When the pink clouds are sold to us in the context of digitisation, we are happy to suppress the premises. Necessary network bandwidths, high availability, security requirements and above all risks. Everything must always be pink. Because only this colour stands for better.
Since at least some in the German Armed Forces have recognized that a lot of light also casts many shadows, the new CIR command (Cyber and Information Space) has been prudent enough to be able to better counter these very risks. Of course also to have options in the battle of bits against bytes. From a technical and financial point of view, this string even meets the factual reality. In terms of equipment, we are fighting in the middle of what we have identified as a threat anyway. Quasi drooling standing at the edge of the field. As a reserve of the main players.
And that's not all because then the new "Bundeswehr Space Command" was additionally staged in a populist and above all press-effective manner. Although not quite as beautiful as the US-Space Command, which has even made the Starship Enterprise emblem its emblem, at least in name. And consequently housed in a run-down barracks, so that claim and appearance are visually balanced...
But why so high up, if it doesn't work even on the simplest level?
The DAU (the dumbest assumable user) has struck again and all processes, rules, regulations and binding reporting channels are failing?
They fail because opportunistic self-interest for individual career preservation is to be regarded as more important than the claim of the German armed forces and the Federal Republic of Germany to secure cyber and information spaces. No matter whether space-based or ground-based 1.0 and "wired".
Once again, the Pfullendorf site and the Army Training Command in Leipzig come into play here. "To be an army means to be more", we were taught in the 80s. And so, it was clear that the Ground Forces Training Command in particular, as a pioneer of training in the army, could breed its very own DAUs in large numbers. In addition to other experts and competent persons on topics such as sexual harassment, right-wing extremism and other fields. That was unsuitable, but it shows the tendency.
But now to the case itself. A case that could have affected any civil-economy company, any public authority and any other service. Probably even many have already been affected, but they do not even know it yet.
A good example of well-intentioned, much wanted, little known and therefore moronic.
Instead of being happy that the damage would have been manageable through the timely and proactive initiative of a few, those who noticed it were now persecuted.
For this very reason, the German Armed Forces have implemented reporting channels for IT security breaches in such a way that reports of security incidents can also reach the next responsible department via other reporting channels. Away from the normal so-called official reporting channels. Precisely so that the human factor and its "individual career and protection needs" take a back seat to security for everyone. In theory, this is an excellent idea. Theoretically.
But what does the practice look like?
Actually, the same as we are striving for Corona in the pandemic. And open network access and data access have the same pandemic effect as Covid-19, which is why many technical terms in IT security also have biological cousins from the field of virology.
Lieutenant Colonel L., Chief of the IV. Inspection at the training centre, wanted to create the possibility to work on, or have others work on, exercise situations (scenarios to practice military operations) via home office in the lockdown. But, what a miracle, the German Armed Forces were not equipped for this. Similar to schools, where children were to be digitally trained from now on and many teachers first had to learn how to use the Internet. So, this was not an isolated incident. But the aforementioned lieutenant colonel used uncertified and therefore unapproved means for this purpose: a NAS (Network Attached Storage, a data storage device with its own operating system, connected to a network)! A data storage device with, in principle, open and unprotected lines and the possibility of external access. For a military application...
The commissioned soldiers were ultimately supposed to be able to access the private notebook in the superior's private flat from their home office via this storage device, which was connected to the private notebook. A "protection" of the simplest kind was implemented. In the end, the officer could just as well have started the whole thing via a Facebook group...
This included training situations and regulations for recovery operations. These are military and very risky operations that always start when, for example, aircraft crews are shot down behind enemy lines and have to be recovered. Like in the movie "Bat-21" with Gene Hackman.
There are specific procedures for this, which have to be practised regularly by those to be rescued as well as by the rescuers. These are mostly uniform across NATO, so that each nation can also rescue soldiers from other nations, and they know the procedure well enough not to endanger themselves and the rescuers. If the enemy knows these procedures, he can exploit them to use the person(s) to be rescued as bait and to lure the recovery team into a trap.
This has been a popular practice in Afghanistan, Vietnam and elsewhere.
And Lieutenant Colonel L. has now presented such a situation exercise with the corresponding procedure, classification VS-NfD (Top secret), to the exercise participants on a storage device. A storage device that allowed anyone access via the Internet, if they only knew the simplest means of access. Here it is not only about the level of secrecy, which is kept as low as possible so that one can practise with it at all, but about the topic(!) of the exercise and the execution itself. - The possible mission hazard of recovery operations in the field.
Already during the installation of this network storage device, two attentive sergeants noticed that there was a massive violation of internal IT security guidelines and sought a conversation with Mr. L. They could have reported this incident to the IT department of the location. They even had to!
But instead of seeing the error and asking for help "to pull the number out of the mud", the two sergeants were ordered to keep quiet. However, the German Armed Forces have created regulations for such cases to prevent EXACTLY this kind of thing from happening!
