Germany reserves the right to launch a military strike in retaliation for future cyberattacks, the government has said in a statement that comes as a surprise given the country’s historic reluctance to use its army.
“A cyber operation can under certain conditions constitute an ‘armed attack’ under the definition of Article 51 of the UN Charter,” the government wrote in a response, seen by Handelsblatt, to a question submitted by a lawmaker from the opposition Free Democrats (FDP). “The Federal Republic could react to this with all permissible military means.”
Which means are chosen depends on the individual circumstances, but it includes the option of using the Bundeswehr, or Germany’s armed forces.
In 2016, NATO member states defined the cybersphere as an operational area, meaning that attacks via data networks are now treated in the same way as attacks by land, sea and the air. Computers are regarded as weapons, so in most cases the military response to cyberattacks will be confined to cyberdefense.
Germany, like many countries, is beefing up its defense against cyberattacks and set up an entirely new branch of its military, the Cyber and Information Domain Service Headquarters (CIR), which will operate alongside the land forces, air force and navy.
So the government’s reference to “use of the Bundeswehr” would in all likelihood mean getting CIR on the case rather than scrambling a squadron of Tornado jets. That would only be considered in an extreme case, for example if hackers sabotaged the power supply or a dam, resulting in civilian casualties.
“With cyberattacks you don’t get 100 percent certainty on who actually carried it out or whether it was on the orders of a national government.”
But experts doubt whether Germany, which has inherited a staunchly pacifist streak from the militarism and crimes of the Nazi era, would ever dispatch Tornados to neutralize cyberwarriors, or if that would even be feasible given how difficult it is to pinpoint the precise origin of such attacks.
“I’m very surprised that the German government would consider all military means, conventional and digital, in the case of a cyberattack and wouldn’t even shy away from a foreign mission by the Bundeswehr,” Stephan Thomae, the FDP politician who submitted the question, told Handelsblatt. “With cyberattacks you don’t get 100 percent certainty on who actually carried it out or whether it was on the orders of a national government,” Mr. Thomae cotinued.
Despite tough talk from Germany, its government has been overcautious about apportioning blame for recent cyberattacks even in cases where the evidence was clear. At the start of the year, Berlin perturbed its foreign allies by not joining the international condemnation of Russia, accused by the US, Britain and Denmark of being behind the devastating ‘NotPetya’ cyberattack.
“The German government needs to explain how it proposes to credibly deter cyberattacks if it shies away from publicly naming attackers.”
“The German government needs to explain how it proposes to credibly deter cyberattacks if it shies away from publicly naming attackers and from presenting concrete evidence,” said Matthias Schulze, a researcher at the German Institute for International and Security Affairs, a think tank.
At the same time, security experts and business leaders are calling for clearer international rules to boost cybersecurity and lessen the risk of military escalation. The CEO of Deutsche Telekom, Timotheus Höttges, called for the creation of a “world organization for cybersecurity,” similar to the World Health Organizaion. Microsoft has suggested agreeing a “digital Geneva Convention” to ban the use of certain cyber weapons.
The German government doesn’t see the need, saying international law already prohibits them. If only that were enough to stop them.
Donata Riedel covers economic policy for Handelsblatt. Moritz Koch was Handelsblatt’s Washington correspondent between 2013 and 2017. Since the summer of 2017, he has been a political editor in Berlin. To contact the authors: email@example.com, firstname.lastname@example.org