With decades of executive experience in top German auto and engineering firms, including Audi, Volkswagen and ThyssenKrupp, Klaus Hardy Mühleck was tapped late last year to reshape the German military into a force fit for cyber conflicts. His new division in the Ministry of Defense will eventually oversee roughly 18,000 personnel, both operational and administrative, and manage an annual budget of around €2 billion. With about 35,000 cyber incidents directed at the German Bundeswehr per week, Mühleck faces many of the same problems as his international counterparts: Securing all networks, tweaking internal acquisition processes, and training a new army of cyber warriors.
He sat down with Defense News German correspondent Sebastian Sprenger in his Berlin office to talk about his plans and how the Pentagon has helped shape his approach.
What is the cyber threat level directed at the Bundeswehr?
We record thousands of attacks on our networks and routers every day, most of them low-level attempts that can be neutralized by our automated defenses such as firewalls and intrusion-detection systems. Some certainly bear the signatures of more advanced hackers. It’s hard to know exactly from where these attacks originate, because hackers could have used remote servers to conceal their location. Most of the attacks seem to come from the East, including Ukraine, Russia and China, though some also come from African countries. But basically every country could be used as a jump host, so a final attribution is difficult. It’s hard to be absolutely certain.
If the attribution of attacks is uncertain, what does this mean for response operations?
We are actively discussing this within our government, and also with our American colleagues. We all act within tight legal constraints. You can’t just shut down a server in, say, North Korea, without a proper justification under national and international law. Of course we are always authorized to defend our deployed forces. And that can mean conducting active defense operations with our specific forces for that purpose. In Afghanistan, for example, we could shut down some enemy devices if it helps protect our troops. But the armed forces are not allowed to conduct such operations unless specific legal conditions are met. Determining the legal authorities related to cyberspace will be a big topic in the new legislative session.
With the German elections coming up on Sept. 24, are you worried about hacking against election-related infrastructure?
This is not my direct responsibility, but that of the Federal Ministry of Interior. Of course, we all share our experiences on this matter, including with our colleagues around the world. I think we’re not positioned all that badly here in Germany. A lot has happened to protect our centers, our networks.
Gaining access to the technology startup scene is a big topic for the U.S. military. What’s your approach in Germany?
Besides adopting new technologies from our bigger vendors, like [German software maker] SAP or Software AG, we have created a Cyber Innovation Hub to act as a magnet for startups and as a point of reference in working with the Bundeswehr. But we have the problem that we, as an agency, are too slow. So the Cyber Innovation Hub is deliberately decoupled from our processes as far as legally possible. So far, we are seeing great interest. We conducted an initial market scan and invited startup companies to a pitch event on one of our navy vessels. The concept will initially run for three years with a budget of roughly €30 million. But it’s not really limited to that. We’d like to lean in a direction of something like a Defense Advanced Research Projects Agency. The Defense Innovation Unit Experimental, DIUx, also serves as a model for us.
What specific new capabilities are you hoping to gain from German startups?
We are open to anything. There is great potential in areas such as machine learning and image-recognition systems. We can place those into our existing application architecture. The same goes for geo-information technologies, networking the physical world with the cyber world. Also of interest are solutions for data analytics, early-warning systems for crisis prediction, cryptology, software-defined networks and new capabilities for our missile-guidance packages.
How are you modifying acquisition processes to reflect cyber and IT requirements?
The core of our strategy is to introduce a modular architecture for all our military equipment. That’s being worked now. We are defining lead architects for our platforms. It’s the only way to ensure new technologies can be inserted into existing systems without upgrading them in their entirety.
Which programs, specifically, are you working on toward that end?
Mobile Taktische Kommunikation (MoTaKo), or mobile tactical communications [a suite of communications technologies], recently approved by parliament, is key in this context. Over the course of 10 years, we will equip more than 90,000 vehicles with it. But it takes time. We just determined the project phases toward an initial roll-out. Software-defined radios also are an important component of this, as is the equipment worn by individual soldiers. We just equipped 50 group-lead vehicles with software-defined devices.
What is your plan for ensuring the Bundeswehr’s supply chains are safe from malicious cyber technologies that could be inadvertently built into German weapons?
In Germany and Europe, we were very much shaped by SAP environments, which allows a very detailed reporting of maintenance- and engineering-related inventories for our equipment. That makes change control relatively easy. It’s still a decentralized process today, but we plan to consolidate it just as the large car companies are doing it for their billions of parts. It’s done pretty effectively in the Bundeswehr, piggy-backing on SAP’s experience in the automotive sector. Ultimately we want to develop our cloud strategy to include that type of data.
What are your thoughts on improving interoperability within NATO?
Working through the [NATO] Federated Mission Network works well, especially with the Americans. If the other countries would move similarly to us in Germany, then there would be no problem working in a networked structure. But it would require all those who like to pursue their own projects to come along. Germany and the Netherlands are model students in this area.
The use of software-defined radios also must be expanded. Together with France there could be an area of cooperation.