German cyber security agency seeks power to ‘hack back’ in case of attack
“As a [German] citizen I expect that our state would remain capable of acting in the face of the emerging digital threats,” Wilfried Karl, the president of the Central Service for Information Technologies in the Security Field (Zitis), told the Der Spiegel weekly. He explained that to make this possible, German security services, including his agency, must be given wide-reaching authority in the field of cyber security.
“Would it not be desirable [to have capacity] to at least delete stolen data and documents from the thieves’ servers?” Karl asked rhetorically, as he explained what could be achieved if German security services had the legal mandate to “hack back.”
He then pointed out that legislation allowing intelligence services to plant malicious software on cyber criminals’ computers in the event of a hacking attack already exists in neighboring Switzerland. A law passed in 2015, which came into force this September, allows the Swiss intelligence service, the NDB, to plant Trojans on alleged culprits’ computers and hack into their networks.
Karl, however, criticized a proposed US bill that envisages legal ways for private companies to take retaliatory measures against suspected hackers, particularly in the form of “hacking back.” Such “offensive capabilities should be reserved for governmental agencies only,” he said.
Zitis was formed earlier this year with a directive to assist German security agencies in developing information technology tools to fight cybercrime. It was also granted powers to track the communications of potential terrorists. The Munich-based agency, which falls under the interior ministry, officially started its work in mid-September with just 20 employees. German authorities plan to increase the number of its personnel to as many as 400 by 2022.
Karl is not the first German security official to speak in favor of entrusting the country’s security network with wider powers and the legal capacity to “hack back.” In early October, the head of Germany’s domestic security service, the Federal Agency for the Protection of the Constitution (BfV), Hans-Georg Maassen, also said that German security services should be authorized to destroy data stolen from domestic servers and moved to other servers abroad in the event of an attack from foreign powers.
At a session before the German parliament’s committee that monitors the activities of its security services, Maassen said “infecting” the servers of foreign hackers with malicious software would give Berlin’s intelligence services greater surveillance capabilities over any malicious operations aimed against Germany.
At the time, Maassen was supported by Bruno Kahl, the President of Germany’s Foreign Intelligence Agency (BND), who said his division already had the necessary expertise in destroying foreign servers, but still lacked legal authority to do so.
Such suggestions, however, were not well received by some politicians and IT experts both in Germany and abroad. Konstantin von Notz, the deputy head of the Green Party faction in the lower house of the German parliament, the Bundestag, opposed such proposals, saying “[cyber] attacks are most problematic both in [a] legal and practical sense, so they should not be legalized.”
“In the cyber security field, the best defense is still a [good] defense,” the politician said, as cited by Der Spiegel. Brad Smith, Microsoft’s President and Chief Legal Officer, expressed a similar opinion. Smith even suggested adopting an international “Digital Geneva Convention” to lay down the rules of conduct in cyberspace.