Category Archives: History

Empty Hat: When a Cyber Security Podcast Gets NatSec Dead Wrong

I was thinking about doing a Cold War themed conference for cyber security, to infuse more NatSec, but now I’m thinking of starting a conference called Empty Hat, which is focused on examples of integrity breaches.

Based on my earlier post about the BMI I have been asked to turn in an analysis on a recent podcast. It turned out to be a recurring podcast segment, published June 30, 2026, in which two colleagues seem to know each other so well they forgo introductions when they discuss whether signals intelligence agencies should oversee “cyber forces”.

One of the two put forward a thesis, that a collection-first culture subordinates action to access (puts knowledge before execution) and therefore forfeits attack opportunities. The remedy stated is a separate organization, with its own culture and a mandate to act.

On the face of it, the thesis assumes lack of fire discipline (shoot first ask questions later) or relentless bombing has ever worked, which is a tell worth remembering, but I’m getting ahead of my historian self. His authority was presented as “so from my PhD dissertation,” at minute nineteen. That’s the second tell. Self-reference to invisible pants of a soon-to-be emperor. The dissertation is not named, no institution or supervisor is mentioned, and it cannot be located or checked. Then the other person on the podcast spent roughly forty minutes repeatedly asking what this proposed unaccountable organization would do. Perhaps I shouldn’t say unaccountable, but the premise of execution without intelligence gathering is like we used to observe about some people down range: fire, ready, aim!

The format of the podcast struck me as overly casual, as if to fiat the conclusions that had no business being concluded. A conversation between colleagues bypasses adversarial or independent framing, so a self-citation to an unnamed dissertation of unknown status is floated without any resistance. The speaker does identify himself elsewhere, in a social media biography, as a PhD researcher in a war studies department in London. That affiliation is self-attested under a pseudonym, so a supervisor remains unnamed, enrollment unconfirmed, and the draft of a dissertation cannot be retrieved even in principle, since any registration would sit under a legal name disconnected from the presentation of the work. Academic citation exists to let a reader walk a claim back to an examinable document. The podcast citation is constructed as mythical unexamined rhetoric to hold over scholarly work.

The segment timing is notable, and perhaps why I was asked to look at it, because BMI published its 691-page Referentenentwurf five days later, and because the argument made in it is the argument that underlies that huge draft. The podcast essentially presents the same or similar errors without statutory language. Both proceed in the same order: powers are asserted first, while the opportunity for the powers remains unspecified, and assess/audit/review is treated as a messy “inefficient” obstacle rather than a control. I mean literally. People who work in a control industry, arguing that representative controls are a waste of time and money, should perhaps lose their license to “lead” the discussion of controls. To me it rings like a doctor saying a license and board impede their need for aggressive measures on patients. And that’s not an exaggerated metaphor, given how German healthcare workers turn up murdering the people put in their care, using defenses relevant to this topic.

Where the informal format of the podcast fails at reasoning and history is therefore a reasonable guide to where the statutory version fails as well in Germany right now.

The thesis is collapsed

The thesis starts out bold. It is introduced as an organizational claim, that SIGINT is the wrong place. Under questioning it softened into a claim about mindset, and then finally was reduced to the proposition that effects “need to be someone’s job.”

Indeed.

The last formulation requires no reorganization and no new agency, and offers nothing a policymaker could adopt or a critic could refute. What remains constant through the retreat is the attempt to push a foregone conclusion; while the support changes like shifting sands. This is the inversion of how reasoning is supposed to work.

The support even falls into making up a coined vocabulary (“Collection Terminal” against “Actions Terminal”), a single example allegedly in the speaker’s own unnamed dissertation, and two cited authorities, cyber persistence theory and the UK’s responsible-cyber paper. Is “responsible-cyber” really supposed to be referenced in a thesis to reduce responsibility? When his colleague asked what effects would actually deliver, the answer was that this is someone else’s problem. When asked to name the opportunities being forfeited, the answer was that they are unknowable. When asked for a working model, the answer was the UK National Cyber Force, referred to in the segment as the “Notional Cyberforce.”

