Draft Law: Police to no longer just reactively defend against cyberattacks
A new draft law stipulates that the BKA and Federal Police will be allowed to actively intervene in IT systems, delete data, and disable servers abroad.
The days when German security authorities largely limited themselves to observation and subsequent prosecution in the digital space are drawing to a close. In view of an intensified threat situation from state actors and internationally operating hacker groups, Federal Interior Minister Alexander Dobrindt (CSU) is pushing for a turning point in German cybersecurity policy. A current draft law from his ministry to strengthen cybersecurity provides for far-reaching powers for the Federal Criminal Police Office (BKA), the Federal Police, and the Federal Office for Information Security (BSI). It marks the transition to a significantly more offensive strategy.
The core of the planned reform, which media outlets such as Der Spiegel and ntv report on, is authorizing the authorities to take so-called active defense measures. Previously, the BKA, for example, was only permitted to intervene preventively within narrow limits for counter-terrorism. In the future, officers will have significantly more leeway in the event of attacks of significance for external or internal security policy.
The goal is no longer just to document cyberattacks. Instead, law enforcement officials should be allowed to prevent such attacks technically before they can cause critical damage. According to reports, this includes redirecting or blocking data traffic, shutting down entire IT systems, and in particularly severe cases, even deleting or altering data on third-party servers.
Offensive Defense Beyond Borders
The Federal Cabinet had actually intended to set a corresponding draft law in motion a few weeks ago. The final consultations are now apparently underway. The focus on foreign countries is particularly sensitive. Digital attacks know no national borders. The federal government therefore wants to ensure that threat defense starts where the attacks originate.
Dobrindt has already underlined this ambition with clear words. He announced that German security authorities could in the future specifically disrupt attackers and destroy their infrastructure worldwide. The aim is not widespread digital counter-strikes, but precise interventions. Such interventions would be used, for example, to disable servers that serve as starting points for coordinated attacks.
The executive justifies this new direction with, among other things, the changed security situation since the Ukraine war and an increase in attacks attributed to the Russian sphere. Such hackbacks, which Dobrindt also wants to permit the Federal Office for the Protection of the Constitution (BfV) to carry out, have been hotly debated for years. Many experts consider them to be unconstitutional.
In practice, the Federal Police Act and the BKA Act will be supplemented by a paragraph for special defense measures. If public safety, sensitive facilities, or even life and limb are endangered, officers would be allowed to intervene deeply in IT structures without the affected parties having to be informed in advance. While a judicial order remains the rule, the draft provides for an exception: in cases of acute danger, authorization could be obtained up to three days retroactively. This emergency competence is intended to ensure that authorities can react quickly enough in an emergency to prevent the escalation of a cyberattack.
Proactive Hunting and Industry as a Deputy Sheriff
In parallel, according to the plan, the BSI is to be expanded into a kind of digital hunter. "Threat Hunting" is intended to enable the office to proactively search for signs of impending attacks, rather than merely reacting to incidents that have already occurred. To this end, the BSI is to receive significantly expanded powers to collect and analyze data.
For this strategy to succeed, the legislator is also placing obligations on the private sector. Telecommunications companies and digital corporations are to be obliged to provide security-relevant information and to implement orders from the authorities. Those who refuse to cooperate could face drastic sanctions: fines of up to 20 million euros are at stake.
Within the security authorities, this development is welcomed as a long-overdue modernization. BKA President Holger Münch has repeatedly criticized the existing legal constraints as no longer being up-to-date.
To be able to cope with the new operational tasks, the government also envisages a massive increase in personnel, in the three-digit range, at the relevant authorities. It sees strengthening cyber defense as a prerequisite for Germany's economic success and social cohesion, as national security in the 21st century is inextricably linked with the integrity of digital infrastructure. Critics, however, are likely to scrutinize closely whether the balance between effective threat defense and the protection of digital civil liberties, repeatedly called for by the Federal Constitutional Court, is maintained.
(mue)