Both NCOs reported dutifully and in accordance with regulations to the S6 officer (telecommunications and IT officer), who in turn prepared a report for the commander of the training centre in Pfullendorf. The latter, Colonel KK, probably passed the case on to his deputy, Lieutenant Colonel L1, especially since the latter had brought a reserve officer before the Military Tribunal in a similar case. And this Lieutenant Colonel L1 did something? - Exactly: NOTHING! Better still, he assessed the S6 officer's report as "not applicable".
Simultaneously, one of the sergeants was subjected to a disciplinary investigation for "insubordination". Both sergeants received a disciplinary penalty for allegedly disobeying the official channels.
From such moments on, things change in troop units. Injustice has an effect and the case fell figuratively over the barracks fence. Via two intermediate stations it came to the author, who then made a few phone calls. Yes, in Pfullendorf there was "nowadays peace on the cemetery". The local staff council met, soldiers, including women, visited doctors because of psychological stress. The word bullying hung in the air and the anteroom lady of Lieutenant Colonel L., the person responsible for the crisis, also felt increasingly uncomfortable.
As we all know, competence and good leadership are often found in people concurrently. And so, what belongs together blossomed into new flowers.
So, the author decided to send a press enquiry with the explicit reference to a publication today. Once to the press officer in Pfullendorf (this is the personnel officer in personal union there) with questions about the commander Colonel KK. And then in a somewhat more precise form, peppered with details, to the Deputy Commander CIR, Major General Setzer, who is the German Armed Forces' highest ranking IT security officer. The Army's IT security officer was deliberately skipped.
It came as it had to come. General Setzer sensed the bear trap and sent a press release to CIR:
"The questions concern several topics and responsibilities. To answer the questions, it is first necessary to examine a number of framework conditions that are the responsibility of the Army. Against this background, we ask you to address this request to the Army Command, Army Press and Information Centre".
The CIR press centre functions in an exemplary manner. And in the author's view, it is a showcase for the German Armed Forces' press technology. Thus, the CIR created the opportunity for the last possible reporting office within the German Armed Forces to have a thumb on the matter itself to be able to make "adjustments" if necessary.
Of course the army was not interviewed, as the author knows from experience that the "small official channels" were now in place and the responsible persons were informed in advance with bcc-distributors (invisible parallel forwarding of mails to other recipients), which are so popular with the German Armed Forces, that "something is up".
It had been foreseeable that the commander in Pfullendorf would not answer. But neither Pfullendorf nor the CIR knew about the other press enquiry.
Meanwhile, one of the sergeants in Pfullendorf had realised that reporting past his superior in parallel to the next higher level complied with the regulations. He described the well documented case in writing to the IT security officer of the Army Command in Strausberg. He even received a confirmation of receipt. When asked by telephone, he was informed that the process of his report had been passed on to the training command in Leipzig, which in turn would coordinate with the subordinate office in Pfullendorf, since the commander in Pfullendorf would actually have to report this serious security breach. - Or should have reported...
And Pfullendorf has never done that before. But what people in Pfullendorf don't know is that they have already been explicitly informed of the incident in higher places. Also, that Pfullendorf has not reported a serious IT security incident here. And thus that time is running out. Expired. - Shut up, the monkey dead!
How the drama continues now, the future may show. What is certain is that the best promise of wanting to do more will fail on the "muddy level" if you don't also make sure that there is a feeling for IT security. Not as lip service, but in reality at work.
Everyone makes mistakes. The author has also experienced this in his active time as an officer. And when things got tight, you said that you A) messed up and asked B) for help. This was never denied. The "nonsense" was cleaned up, straightened and/or put on the right track and in the end you paid for the beer for the common "you-idiot-evening". After the final dressing-down with the boss / commander, who also got a beer. This is also sometimes called comradeship.
The case in Pfullendorf would not have had to boil up like this. It is also not the only incident. It could have been cleared up. Quick and clean. Write a report that something like this had been set up for a short time, but that you realised in time that it was not possible and wanted to report proactively. To avert a possible but unlikely damage. - Nothing would have happened! Nothing at all!
Instead, two attentive sergeants were and are harassed, reports are straightened out, reporting channels are actively blocked and damage is done to the Federal Armed Forces.
And in the field, cut off and alone, crouching in the dirt with the chasers on their heels, every soldier will now think twice before calling for help and risking that the comrades of the recovery team will be ambushed because of him. It is better to try to reach your troops on your own. Despite all odds to the contrary.
Stupidity happens. But it can be "caught" by comradeship. But narrow-minded arrogance with power thinking is beyond what one could still define as THAT. It is simply the grave for every network, for every database and for every effort to secure critical IT connections.
So instead of creating an "Enterprise Command" in a press-effective manner, Pfullendorf should reassess and finally provide the kind of forward-looking professionalism that the army needs in training. Also in digital training.
As is now generally known, home office and online learning can even save costs. Free up money. For urgently needed equipment.