
Keynote speech delivered by BfV President Dr. Maaßen at the 12th Security Symposium of the European Commission held in Brussels on 14 December 2017

Subject: "Digital Sovereignty in the Cyber Space"

– Check against delivery! –

I. Introduction

Ladies and Gentlemen,

In the decades of the East-West conflict, security policy was self-explanatory and tangible. The watchtowers, the Wall, and the barbed wire were a daily demonstration of the fact that in a bipolar world order, security was being defended at a physical border. We were facing a visible opponent at a front line, which divided Germany and Europe into two parts.

Barely 30 years after Europe's reunification, there is a completely different situation. Today, it is the dissolution of borders rather than their existence which poses a threat to our security. We no longer operate in a symmetrical, bipolar system of states, but are heading for a multipolar world dis-order that is marked by asymmetrical wars, asymmetrical terrorism, and asymmetrical attacks in the cyber space.

This is also the result of a period of digital transformation, which is not yet over!

Periods of transformation, in which old structures loosen, are often characterised by insecurity – but one thing is for sure:

The disruptive energy of digitisation fuels the beginning fragmentation of the global power structure!

In the 21st century, questions of security and power are answered in more than one area, with the cyber space being one of them. Cyber technologies are now major "game changers" in all relevant fields, including the military sector, economy, media or politics.

This is also a challenge to security policies in all fields. It is posed by cybercrime, cyber espionage, and cyber sabotage on the one hand, and cyber activities conducted by terrorists and extremists, who are also active in the cyber space and use its kind of lawlessness to their advantage, on the other hand.

We cannot accept and do not want to accept, however, that the cyber space develops more and more into a hot spot. The more digitisation transforms our real world, the less we are supposed to tolerate that the cyber space is becoming a no-go area for the state with its 'rule of law' principle. As vigilant democracies and as the European Union, we have to defend and to strengthen our digital sovereignty.

Against this background, I would like

  1. to contemplate the cyber space from the perspective of our sovereignty and

  2. to outline the necessary steps we should take with regard to security policy both in the short and the long run.

II. Horizontal and Vertical Diffusion of Power

Ladies and Gentlemen,

Please let me first present an abstract view of digitisation, for the cyber space is the place where a major phenomenon of the 21st century occurs in a particularly distinctive form:

I refer to the horizontal and vertical diffusion of power!

While struggles for power and shifts of power between states have been the rule from a historical point of view, digital technologies have caused an unprecedented diffusion of power and influence – also to other, non-state actors! By the dynamic dissemination of information, digitisation links formerly distant centres of potential conflict horizontally, increasing the range of ideologies and convictions. On the vertical axis, there is a continuous increase in actors. Not only states, media groups and journalists, but also private persons may fully benefit from the new technologies and possibilities.

Digital technologies spread information over a broad area without charging a fee. The concept for success of the digital leaders and messenger services is based on this supposedly free communication. As vectors of information, their algorithms direct and influence data flows and discourses, which makes the digital leaders the 5th power besides the traditional media, which have thus been losing their monopoly as the informal 4th power or Fourth Estate. Innumerable relations of senders/receivers have been formed, who often communicate and publish anonymously.

The mobilisation potential of digital platforms and chat communities is enormous in terms of range – thus being able to influence also the security situation. The G20 Summit in Hamburg, a major event of this year, for example, resulted in severe clashes of an international mob in July; the latter had been largely organised and co-ordinated through campaigns on left-wing extremist digital platforms.

Or look at the recent developments in Turkey, one of our NATO allies: The attempted coup in Turkey has activated complex lines of conflict between Turks and Kurds as well as between Erdogan opponents and adherents. It is easy to see that this is susceptible of affecting Europe's internal peace and our external relations to Ankara.

A single, uncorroborated piece of information on the bad state of health of PKK leader Abdullah Öcalan, who is incarcerated in Turkey, spread like wildfire overnight on the web in mid-October, mobilising hundreds of PKK supporters in dozens of German cities (BfV Schlaglicht of 30 Nov. 2017, 'Verstärktes Aktionsaufkommen von Anhängern der PKK anlässlich der Haftsituation Öcalans').