The history portion of the podcast was even worse. Four references were offered in support, all of which had serious errors. The CIA operation in Iran was called “54” and described as a revolution. Wrong. It was in 1953, a coup against Mossadegh, twenty-six years before the revolution. Darius the Great was messily implied to have “tried to invade”, apparently meaning Persia, yet he ruled Persia and invaded Greece. The parent service of SOE, called out as the “Special Intelligence Service,” was actually the Secret Intelligence Service; the Special Intelligence Service was a completely other thing, an FBI unit covering Latin America from 1940 to 1947. Stuxnet gets described as making Iranian engineers “believe that their equations were wrong,” yet it was feeding them evidence that their equations were right. It drove centrifuges outside a safe operating range while recorded readings were played in the control room. An argument that misstates facts, stuff like this easily checked, invites the question whether claims beyond it are similarly mistaken.

The thesis isn’t new

Two countries are named as having separated cyber from signals intelligence. Hold on to your hat. They are… wait for it… the United States, where Cyber Command grew out of the NSA, and the United Kingdom, where the National Cyber Force was split out of GCHQ. These are known as the two most capable Western cyber powers, which sits very awkwardly with a thesis holding that SIGINT custody is the wrong arrangement. The most capable are the most wrong? The difficulty deepens near the end of the segment, when it is conceded that the NCF has produced nothing visible in years. These two admissions together cannot both help the argument. If the separations were genuine, the silence of the separated organization removes the promised payoff; if they were not, the evidence for separation evaporates. Arguing a logical inconsistency like this should be the kind of thing a podcast interviewer jumps on. You can’t say the thing that works is the proof that it doesn’t work.

The thesis admits success is from collection agencies

And on that note, the operations that are given approval in the podcast were produced inside the collection agencies that it criticizes. Stuxnet came from the NSA and Unit 8200, and the disruption of malware developers that the segment praises was run by the Australian Signals Directorate. Since the claim is that collection-first organizations are structurally incapable of such work, these examples do not merely weaken it; they falsify it.

Stick a fork in this thesis. It’s over. Done. Toast.

A fallback is offered, to be fair, that SIGINT agencies act rarely and never organically. But let’s be honest that a claim about capacity doesn’t get to come out of a claim about frequency. The frequency is a matter of tasking, not organizational design. The rareness might be because ready, aim, fire means wasting fewer bullets?

The ASD case is more damaging still. The colleague observed that the operation was politically directed, a priority arriving from above and an operation built to meet it, and the speaker agreed. The thesis being argued requires effects to emerge organically from cyber-native culture. And yet the one democratic example offered arrived through precisely the requirements process that the thesis describes as inadequate.

The thesis rails on

The dissertation’s thought experiment places Ukraine inside the Russian rail network, where wiping the system would buy roughly eight hours of disruption at the cost of continuing insight into troop movements, a trade the segment describes as plainly bad. That judgment is the collection-first equities calculation, applied correctly, in defense of the position that the thesis opposes. The alternative proposed, subtle misrouting designed to resemble error while preserving access, is patient, deniable, access-preserving tradecraft of the kind a collection culture teaches. The equities calculation also brings us right back to the BMI draft: the human review stops a bad aim before it fires, and it is the step the draft throws away for “efficiency”. Fire, ready, aim being automated is as bad as it sounds, an automated anti-aircraft gun in 2007 emptying its twin 250-round magazines in 30 seconds of friendly fire, faster than humans could stop it from killing them.

Source: RSA Conference 2023 (on the 2007 Lohatla incident)

The claims against the thesis

Each row below is an empty hat claim made to support the thesis, set against the record it contradicts. The segment is public and the recording has a lot of “thought leader” juice generating clicks; it goes unnamed here because the argument is the focus, regardless of the arguer.

