In Germany, the Federal Minister of the Interior, Nancy Faeser, considered two amendments to the Constitution as part of an ambitious plan to strengthen cyber security across the nation. This followed from calls to strengthen cyber resilience for federal authorities, critical infrastructure and to modernise and expand cyber security architecture in Germany. Ms. Faeser noted that cyber security threats remained high. German authorities and businesses have been the target of cyberattacks since Russia’s war in Ukraine. Disinformation, sabotage and espionage were also identified as critical issues.

Recent reports of Germany’s Federal Office for Information Security (BSI) have also indicated that threat levels to cyber security were high. Other reports in Germany indicated a series of cyberattacks originating from Ghostwriter, a hacker group alleged to be under the control of Russian intelligence services. In March 2022, Anonymous, an activist hacker collective, attacked the German subsidiary of Russian oil company, Rosneft Deutschland GmbH.

Ms. Faeser’s proposal to amend the German Constitution were therefore two-fold. She proposed to expand the powers of the Federal Criminal Police Office (BKA), to allow it to conduct so-called, ‘hackbacks’. Then to expand the capacity of BSI as the central office for federal and state governments, similar to the BKA. This would allow better coordination amongst governments.

The use of ‘hackbacks’ are not without criticism. Hackbacks are a digital counterattack in which the initial hacker is targeted. Hackbacks are designed to make a server or IT system unusable, where it is discovered to be the source of an attack. The equipment is often located abroad. Through hackbacks, it is not unheard of that servers or equipment of third parties are damaged. Their use has been discussed in German Parliament since as early as 2018. A legal basis would be needed for federal government to engage in this activity, as it may raise international, constitutional and general legal issues.

An expansion of the BSI would enhance coordination amongst governments. In Germany, cyber security policy is predominantly organised at the state level. In recent years, more states have passed their own IT security laws and have own authorities to handle cyber security issues. The expansion of the BSI into a central authority would enhance coordination between federal and state authorities. At present, the BSI only has powers to support State authorities unilaterally within a framework of administrative assistance.

While this matter has been publicly discussed, it awaits the presentation of a draft bill. Following this, a two-thirds majority in the Parliament (Bundestag) and Federal Council (Bundesrat) are required to amend the Constitution. The coalition itself does not have a two-thirds majority before the Parliament.

Author

Jacky Lui
Jacky Lui
Foreign Lawyer, Frankfurt
+49 69 2222 82500