Throwback to Germany’s horror week.
The last week of February is likely one that the German defense community would rather forget. Throughout the week, Germany and its allies were confronted with a number of significant events that as a Berlin native, I found hard to ignore.
The week started with the German frigate Hessen firing at a US MQ-9 Reaper drone in the Red Sea, fortunately missing it. Then Chancellor Scholz caused irritation amongst his NATO allies with his Taurus statements by both refusing to send missiles to Ukraine and then openly suggesting that French and British troops were actively aiding Ukrainian troops in-country when conducting ground strikes. In what must have felt like a long Monday, Scholz then went on to contradict Macron’s statements regarding potential deployments of European or NATO troops in Ukraine in any capacity.
By Wednesday, the German Ministry of Defense had to own up to the unsuccessful attempt of the Hessen to take down the MQ-9 Reaper drone during a live press conference, the only silver lining being the successful takedown of two Houthi drones.
Friday, the Taurus leaks were made public.
Given the recording relating to Taurus was made a few weeks prior, it’s believable that the date for the leak was picked in the context of other things that happened that week. However, two other important developments were unfolding at the time. Navalny’s funeral was on the same day with numerous protests throughout Russia, and Wirecard fugitive Jan Marsalek was making it back into German headlines after a new investigation published by Der Spiegel allegedly showed his direct involvement with Russian state agencies.
While confirming the recording’s authenticity, the German Ministry of Defense was quick to downplay the incident. Populist news aside, I want to dive into what circumstances led to a Brigadier General resorting to an unsecured Webex dial-in via their hotel WiFi during a business trip to discuss matters of national security?
What might appear as a ‘silly mistake’, is actually indicative of underlying problems with the security culture prevalent in the German armed forces, and to a certain extent, throughout the entire administrative body, and the convoluted strategy underpinning Germany’s secure IT systems. Something I’ve witnessed firsthand.
BundesMessenger highlights the issues permeating Germany’s IT system
Germany has a highly fragmented IT systems landscape that seems to have been developed without a clear strategic intent. One great example in this context is the ongoing development and adoption of the BundesMessenger.
The BundesMessenger is essentially an updated version of the Bw Messenger, a messaging app developed specifically for the German armed forces (Bundeswehr). While the Bw Messenger has a user base that is strictly limited to the Bundeswehr, the BundesMessenger is meant to be rolled out to federal, state, and local authorities across various administrative functions.
The Bw Messenger can run on government-issued and personal devices, also answering the BYOD (Bring Your Own Device) question for the armed forces. The concept behind the messenger is not inherently flawed. Providing federal employees with a platform for essential communications instead of relying on commercial platforms is reasonable.
It’s open source, has no licensing cost, and runs on the Government’s on-premises infrastructure. The BWI (Germany’s Federal IT Service Provider) is even talking about setting up its own private cloud, migrating away from individual deployments. So, what’s not to like about it?
Well, there are a few challenges.
1. Overlapping functions and target customers
Users within the Bundeswehr complain about unclear guidance about which tools to use for which type of communication and which levels of classification. Sometimes the choices of tools available supposedly influence how documents end up being classified. VS-NfD is the lowest level of classification in the German military and is said to be used excessively. Technically it translates to NATO Restricted but can also be thought of as “OFFICIAL:SENSITIVE” or “For Official Use Only.”
2. It fails to address the core issue
Reports suggest significant usability issues on various devices, resulting in many individuals unofficially resorting to WhatsApp or other messaging platforms. While this is recognized and tolerated, the question arises; Why do we require a BYOD solution in the first place? If the third-largest economy and a technological powerhouse, especially in defense, cannot provide its relatively small armed forces with an adequate number of secure hardware devices and instead opts for individuals to use their own devices alongside an app, this presents a problem. Shouldn’t we be capable of supplying every soldier who needs one with a secure device?
3. It’s deployed on Huawei
One element of the BYOD-aspect of this that has garnered significant attention is the decision to launch the mobile client app of the messenger on the Huawei AppGallery. Despite being regularly listed as one of the top five largest smartphone vendors in Germany, Huawei holds only a low double-digit percentage market share at best. When considering the size of the user pool within the German armed forces, distributing just a few thousand devices would have been sufficient to prevent the creation of another potentially significant security vulnerability.
4. Over-decentralization is a disaster in the making
Another troubling aspect of the BundesMessenger plans, especially in light of the Taurus leaks, is excessive decentralization. In 2022, it was revealed by the BWI that instead of housing servers in a few national data centers in geographically separate locations, every institution would be tasked with hosting their servers locally. Going through the motions, this could mean you would have hundreds if not thousands of individually maintained deployments needing to be kept up-to-date and secure. This just seems like a disaster in the making.
