Germany’s cybersecurity authority, the Federal Office for Information Security (BSI) has observed a consistent increase in hacking attacks and online data breaches.
“We are dealing with a very complex threat environment,” said BSI President Arne Schönbohm on Tuesday. Such actions “could be used by potential attackers to influence the upcoming elections this year,” he said.
When Chancellor Angela Merkel’s Christian Democratic Union (CDU) met online to elect a new party leadership in January, hackers carried out a series of massive attacks aimed at throwing the summit into chaos. The attacks picked up speed every time delegates were about to vote.
The assailants, operating mostly from abroad, bombarded the party’s website with internet traffic to overwhelm its server. At some point, they succeeded. The site collapsed and the live stream of the event cut out.
In the end, the CDU managed to push the intruders out: The party’s technical staff got the website back up by blocking access from outside Germany and specific locations inside the country. Meanwhile, undeterred by the attacks, delegates elected a new party leader through a voting system hosted on a separate server — a safeguard that had been set up to fend off cyber intruders.
The digital CDU party conference in January was attacked by hackers
Yet the thwarted attack illustrates the threat of online meddling that looms over Germany’s upcoming election campaign.
As Europe’s largest economy heads into a string of regional votes that will culminate in a federal election in September, security experts and lawmakers have warned in various interviews that digital risks are on the rise.
“The threat level remains persistently high,” said a spokeswoman for the Federal Office for Information Security (BSI), Germany’s cybersecurity authority.
In March, hackers with suspected ties to Russia sent emails with infected links to several dozen members of the Bundestag and regional parliaments and managed to break into some of their accounts. Stolen data, authorities believe, could later this year be leaked to the web.
The BSI has observed a consistent increase in hacking attacks and online data breaches, the BSI spokesperson said. Both actions “could be used by potential attackers to influence the upcoming elections this year.”
US technology giant Microsoft, which advises German political parties on how to protect their election campaigns against cyberattacks, warns that malicious actors have diversified their strategies: They increasingly use more than one cyberweapon in their attacks, making it harder to counter them.
“Such hybrid attacks are what particularly worry us and others in the tech industry,” said Jan Neutze, who leads the company’s Defending Democracy Program.
A threefold menace
To better understand the cyber threat hanging over Germany’s election, it helps to break it down into three categories.
First, there is hacking: the gaining of unauthorized access to data in a system or computer. As coronavirus restrictions will likely move campaigning from the streets to the internet, hackers could infiltrate the parties’ networks and disrupt campaign events with tactics similar to those deployed during the CDU summit.
Intruders might even try to sabotage the actual vote on election night, September 26, by hacking into the software used to count votes or into the program officials use to report early results.
Germany’s BSI said it was working with authorities and candidates to help them shield themselves from such attacks.
But those security measures will not help counter what’s considered the second key cyber threat: misleading or false information that is spread to manipulate how voters think or behave.
The disinformation threat
Tankred Schipanski, a member of parliament and the digital policy spokesperson for Merkel’s conservative bloc, described disinformation campaigns as “our greatest challenge.” The representative added that such campaigns are “often organized and financed abroad.”
A March 2021 report by the European Union’s diplomatic service calledGermany “the main target” of Russian disinformation in the bloc, listing over 700 disinformation campaigns since late 2015.
But lawmaker Schipanski also stressed that while disinformation campaigns often originate abroad, they spread with the help of domestic actors like the Alternative for Germany,” Germany’s far-right party known by its acronym, AfD.
Social scientists found that false information criminalizing refugees that spread before the last federal election in 2017 drove voters to the AfD.
This year, AfD officials have already tried to cast doubt on the upcoming election by spreading allegations that mail-in ballots could easily be manipulated — a move that takes inspiration from Donald Trump’s campaign to discredit postal voting.
Similar disinformation campaigns have popped up around the world. They are so numerous and sophisticated that experts have coined the term “infodemic.”
In December, US tech giant Facebook shut down 17 coordinated large-scale efforts on its platforms, a record number. One targeted users in Germany, although it was unrelated to the elections.
In late February, a Facebook spokeswoman said the company, which has over 43 million users in Germany, had “not seen evidence of … operations targeting the German election” but added that the company is “staying vigilant” — not least because of therise of new deepfake technology that lets users produce realistic fake videos in which people appear to do or say things they never did.
Then there is a third kind of cyberthreat looming over the election: complex operations known as “hybrid attacks.” These combine hacking with the placement of distorted information, and they often start with intruders breaking into the accounts of political decision-makers or their confidants by masquerading as trusted contacts.
Such phishing attempts have become more frequent and professional. The majority detected by Microsoft could be traced back to Russia and China, but also North Korea and Iran. “It is legitimate to say that actors from those countries have both the capabilities and, at least in part, a geopolitical interest to become active around the German federal elections too,” Neutze pointed out.
After the hacking, damaging material obtained is put online, where it takes on a life of its own.
Users who are unaware of the material’s origin share it on social media or messenger services. Once it reaches a certain number of people, it tends to be picked up by political players with a larger following. They, in turn, are quoted by professional journalists, who bring the issue to the forefront of public debate.
What makes countering such hybrid campaigns so difficult is that the leaked material is often not false per se but distorted or deliberately taken out of context to inflict harm.
Experts therefore speak of “malinformation” rather than “disinformation.” They say boosting digital media literacy among social media users is key to helping them recognize information designed to deceive.
Germany, however, has missed several chances to build such resilience among its population of 83 million over the past ten years, said Manuel Höferlin, a member of parliament for the opposition Free Democrats and the party’s digital policy spokesperson.
“That is a huge failure,” he added.
Germany has strict rules and restrictions for election campaigning in the offline world
No rules for online campaigning
What complicates the situation further is that even though social media companies have rules for their platforms, political online advertising remains, in effect, unregulated in Germany.
In the offline world, the country has strict rules and restrictions for election campaigning, like limiting the time campaign billboards can stay up or restricting time slots for campaign ads on TV — but no such restrictions have been put in place for online campaigning.
The European Union has drafted proposals to regulate digital campaigning, but it will take years for them to be implemented, and Berlin has run out of time to come up with its own national rulebook.
Behind closed doors, talks are being held over whether the country’s parties could agree on a voluntary code of conduct for the upcoming online campaign. It could include a deal that would oblige them to mark online campaign advertising, or ban buying followers or likes.
A decision could be made in the coming weeks, according to an official involved in the negotiations who spoke on the condition of anonymity.
“And if some parties refuse to participate, that in itself would be telling,” the official said.
This is an updated version of a text published in early March.
While you’re here: Every Tuesday, DW editors round up what is happening in German politics and society, with an eye toward understanding this year’s elections and beyond. You can sign up here for the weekly email newsletter Berlin Briefing, to stay on top of developments as Germany enters the post-Merkel era.