Time The claim The problem
0:49 Housing cyber inside a SIGINT organization is “just not the right place.” The only two countries named as separators, the US and UK, are the most capable Western cyber powers. The provided evidence favors the thesis being rejected.
3:49 The collection-first secrecy instinct is “the wrong mentality to have for cyber.” Hard targets are immediately exempted, and hard targets are where most of the intelligence value lies, so the exception covers most of the field.
4:27 The SIGINT mindset “subordinates action to collection.” The claim is presented as structural incapacity and later reduced to one about frequency, and frequency is set by tasking rather than by organizational design.
8:11 The CIA in Iran, “was it 54,” framed as the Iranian Revolution. Operation Ajax against Mossadegh took place in 1953 and was a coup; the Iranian Revolution came in 1979.
9:01 “Ever since Darius the Great tried to invade, we’ve always been at war with Persia.” Darius ruled Persia and invaded Greece; as spoken, the sentence has the Persian king invading his own empire.
14:08 Stuxnet, the “fast 16 malware,” made engineers “believe that their equations were wrong.” Stuxnet drove centrifuges outside their safe speed range to break the rotors while replaying recorded normal readings to the control room; the machines failed visibly and what was concealed was the cause.
17:51 SOE was born because “the SIS, which is the Special Intelligence Service.” SIS is the Secret Intelligence Service; the Special Intelligence Service was the FBI’s Latin America arm from 1940 to 1947.
18:41 SOE was aggressive, then “they disbanded in 1946.” The example demonstrates the pattern being argued against, in which democracies raise such organizations for existential war and dismantle them at peace.
18:58 SOE operated in an “existential war,” conceded, and today’s stakes are lower. Whether present conditions resemble an existential war closely enough to justify an SOE is the question at issue, and it is settled here by assertion.
20:39 Wiping Russian rail buys only “eight hours on a Wednesday” and burns your access. This is the equities calculation the thesis was constructed to reject, applied correctly in its support.
25:50 Cyber persistence theory says the domain is “initiative advantaged,” so you must act. Persistent engagement describes continuous contact across the full spectrum of operations; collection and defend-forward also seize initiative, and the reading collapses initiative into effects.
28:16 “80% of all incidents” start with credential theft, so access is cheap and replaceable. If access is cheap and replaceable, the equities conflict on which the thesis rests disappears, since a collection organization could reacquire access after acting.
33:07 An effects-requirements process fails because you cannot “prioritize the unknowable.” The objection applies equally to the thesis itself, since a space that cannot be characterized cannot be asserted to be large and squandered.
35:27 How to build and run all this is “someone else’s problem. I wouldn’t know how to do that.” Asked four times what the proposed organization would produce, the speaker offers no answer.
38:48 Friends call the National Cyber Force the “Notional Cyberforce.” The single existing instance of the proposed model has, by this account, no output to show.

The thesis as law

The standard all of these arguments should meet is a triad: named actors, specific mechanisms, and verifiable claims. And yet the segment, trying to glue support to a thesis, meets none of it. The one organization that is operating on the proposed model is described as notional. The actual mechanism is declared to be someone else’s problem. Every claim is built into a disinformation smorgasbord, laid out so that no observation counts against them. The effects produced by SIGINT are declared evidence that it could do more, while effects not produced are declared evidence of suppression.

The Referentenentwurf meets the triad, which is what makes it the more serious document. Its actors are named, the BfV and the BND. Its mechanisms are specific, automated countermeasures under the new § 25 Absatz 6 and a domestic deception charter under § 60 Absatz 2 Nummer 1 Buchstabe c. Its claims sit in the hefty 691 pages of text that anyone can read.

What the papers do not contain is any citation for the model being proposed, just like the thesis in the podcast. Nothing. Not Australia, not the Australian Signals Directorate, not the National Cyber Force, not GCHQ, not Cyber Command, not persistent engagement, not even the responsible-cyber paper. There are exactly zero occurrences in 691 pages.

The draft does look at other countries, but only when it wants to loosen the rules. When the authors want to weaken the wall between spying and police action, they point out that Austria, Sweden, and the American FBI run combined agencies. When they want less independent checking of collected data, they cite a survey of nine European states showing none require it in full. When the topic is the oversight body’s public report, a harmless transparency exercise, they cite the Netherlands and the United Kingdom as models. Every foreign example in the draft argues for fewer controls. Not one argues for the new powers.

And the new powers get almost nothing. The automated hackback authority cites a single source: a European regulation on artificial intelligence, from which the draft borrows some quality language while stating, in the same breath, that the regulation does not apply here. The power to spread false information cites nothing at all. So Germany has written itself an offensive cyber doctrine without referencing a single country that has actually run one, and those countries are the only place the hard answers could have come from: how often automated systems hit the wrong target, and what happens to bystanders when they do.

The draft is missing the same answers the podcast was missing, and reading both side by side suggests why: there was never a source behind either.

The podcast speaker could not say what these operations achieve. A German draft grants the power to run them anyway, with no analysis of how often they would fail. The speaker called the opportunities unknowable. The draft lets a machine act on them automatically, with a human checking only afterward, when damage is done and the action cannot be taken back. This violates the one source the draft cites: the same European regulation it borrows quality language from requires, in its human-oversight article, that a person be able to intervene in or interrupt an automated system. The draft quotes the regulation’s standards and deletes its stop button.

The podcast kept treating representation and review as an obstacle to executive powers. The German draft shrinks three independent watchdogs into one, and lets an agency chief postpone even that one’s approval simply by declaring the matter urgent. To put self-certification in proper context, alongside state-level political mythology, here is the current head of the BMI handling a single checkable number in public.