5. Wide open door for malicious actors
Consolidating the infrastructure to a reasonable level of decentralization with federated individual environments as a strategic initiative seems more scalable and secure. By distributing the system on such an enormous scale, lots of vulnerabilities are being created. What was sold as a feature to increase resilience actually looks more like a lack of ownership and a strategic misstep.
Servers running a civil version of a messenger created for members of the armed forces to communicate with each other would be running in poorly secured facilities across the nation.
It sounds like an open door for malicious actors. It does not take too much imagination to envision a future leak stemming from an altered version of the server code that was injected into a system, misleading users into believing they are using a secure messaging service when in reality it has been compromised.
Developing a secure messaging app is commendable. Releasing it on the Huawei app store? Not good. Deploying the servers across hundreds of sites with questionable physical security? Very bad. Germany is trying but it seems to not give the security aspects of their solutions enough attention.
Culture - let’s not be naive
The Minister of Defense, Boris Pistorius, made it very clear, immediately after the leaks, that he was not planning to make any personnel changes as a result of it. This is a welcome change from previous administrations, where systemic issues were pinned on individual military leaders a bit too often. But there is always a flip side.
When the Minister of Defense says he won’t let Putin and his games discredit one of his best officers, it also sends a signal to anyone concerned about implementing a culture of security awareness in their unit. It’s hard to demand compliance with security policies when it’s not being upheld at the highest levels.
When it seems acceptable to high-ranking officers of the Bundeswehr to dial into a telephone conference over unencrypted lines where security-relevant matters are discussed, one can only imagine how low the sensitivity to this issue is in other ranks.
There are a few basic principles to follow. One of them is, if you cannot participate securely, do not participate.
The Webex bridge utilized during the Taurus conversation is intended for use no higher than VS-NfD. While the discussion’s references to allied troop deployment structures and technical details of the Taurus system might suggest that the tool used for the meeting was inappropriate, the determination on this matter will have to wait until the internal investigation has concluded.
Based on the information available today, it appears that the key participants of the Taurus meeting did not utilize crypto devices. This isn’t entirely surprising, considering that many of the few thousand encrypted phones issued to members of German federal institutions reportedly remain unused due to quality and usability issues. Some argue that even if a crypto-device had been available, the Brigadier General might not have been able to take it out of the country for the trip he was on, attending the Singapore Airshow. That’s a valid point. However, when a high-ranking military officer travels abroad, perhaps more consideration should be given to how they will communicate with their staff during the trip.
There’s always a balance between convenience and security. However, when reasonably secure methods are accessible, they must be prioritized. The Singapore Airshow is a significant event, and attendees should have anticipated heightened surveillance activity. It appears that at times, German military leadership still grapples with the realization that they are in a frontline position, making them increasingly susceptible to espionage campaigns.
Surely they have a secure room from which to make telephone calls at the German embassy in Singapore?
Later in the week, it became apparent that a second participant in the phone conversation dialed in using an insecure connection. The person in question was Lieutenant General Ingo Gerhartz, the highest-ranked officer in the German Air Force, adding insult to injury. Culturally, we must prioritize the security and effectiveness of our IT systems, and this change must begin from the highest levels of leadership.
The bigger picture
The Taurus leaks were undoubtedly damaging, both for Germany and its allies. However, as confirmed by the defense minister, they were not indicative of a large-scale attack or a compromised system. If the latter were true, Russian intelligence wouldn’t have considered the conversation significant enough to expose their source. The leak’s value for Russia lay in demonstrating to the German public that sending Taurus missiles wasn’t feasible. It occurred at an opportune moment, likely stemming from a broad surveillance effort among attendees of the Singapore Airshow.
Perhaps the hit was accidental in the sense that the specific conversation wasn’t targeted beforehand. However, it can’t be considered accidental when you realize that every participant traveling to the event must have expected to be targeted by foreign intelligence activities during their stay.
The leak shows both a weakness in the technical communication landscape within the German military as well as a cultural problem. Similar to the public discourse surrounding the phase-out of Huawei hardware within Germany’s telecommunications infrastructure, there needs to be a robust discussion concerning the IT security strategy and corresponding systems of our military and governmental institutions, ensuring their alignment with our national interests.
Too often, IT systems are still an afterthought and IT security awareness is lacking. Germany certainly needs to do more.