Position Statement
Written Statement on Germany's new Cyber Defense Law
"Gesetz zur Stärkung der Cybersicherheit"
Published by
Interface
March 18, 2026
The German government is preparing a major overhaul of its cyber defense, with the Interior Ministry calling for powers “to strike back, even abroad, to disrupt attackers and destroy their infrastructure.” The draft law also proposes setting a relatively low threshold for such countermeasures. This comes against the backdrop of escalating attacks by Russian and Chinese hacker groups targeting political parties, government authorities, and critical infrastructure—causing economic damage estimated at €267 billion annually.
The proposal, shared with industry groups and experts for consultation, would amend several core security laws governing the Federal Police (BPOL), the Federal Criminal Police Office (BKA), and the Federal Office for Information Security (BSI). Its aim is to improve authorities’ ability to detect and respond to cyberattacks. Adopted following a cabinet decision in August 2025, the draft forms part of a broader shift toward more proactive cyber defense measures, as Berlin seeks to better protect critical infrastructure and public institutions from increasingly sophisticated threats.
The following document is a written statement (Stellungnahme) on the German government’s draft cybersecurity law, submitted as part of the official stakeholder consultation process. It analyzes the Interior Ministry’s proposal to expand cyber defense powers—especially intrusive measures such as “active cyber defense” or hackbacks—and argues that while the draft significantly increases government authority, it fails to address core problems, including fragmented responsibilities, weak coordination, a lack of transparency, and an insufficient focus on resilience.
Summary of the Written Statement (Machine Translated)
Statement by Dr. Sven Herpig within the framework of the participation of leading associations, expert circles and associations on the draft bill from the Federal Ministry of the Interior (BMI) for a “Law to Strengthen Cybersecurity”
The draft addresses “active cyber defense” (often referred to as “hackback”), understood as state-directed or state-executed technical interventions in IT systems to counter ongoing cyber operations. These measures may interfere with the integrity, confidentiality, and availability of systems, including those of third parties.
The political and technical debate on such measures has stagnated for years, while previous initiatives have largely failed. At the same time, the government plans to expand intrusive powers across multiple authorities (Federal Criminal Police Office, Federal Police, and Federal Intelligence Service).
Active cyber defense entails significant risks, including collateral damage, misattribution, and the proliferation of cyber tools. Without proper integration into existing security structures, there is a risk of expanding operational powers without corresponding security gains. Such measures can only play a limited role; IT security and resilience remain the core pillars of national cybersecurity.
Therefore, intrusive measures should be limited to a necessary minimum and, where possible, replaced by less intrusive, scalable alternatives.
Criticism
Parallel Structures Undermine Effectiveness
The draft expands the powers of several authorities without addressing existing structural deficiencies. It lacks binding coordination mechanisms, conflict resolution procedures, and a shared operational platform.
This creates parallel responsibilities with insufficient coordination, leading to fragmented resources and blurred accountability. In addition, the government’s approach to handling vulnerabilities remains unclear. Overall, the proposed structure risks significantly reducing the effectiveness of cyber defense.
Powers Instead of Resilience
The draft prioritizes intrusive capabilities over strengthening IT security and resilience. Although the Federal Office for Information Security (BSI) receives additional powers (e.g., threat hunting), the allocated personnel resources are insufficient.
At the same time, substantial staffing increases are planned for highly intrusive measures within law enforcement agencies, despite unclear long-term benefits. Evidence suggests that such operations typically only slow down adversaries rather than stop them.
The core weaknesses lie in deficient IT infrastructure and insufficient baseline security measures. Effective cybersecurity therefore requires a stronger focus on resilience and operational capacity at the BSI and among federal IT operators.
Legal Uncertainty and Fragmentation
The expansion of intrusive powers at the federal level raises constitutional concerns, as public security and threat prevention are primarily responsibilities of the federal states. Instead of pursuing a constitutional amendment, powers are distributed across multiple federal agencies.
This approach leads to fragmented responsibilities and overlapping mandates, hindering coherent action. At the same time, the draft significantly broadens intervention powers (e.g., data manipulation, system interference) without acknowledging their fundamental implications.
Given the scope and intensity of these measures, a comprehensive constitutional debate appears necessary. There are also doubts as to whether the proposed thresholds meet the requirements set by constitutional case law.
Unclear Transparency and Governance
The draft lacks clear provisions on transparency, oversight, and governance. In particular, there are no defined standards for acquiring and managing vulnerabilities or operational tools.
There is also no systematic reporting on authorized and executed measures, making it difficult to assess effectiveness and proportionality. Since many measures are covert, individual legal remedies are often unavailable, increasing the need for independent oversight.
Furthermore, the absence of technical standards for handling digital evidence raises concerns about traceability and admissibility in court.
Recommendations
- Introduce systematic evaluation: Cyber defense measures should demonstrate measurable security benefits.
- Ensure proportionality: Limit intrusive actions to what is strictly necessary and carefully assess risks.
- Clarify constitutional responsibilities: Clearly define federal and state competences and consider constitutional amendments if needed.
- Establish a joint operational platform: Enable coordinated planning and execution across authorities.
- Strengthen coordination mechanisms: Implement binding procedures for cooperation and conflict resolution.
- Increase capacity for resilience: Expand resources for incident response and threat hunting at the BSI.
- Enhance transparency and governance: Introduce clear rules for tools and vulnerabilities, reporting systems, and independent oversight mechanisms.
Author
Dr. Sven Herpig
Lead Cybersecurity & Emerging Threats | Advisor to the Executive Director