Event Recording

Germany's Cybersecurity Architecture and How it is Linked to International Actors

Log in and watch the full video!

Christina Rupp has co-authored a publication of the Stiftung Neue Verantwortung, a Berlin based Think-Tank exploring the intersection of technology and society, on Germany’s Cybersecurity Architecture. In her introductory talk, she will provide insights into the development and status quo of Germany’s cybersecurity architecture and policy as well as its interplay with international levels such as the European Union.

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Subscribe to become a client
Choose a package  
Thank you very much Ed. As has been mentioned, I will give a brief introductory talk on Germany's cybersecurity architecture and how it is linked to international actors. As has been mentioned, I'll be mostly focusing on like a political, I will take a political perspective to it and I will briefly introduce as it's a very unpronounceable German name, We are an independent nonpartisan think tank that works at the intersection of technology and society. So we are only looking at check policy issues and I work in the team that is focused on international cybersecurity policy. Here you can see my, my great colleagues, we are kind of almost an all female team and we are working on several issues. So we are working on applied political science, so we do policy studies, we also do exercises and we publish regularly documents and policy recommendations. Then we also have some regional expertise that is mainly, of course we have it on Germany, the European Union, but also my colleagues have conducted like cybersecurity policy exercises in different countries including Armenia, Costa Rica, Kosovo Jordan, Kenya, Mexico and Run and South Africa.
So we also take a very holistic approach and look at how other countries are doing cyber security policy. And then of course we also engage in advocacy work, doing policy analysis, media work and colleagues are represented on certain boards. And then we are also engaged in community building. So we think that it is important to bring people together as we, as it's done here today. For example in a transatlantic cyber forum or within the Global Encryption coalition or stronger internet coalition. And just at the, at the bottom you can see the funders because we are kind of a non non-profit organization, we require funding and these are our current funders. And just to set the scene a little bit, this is probably known news to the most of you, just a brief overview, what we understand as cybersecurity, so in the middle we have the kind of protection goals of IT security that are availability, confidentiality and integrity.
And for us cybersecurity kind of builds on IT security, but we understand as as much more broader and like some of the crosscutting issues. So that also includes legal aspects, sociopolitical aspects like awareness of course also geopolitical aspects, which is very predominant right now unfortunately with the Russia's war Ukraine. Also political aspects like how do you actually make policies on cybersecurity, economic aspects as well as organizational aspects play a role. When we look at like somehow how cybersecurity has evolved in Germany, again a very political point of view, we have like somehow done a keyword search for the term IT security and cybersecurity in the documents of the German bonus tag, so the German parliament and it's just an indicator of course it's just a number kind of, it doesn't really say something about the content but still we found that it is kind of interesting to see that there is a real dynamic that the topic has gained traction.
I think in 1991 I think IT security or cyber security was mentioned one time and now we are almost at around 400 hits. So you can really see that the topic is politically gaining traction and this is also the case for when we extend the words IT security and cybersecurity and add the words policy to it. It's a slightly different picture. You see that like somehow only since 2016 and 2017 that these these words or keywords have really like entered entered the political debate. But it really shows that IT security not only the term IT security but also the connection to policy is getting more and more important and more and more involved. And also the term cybersecurity architecture is in the last year's gaining to action, which I will tell you more about in just a few minutes what a cyber security architecture is and what we understand as a cybersecurity architecture.
This is a kind of an exemplary timeline of how German cyber security policy has evolved again. And kind of it is the dynamic is kind of linked to the to the curve that we have seen in the previous, in the previous slide. In yellow we have the policy documents at federal level in slight, slight orange, light orange we have actors at federal level and in darker orange actors at federal state level that have been established and it already started quite early in 1991 with the bse, the federal office for information security that still exists and is the main central body for information security. Then in 1991 it started with the key elements on German encryption policy that have been published. In 2005 the government decided on a national plan for information infrastructure protection and then in 2011 the topic really gained traction and importance and really entered the political debate.
And this was mainly because the German government for the first time published a cybersecurity strategy that was also linked to the establishment in light yellow to the National Cyber Defense Center and the National Cybersecurity Council as well as also that the topic has been covered not only in interior policy but also the German foreign office. The Ministry of Foreign Affairs has kind of realized that it has to deal with the issue of cybersecurity. And so they established a cyber foreign policy and cybersecurity coordination step with, with dedicate with a dedicated ambassador for cyber foreign policy at its head. In 2012 the German government at the BSE also founded the so-called Alliance for cybersecurity, which is a multi-stakeholder kind of cooperation and like it includes public and private entities and the goal is to share information, share best, best practices, organize events, and just like somehow build a network of actors that are interested in ensuring and enhancing cybersecurity.
Then in 2016 the first cybersecurity was a strategy was updated and also the German armed forces and cybersecurity has come started to play a role when it comes to German defense and the German armed forces with the setup of the cyber information domain commando and also the central office for information technology, which is kind of a, an agency that is supposed to like some develop tools for the security, for the security sector. And then we see like somehow dark orange actors start to emerge also, which is the federal state level, which is kind of specific in Germany that we have 16 federal states. And it also shows that it is like a slowly slow development but they have also started to set up their own dedicated national actors responsible for IT security. And then just at the end of last year, shortly before the new government entered into forest, kind of the last government updated the cybersecurity strategy.
