliamentary mandate; and (c) in limited circumstances for functions that are not genuinely military in nature. The Bundeswehr also has clear legal authority to engage in purely defensive or passive cybersecurity measures such as information sharing with the Department of the Interior-led National Cyberdefense Center since such activities are not generally considered to be military deployments.

What Does This Mean in the Cyber Domain?

The German government maintains the position that these same legal principles determine whether the KdoCIR can engage in offensive cyber operations for cyber defense purposes, or whether the military must defer to civil agencies. Operationalizing these 72-year-old legal principles into the digital domain is challenging and entails several legal gray zones.

The first question involving a legal gray zone is what type of cyberattack would reach the threshold of an armed attack against German soil and thus trigger a defense situation that enables the KdoCIR to engage in military cyber defense? A clear case would be a conventional attack paired with cyber operations—Russian cyberattacks on Georgia in 2008 are an example of this type of situation. But even in this relatively straightforward case, some ambiguity remains because the distributed denial-of-service attacks were initiated before the conventional invasion. This begs the question: When exactly is a defense situation triggered?

The legal situation is even less clear with standalone or strategic cyberattacks. Like other NATO countries, Germany adopts the position that a standalone cyberattack, severe in its scale and effects, reaches the threshold of an armed attack and could trigger the right to self-defense under the U.N. Charter (Article 51). For a cyberattack to meet that threshold, however, it must be attributed to foreign actors. In reality, most cyber incidents don’t reach the threshold of an armed attack, and states intentionally design their aggressive cyber operations so as to not trigger a conventional escalation. So, the self-defense justification is not suited to initiate military cyber defense in most cases.

This is particularly challenging for the KdoCIR because it participates in fighting hybrid warfare and information operations. After all, the name Cyber and Information Domain Service was intentionally chosen to include information warfare aspects. But information operations don’t reach the threshold of an armed attack either. Therefore, the KdoCIR claims responsibility to defend the country against hybrid subversion techniques but does not seem to have any legal justification to undertake that mission.

The chief of the Cyber and Information Domain Service, Lt. Gen. Ludwig Leinhos wanted to clarify this legal gray zone in a public debate in June 2019. Leinhos noted that the KdoCIR currently has no legal justification to defend against hard-to-attribute hybrid operations, such as Russia’s attacks on Ukraine in 2014. He argued that Germany needed to define a digital state of defense that has a lower legal threshold compared to the analog version (GG Article 115a). Creating this new standard would allow the KdoCIR to engage in offensive cyber defense on more stable legal ground. Such a definition of digital defense would correspond more accurately to the realities of cyber conflict. In a parliamentary inquiry a few weeks later, the government answered that the concept of a “digital state of defense” is not an established legal term and is not currently being used or developed in Germany. This shot down the general’s initiative, but the gray zone he identified persists.

A second question involving a legal gray zone is what type of cyberattack by the KdoCIR would constitute an “out-of-area” deployment of military force and thus require a mandate by the parliament? The situation for adjunct cyber operations combined with conventional force is clear, but it gets fuzzy with standalone or strategic operations. German legal scholars are divided on this. There are two interpretations.

One interpretation, following international law, would be that any KdoCIR cyberattack that reaches the threshold of an armed attack would constitute the employment of military use of force and thus require a mandate. But what about offensive cyber operations by the KdoCIR that do not reach that threshold? What about low-intensity, standalone cyber operations, such as intelligence, surveillance and reconnaissance or minor disruptions? Do they require a mandate? If they don't, this legal interpretation could give the KdoCIR a blank check—most cyber intrusions start as reconnaissance and then are upscaled to initiate other effects.

The Parliamentary Participation Act of 2006, which delineates when the Bundestag has authority over military operations, could be read in a way that supports this interpretation: Planning, preparatory and low-intensity missions—where no armed engagement can be expected—don’t require a mandate by the parliament. In the non-cyber world, this was meant to allow the Bundeswehr to use unarmed military observers or staff personnel in NATO headquarters. The determinant in the cyber context as to whether the parliament must be involved is whether an “armed engagement can be expected.” What this means is unclear. What does it mean to expect an “armed engagement” when hacking into a foreign system? Beyond that, do cybersecurity measures undertaken in defense, such as shutting down backdoor access or deleting malware, qualify as armed engagements (especially as some observers have taken to analogizing such activity as “hand-to-hand combat”)?

This lack of clarity stems from two crucial questions: First, whether or what type of exploits qualify as arms or military weapons? Second, are cyber conflicts inherently escalatory so that an armed engagement can be expected?

Because of this ambiguity, another group of legal scholars argue that the threshold at which the Bundeswehr is required to obtain parliamentary consent is lower than the “armed attack” threshold of international law. In their view, the intent of the Parliamentary Participation Act was to enable and not to bypass parliament veto. This interpretation is backed by a ruling of the constitutional court, which found that even passive intelligence, surveillance and reconnaissance missions with an unarmed surveillance aircraft require a parliamentary mandate. In the cyber context, this interpretation of the law would essentially prohibit the Bundeswehr from undertaking any military cyber operation without a parliamentary mandate. It is currently unclear which legal interpretation is dominant because the body of law can be interpreted in both ways.

Strategic Implications for the Preparation of the Environment

Due to the defensive orientation of the Grundgesetz, it seems unlikely that strategic military cyber operations in peacetime—namely, cyber deterrence by punishment or power projection—would be legal. This interpretation of the law seems to have one other crucial implication: German military cyber operations cannot be used for a strategic “preparation of the battlefield,” or any type of persistent engagement, a key component of U.S. cyber defense. This could severely reduce the effectiveness of defensive military cyber operations.

Preparation of the environment implies breaking into a foreign system before a future threat materializes. Goals of this activity are to observe adversary behavior and to place backdoor implants in case a future escalation occurs. The preescalation insertion of these implants is important because complex implants must be tailored and tested in advance to guarantee operational effectiveness with little collateral damage. Peacetime deployment of implants thus allows for a quicker and more effective response.

In strategic documents, German military planners seem eager to undertake this type of activity as a means to disrupt adversary military command and control or deployment logistics to slow down a conventional attack. But in the current legal framework, such activity is likely not permissible under German law. The problem for the KdoCIR is that effective preparation of the battlefield, even only for defensive purposes, may require active cyber operations to break into sensitive foreign systems. These might potentially be perceived as hostile acts, could lead to escalation and thus could legally imply an armed engagement—a violation of the defensive orientation of the German constitution. Because preparation of the battlefield activities would most likely take place in foreign military and defense networks (out of area) and could potentially invoke retaliatory measures from the adversary (expected armed engagement), they likely require a parliamentary mandate. So, the KdoCIR cannot launch them without the authorization of the parliament. A public vote by the parliament, however, might alert potential adversaries against whom these measures might be directed. Ultimately, it could be the case that any “preparation of the battlefield” for future military cyber operations—even for defense—is prohibited unless the parliament says so.

The Bundeswehr cannot resolve these legal ambiguities itself. It’s up to the courts to offer an authoritative interpretation or for the Bundestag to update the language of the Parliament Participation Act to clarify what “expected armed engagements” in the cyber domains are. If neither the courts nor the Bundestag intervene, this legal gray zone will persist.

No comments: