Comment: No hack, just ignorance

Top politicians have fallen for a phishing attack carried out via Signal. This cannot continue, says Falk Steiner.


Whoever clicks faster gets phished earlier.

(Image: Katya Rekina / Shutterstock.com, editing: heise medien)


President of the Bundestag Julia Klöckner, Federal Minister of Education Karin Prien, Federal Minister of Construction Verena Hubertz – they have all reportedly been affected by a phishing attack that has been causing unrest in political Berlin for two months. Signal itself – despite headlines to the contrary in the public media – has not been hacked. The attackers have exploited something else: naivety, ignorance, and a peculiarity of political reality.

While President of the Bundestag Julia Klöckner places great importance on her social media presence, a comparable commitment to IT security is not documented. And among other politicians and actors now affected, no increased awareness of the problem is known. The incident is a classic Layer 8 attack: the human is the target. This is why almost every company with more than two employees now also runs simulated phishing attacks. And at the Bundestag, phishing has been anything but an unknown quantity since at least the Ghostwriter campaign in 2021.

An opinion by Falk Steiner

Falk Steiner is a journalist based in Berlin. He works as an author for heise online, daily newspapers, specialist newsletters and magazines and reports on digital policy at federal and EU level, among other things.

The world of politics is full of big and small secrets. Small agreements that no one is supposed to know about beforehand, considerations about stock market-relevant changes to laws, about upcoming and missed backroom deals, personal relationships between politicians and third parties. This applies particularly to those who belong to governments, who as relevant members of parliament belong to government factions, who hold office or participate in policy-making. Whether as employees, civil servants in ministries, officials in authorities, or in the Bundestag administration.

And politics is something else: a target. For economic espionage, political espionage, to find compromising material against actors, to gain a knowledge advantage for negotiations. Knowing what others know, without them knowing that the other side knows it: a crucial factor in politics since antiquity. In times when it cannot be ruled out that Germany could also be drawn into a war, it would be all the more important to maintain radio discipline, as high-ranking Bundeswehr members had to learn two years ago.

Yes, mistakes cannot be completely avoided. Politicians, ministers, civil servants, employees, and their general entourage are not IT security gods either. And yet, this case is different: in an environment where IT security problems, attack scenarios, and the danger of war are warned about in sometimes shrill tones, there is a part of the IT infrastructure that can be used far outside all professional security standards. And that has something to do with the organization of politics.

Because on the one hand, those in positions of responsibility like Julia Klöckner as President of the Bundestag are precisely that: parts of a structured organization. Whether it's a ministry, the Chancellery, the Bundestag, or another body is almost irrelevant. There are IT security specifications and guidelines everywhere.

And then there is the second reality: that of politics as parties. These are associations of many individual people who believe that they want to change something together and participate in the political decision-making process for it. In terms of IT organization, this primarily means: everyone brings their own end device to the party – and interoperability is only achieved through auxiliary means.


When the Federal Chancellor, the President of the Bundestag, the CDU General Secretary, and the party presidium colleagues need to clarify something with each other, actors from dozens of different infrastructures are connected – via a messenger on their end device. And because Signal is not allowed in every infrastructure, and party politics must not be conducted with the means of parliamentary administration or government agencies at federal and state levels (even if such sharp distinctions are often not manageable in practice), this usually means using private phones instead of encrypted, secure environments.

This alone does not necessarily mean that the institutions are compromised. However, this phone is not secured according to any BSI standard. And its integrity depends entirely on two things: the security awareness of the users – and their consistent behavior. To put it bluntly: Who would hire Julia Klöckner as an administrator for their IT security infrastructure?

Now, the problem itself is not new. Not in 2026. And not for top politicians. Anyone who, as a person in charge, declares the country's defense capability to be essential must act accordingly themselves. Currently, however, those affected are sending clear signals: German top politics is only very conditionally ready for defense when it comes to IT security.

No matter how good the technical solutions are: Of course, the human being as an entry point is and remains a core problem. And Signal could probably enable even better security mechanisms here than those it currently offers. But providers cannot solve the problem in front of the screen if the user is not interested in IT security principles.

(nie)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.