Presenting the 2024 Verfassungsschutzbericht in June 2025, Dobrindt claimed “violent left-wing extremists are rising significantly to 11,200.” The report he was presenting said the number was unchanged from the prior year, flat at exactly 11,200, which is visible on the chart he is holding.

Every hole in the podcast’s argument shows up again as the same hole in this nation’s draft law.

Coincidence of timing, probably. Convergence of thinking, demonstrably.

The one good moment in the podcast, when a human looked at a proposed attack and said the trade is not worth it, is precisely the step the draft deletes.

An argument that could never describe what it was for is now on its way to becoming law, and enacting it without the analysis it never contained is what I would argue is a grave mistake on the road to regret.

In William K. Clifford’s “The Ethics of Belief” (1877) he argues it is wrong (morally, not just intellectually) “always, everywhere, and for anyone, to believe anything upon insufficient evidence.” His example is a shipowner who talks himself into believing his ship seaworthy without inspecting it and sends emigrants to sea; the ship sinks, and Clifford’s verdict is that the sincerity of the belief excuses nothing, because he had no right to believe on the evidence before him.

Map that onto § 25 Absatz 6: a state acting automatically on unexamined conviction, with the inspection step deleted by statute. And the shipowner is not only a parable. American law codified him long ago as seaman’s manslaughter, which convicts on simple negligence, and its most recent famous conviction turned on a captain who failed to post the night watch, so a fire spread undetected while thirty-four people slept.

Dozens died trapped inside a burning vessel less than 100ft from the California shore, after the captain failed to post the required night watch. Nobody was watching, so nobody could stop it.

The deleted human watch was the crime.

Germany’s draft proposes it as policy.

The podcast and the draft law are Clifford’s infamous shipowner as cyber, at machine speed.

Believing without evidence is malpractice, if you will, especially in the country where yet another healthcare worker has just been sentenced for serial murder of patients.

He told the court he had convinced himself that he was doing the right thing, sparing them “suffering and infirmity”.

“Throughout it all, I thought this was the best thing for everyone,” he said.

That is Clifford’s shipowner speaking: sincere, convinced, and guilty of murder. The sincerity of a belief excuses nothing when there was no right to hold it. Clifford’s shipowner skipped the inspection; the German draft writes the skipped inspection into law after the podcast advocated for exactly that.

Welcome to the first declaration of Empty Hat. Hope to see you there.

Deutschland automatisiert Hackback und Desinformation, während die AfD der Macht näher rückt

English | Deutsch

Das BMI hat einen 691-seitigen Referentenentwurf veröffentlicht (5. Juli 2026, derzeit in der Ressortabstimmung, Verbändestellungnahmen angefordert), der das deutsche Nachrichtendienstrecht von Grund auf neu schreibt: ein neues BVerfSchG, ein neues BNDG und erstmals ein eigenes Stammgesetz für den Unabhängigen Kontrollrat (UKRat), dazu sechzehn Änderungen an Gesetzen vom Vereinsgesetz bis zur Abgabenordnung.

Der Entwurf macht einige sehr merkwürdige Züge. Ein paar davon gehe ich hier durch.

Wer so etwas entwirft, entwirft einen Werkzeugkasten unter der Annahme, die AfD werde niemals das Innenministerium übernehmen. Aufgebaut wird eine Lizenz zur Täuschung und Intervention im Inland, mit einer Aufsicht, die in einem einzigen Gremium gebündelt ist — dessen Vorabkontrolle die Amtsleitung per selbstzertifizierter Eilbedürftigkeit aufschieben kann. Aufschieben, ja, technisch keine Umgehung, weil die Anordnung ohne Bestätigung außer Kraft tritt. Aber mal ehrlich: Bei verdecktem Fire-and-Forget wird die gesamte Aufsichtsbürokratie bedeutungslos. Falschinformationen sind injiziert, Daten gelöscht — das sind längst entlaufene Pferde, nachdem das Scheunentor offen stand. Die AfD schnallt sich vermutlich schon die Sporen an.

Deutschland hat derzeit eine kremltreue, NS-affine Partei an oder nahe der Spitze der Bundesumfragen. Die Weimar-Lektion, präzise formuliert, lautet nicht, dass der Staat zu schwach oder zu stark war. Sie lautet: Die Verteidiger der Verfassung bauten Instrumente, die intakt an ihre Feinde übergeben wurden. Die Gestapo hat die preußische politische Polizei nicht aufgebaut; sie hat sie per Preußenschlag geerbt.

