Germany proudly invokes 500-year-old laws dictating what makes beer worth drinking. It’s a national point of pride across industries, from energy to entertainment, that every detail is professionally curated and monitored for quality.
And yet, the Bundeswehr just openly admitted it has zero clues about what’s been going into its weapons systems, or from where.
A new October 2025 study (Eine Achillesferse moderner Streitkräfte: Risiken der Software-Lieferkette und Schutzmöglichkeiten, roughly "An Achilles' Heel of Modern Armed Forces: Software Supply Chain Risks and Protective Options") by Germany's own defense think tank confesses what should terrify natsec experts: the German military cannot answer the basic questions about trust in its software systems. What's inside? Who made it? Is anyone still maintaining it? Are we already breached?
Four years after internal experts recommended fixes, nothing has been done. Nichts.
This isn’t about capability gaps. It’s about a strategic blindness in a culture that demands vision.
Germany learned from its Russian gas dependency and deliberately diversified its energy supply. Yet it apparently learned nothing from Russian cyber operations. It will embargo and re-route Russian oil but keep running code from opaque supply chains with potential ties to America, Moscow or Beijing. Yes, I said America. Not least because we know the Russians and Chinese are in American software, eh?
The Germans obsess over Chinese EVs undercutting their automobile industry while ignoring that the same adversary might control the update mechanisms in their military systems. The study's own examples show this threat vector isn't academic or theoretical.
In March 2025, Ukrainian fighter jets nearly became expensive paperweights when the US threatened to cut software support: no attack needed, just flip a switch. In the opening hours of Russia's 2022 invasion, Moscow got into the management network of Viasat's KA-SAT service and pushed a destructive update (the AcidRain wiper) to tens of thousands of modems, knocking out Ukrainian military comms before the first shot. Chinese intelligence spent 2013-2018 inside the largest US naval shipyard not by breaching its firewalls, but by compromising the managed service and cloud providers it trusted.
Ask me about yesterday’s AWS outage and I’ll ask you what ingredients are in that beer in your hand.
Every one of these software-enabled military failures ran through a supply chain, not through a front-door breach. And Germany's response to the list is…?
The study admits: no one is responsible, no processes exist, and there is no visibility into what's actually running. The Bundeswehr treats software like Cold War hardware: buy once, use for decades, don't ask questions. Meanwhile, it is planning "software-defined defense" with massively networked systems, which means exponentially more code, more dependencies and more attack surface, all inherited by the same blind procurement process.
This is like announcing plans to renovate your kitchen while the whole house is on fire and you can’t find the extinguisher.
The contradiction is stark. Germany won't allow a beer on the shelf without proof of its ingredients, yet billion-euro weapons platforms running on unaudited code from global supply chains are accepted without control or monitoring.
Physical supply chains are treated as high-priority sovereignty issues. Digital supply chains are relegated to obscure departmental problems.
When AWS goes down in a "patently absurd" crash, the world asks what should be done. The answer starts with admitting that when military software supply chains fail, wars are lost. The SolarWinds breach handed Russia a foothold inside the US National Nuclear Security Administration, among other agencies, through a trojanized vendor update that went undetected for months. That wasn't sophisticated tradecraft. It was simple supply chain positioning in an environment that never treated software integrity as a critical leg of safety.
Here’s what makes this a strategic culture failure rather than just a capability gap: Germany has the regulatory muscle, the engineering tradition, and the bureaucratic capacity to fix this. They apply industrial-grade rigor to food safety, environmental compliance, and manufacturing standards. The Reinheitsgebot proves they understand supply chain integrity when they care about it.
They just haven't yet applied that understanding to the systems that determine whether they can fight.
The study recommends everything necessary and expected: establish responsibility, create processes, mandate software bills of materials (SBOM), verify suppliers, monitor for compromises, build expertise.
All feasible.
All ignored for four years while the threat environment deteriorated.
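To make those recommendations concrete, here is an added example (not code from the study, the Bundeswehr or any vendor) of what "mandate SBOMs, verify suppliers, monitor for compromises" looks like at the point where it becomes checkable: a short Python audit that reads a CycloneDX SBOM and maps each finding back to the study's questions. The SBOM, the baseline of accepted digests, the approved-supplier list and the severity labels are all constructed for illustration; a real program would take the baseline from acceptance testing and the supplier list from procurement.

```python
"""Audit a CycloneDX SBOM against a pinned baseline and an approved-supplier list.

Added example for this post; not the study's or the Bundeswehr's code. All data
below (SBOM, baseline digests, supplier list, severity labels) is constructed.
"""
import hmac
import json
from dataclasses import dataclass

# Constructed CycloneDX 1.5 JSON SBOM for a fictional mission-planning module.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libgeo", "version": "2.4.1",
         "purl": "pkg:generic/libgeo@2.4.1",
         "supplier": {"name": "Example Geodesy GmbH"},
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},
        {"type": "library", "name": "netstack", "version": "0.9.0",       # no supplier
         "purl": "pkg:generic/netstack@0.9.0",
         "hashes": [{"alg": "SHA-256", "content": "b" * 64}]},
        {"type": "library", "name": "cryptoutil", "version": "1.1.0",     # drifted digest
         "purl": "pkg:generic/cryptoutil@1.1.0",
         "supplier": {"name": "Unknown Vendor Ltd"},
         "hashes": [{"alg": "SHA-256", "content": "c" * 64}]},
        {"type": "library", "name": "telemetry", "version": "3.0.0",      # no purl, no hash
         "supplier": {"name": "Example Geodesy GmbH"}},
    ],
})

# Constructed baseline: SHA-256 digests recorded at acceptance, keyed by purl.
BASELINE = {
    "pkg:generic/libgeo@2.4.1": "a" * 64,
    "pkg:generic/netstack@0.9.0": "b" * 64,
    "pkg:generic/cryptoutil@1.1.0": "d" * 64,   # differs from the SBOM above
    "pkg:generic/legacy-ui@1.0.0": "e" * 64,    # accepted once, now gone from the SBOM
}
APPROVED_SUPPLIERS = {"Example Geodesy GmbH"}   # constructed procurement list

SEVERITY_ORDER = ["low", "medium", "high", "critical"]   # assumed scheme


@dataclass
class Finding:
    severity: str
    component: str
    question: str   # which of the study's questions this finding answers
    detail: str


def _sha256_of(component):
    """Return the component's SHA-256 digest from its CycloneDX 'hashes', if any."""
    for h in component.get("hashes", []):
        if h.get("alg") == "SHA-256":
            return h.get("content", "").lower()
    return None


def audit_sbom(sbom_json, baseline, approved_suppliers):
    """Return findings for missing identity, unknown suppliers and digest drift."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    findings, seen = [], set()
    for comp in sbom.get("components", []):
        label = f"{comp.get('name')}@{comp.get('version')}"
        purl = comp.get("purl")
        if purl:
            seen.add(purl)
        else:
            findings.append(Finding("high", label, "what is inside",
                                    "no purl; cannot be matched to a baseline or advisory"))
        supplier = comp.get("supplier", {}).get("name")
        if not supplier:
            findings.append(Finding("high", label, "who made it", "no supplier recorded"))
        elif supplier not in approved_suppliers:
            findings.append(Finding("medium", label, "who made it",
                                    f"supplier {supplier!r} is not on the approved list"))
        digest = _sha256_of(comp)
        if digest is None:
            findings.append(Finding("high", label, "are we breached",
                                    "no SHA-256 digest; integrity cannot be verified"))
        elif purl in baseline and not hmac.compare_digest(digest, baseline[purl].lower()):
            findings.append(Finding("critical", label, "are we breached",
                                    "digest differs from the accepted baseline"))
        elif purl and purl not in baseline:
            findings.append(Finding("medium", label, "what is inside",
                                    "component not in the accepted baseline"))
    for purl in sorted(baseline.keys() - seen):   # accepted components that vanished
        findings.append(Finding("low", purl, "what is inside",
                                "baseline component missing from SBOM"))
    return findings


def worst_severity(findings):
    """Highest severity present, or None when the SBOM is clean."""
    return max((f.severity for f in findings), key=SEVERITY_ORDER.index, default=None)


if __name__ == "__main__":
    for f in sorted(audit_sbom(SAMPLE_SBOM, BASELINE, APPROVED_SUPPLIERS),
                    key=lambda f: SEVERITY_ORDER.index(f.severity), reverse=True):
        print(f"[{f.severity:8}] {f.component:32} {f.question:15} {f.detail}")
```

The point of the digest comparison is the one the Viasat and SolarWinds cases make: a supplier's update channel is part of the trust boundary, so the thing you pin is the artifact, not the vendor's name on the invoice. Wiring this into a real pipeline means the baseline is written at acceptance testing and any "critical" finding blocks deployment; for a fleet, the same check runs against SBOMs pulled from fielded systems so drift is seen in hours rather than years.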
This matters beyond Germany. The Bundeswehr’s procurement inertia is teaching adversaries a lesson: Western militaries will spend billions on platforms while treating the software that makes them work as an afterthought. That’s an exploitable vulnerability at strategic scale.
Everyone saw Ukraine's communications die from a poisoned update, and everyone has seen years of undetected access through trusted vendors. Adversaries have spent decades learning that kinetic strikes pair best with patience and a pre-positioned foothold in the software supply chain.
Germany is projecting “Zeitenwende” transformation while running on mystery code from unknown sources with no security guarantees. You can call that a lot of things. “War-capable by 2029” isn’t one of them.
The Reinheitsgebot works because Germany decided beer purity mattered and enforced it for five centuries. The question isn’t whether they know how to secure supply chains. The question is whether they’ll treat military software with the same seriousness they treat beer.
Right now, the answer is no.
The EU's adversaries are already in the military's software sausage. Germans shouldn't wait until they lose control of the beer too.