Germany's critical infrastructure is poorly protected

It was big news when Germany's interior minister fired the country's cybersecurity head Arne Schönbohm this month. The decision came following reports that he had contacts with Russian intelligence services. The national cybersecurity agency, BSI, is the federal office responsible for IT security in Germany and reports to the Interior Ministry. 

This latest event again puts the spotlight on how delicate the situation is in Germany when it comes to "critical infrastructure" — systems so vital to a country that their incapacity would have a debilitating impact on national safety and security. This includes power grids, rail links, and the production processes of major industrial companies.

Security experts have long sounded the alarm that important infrastructure in Germany is hardly protected, especially against cyber attacks.

"There is a lot of infrastructure in Germany that is particularly relevant and needs to be prioritized,” Alexander Fekete, Professor of Risk and Crisis Management at the Technical University in Cologne, told MDR public radio. "This critical infrastructure is essential for basic supply, for example, with water, electricity, heating, but also for spreading information."

Such critical infrastructure includes transport and traffic. A few days ago, an attack on the German railway made headlines: Essential cables of the railway network's communication system were cut, paralyzing almost all rail traffic in northern Germany. Investigators assume sabotage, but who the perpetrators are is unknown. The only thing that is clear is that the railroads were more or less defenseless in the face of this attack, and that the perpetrators knew exactly which cables to cut where in order to sabotage the rail traffic of an entire region.

Who is responsible for infrastructure protection?

An estimated 80% of the critical infrastructure in Germany is privately owned, by industrial companies, for example. But government agencies are also increasingly falling victim to hacker attacks, including the federal parliament — the Bundestag — and federal ministries. Konstantin von Notz, security policy spokesman for the Green Party in the Bundestag, told DW: "Whether it's the attack on the German Bundestag in 2015, or on numerous companies or municipalities — Germany has been facing very widespread attacks on critical infrastructure for years. IT security in Germany has been in a poor state for years. Despite multiple warnings and countless debates in the Bundestag, the massive security risks have never been adequately addressed due to a completely wrong political prioritization."

After Russia's invasion of Ukraine in February 2022, Germany vowed to step up its defenses.

"Germany is very vulnerable when it comes to critical infrastructure,” Roderich Kiesewetter, a security expert with the largest opposition party, the center-right Christian Democratic Union (CDU), told DW. "This is partly due to the fact that the vast majority of critical infrastructure is privately owned, which means that protection is primarily the responsibility of private operators. On the other hand, Germany lacks a strategy to ensure better safeguards against attacks on critical infrastructure. Cyber protection measures are primarily directed against petty criminals. Our society's resilience is weak because there has been insufficient investment in crisis preparedness and prevention measures," Kiesewetter said.

Too little investment in protection

All experts agree that in the short term, Germany needs to increase awareness and encourage companies and citizens to do more to protect themselves.

Neither companies nor state authorities have invested enough in network protection in recent years. The Minister of the Interior, therefore, wants to take action now: She has set up a coordinating body of all federal ministries to finally counter the ever-increasing dangers. 

In 2011, the federal and state governments named nine "critical" sectors: Transportation and traffic, water, energy, food, finance and insurance, health, information and telecommunications, waste disposal, media and culture, government, and administration. These are seen as critical because life simply does not function without them. Experts are now advising that less emphasis should be placed on using police resources to combat hacker attacks and sabotage, as was the case with the railroads, and instead invest more into making the systems less vulnerable to attacks. 

Operators of critical infrastructure are subject to industry-specific security standards developed by the BSI. Private operators are required to report attacks on their IT systems to the agency. And from May next year, they are required to deploy systems that can quickly detect attacks.

But right now, the office is busy with internal matters following the affair involving its former head. And as for German companies, they will find it hard to spend a lot of money to protect themselves better against hacker attacks, while coping with spiraling energy costs.

Chinese blackmail potential

Meanwhile, security experts pointed to a new potential threat to critical infrastructure. Differences erupted over the approval of Chinese investment into a container terminal in the Hamburg port.

The Green Party-led Economy Ministry was advising against the involvement of the Chinese terminal operator Cosco acquiring a large stake in such critical infrastructure, pointing to "blackmail potential." The Chancellor's Office, on the other hand, was pushing for the investment to go ahead. This week, a compromise was reportedly reached, paving the way for Cosco to take over a 24.9% stake, which would limit China's influence.

Bruno Kahl, the head of Germany's foreign intelligence service, BND, has warned against naivety toward China. Speaking before a parliamentary panel on security last week, he said he viewed Chinese corporate investments in German infrastructure "very critically."

The Chinese government has called on Berlin not to politicize mutual trade relations or resort to protectionist measures "in the name of national security."

 

This article was originally written in German.

While you're here: Every Tuesday, DW editors round up what is happening in German politics and society. You can sign up here for the weekly email newsletter Berlin Briefing.