Cyber Policy in Germany and the U.S.: Challenges in an Emerging Policy Field
Introduction: Digitization as Political Challenge
As Tessier Stall notes, “[c]yberspace is both the playground and the battleground of the future.”[1] Digitization is a great opportunity for society and modern information and communication technologies are already shaping our everyday life in a substantial way. Still, advancements in information and communication technologies and their widespread use lead to an ever greater dependence on cyberspace and its infrastructure, increasing the vulnerability of societies and economies to diverse cyber risks. Some cyber risks, for example cyber-crime, are already encountered as a daily reality. As Eric Schmidt and Jared Cohen note, the Internet “is a source for tremendous good and potentially dreadful evil, and we’re only just beginning to witness its impact on the world stage.”[2] Facing this challenge, they underline the “importance of a guiding human hand in the new digital age.”[3] This guidance can be provided by political leaders.
With its coalition treaty, Germany’s future Grand Coalition government took an important step by acknowledging the digital revolution and including political measures for how to deal with cyber issues. However, further challenges must be tackled on both the national and international levels.
This essay examines the CDU/CSU-SPD coalition treaty with regard to cyber policy and how the new government intends to address those risks. It then looks more broadly at the narratives, institutions, and regulations involved in cyber policy on both sides of the Atlantic, finding a need for greater German-American cooperation on this growing policy field.
The Grand Coalition’s Cyber Policy
In the process of negotiating the coalition treaty, two working groups[4] of the future coalition partners discussed nearly all cyber topics. In its preamble, the coalition treaty mentions the “advancing digitization of our life”[5] as a “far-reaching challenge.”[6] Implications of digitization are discussed in various aspects, most prominently in the “digital agenda,”[7] which attempts to be comprehensive and address economic, education and research, and social elements. First, the digital agenda addresses cyber’s economic aspects and proposes a roadmap to make Germany “digital growth country no. 1 in Europe.”[8] In order to achieve this goal, the future government will, among other things, optimize growth conditions for the German and European information and communications technology industries. The future coalition partners also support the transfer of knowledge of high-end research to practical applications. Favored areas include industry 4.0, intelligent mobility, e-health, and big data. Second, the digital agenda emphasizes education and research. The future government will support research on topics such as the Internet’s influence on society. With regard to education, following the concept of “digital autonomy,”[9] the need for every individual to have “media and information competence”[10] is seen as a vital factor for data protection and security on the Internet. Third, the digital agenda covers “digital living and working”[11] and favors models such as home teleworking to create more flexibility in order to improve the compatibility of family and work.
Beyond the digital agenda, the coalition treaty discusses cyber-related issues in several other sections. With regard to economic policy, the future government aims to create technologies and “software made in Germany”[12] and to promote it as a brand of “security, data protection, design and user-friendliness.”[13] Digital infrastructures are also a political focus: Rapid internet access via broadband (50 Mbit/s) shall be available all over the country by 2018. In addition, wireless LAN access shall be developed and net neutrality will be included in the telecommunications law.
Furthermore, in the field of interior policy, it is a fundamental goal of the future coalition partners “to create and conserve the balance between freedom and security also in the digital world.”[14] Thus, an IT security law, among other things, will be created with “binding minimum standards regarding IT security for critical infrastructures and an obligation to report significant IT security incidents.”[15] The German and European Internet and its infrastructure shall be conceived of as a “space of trust”[16]; therefore, “measures to regain technological sovereignty”[17] will be taken and “offers of national and/or European routing are welcomed.”[18] The future Grand Coalition also aims to implement data retention policies, a requirement that has its origin in the European Data Retention Directive.[19] As data retention, i.e., the storage of individuals’ communication data by the government for a certain amount of time, is highly controversial and thus not yet implemented, the EU Commission took Germany to court at the end of May 2012 over its non-compliance and requested that monetary fines be imposed.[20]
The return of data retention following the election is criticized by the policy’s opponents and seen as ironic given the revelations on the NSA surveillance affair.[21] However, the future government has repeatedly underlined the importance of data protection and privacy aspects. It thus favors a speedy adoption of the EU’s General Data Protection Regulation, including, among other elements, the right to be forgotten.