And so we have a third cyber security strategy in place, which is kind of like somehow the current framework, the new interior ministry has established a cybersecurity agenda and we'll work on updating the cybersecurity strategy again. So we can expect probably an update maybe in the next year or the year afterwards this like someone we have seen that there is a dynamic that there are more and more actors kind of popping up and this has been kind of the goal for us or my colleagues, like my colleagues been happy since 2018 to kind of start mapping this ecosystem because they are more and more actors popping up. But to actually see how they are linked to each other, who is doing what was kind of the goal that was that made this publication happening. So we have it since 2018 and we updated twice a year and we just had it, the last update was published in September and the 10th edition will be published next year.
And I've talked about it in the beginning about cybersecurity architecture and as we understand it, of course it's, it's related to the political level For us, cybersecurity architecture includes all actors, government agencies, platforms, organizations that are part of the national and international ecosystem according to the national definition of cybersecurity. And then of course it is interesting because we look at Germany cybersecurity architecture, what is then the, how does the German government define cybersecurity And in the latest cybersecurity strategy it can be roughly translated as my own translation. So this is for record that this is not the official translation from the German government, but they define cybersecurity as the IT security of the information technology systems networked or networkable in cyberspace at the data level. So kind of then it's interesting what actors fall under this definition, what actors are involved in it. And this was kind don't be like somehow this leads to a chart we've tried to visualize according to certain political levels.
So we have the national level of course with the federal level in Germany, the federal state level with the 1616 federal states. That's why this this area is quite covered a lot when we have 16 states and the their corresponding entities. And then of course we have the local municipal level which is kind of, it has only five vectors because we have only covered it very in abstract terms because if we were to cover all the municipalities and cities in Germany, it would, it would make the chart even bigger. But of course cybersecurity is cross cutting issue. We've established that. But it is also topic that doesn't stop at national borders. So that's why of course also international levels play a role for national actors and for for the national level we have covered the EU level, the nature level and the UN level as well as other international actors.
And later I will dive deeper into what is actually the connection between the federal level and each of these international levels. To give a rough overview, it maybe should also be mentioned that in D chart we only cover gov governmental and directly related actors and all the information, it is available as an interactive version on our website. So you can click on each of the actors and see with which actor they are actually linked. And it is also explained below the chart a short actor description as well as the explanation of why the actor is linked to the actor X, Y, X, Y, Z. But all of this is based on open source information. Sometimes we do validation interviews, but this is just as a disclaimer that of course when you're working in a an organization something you might look differently for you. But this is just what all the public knowledge that we have tried to tried to collect.
And then we have seen, it's actually 384 actors that are in this chart. And one year ago we tried to like somehow actually see and add like a qualitative level to see is there a way that we can categorize the actors that are involved in a cybersecurity architecture or that a cybersecurity architecture is composed of. And we came up with six categories that I would like to just go briefly over one after the other. And the first is education and training. And these are actors that organize and provide education training platforms in the area of cybersecurity by training or courses, which is for example the federal Academy for security policy in Germany are at the European level, the European Security and Defense College as a second category, we have actors that are involved in research and research funding and these are actors that are actively involved in research on IT and cybersecurity related topics.
For example, as a research institute or who support respective funding, support respective research by providing funding. And these can be for example at the national level, the agency for Innovation and Cybersecurity or at the European level, the European Cybersecurity Industrial Technology and Research Competence Center, the ecc, which is to be established in BU NEST as a third category that we came up with. It might also be like we looked at all the actors that we have and tried to categorize them is information sharing and collaboration platforms. So these are actors that are particularly dedicated to information sharing and or networking and or improving relationships and fostering corporation to strengthen it and cybersecurity. And these firms can be organized according to teams themes or but also cross cross-cutting platforms. And they they are very loose, like it can be loose networks, it can be very institutionalized actors.
So the institutional, the degree of institutionalization can vary as a false category. We have also actors that engage in standardization certification practices and these are actors that are working on the development and agreement of norm standards and certifications for I C T based applications, systems and networks. And this includes for example the German Institute for Standardization but also European international ponds like the European Committee for Standardization. And then almost last but not least, we have of course a category of actors that are engaged in operational IT and cybersecurity. And these are actors that are operationally implementing measures that are intended to lead to greater IT and cybersecurity including the prevention and detection of incidents, combating cyber in crime, responding to incidents, but also imposing fines for non-compliance. And this includes for example, the federal criminal office that is responsible for fighting cyber crime or the national IT Crisis response center in Germany.
And now last but not least, we definitely, because we are talking about cybersecurity policy, we definitely of course also have actors that are engaged in policy and strategy and these actors are responsible for policy making as well as setting policy goals in the area of IT and cybersecurity, but who have also the often the responsibility for drafting respective legislation. And these actors often set the course kind of for many other actors in the cybersecurity act architecture because they are responsible for drafting kind of the basic foundational guidelines. And this of course includes many ministries but also for example at the U level, the horizontal working party on cyber issues, which is a preparatory body for the council of the European Union.
And then just like somehow to give a quantitative overview, again, it's only an indication but like some, it is interesting that almost half of the actors that we consider that are part of Germany cyber security architecture, I engaged in operational IT cyber security followed by policy and strategy and then information sharing and collaboration platforms. And then on fourth place standardization research and research funding and education and training. Just just just as an overview of kind of how these three end of 84 actors like somehow actually split up when it comes to kind of the actual field of field of work and what they are doing. And now I would like quickly go through like somehow we have seen these seven political levels that we include just to like somehow explain a little bit, of course I cannot go into too much detail but try to give an overview of how actually these political work like levels are related to each other and how they work together.
