Coordinated defence against hybrid threats

A defence centre against hybrid threats is being established.

People in Germany are concerned about security. They fear further escalation between Ukraine and Russia and an immediate attack by Russia on Germany. But attacks are already happening today. Every day, state and non-state actors attempt to influence and endanger internal security in Germany. To ensure security in Germany and to better detect and defend against these attacks, a defence centre against hybrid threats is being set up. This defence centre will enable hybrid threats to be detected at an early stage, placed in context and quickly repelled.

Germany is a target for hybrid threats

Germany has long been the target of hybrid influence by state and non-state actors. Whether it is the cyberattack by a Russian hacker group on the SPD party headquarters in 2023 [1], the attack by Chinese hackers on the Federal Agency for Cartography and Geodesy (BKG) in 2021 [2], pro-Russian disinformation campaigns such as the Doppelganger campaign [3], acts of sabotage on Deutsche Bahn fibre optic cables [4], cases of suspected espionage for Russia at the Federal Intelligence Service [5], drone flights over critical infrastructure [6], or Russian research vessels in the Baltic Sea mapping the seabed [7]: the number and density of hybrid influences on Germany have increased.

Hybrid threats involve the combined use of various means such as cyber attacks, targeted propaganda and disinformation, sabotage, espionage, attacks on critical infrastructure, economic pressure and migration [8]. These threats aim to exploit the vulnerabilities of liberal societies, the social market economy, democratic decision-making and digitalised processes. The main objectives are to undermine state interests, unsettle and destabilise societies, and influence public opinion. Germany is a particular focus of Russia's attention, but China and Iran are also showing increasing activity in this area.

 

Security structures are not geared to hybrid threats

Existing security structures and federal responsibilities in Germany often make it impossible, or only possible very late, to contextualize individual acts of influence and respond quickly. Official responsibilities cannot always be clearly determined at the time of an attack, precluding a rapid response. In the event of an attack, it is not immediately clear to security authorities whether it is a military or intelligence operation by a state or the activities of private or criminal groups from within or outside Germany. State attackers, in particular, use private and criminal groups to conceal the origin of the attack [9].

Currently, there is no center where information on disinformation campaigns, cyberattacks, attacks on critical infrastructure, sabotage, and espionage is consolidated and analyzed in real time. There is no nationwide, uniform situational awareness of hybrid threats. The security authorities in Germany maintain their own situational awareness reports, which largely duplicate and overlap. For example, the Task Force Against Disinformation within the Federal Ministry of the Interior and Home Affairs and a Joint Critical Infrastructure Coordination Staff (GEKKIS) were established in the last two years. Furthermore, there are organizational structures at the federal level, such as the National Cyber Defense Center (Cyber-AZ), the Bundeswehr Cyber and Information Space Command, and the Federal Security Operations Center (BSOC), which share their situational reports and cyber intelligence only to a limited extent.

 

Defense center consists of situation and analysis center

The Defense Center for Hybrid Threats consists of a Situation Center and an Analysis Center. It is located within the remit of the Federal Chancellery as a higher federal authority. All relevant and necessary authorities are represented at the Defense Center: the Federal Criminal Police Office, the Federal Police, the Federal Office for the Protection of the Constitution, the Federal Intelligence Service, the Military Counterintelligence Service, the Bundeswehr, the Federal Office for Information Security, the Federal Office for Migration and Refugees, the Federal Office for Civil Protection and Disaster Assistance, the Federal Network Agency, the Customs Criminal Investigation Office, the state criminal investigation offices, the state offices for the protection of the Constitution, and the Federal Prosecutor General. The Federal Chancellery is responsible for managing the center.

 

Networking and analysing the situation enable rapid action

In the situation centre, the significant incidents are displayed in a dynamic real-time situation picture dashboard. Information from the individual member organisations and the various situation reports converge in the centre in real time. This enables a common overall situation to be determined and the necessary operational measures to combat or respond to it to be taken. In future, attackers will carry out cyber attacks, sabotage or espionage and information operations in an even more targeted and coordinated manner. The dashboard includes cyber attacks, disinformation campaigns, prevailing narratives in the media and social networks as well as essential basic services in Germany (e.g. energy, water, healthcare, food supply and internet).

Current incidents and the current supply situation are evaluated in the analysis centre and the intensity of the incident is determined. The presence of all necessary and relevant authorities enables an interdisciplinary analysis of the situation. Depending on the intensity of the incident, different crisis response mechanisms are available to the responsible authorities. The analysis centre also creates profiles of the attackers' activities and identifies the characteristics of certain attacks. The attack patterns and characteristics of the attackers are recorded and stored in an analysis database. This means that attack patterns can be recognised more quickly in the event of incidents and can be assigned to specific actors without any major loss of time.

In addition, Germany's own systemic weaknesses are continuously analysed. Among other things, currently prevailing narratives with the potential for polarisation and division, weaknesses in IT systems, unstable supply services or disrupted supply chains as well as legislative gaps or regulatory ambiguities are among the potential vulnerabilities that are of interest to attackers.

The situation centre in the Federal Chancellery provided for in the coalition agreement, in which an overall situation picture is to be created across all departments, can form the basis for the defence centre. However, in addition to the Situation Centre, the associated Analysis Centre is also essential. The Defence Centre enables hybrid threats and systemic vulnerabilities to be identified at an early stage, put into context and quickly countered. The ability to quickly recognise and defend against these threats is a decisive factor for national security and the resilience of the state and society.

 


 

1 https://www.bmi.bund.de/SharedDocs/pressemitteilungen/DE/2024/05/aktuelle-Cyberangriffe.html [last access: 05.05.2025].

2 https://www.bmi.bund.de/SharedDocs/pressemitteilungen/DE/2024/07/cyberangriff-bkg.html [last access: 05.05.2025].

3 https://www.auswaertiges-amt.de/blob/2660362/73bcc0184167b438173e554ba2be2636/technischer-bericht-desinformationskampagne-doppelgaenger-data.pdf [last access: 05.05.2025].

4 https://www.tagesschau.de/wirtschaft/bahn-schutz-sabotage-100.html [last access: 05.05.2025].

5 https://www.mdr.de/nachrichten/deutschland/panorama/prozess-gegen-bnd-mitarbeiter-russland-spionage-100.html [last access: 05.05.2025].

6 https://www.ndr.de/nachrichten/schleswig-holstein/Drohnen-ueber-Brunsbuettel-Man-moechte-Unsicherheit-schaffen,drohnen402.html [last access: 05.05.2025].

7 https://www.tagesschau.de/investigativ/ndr-wdr/russland-ostsee-spionage-100.html [last access: 05.05.2025].

8 https://www.bmvg.de/de/themen/sicherheitspolitik/hybride-bedrohungen/was-sind-hybride-bedrohungen--13692 [last access: 05.05.2025].

9 https://www.computerworld.ch/security/microsoft/kriminelle-gruppen-staatliche-hacker-arbeiten-haeufig-2937086.html [last access: 05.05.2025].

Contact: Ferdinand Alexander Gehringer
Policy Advisor Homeland and Cyber Security
ferdinand.gehringer@kas.de
+49 30 26996 3709
