By Nele Achten
In February 2018, the German government’s network was attacked. Germany did not specify what kind of information was accessed by the foreign hackers, but it is publicly known that the hackers successfully attacked the IT system of the Ministry of Foreign Affairs. On March 18, 2018, the Head of the Federal Chancellery and Federal Minister for Special Tasks, Helge Braun, issued a public statement about this attack and explained that the government would examine the possibilities of cyber counterattacks. His statement heated the political debate about cybersecurity and parliamentary opposition groups raised concerns and questions in official inquiries to the federal government on March 23, May 4 and May 7. The questions covered many topics ranging from Russia’s potential influence on the domestic political debate to facts about specific cyber attacks to the domestic institutional framework for cyber defense to attribution and the international legal framework.
Germany has seen a number of cyber attacks since 2015, including the cyber attack on the German parliament in 2015, the spear-phishing attacks on political parties and foundations in 2016 and the worldwide “NotPetya” virus in 2017. Germany has attributed all these incidents and the recent attack in February to Russian networks. Public attributions have been done more frequently in recent years, particularly in the U.S. and by some of its allies attributing the NotPetya attack. Public statements from governments regarding how they will apply international law to cyber activities, however, are still rare, even though they are important for the development of international law. The U.K. and U.S. governments have made the most detailed statements on the legal framework of cyber operations so far. British Attorney General Jeremy Wright recently expressed the position of the U.K. government and the U.S. government’s position was outlined in two speeches by State Department Legal Adviser Harold Koh in 2012 and Brian Egan in 2016.