And just as an introduction, it might be useful to like somehow consider again that the guiding principle for all these like somehow relationships is the principle of subsidiary. So like somehow each public task should be kind of conducted or executed at the lowest political level possible. So that of course like somehow gives many, many room of responsibility to the federal state level, which is for example responsible for the prevention of threats. Like the federal level of course comes in when like somehow more federal states are involved. But the federal level is evidently like somehow responsible for the cyber interior policy when it comes to the cyber cyber protection by the federal Ministry of defense, but also the cyber foreign policy. But many competences lay with the federal state level. Just as a quick overview, when we look at the federal level in Germany, a few actors that are relevant or maybe good to know the main actors, I've just hired a few of them of course as you can see there are way more actors that play a role at the federal level.
Kind of the lead organization in Germany for cybersecurity policy is the Ministry of the Interior, which has many entities in its Fairview including the federal office for information security and for example all the criminal police office or an intelligence service that is of course also working on cyber security. And then we have the Federal Ministry of Defense and the federal foreign office and we also have two kind of coordinating bodies, which is the National Cyber Security Council, which is supposed to give strategic advice to the government and is composed of all ministries, representatives of the federal states and the local level and well as the economy. And then we have also the National Cyber Defense Center, the cyber sent home, which is more like somebody is not operating on a strategic level but is supposed to enhance operational cooperation and operational relations between actors for example as the bu the actor like someone that is working on criminal police matters, the bse.
So it's really about exchanging information and collecting the information to be able to like somehow respond or to have a whole holistic picture of the cyber situation that Germany is faced with. And then I see this is, this is just like somehow I've mentioned the interactive visualization, like somehow you can click on every actor or you can even like select a level and this is just like somehow I've selected the whole federal state level to see how the federal state level is linked to the federal level. And what becomes clear is that of course like somehow when we look at the federal level to the federal state level, what kind of cluster emerge and it is that there are coordination bodies that it is a lot about operational cooperation and that the federal office for information security with its sat with the German sat, it sad BUN plays a big role and probably will be play a even bigger role in the future because the interior ministry is currently planning to introduce amendment of the German constitution to ensure that the BSE is able to like somehow really act as a central body between the federal and the federal state level.
And like so we play that true now with all the other levels. So brace ourselves for many other pictures. I've talked about the international level and the four levels that we have because it is kind of, you can really speak of an internationalization of Germany's cybersecurity architecture and we see that when we look at the European level again, there are certain clusters that we can see of actors that are linked to the European level and what we see with the federal level and the eu, again, of course it's many, it's many ministries for example also the Federal Ministry of Defense and of course the interior ministry with its operational entities in its purview like the bse but also the federal foreign office that had many links with the European level but also and interestingly also of course the Federal Ministry of Finance and the German central bank that are related to actors that we have assigned to the European level.
And because I only have 40 seconds left, I will try to be a little bit faster. And then we have the nature level, and this is kind of unsurprisingly of course mostly linked to entities that are related to the German Ministry of Defense and the military entities, but also the Ministry of the Interior with the BSI and the Federal of Foreign Office are kind of responsible for Germany's representation in nato, NATO entities and CDs. And then we also have the UN level and again I try to just briefly sketch it, it is of course also ministries again that play a big role when it comes to how these actors are linked, are linked to the UN level, it's interior ministry, the foreign office, also the digital ministry, the economic ministry, but also the justice ministry because of course at UN level they are discussions about a new cyber crime treaty.
So of course that involves like somehow also the justice ministry and law enforcement agencies that have an interest in participating in these negotiations. And of course also standardization bodies at the UN level, it is the International Telecommunications Unit Union, but of course activities of cap capacity building that are predominantly done by the UN development program. And now we are almost at the end we have another level because these three levels couldn't kind of picture all the international actors that we find relevant. So we have another level that is very briefly caught, international actors and these, this includes for example the Council of Europe, the OS C Interpol or the itf. And first just to give an overview of what the international actor level includes. And again, same, same game. What we see here, it is particularly ministries, law enforcement agencies because for example, the federal criminal office, the police, the B is the Central National Bureau for and again, standardization bodies and set networks like first and trusted, introduce them.
Okay, now I will sum up like somewhere we have seen many slides and connections and pictures and I try to sum it up a little bit, kind of somehow what are actually these areas of intersection between a national cybersecurity architecture and the international political levels that we see. And I think these are just a few examples, but I think that what has been shown is that the international level is important for the national level when it comes to sharing and exchanging information, for example, in certain networks, research and innovation, standardization, fighting cyber crime. Because again, this is not a thing you can do at a national level very well. You can, the international level is important when it comes to responses to cyber operations. Therefore Germany, of course, it's predominantly the EU level that is relevant for example with the cyber diplomacy toolbox that can be used when it comes to public attribution or sanctions, cyber defense in the framework of nato, but also cyber capacity building or the development of mobile incident response teams. So this is just a rough overview. I hope it has not gotten more complexity. You've maybe understood a little bit how in Germany at least this is structured and maybe it'll be interesting to see how the panelists will see it and discuss deep, deep dive into it a little bit further. So thank you very much.