In a world where each message and each scene of horror is only a mouse click away, formerly distant conflicts and philosophies now live in theories, tweets, and deeds directly in our midst.

This is also true for Islamist terrorism, which has long since expanded from the local area to the cyber space. They have been preaching a cruel pseudo-jihad there, which has abandoned any realistic aims, any understandable political demands and a really tangible organisational form.

This digital caliphate with its unlimited radius meets, like an ideological "shop of violence", various motivations and uses pop-cultural marketing strategies. It makes full use of the whole scope of the cyber space in order to inspire, to recruit and to co-ordinate adherents.

It is the breeding place for a sort of terrorism which communicates on a global and acts on a local level, which no longer knows any cultural, language or moral limits, and which demands only one thing of its adherents: their commitment to senseless and unrestrained violence against everything and everyone who does not submit to the dictate of a murderous ideology thinking in terms of black and white.

The consequence is that the workload of the security agencies has been growing permanently. On the one hand, we are confronted with the old al-Qaeda cadres, the scattered IS combatants gone into hiding, highly professional terror squads like in Paris, Brussels, or Manchester, and on the other hand with severely radicalised children, youths, and unstable persons, who use the simplest means as weapons to kill other people right next to them at random – and without any prior warning. So we are dealing with completely different terror scenarios, perpetrator profiles, and modi operandi.

At the same time, however, Islamist terrorism has condensed, after numerous metamorphoses starting from guerrilla warfare in Afghanistan's mountains, into the core of terror: into pure violence and the sheer "propaganda of the crime", which, spontaneously and at random, stabs the customers of a Hamburg supermarket with a kitchen knife stolen directly on the scene or runs over people in the street in Nice or New York, Barcelona or Berlin with a vehicle, killing them without hesitating!

Often, the terror is co-ordinated via the smartphone and propagated on the web afterwards. The smartphone is a perfect example for the effectiveness and power of the new technology: It makes communication not only mainstream, but also smart. It endows its user with enormous capabilities, including expertise formerly difficult to access, compressed into the tiny space of a microchip. Every civilian is potentially invited to buy, even without having technical knowledge, extensive encryption and communication capacities at a moderate price.

III. "Going Dark" and Islamist Terrorism

Ladies and Gentlemen,

In this connection, I would like to address an issue which in security circles is often referred to as "going dark" and which I cannot leave uncommented: "Going dark" refers to a paradox: the situation that in spite of massively increasing data volumes, we are less able to obtain intelligence on individuals under investigation when the latter use modern services like Telegram or WhatsApp.

Foreign providers, such as Facebook, are not obliged to cooperate with our security agencies. In our opinion, providers should be obliged to co-operate fully with the national authorities in the country where they offer their services, according to the marketplace principle, so that terrorists or extremists cannot evade monitoring, by German authorities, for example.

Previously, there were – if at all – provider-based encryption systems, and there was the possibility of decryption. Today, the users have their own anonymisation techniques, which neither the providers nor we are able to eliminate just like that. Terrorists exploit the security agencies' lack of access systematically to their own ends.

From our point of view as an intelligence service, it would be appreciated if industry and political decision-makers would find a common line in this field to preserve the positive effects of encryption while allowing – in justified individual cases – for the possibility of decryption.

It is definitely not a question of further restrictions on civil rights, but our concern is to restore our former legitimate possibilities of investigation, which we have been losing due to the technical development!

In Germany, we commemorated the victims of the left-wing extremist terror of the so-called German Autumn this year, who were killed 40 years ago, in late 1977. In September and October 1977, the self-styled "Rote Armee Fraktion" (RAF) wanted to blackmail the state and bring it to its knees by assassinations and kidnappings. The terrorism of the seventies had a formative influence on Germany's sense of security and its security laws. At that time, mobile communication meant at best walking to the phone booth.

