Russia's spy leak reveals military communications risk

On March 1, Russian state media published a recording of an online call involving four senior German air force officials. They were discussing possible scenarios in Russia's war in Ukraine. This leak of sensitive military deliberations has sparked diplomatic tensions and raised concern over the cybersecurity of Germany's military, the Bundeswehr.

As German leaders try to reassure their allies over the security of its communications, more details about the breach are emerging. They suggest negligence of officers involved in the incident, and raise questions about a lack of cybersecurity awareness within the Bundeswehr in general. 

"If this is not an isolated case, but simply the only case that's come to light, then we have a problem," cybersecurity analyst Manuel Atug told DW. 

How did Russia get its hands on the recording? 

Defense Minister Boris Pistorius on Tuesday dispelled rumors that Russia had directly hacked into the meeting, which was held on the online conferencing platform WebEx. Instead, the call "may have been tapped due to an individual user error," he said.  

Authorities believe hackers intercepted the unsecured connection one of the participants used to dial into the meeting from a hotel room in Singapore, a violation of security protocols. 

The official was in Singapore for an air show that attracts military personnel worldwide. Such events are "catnip for Russian intelligence services," Pistorius said. Russia has used them in the past to conduct "targeted eavesdropping operations" also in the hotels where conference participants were staying.    

The interception of the published conversation was likely "a fluke as part of a broad and scattered approach," Pistorius added. 

Discussing classified information on WebEx? 

While Bundeswehr officials have been labeling the breach as an individual mistake, the discussion has shifted to whether officials should have used the WebEx software to discuss potentially classified information. 

"There are clear protocols: no classified information may be discussed on WebEx," said cybersecurity analyst Atug. "Classified information may only be communicated via classified systems." 

The Bundeswehr uses four levels of classification for confidential information. Only information classified at the lowest level may be discussed over certain encrypted WebEx video and audio calls.  

In other cases, conversations must be conducted using specific, certified hardware and software, often in a tap-proof environment. In practice, this means that military and government officials abroad often have to go to an embassy to make such calls.  

So far, it is unclear whether the Air Force officials were indeed sharing such highly confidential and secret information in their chat. Defense Minister Pistorius declined to answer a DW reporter's question on this matter, citing the ongoing investigation. 

A broader problem? 

Critics say the incident points to a broader lack of awareness of cybersecurity risks within the German military. 

"During this whole conversation, no one seemed to sense the risks, no one addressed them or suggested alternatives," Anke Domscheit-Berg, a member of parliament for the opposition Left Party, told DW.  

"They obviously felt safe, even though they were communicating under high-risk circumstances," she said.  

With all the participants being high-ranking military personnel, the breach highlighted a lack of cybersecurity awareness at the highest levels of the Bundeswehr, she added: "This makes them the worst possible role models for the entire defense sector." 

What are the consequences? 

If the investigation finds that classified and highly sensitive information was indeed discussed over WebEx in violation of existing protocol, the officials involved in the call could face disciplinary action.  

But critics say the consequences should go further.  

"This incident should be a wake-up call for the entire German government to finally make IT security a top priority," says lawmaker Domscheit-Berg. This applies not only to the country's military but to its entire public digital infrastructure. 

"More training in the basics of IT security is needed — at all levels," she said. 

DW's Chief Political Editor Michaela Küfner contributed to this report. 

Edited by Rina Goldenberg.

While you're here: Every Tuesday, DW editors round up what is happening in German politics and society. You can sign up here for the weekly email newsletter Berlin Briefing.