Vor allem die Polizeipräsidenten werden ausgetauscht. Hitlers SA- und SS-Mannen haben keinen Grund mehr, die preußische Polizei zu fürchten.

Es sind die handwerklichen Fehler dieses Dokuments, die das Erbrisiko katastrophal machen. Ein gut instrumentiertes System bindet jeden, der es benutzt; wir haben immer gesagt: leicht richtig zu benutzen, schwer falsch zu benutzen. Der BMI-Entwurf ist stattdessen fail-open — wie eine geladene Waffe, ausgehändigt mit abgefeilter Sicherung und einem regenbogenfarbenen „Do no evil“-Aufkleber darauf.

Man nehme die neuen „Effizienz“-Behauptungen. Auf dem Papier sieht es nach Aufsicht aus, denn der Entwurf dehnt die Vorabkontrolle auf weitere Maßnahmetypen aus und behält den Namen der BfDI sogar in einer Paragraphenüberschrift. Aber Aufsicht heißt Redundanz, und davon gibt es keine. Drei unabhängige Kontrollinstanzen (G10-Kommission, BfDI, UKRat) werden zu einer einzigen komprimiert. Die G10-Kommission, 1968 als verfassungsrechtlicher Preis für die Einschränkung des Art. 10 geschaffen, ist einfach weg — ihre Abschaffung als Haushaltseinsparung verbucht. Redundante, sich überlappende Kontrolleure sind das Rückgrat jeder Aufsicht, das Gegenteil von Verschwendung: vorgelagerte Investitionen, die einander gegenprüfen und nicht alle gleichzeitig vereinnahmt oder ausgehungert werden können, was nachgelagerte, teure Katastrophen verhindert. Wenn interner und externer Prüfer dieselbe Person sind, die an sich selbst berichtet, reden wir über Enron (ich habe bei Arthur Andersen eine Computer-Risk-Praxis über fünf Bundesstaaten geleitet, ich kann davon erzählen). Der Entwurf stellt ein einziges Gremium mit gerade einmal 8,86 Mio. Euro pro Jahr auf, um einen Apparat zu kontrollieren, der allein für den IT-Betrieb des BfV 269 Mio. Euro pro Jahr ausgibt. Dreißig zu eins, Fähigkeit zu Kontrolle — als ließe sich Kontrolle abwerten, obwohl sie der Werthebel der Fähigkeit ist. Am falschen Ende gespart.

Man nehme, als weiteres Beispiel, die deutsche Geschichte. Das Trennungsgebot existiert wegen des Polizeibriefs und des Gestapo-Präzedenzfalls: eine Behörde, die zugleich beobachtete und handelte, verdeckt, ohne richterliches Verfahren. Dieses Dokument erwähnt auf 691 Seiten weder Gestapo noch Stasi noch die historische Begründung der Trennung. Der Entwurf zitiert ausschließlich BVerfG-Rechtsprechung ab 2013, als wäre das Prinzip eine datenschutzrechtliche Formalie und nicht eine Geschichtslektion namens „Nie wieder“.

Der vielleicht sonderbarste Zug von allen, sonderbarer noch als Deutschlands Weigerung, den NS-Präzedenzfall zu benennen: Automatisiertes Hackback wird damit begründet, menschliche Prüfung leiste „keine relevante Qualitätssicherung“.

Ein Zwischenschritt menschlicher Bearbeitung leistet hier keine relevante Qualitätssicherung, verzögert aber Abwehr erfolgsgefährdend.

Das ist verkehrt herum, gemessen am Kanon des Hackback wie an der Automationssicherheit. Mit einem Wort: Bockmist. Ein Gegner, der eine automatisierte Reaktion kartiert, besitzt sie: Wer die Auslösebedingungen lernt, kann staatliche Gegenmaßnahmen in Friendly Fire umlenken. Der Entwurf deutet Qualität an (Genauigkeit, Robustheit, Cybersicherheit — Kriterien aus der EU-KI-Verordnung entlehnt, von deren Geltung er sich zugleich ausnimmt) und quantifiziert nichts. Keine Fehlertoleranz, keine Schwelle für Attributionssicherheit, keine Drittschadensanalyse, nichts. Die automatisierten Maßnahmen selbst — Umleitung von Datenverkehr und Löschung von Daten — liegen genau in der Kategorie geteilter Infrastruktur, in der Fehlattribution unbeteiligte Dritte trifft: „Angreifer“-Daten auf einem kompromittierten Host gelöscht, und der Server eines Opfers ist zerstört. Das sind sehr, sehr alte Streitpunkte des Hackback, die hier null Beachtung finden: Wir haben das 2013 auf meinem Blog verhandelt — und der Entwurf übernimmt die unterlegene Seite ohne die Debatte. Die Begrenzung auf Cyberangriffs-Kontexte ist eben genau: geteilte Infrastruktur, umstrittene Attribution, Maschinengeschwindigkeit. Automation im Wilden Westen, wo man sie am wenigsten will.