Today – 40 years later – we do not chase any more a single clandestine group communicating via secret messages, but whole networks; people from all over the world are literally involved in the crime now.

In our capacity as intelligence services, we have to keep an eye on international communications to a much greater extent these days. We have to co-operate much more closely with foreign liaison services. We have to make much more efforts in the field of preliminary investigation or preventive intelligence gathering and threat assessment. We have to identify micro-groups and lone wolves and have to investigate their cross-linkages and relations of knowing each other.

At present, we have about 10,300 Salafists in Germany as well as approx. 1,900 individuals (Date of information: 18 Oct. 2017) considered to belong to the Islamist terrorist scene. Their communication mainly takes place in the cyber space. Given the practical constraints mentioned above, the security agencies must be enabled to close the technical security gaps in order to be able to fully exercise their powers again – for currently it is often just the security agencies' opponent who benefits from technological progress!

IV. Cyber Espionage, Cyber Sabotage and "Digital Proliferation"

Ladies and Gentlemen,

It is not only the terrorists who take advantage of technological progress: Cyber technologies optimise processes in industry, research, transport, or securities trading. And they optimise espionage and sabotage:

In the past, a few agents used to take many risks in order to reach protected places and to gain exclusive information. Today, quite the reverse is true: Many people just need to take little risks in order to be able to cause much damage and to steal large quantities of sensitive data.

In the 21st century, hackers infiltrate and sabotage critical infrastructures, computer networks, bank accounts, production lines, and email accounts – without even the necessity of rising from their chair!

Intelligence services no longer primarily count hostile tanks and missiles on satellite pictures, but rather the daily cyber attacks on company, military, or government networks.

Technically sophisticated espionage campaigns may run for years, with the malware modifying itself. Due to the large degree of interconnectedness between the real world and the cyber space, they meet with many points of attack and a perfect selection of victims.

The cyber-attack campaign APT 28 constitutes one of the focuses of attention of BfV's anti-cyber section. As you may know, APT 28 is a long-standing attack operation of international outreach, which has caused damage worldwide. Also the attack on the German Bundestag in 2015 was part of this campaign.

The cyber campaign APT 28 is of Russian origin (BfV Schlaglicht of 29 June 2017, 'Die russische Angriffskampagne APT 28 – aktuelle Entwicklungen') and was used not only for the purpose of espionage in the past, but also for influence operations, such as the false-flag operation conducted in April 2015 against the French television network TV5 Monde, in the course of which alleged Islamist hackers disseminating IS propaganda inflicted damage running into millions of euros on the TV station. A subsequent analysis, however, revealed APT 28 as the originator.

The range of electronic spying generally covers all strategic areas; the targets include, apart from industry, the political sphere, science, research, and industrial plants. We have recorded attacks on government and administration networks, on IT and cloud providers.

According to official data, about 50 percent of all German companies have already been the victim of digital industrial espionage, sabotage, or data theft. I do not dare to imagine the number of unreported cases.

If worst comes to worst, German and European companies may lose their competitive advantage, when expertise worth billions disappears in a data cable, which only cost a few euros.

Whoever is able, however, to penetrate sensitive networks as a cyber agent, can quickly become a cyber saboteur, too, by developing the malware modules in the victim's system into offensive weapons.

Please remember the so-called "WannaCry Virus" of May of this year:

In this classic case, criminals who could not be clearly identified exploited, using a professional modus operandi, dangerous security gaps in widespread operating systems, inflicting damage on companies and users worldwide who had not responded adequately to warnings by ignoring them, taking insufficient action or reacting too late.

Serious cases of cyber sabotage or even cyber terrorism have not been noted in Germany so far: Still, BfV has highlighted the potential threat for years. I have already mentioned that in the wake of digitisation, sensitive IT capabilities can be spread or sold to the highest bidder vertically and horizontally.

That means that security in the 21st century inevitably involves having the risks of "digital proliferation" on the radar! The theft and subsequent distribution of "weaponisable IT knowledge" will be a big challenge to our counterintelligence services.

