Cyber Defence

Despite all the attention, cyberspace is far from secure. Why this is so reflects conceptual weaknesses as much as imperfect technologies. Two questions highlight shortcomings in the discussion of cybersecurity. The first is why, after more than two decades, we have not seen anything like a cyber Pearl Harbor, cyber 9/11, or cyber catastrophe, despite constant warnings. The second is why, despite the increasing quantity of recommendations, there has been so little improvement, even when these recommendations are implemented.
These questions share an answer: the concepts underlying cybersecurity are an aggregation of ideas conceived in a different time, based on millennial expectations about governance and international security. Similarly, the internet of the 1990s has become “cyber,” a portmanteau term that encompassed the broad range of global economic, political, and military activities transformed by the revolution created by digital technologies.
If our perceptions of the nature of cybersecurity are skewed, so are our defenses. This report examines the accuracy of our perceptions of cybersecurity. It attempts to embed the problem of cyber attack (not crime or espionage) in the context of larger strategic calculations and effects. It argues that policies and perceptions of cybersecurity are determined by factors external to cyberspace, such as political trends affecting relations among states, by thinking on the role of government, and by public attitudes toward risk.
We can begin to approach the problem of cybersecurity by defining attack. While public usage calls every malicious action in cyberspace an attack, it is more accurate to define attacks as those actions using cyber techniques or tools for violence or coercion to achieve political effect. This places espionage and crime in a separate discussion (while noting that some states use crime for political ends and rampant espionage creates a deep sense of concern among states).
Cyber attack does not threaten crippling surprise or existential risk. This means that the incentives for improvement that might motivate governments and companies are, in fact, much smaller than we assume. Nor is cyber attack random and unpredictable. It reflects national policies for coercion and crime. Grounding policy in a more objective appreciation of risk and intent is a first step toward better security.

What will the world be like in 2035? The forecast seems dire. In the four years since Global Trends 2030 was published, the biggest change in the world is the increased risk of major conflict. In 2012, a large-scale US/NATO conflict with Russia or China was close to unthinkable. Now, the post-Cold War security order has broken down, and the consequences are immense, potentially threatening globalization.

Global cyberspace is undergoing fundamental change. There are now frequent references to a “fragmentation of the Internet”, but many European and international working groups are also increasingly aware that “a free, open and at the same time secure Internet” is a global public good. However, the political rules adopted for International and European cyber policies and cybersecurity policies will always lag behind technological developments. It is the more important, therefore, to subject these rules to the over-arching norm of due diligence in cyberspace, and to do so on the national, European and international levels. This generates three requirements for Germany’s future strategic orientation in cyberspace:
- European cooperation: integrating national policies into the European framework;
- Inclusiveness: giving different interest groups broad and publicly accessible representation in formulating policies;
- Civilian response: prioritising the civilian component over the military component, particularly in times of peace.

However, Germany’s major partners are confused as to what goals precisely it is pursuing in cyberspace. It is therefore advisable for Berlin to improve its coordination and communication of responsibilities at the national and EU levels, be it on issues of Internet Governance, the fight against cybercrime, or cyberdefence.