German cybersecurity is dead

German news media ran a story yesterday about a hack by "Advanced Persistent Threat 28", purportedly of Russian origin, who penetrated the data networks of Germany's federal government and its security institutions. That is to say, the German equivalents of the entire executive branch, including chancellor, cabinet, and executive branch agencies like CIA, FBI, ICE, federal and state police services, military intelligence and security command. Yes, let that sink in.

Counter-intelligence noticed the breach in December. At that point the systems had been compromised for the better part of a year. A year.

Notwithstanding the fact that all journalism related to this attack is abysmal - in particular the "let's blame a sovereign nation for what amounts to a cyber act of war" based on what: an IP address? a common methodology? - the fact that a breach at federal level can remain undetected for a year speaks to how woefully unprepared Germany is in cybersecurity.

At this point, one should assume that there is no such thing as German state or economic secrets. Everything has been compromised. For a nation that used to pride itself on security and the strength of its intellectual property, this is a very sad day indeed.

2 responses
The other side of the question is what to trust.
+ hardware is compromised with backdoors (Intel CPU with the hidden processor)
+ software is compromised (Windows, Android, Linux+SE)
+ communications are compromised (Telekom giving data away like no tomorrow)
+ these "hacking" news are quick to point out RU, to satisfy the ruling system
Real cybersec in Germany is made today by indie developers. Very seldom they ever get investment support or visibility, contrary to what one finds in US, RU, IL, UK, CN and FR. Still, it seems to be an intentional business strategy of the gov to keep weak cybersec around here. There isn't a real interest to change that anywhere soon.
Brito, thanks for the comment. I think you're right. It's funny that everyone keeps pushing "digitization" when the very foundation of that system - whether or not I can trust a signature - is eroded. The same is true for privacy.