V. Power Politics in the Cyber Space

Ladies and Gentlemen,

As all of us will be aware, cyber operations also brutalise international relations. Cyber operations work on a scale between the poles of war and peace, because they take place in a twilight zone below the military threshold and are difficult to attribute to a certain attacker.

This obviously lowers the inhibition level for activities conducted by state as well as non-governmental actors, who have started violating the sovereignty of countries, governments, or enterprises directly.

  • violent border changes in Ukraine,

  • foreign influence exerted on the US presidential elections,

  • foreign interferences in Emmanuel Macron's election campaign,

  • attacks on the German Bundestag by hackers,

  • disinformation campaigns in social media,

  • and leads that mostly point to Moscow:

This is not a sketch of a second-class novelist, but these are the headlines dictated by reality!

The enemies of our open-minded society meticulously analyse our weak points and target them out of the dark. Though their operations may begin under cover of the dark cyber space, their consequences will later show themselves in the glaring light of the real world. Against this background, the immense Russian disinformation campaign in the Crimea was a didactic example of hybrid warfare.

These strategies virtually turn the Western approach to integrated crisis management – the so-called Comprehensive Approach – upside down:

Hybrid threats stimulate conflicts by isolating and de-stabilising its individual components. The aim is to disrupt states, to deprive governments of their legitimacy, and to discredit the elites that way. It is a game with the player using an invisibility cloak. This game wants to erase all traces and to distract our attention, draw it inwards, wants to foment conflicts and to bring the spirit of discord into society.

We are witnesses that not only the civil and military infrastructures of a country may be at risk from sabotage, but also the political resistance of a society, with propaganda, disinformation, and calculated indiscretion being the instruments.

This has been a special concern to the Federal Republic of Germany in the election year of 2017. BfV set up a task force, which was responsible for monitoring relevant cyber-attack campaigns such as APT 28 and keeping social media under increased observation, in order to be able, if necessary, to quickly respond to any attempts of exerting unfair influence on the parliamentary elections.

In addition, we have co-operated successfully with European and US liaison services. Both as a Western alliance united by common values and as the European Union, we are the target of such campaigns and should meet and counter them collectively as a unified front! As European partners, we have to become immune to the age-old "divide et impera" strategy, the strategy of "divide and rule!", by standing together, engaging in co-operation and exchanging our intelligence.

VI. What should we do?

Ladies and Gentlemen,

This leads me to the question of how to react to these challenges. As a first step, we have to admit that for a long time we have exclusively focussed our attention on the profits and gain in convenience ensuing from digitisation. All of us want to web a link to progress, but nobody wants to be caught in their enemies' web. The age of digitisation does not only link chances and potentials, but also risks and dangers. In the cyber space, the promises are great and the risks immense.

In the field of IT policy, we decide today about the risks of tomorrow. More than ever, it is worthwhile to turn our attention to the aspect of risk management. Security in the 21st century depends not only on technical solutions, but also on strategic decisions and concepts of restraint.

The centres of conflict in the Middle East, in Ukraine, or in Africa are clear and drastic signs of our times. But there are also dark and covert signs – and we find them in the cyber space. Most often, we need to take a closer look and decipher their codes, but they are the same drastic signs of the battle for influence, coming up, however, as digital forms of power politics. Digitisation has been dissolving borders – but does not resolve conflicts of interests!

We Europeans have much to lose: political influence, technological expertise, prosperity, or our democratic achievements. We do not have much time and must analyse risks and facts without reserve. To this end, transnational security alliances are essential – these days more than ever. At both national and European levels, we share the same problem: that our security as well as our sovereignty are being attacked, by the same threats, emanating from the same cyber space.

Ladies and Gentlemen, we are currently in a conference room bearing the name of Alcide De Gasperi, one of the founding fathers of the European Community!

When we are thinking of the success story of this European Community, we will recognise the positive synergy effects resulting from national sovereignty in combination with a fusion of our resources in Europe!

After World War II, a common effort was required to protect Western Europe's freedom. Now we should really find the courage and realise that it would be of much benefit to a unified Europe if we developed European IT sovereignty through joint action and common initiatives.

