Missing link: "If you don't digitize, you lose"
In an interview with heise online, BWI CEO Frank Leidenberger explains how the Bundeswehr's largest IT service provider is to make it fit for the future.
(Image: Gorodenkoff/Shutterstock.com)
- Falk Steiner
- Imke Stock
A large organization like the Bundeswehr has special requirements for its IT. One of the most important service providers for the German military is BWI, once a state-private joint venture, now completely in the hands of the federal government. Former Bundeswehr General Frank Leidenberger was temporarily seconded to the BND and was responsible for the Bundeswehr for many years in high-ranking positions in foreign missions, first in Bosnia-Herzegovina and later in Afghanistan. Since 2023, he has been Managing Director of the Bundeswehr's largest IT service provider – and is therefore jointly responsible for the ability of 260,000 soldiers and civilian employees to work.
In an interview with heise online, he explains: What do the cloud and digital sovereignty mean for defense capabilities? And would it be possible to do without US service providers if necessary? The questions were asked by Imke Stock and Falk Steiner.
7000 people for 300 projects
Mr. Leidenberger, what does BWI do for the Bundeswehr?
First of all, BWI provides operational services: the data centers, the wide area network. We provide 220,000 clients for the Bundeswehr, lots of cell phones. We are the foundation of the Bundeswehr's IT system. In addition, we continuously work on an average of 300 projects: From the digitalization of land-based operations to healthcare or collaboration environments such as groupware.
We advise the Bundeswehr, from consulting on IT processes and models to architecture issues and conceptual foundations. With currently 7000 people, we cover all facets that a large IT service provider can offer.
(Image:Â BWI GmbH/Xandra Herdieckerhoff)
You have seen the Bundeswehr from different perspectives. From BWI's current perspective, what do you think is the most urgent thing the Bundeswehr currently needs in the digital world?
The most urgent thing from a purely Bundeswehr perspective is the creation of a resilient communication system. This means, in particular, equipping it with software-defined radios, greater reliance on satellite systems, but also high-frequency radio. This is not currently the focus of the BWI's tasks, but is a basic requirement for services that the BWI also provides. Without a high-performance communication network, data centers and data sets are useless.
Digitization can be described using progress bars. If you were to use one that every user is familiar with, what percentage would it be?
My gut feeling is: We're almost at 100 percent for stationary systems, and perhaps 50 percent for mobile systems. The Bundeswehr's IT system doesn't just consist of BWI; the Bundeswehr has a large number of IT service providers. We are the largest in terms of volume, but they do a large part of their IT themselves. However, we are important across the board because we provide the backbone with the data center infrastructure and the wide area network.
If you look at what BWI can do today and what it should actually be able to do, are there any gaps?
BWI does what it is commissioned to do and what the Bundeswehr wants us to do. Of course, we follow technological developments and what the armed forces want. They want to be able to adapt their IT services more quickly, work with more data on a larger scale and also with AI support. This automatically leads to the generic term "cloud". We are currently building the Bundeswehr's cloud in accordance with BSI security requirements: air-gapped, completely controlled by us.
Bundeswehr cloud vs. hyperscaler
What must the cloud be able to do for the Bundeswehr?
It is designed for the entire Bundeswehr system, including the reservists and the administration as users in addition to the soldiers. So this is not happening as a big bang: we have a running, functioning and, we believe, fairly secure IT system.
We are now building cloud structures for current and future applications that are more military in nature. In theory, we can gradually move almost all IT services to the cloud.
We are asking ourselves the same questions as everyone else: Does it make economic sense? Does the migration make sense? Is it better to design new services right away?
How can a powerful, sovereign cloud be built independently of large hyperscalers?
Developments are very dynamic, and of course it's a bit of a shot in the dark. If we want to compare it with the hyperscalers: a cloud region typically has three synchronized data centers at a certain distance from each other, always for 2 million users. Then we build qualitatively the same, but quantitatively around 15 to 20 percent of them are dedicated with the corresponding capability for the Bundeswehr.
But you can't imagine this in total isolation. Of course, we don't just build a cloud stack and be satisfied with it. Instead, we are constantly evaluating how we can perhaps integrate others. There are several initiatives in Germany that provide clouds approved at least for "classified information – for official use only". We are of course monitoring whether this could be of use to the Bundeswehr and us. We don't have to do everything ourselves, and it's a question of resilience whether data or applications can be outsourced elsewhere.
Data centers are potential targets, probably primary targets, in the event of defense. How do you deal with this?
The first is to secure them adequately and not have a data center where everything is located. This raises the question: can you run certain workloads somewhere else? We are already starting to think very big about this "somewhere else".
What does that mean in practice?
I don't want to go too far out on a limb, but I'll take Ukraine as an example. Where are their data centers located? Mostly not on their territory, I would say. Of course, we are looking at the NATO area and beyond. Do we need data centers that are not in Germany? Data storage and computing power elsewhere in the world, where the data is cryptologically secured and accessible to us?