Finally, cyber issues are included in comments on Europe in the coalition treaty. Other than emphasizing the need for investments in infrastructure, such as digital media and broadband, it is stated that “the role that Europe will play in the twenty-first century depends also on the fact if we manage to keep up in the domain of the digital world, to set European standards and thus to preserve our societal model.”[22] At the international level, the coalition has the goal of “an international convention for the global protection of freedom and personal integrity in the internet.”[23]
All in all, cyber-related issues in general and the digital agenda in particular have a prominent position in the coalition treaty. Although critics see many shortcomings, including the return of data retention and a too strong focus on security,[24] digitization has definitively arrived on the political agenda in Germany and an important step has been made.[25] The coalition treaty was signed on 27 November 2013,[26] approved by the Federal Committee (Bundesausschuss) of the CDU on 9 December 2013,[27] and is currently being voted on by the SPD membership. The results are expected on 14 December 2013.[28]
In any case, it is important to note that a coalition treaty, as the result of negotiations between two parties, basically contains a roadmap for the government for the next four years.[29] However, whether this roadmap will be implemented effectively can only be evaluated after the government has taken office.
Cyber Policy in a Comparative Perspective: Narratives, Institutions, and Regulation
Narratives and Discourses in Cyber Policy: What Is at Stake?
Cyber issues are controversial in Germany as well as in the U.S., and expert opinions on the likelihood and potential damages of cyber risks differ widely.[30] As a strictly scholarly assessment is hardly possible, political interpretations carry increasing weight. These interpretations manifest themselves and are created in discourse.
Observing the U.S. discourse, one notes an important security policy-related interpretation of cyber issues, for example, Leon Panetta’s “cyber Pearl Harbor.”[31] This narrative has a strong national security link, militarizes the language used, and outlines the risk of one devastating event with terrible consequences. As Ian Wallace notes, such militarized language—another example is “cyberwar”—can be “dangerous,” as “[t]he war analogy implies the requirement for military response to cyber intrusions.”[32] Another quite dominant narrative in the U.S. discourse could be termed the “China threat.” These narratives are also present in Germany, albeit on a much weaker scale, partially due to the lack of an event comparable to 9/11. However, going further back in Germany’s past, the experience of two dictatorships explains the prominence of the data protection narrative on this side of the Atlantic.
Another observation is the phenomenon of different institutional discourses within each country. One can argue that, in general, it is no wonder that different institutional actors, such as government agencies, see things through the specific lens given by their agency’s competence. However, in the emerging field of cyber policy, the different institutional discourses seem particularly vibrant and answers to the question of what is at stake regarding cyber risks and opportunities diverge widely because roles and responsibilities are not yet perfectly figured out. Thus, all institutional actors have an interest in promoting their agendas as well as their vested bureaucratic interests in controlling the cyber domain, which is mirrored in the discourse.
Institutional Approaches: Fragmentation or Centralization?
The cyber domain is a domain where the lines are blurring. Not only do cyber attacks not stop at national borders, but cyber-related topics in politics also transcend the borders of areas of competence in traditionally-established policy fields. How does politics react? At least for now, a fragmented institutional approach with different agencies dealing with cyber topics can be observed on both sides of the Atlantic.
The question is, which degree of fragmentation is useful and which degree of centralization necessary? In Germany, the idea of an “internet ministry” has been debated, a reaction to criticisms such as that the current fragmented approach is uncoordinated and results in policies that have only a limited impact.[33] A centralized institution could not only help provide more coordination, but also change the fact that cyber-related questions are currently often a mere add-on to policy fields.[34] Moreover, an internet ministry with proper resources and staff—and thus, power—could ensure that all government policies are cross-checked for their compatibility with digitization goals.[35] In the coalition treaty, such an internet ministry is not explicitly mentioned; however, it will be interesting to learn which ministry will have the lead in digital policy questions in the future German government.