Isn't it true that we once, by setting up the European Coal and Steel Community(1) or the European Atomic Energy Community(2), laid the foundations and milestones for successful and long-term community projects? Why should this not be possible in the field of digital forward-looking technologies, too? With Airbus, Europe has already proven to be able to be a global competitor in the aeroplane business.

There is undoubtedly a broad alliance of interests in the field of secure IT technology. It is high time to realise, even if this is painful, that efficient IT security must not be a patch-up job, but a solid construction starting with the basics. For decades, cyber security has at best been stuck as a makeshift plaster to digitisation's skin. The more digitisation penetrates society's organs, the more we are required, however, to fundamentally strengthen its cyber resistance.

We still have no operating systems, no basic IT, no instant messaging services, and no social networks, briefly speaking we have no base in the cyber area, allowing robust digital sovereignty. We have to reduce our dependence on US and Asian computer technology! Such efforts are projects that require concerted action, shoulder to shoulder, on a European level.

"Think big" in this context is not an indication of megalomania, but one of being conscious of the problems. In Israel, a "technology park" is under construction in the desert near Beer-Sheva, which concentrates science, military, and private industry in a tight space. Ideally, many actors will develop innovative high-tech products, prosperity, and security there in an alliance of interests.

In terms of a "digital dual strategy", however, we should also attend to the global phenomenon of digitisation on a global level, in addition to our European commitment. There are historical examples of how to ease the security dilemma in the anarchic state system by means of confidence-building measures, political treaties, and international regimes. It would be of benefit if we were able to counter the security dilemma in the cyber space by similar initiatives in a long-term perspective.

A possible approach would be that of international agreements on containing and restricting the cyber war. The outlawing of the first strike with cyber weapons used against civil infrastructures might be an equivalent to the SALT Treaty, which was designed to protect the international community from the uncontrollable effects of a nuclear war. Similar to nuclear arms control, joint action to counter cyber wars would replace the all-play-all battle in the cyber space.(3)

The pacification of the cyber space is in the best interests of all of us. A unilateral European appeasement policy in the cyber space, however, would be in the interests of our opponents!

VII. Conclusion

Ladies and Gentlemen,

In the past 30 years, we have repeatedly extended and adapted our security conception.

We have experienced that the world order of the East-West conflict was not to go on for all eternity, though it was based on the fundaments of two superpowers and their nuclear arsenals!

At present, we are witnessing the United States' global presence and our transatlantic partnership undergoing a stress test.

We should not take it for granted that our economic prosperity, our technological expertise, and our free democracy will last for all eternity!

We have to protect and to defend them every day in the age of digitisation! Otherwise, there will be the risk of a "silent ruin"(4) in the long run by thousands of pinpricks from the cyber space, with cyber espionage and cyber sabotage, disinformation and influence operations undermining our sovereignty.

A security conception that does not explicitly consider the parameters of the cyber space is ignorant. A security policy that does not involve digital risk control is deficient.

Our security architecture must adapt to the building materials of the age of digitisation so that it is stable and durable. Botched building work would cost us a lot. For such a complex workpiece, the combined expertise of many theorists and practitioners is needed.

But the building costs are worth their while, for cyber security today is decisive to our sovereignty of tomorrow.

Thank you very much for your attention.


(1) ECSC – established on 18 April 1951 by the Treaty of Paris by Belgium, the Federal Republic of Germany, France, Italy, Luxembourg, and the Netherlands.
(2) EURATOM – established on 25 March 1957 by the Treaties of Rome by France, Italy, the Benelux countries, and the Federal Republic of Germany.
(3) Richard A. Clarke / Robert K. Knake, 'World Wide War – Angriff aus dem Internet', Hamburg, 2011, page 342 – Original: 'Cyber War: The Next Threat to National Security and What to Do about It', New York, 2010.
(4) Sandro Gaycken, 'Cyberwar – Das Wettrüsten hat längst begonnen', 1st edition Munich, 2012, page 241.