We will have to think ahead. At the moment, we are initially ensuring that we design the large data centers in Germany to be redundant and secure so that our data can be kept secure and is also available.
Does that apply to the entire Bundeswehr?
It is even more flexible and has what we call deployable data centers: Compute capacities right "at the edge". Thanks to the increasing performance of hardware, it is already possible to keep a lot of storage and computing in small container-based data centers. If you differentiate between the combat capabilities of armed forces, for example, you will find that a lot of data is volatile. A target date that I have now may be irrelevant again in ten minutes. I can save it, but I don't have to. There are many ways to set this up in such a way that it becomes very resilient. Communication relationships can also be designed to be resilient and diverse.
What do you mean by digital sovereignty?
We assume that sovereignty essentially means that we have freedom of choice. Technologically, we will not get away from the four or five hyperscalers of this world. Unless we rely heavily on open source and on-bare-metal. We are also working on this and are looking into it because it could perhaps be an additional requirement for highly secure applications.
We follow the requirements of the BSI, evaluate the products and are in contact with the community. It goes without saying that we do not use products from countries that have otherwise become rather questionable, which might have been assessed differently around ten years ago.
The 100,000 dollar question
For a long time, sovereignty was primarily associated with China. However, the USA doesn't necessarily seem like an ally that you can rely on one hundred percent at the moment. How do you deal with this?
That is the 100,000 dollar question and, above all, a political one. We stick to what we are given in terms of strategic, military and political guidelines and would always add a bit of security on top. It would be very difficult if we didn't classify the USA as a friendly nation. Then, I believe, the IT systems in Europe would initially only be able to offer very manageable functionalities.
We monitor and minimize metadata outflows from Windows systems and similar wherever technically possible. That's why we build our cloud in such a way that we have no data outflow. Everything that goes in and out goes through our airlock. We recognize that there is nothing that is one hundred percent trustworthy, but we rely on those with whom we are allied to provide us with software and hardware that we can work with.
We also evaluate other supply channels and examine dual-vendor strategies in terms of delivery capability and security in the supply chain. But this always comes with a price tag. Not just that you have to buy twice. But also the operational aspect of always operating two systems. And even if they take different supply routes, where do the chips come from? They're probably all produced in Taiwan somehow, at least the high-performance ones.
How has the declared turnaround affected BWI?
We have set ourselves our own goals: We have resolved to make a contribution to command and operational capability and not "just provide a bit of IT", because the realization has matured: if you don't digitize, you lose. At its core, BWI must be available for the performance of the armed forces and be jointly responsible for this. Not just for whether an e-mail system works or not. Due to the increased availability of budget funds - keyword special assets - there is more money, more commissioning, especially for the design of the data center network
Our second major topic is the "German Mission Network", the command and control system for the mission. We don't always have to build and solder everything together ourselves. When it comes to deployable containers and data center infrastructure, it all comes from the market. That's why I believe it can be done quickly, even though the volumes involved are large.
Can you find the partners you need in Germany?
In principle, there are partners on the German market. As far as it complies with public procurement law, we also select partners based on the trustworthiness of the ownership structure of our strategic partners. On the other hand, there are technological factors. I don't know of any major German server manufacturer whose products we could quickly place in the data center at the required scale. That is why we are dependent on working with our partners for basic technology, as we have done successfully for many years.
There are always considerations to use the German Armed Forces, or in this case the BWI, as an anchor customer for a strengthened German ecosystem. How would you see your role here?
We are in discussions about this. If we take a more open source approach to the cloud, we could make a joint attempt to build a larger infrastructure for the public sector. If you look at the hardware and performance, you can't just say: it's all done by Germans – and the Bundeswehr is always the first user. At the end of the day, it's always a balancing decision: How much risk can you take because you need something now? How can you mitigate these risks? We do everything we can to keep our system secure. And we are reasonably confident that we will succeed.
This is also possible with our long-standing partners. I warn against talking all this down. We have been working really well with the big US companies for umpteen years. And they also have their challenges. We shouldn't act as if they are suddenly the enemy.
Videos by heise
What are your top three priorities at BWI for the next 5 to 10 years?
Cloud, cloud, AI. [laughs]. Well, no AI without the cloud. Of course there are special topics. The cloud drives data availability and use, which then also enables AI. These are mega topics for the Bundeswehr, which we support accordingly.
You had a long career in the Bundeswehr and then joined BWI. If you look at the Bundeswehr, the sleepy digitalization, BWI as a service provider. If an experienced member of the Bundeswehr is sitting there as CEO, how is that any different to a traditional IT manager?
I wouldn't accuse the Bundeswehr of sleeping through it. It was simply unable to implement it. We've seen that: even at the very bottom of the army, we once wrote papers pointing out that something had to be done. But if they don't get the extra €3.50, you can only serve the highest priorities.
I at least hope that my experience as a soldier is not a disadvantage for the BWI. But I can only emphasize that: The CEO is allowed to give the interviews, it will be implemented by the many outstanding BWI employees – who do it for the sake of it.
(vbr)