Defining the adequate degree of centralization or fragmentation is a learning process on both sides of the Atlantic. The goal should be to find a modus operandi that implies a holistic view in order to consider the cyber threat and opportunity landscape as a whole, but that at the same time can be “granular”[36] enough to be able to deal with cyber-related questions according to their respective complexity.
Regulation: Top-down or Bottom-up?
In Germany and the U.S., different attitudes exist on regulation in general. However, the field of cyber policy is particularly complex given that a large part of critical (information) infrastructure is owned and operated by the private sector. Thus, top-down and bottom-up approaches are discussed in both countries.
The difficulty of regulating cyberspace issues in the U.S. can be illustrated by the House of Representatives’ Cyber Intelligence and Sharing Protection Act (CISPA) and the Senate’s Cybersecurity Act (CSA), neither of which became law.[37] Following these legislative failures, Executive Order 13636[38] and Presidential Policy Directive 21[39] were issued in February 2013, tasking the Department of Commerce’s National Institute of Standards and Technology (NIST) with developing a voluntary Cybersecurity Framework, the preliminary version of which was released in October 2013.[40]
Interestingly, we can observe an inverse process—first a voluntary approach, then regulation—in Germany. Initiated by the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik), the “Alliance for Cyber Security” (“Allianz für Cybersicherheit”) sought voluntary information sharing on cyber security threats and incidents between federal agencies, companies, and other institutions.[41] As voluntary measures did not work out as intended, Federal Minister of the Interior Hans-Peter Friedrich proposed an IT security law (IT-Sicherheitsgesetz) in March 2013.[42] However, the bill did not pass before the September Bundestag elections; a new version is part of the coalition treaty, as was mentioned above.
The challenge lies in finding an approach to cyber security that allows policymakers to deal with the questions effectively, despite the fact that technology will continuously outpace legislative regulatory processes. As formulated by the Information Technology Industry Council (ITI) in the U.S., it is important to create “a security framework that is based on existing, voluntary, consensus-based standards and best practices.”[43] Thus, the ITI welcomes the NIST framework and underlines that “the tech sector has a critical role in advancing effective cyberspace policies,”[44] but also that “we [the tech sector] need governments to create the right policies to enable us to grow our businesses, innovate, and succeed in our role of cyber capacity-building.”[45] Regardless of whether a bottom-up or a top-down approach is chosen, the U.S. and Germany should make sure that this goal of the private sector can be realized successfully, as it is in both countries’ own interest.
Conclusion
Are Germany and the U.S. ready to cope with the cyber challenge? Several initiatives on both sides of the Atlantic have been started, the effects of which can only be judged over the course of time. Discourses as well as open institutional and regulatory questions show that a perfect cyber policy does not yet exist on either side of the Atlantic. A strong foundation for a successful cyber policy is a broad political and societal consensus on the right balance between freedom and security and on how to cope with the “challenges of the digital age in which power is about both connection and protection.”[46] In this regard, both countries still have unanswered questions that they need to tackle. However, in the end, all cyber-related questions are global in nature. Successful German-U.S. cooperation can be an important milestone on the way to more international cooperation. German-American cooperation can be encouraged by developing more intercultural understanding between the transatlantic partners, implying, among other things, a desire to better understand the respective attitudes toward, perceptions of, and origins of cyber-related issues.
Ms. Kathrin Ulmer is a PhD candidate at the University of Stuttgart, Germany, and a research assistant in the EU Integration Research Division at the Berlin-based think tank Stiftung Wissenschaft und Politik (SWP). She was a DAAD/AGI Fellow in October and November 2013.
[1] Sacha Tessier Stall, “The Future of Cybersecurity,” The Hague Centre for Strategic Studies and TNO, Paper No. 2011-4, 3 February 2011, <http://www.hcss.nl/reports/the-future-of-cybersecurity/19/> (11 December 2013), p. 7.
[2] Eric Schmidt and Jared Cohen, The New Digital Age. Reshaping the Future of People, Nations and Business (New York: Alfred A. Knopf, 2013), p. 3.
[3] Ibid., p. 11.