Stay Connected

KuppingerCole on social media

Related Videos

Webinar Recording

Unify Identity and Security to Block Identity-Based Cyber Attacks

Join security and identity experts from KuppingerCole Analysts and ARCON as they discuss the importance of securing enterprise credentials, explain why a unified identity security approach in line with Zero Trust principles improve security and efficiency, and describe how to combine…


Recap Cybersecurity Leadership Summit 2022


Key Findings on Malign Information, Misinformation, and Cyberattacks

Ksenia Iliuk, Head of Research at Detector Media, Ukraine tells us about some key findings of their research in the media landscape of Ukraine. Find out what she has to say about Telegram and what it has to do with #cybersecurity .

Webinar Recording

Effective IAM in the World of Modern Business IT

Digital Transformation promises lower costs, and increased speed and efficiency. But it also leads to a mix of on-prem and cloud-based IT infrastructure, and a proliferation of identities that need to be managed in a complex environment. Organizations adopting a Zero Trust approach to…

Analyst Chat

Analyst Chat #149: The Top 5 Cybersecurity Trends - Looking Back at CSLS 2022

Deep Fakes, AI as friend and foe, Business Resilience, Mis-, Dis- and Malinformation: The Cybersecurity Leadership Summit has taken place in Berlin and covered all of this and much more. Martin Kuppinger and Matthias look back on the event and identify their Top 5 Trends from CSLS2022 in…

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00