Three years ago, the German government established a national cyber defense center (“Nationales Cyber-Abwehrzentrum”). The stated objective was to establish a government entity that would coordinate and bundle the activities of various agencies that are tasked with cyber security, in order to give them more punch on a national scale.
In a classified assessment by the German Bundesrechnungshof (equivalent to the US GAO) that was leaked to the German newspaper Süddeutsche Zeitung and to German national TV, the government’s financial controllers frankly suggest to shut the operation down as in its present form it appears to be nothing but a waste of money.
The facts in a nutshell:
- The center’s only scheduled activity is a daily discussion of the situation.
- Several of the center’s ten (!) employees, which are on lease from other agencies, don’t show up on a regular basis.
- Strategic advice is issued by the center only in annual reports, obviously foiling the center’s stated objective of “quick assessments and call to action”.
- The center lacks the expertise to execute its stated mission.
- No procedure or workflow has been defined for what the center is supposed to do in the event of a substantial cyber attack against Germany.
The criticism can hardly surprise. We had already pointed out the center’s ridiculously tiny footprint and weak mission statement at the time of its creation. Hopefully, the present reporting will make German business decision makers aware of the fact that in time of cyber crisis, the government will hardly be able to provide any help – a phantasy that some CEOs used to nurture to justify their own inaction for providing appropriate cyber defenses.