[4] On the one hand, the working group on Interior Affairs and Justice (Inneres und Justiz), led by Federal Minister Hans-Peter Friedrich (CSU) and Thomas Oppermann (SPD); on the other hand, there was a subordinated group to the working group Culture and Media (Kultur und Medien), called Digital Agenda. This group was led by Dorothee Bär (CSU) and Brigitte Zypries (SPD). See: <http://www.cdu.de/sites/default/files/media/dokumente/131023-vorsitzende-der-arbeitsgruppen.pdf> (11 December 2013).
[5] CDU/CSU and SPD, Deutschlands Zukunft gestalten. Koalitionsvertrag zwischen CDU, CSU und SPD. 18. Legislaturperiode, <http://www.tagesschau.de/inland/koalitionsvertrag136.pdf> (11 December 2013), p. 7. All quotes of the coalition treaty mentioned in the essay are personal translations by the author.
[6] Ibid., p. 7.
[7] Ibid., p. 138.
[8] Ibid., p. 139.
[9] Ibid., p. 141.
[10] Ibid., p. 141.
[11] Ibid., p. 141.
[12] Ibid., p. 20.
[13] Ibid., p. 20.
[14] Ibid., p. 147.
[15] Ibid., p. 147.
[16] Ibid., p. 147.
[17] Ibid., p. 147.
[18] Ibid., p. 148.
[19] European Parliament and Council, Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, 15 March 2006, <http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32006L0024:EN:HTML> (11 December 2013).
[20] European Commission, “Data Retention: Commission takes Germany to Court requesting that fines be imposed,” Press Release, 31 May 2012, <http://europa.eu/rapid/press-release_IP-12-530_en.htm> (11 December 2013).
[21] Markus Beckedahl, Thema Netzpolitik–da wäre mehr möglich gewesen, heute.de, 27 November 2013, <http://www.heute.de/Thema-Netzpolitik-da-wäre-mehr-möglich-gewesen-30855100.html> (12 December 2013).
[22] Ibid., p. 162.
[23] CDU/CSU and SPD, Deutschlands Zukunft gestalten. Koalitionsvertrag zwischen CDU, CSU und SPD. 18. Legislaturperiode, <http://www.tagesschau.de/inland/koalitionsvertrag136.pdf> (11 December 2013), p. 163.
[24] Malte Spitz, “Der digitale Aufbruch kommt nicht,” Heinrich Böll Stiftung, 28 November 2013, <http://www.boell.de/de/2013/11/28/der-digitale-aufbruch-kommt-nicht> (12 December 2013).
[25] Nico Lumma, “Die Digitale Agenda im Koalitionsvertrag,” Blog Lummaland, 27 November 2013, <http://lumma.de/2013/11/27/die-digitale-agenda-im-koalitionsvertrag/> (12 December 2013).
[26] Christoph Sydow, “Schwarz-rotes Bündnis: Parteichefs unterzeichnen Koalitionsvertrag,” Spiegel Online, 27 November 2013, <http://www.spiegel.de/politik/deutschland/grosse-koalition-merkel-seehofer-und-gabriel-unterzeichnen-vertrag-a-935916.html> (11 December 2013).
[27] Heute.de: CDU stimmt Koalitionsvertrag zu, 9 December 2013, <http://www.heute.de/cdu-beraet-koalitionsvertrag-31036900.html> (12 December 2013).
[28] Michail Hengstenberg/dpa, “SPD-Anhänger würden die GroKo wählen,” Spiegel Online, 1 December 2013, <http://www.spiegel.de/politik/deutschland/umfrage-zu-koalitionsvertrag-spd-waehler-sind-dafuer-a-936603.html> (11 December 2013).
[29] Nico Lumma, “Die K-Frage der Politik,” Blog Lummaland, 5 December 2013, <http://lumma.de/2013/12/05/die-k-frage-der-politik/> (12 December 2013).
[30] For opposing views, see for example: Myriam Dunn Cavelty, “So wahrscheinlich wie die Sichtung von E.T.,” The European, 9 January 2011, <http://www.theeuropean.de/myriam-dunn-cavelty/5160-cyberwar-und-cyberangst> (12 December 2013); Sandro Gaycken, “Kabel-Gate,” The European, 23 January 2011, <http://www.theeuropean.de/sandro-gaycken/5410-cyberangst-und-cybersorge> (12 December 2013).
[31] Leon E. Panetta, Remarks by Secretary Panetta on Cybersecurity to the Business Executives for National Security, New York City, 11 October 2012, <http://www.defense.gov/transcripts/transcript.aspx?transcriptid=5136> (12 December 2013).
[32] Ian Wallace, “Why The U.S. Is Not In A Cyber War,” The Daily Beast, 10 March 2013, <http://www.thedailybeast.com/articles/2013/03/10/why-the-u-s-is-not-in-a-cyber-war.html> (12 December 2013).
[33] Jelka Lerche/Götz Hamann/Inge Kutter, “Jetzt ein Internetministerium,” Die Zeit, No. 48, 21 November 2013, <http://www.zeit.de/2013/48/infografik-internetministerium> (11 December 2013).
[34] Ole Reißmann, “Internetminister: Wir brauchen eine Macht fürs Netz,” Spiegel Online, 20 November 2013, <http://www.spiegel.de/netzwelt/netzpolitik/wir-brauchen-einen-internet-minister-kommentar-von-ole-reissmann-a-934653.html> (11 December 2013).
[35] Ibid.
[36] Expression of Suzanne Spaulding, Acting Under Secretary for National Protection and Programs Directorate at DHS in the Brookings Event “The Cybersecurity Executive Order and Presidential Policy Directive: What Does Success Look Like?” November 19, 2013, Brookings Institution, Washington, DC.
[37] Steven P. Bucci et al., “A Congressional Guide: Seven Steps to U.S. Security, Prosperity, and Freedom in Cyberspace,” The Heritage Foundation, Backgrounder #2785 on National Security and Defense, 1 April 2013, <http://www.heritage.org/research/reports/2013/04/a-congressional-guide-seven-steps-to-us-security-prosperity-and-freedom-in-cyberspace> (12 December 2013).
[38] The President, Executive Order 13636–Improving Critical Infrastructure Cybersecurity, 19 February 2013, <http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf> (12 December 2013).
[39] The White House, Presidential Policy Directive–Critical Infrastructure Security and Resilience, 12 February 2013, <http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil> (12 December 2013).
[40] National Institute of Standards and Technology (NIST), NIST Releases Preliminary Cybersecurity Framework, Will Seek Comments, NIST Website, 22 October 2013, <http://www.nist.gov/itl/cybersecurity-102213.cfm> (12 December 2013).
[41] Federal Office for Information Security, Allianz für Cybersicherheit, Website of the Federal Office for Information Security, <https://www.bsi.bund.de/DE/Themen/Cyber-Sicherheit/Strategie/Allianz_fuer_Cybersicherheit/Allianz_node.html> (12 December 2013).
[42] Federal Ministry of the Interior, Friedrich stellt Wirtschaft IT-Sicherheitsgesetz vor, Website of the Federal Ministry of the Interior, 12 March 2013, <http://www.bmi.bund.de/SharedDocs/Kurzmeldungen/DE/2013/03/eco_mmr_itsicherheitsgesetz.html?nn=3446780> (11 December 2013).
[43] Danielle Kriz, President Obama Makes a Downpayment on Cybersecurity, ITI Policy Blog, 12 February 2013, <http://blog.itic.org/blog/president-obama-makes-a-downpayment-on-cybersecurity> (12 December 2013).
[44] Danielle Kriz, Global Technology Industry Unites on Approaches to Cyberspace Policy, ITI Blog, 17 October 2013, <http://blog.itic.org/blog/global-technology-industry-unites-on-approaches-to-cyberspace-policy> (12 December 2013).
[45] Ibid.
[46] Jackson Janes, The Great Misunderstanding, AGI At Issue, 13 November 2013, </issue/the-great-misunderstanding/> (12 December 2013).