Und der Wilde Westen hat jetzt auch seinen Waffenhändler. Versteckt in den Übermittlungspflichten (§ 10 Absatz 2 BNDG, entdeckt von Sven Herpig auf LinkedIn) wird das BSI, die Bundesbehörde, deren gesetzlicher Auftrag das Schließen von Schwachstellen ist, zur verpflichteten Zulieferstelle des BND: Schwachstellen roh und unbearbeitet („ohne vorherige Aufarbeitung“), 0-Days eingeschlossen. Die Begründung argumentiert für den Angriff:

Der Bundesnachrichtendienst nutzt regelmäßig Schwachstellen zur nachrichtendienstlichen Auslandsaufklärung.

[…]

Jegliche zeitverzögernde Prozesse minimieren die Nutzungswahrscheinlichkeit drastisch.

Die Zeit bis zur Behebung wird damit amtlich zum Erntefenster des BND erklärt. Kein Abwägungsprozess wiegt mehr den Wert der Verteidigung gegen die Eile zum Angriff. Herpig berichtet zudem, das Bundeskanzleramt habe im Namen des BND acht Jahre lang genau dieses gesamtstaatliche Schwachstellenmanagement blockiert, um jetzt stattdessen die einseitige Angriffszulieferung in den Entwurf zu schreiben. Sein Fazit: Kein Sicherheitsforscher wird dem BSI je wieder eine Schwachstelle melden. Die Behörde, der man Risiken meldet, ist jetzt per Gesetz auch die Annahmestelle der Behörde, die sie ausnutzt.

Bemerkenswert: Das Wort Desinformation beschreibt im Entwurf ausschließlich Gegner (z. B. Russland), nie deutsche Maßnahmen. Wenn der Inlandsnachrichtendienst dasselbe tut (§ 60 Absatz 2 Nummer 1 Buchstabe c: Falschinformationen über Vertrauenspersonen in Netzwerke einspeisen, um Verhalten zu steuern), heißt es „Schutzmaßnahme“. Es ist aber dasselbe. Das erinnert daran, wie lange vor der Bundesrepublik Nicolais Abteilung IIIb Desinformation als Aufklärung betrieb. Wo hier der Euphemismus auftaucht, sehe ich eine inländische Täuschungslizenz — eine Lizenz zur Desinformation — für die Behörde, deren Auftrag die Beobachtung politischer Bestrebungen ist.

Deutschland hat soeben staatliche Desinformation ins Gesetz geschrieben. Deutschland. Ausgerechnet. Deutschland.

Schon 2012 habe ich weltweit offen für Hackback geworben, und 2023 hielt ich am National Security Seminar der William & Mary Law School einen Vortrag mit dem Titel „The Heaviest of Burdens: Hackback“. Irgendwo hier liegt noch das Schützenvereins-T-Shirt als Beweis. Ich bin also nicht die übliche Bürgerrechtsstimme. Und gerade als langjähriger, führender Hackback-Befürworter, wenn auch zugegeben ein alter Seebär, sage ich: Dieses Dokument riecht nach Kunstfehler.

Die verfassungsfeindliche Partei bekämpft man mit dem öffentlichen, gerichtlichen Instrument, das genau dafür gebaut wurde, Artikel 21, damit Deutschland nie wieder eine geheime politische Polizei braucht. Richtig? Ist das Mikro an? 1932 versagte der Rechtsweg, weil er erst kam, nachdem der Apparat den Besitzer gewechselt hatte. Die Transparenz gut konstruierter, fail-safe gebauter Instrumente ist das, was feindliche Übernahmen übersteht — während das eilige, selbstzertifizierte, verdeckte Zeug wie dieses hier später stets als stumpfes Übernahmeinstrument studiert wird.

Germany Automates Hackback and Disinformation Tools as AfD Nears Power

English | Deutsch

The German BMI has published a 691-page Referentenentwurf (5 July 2026, currently in interministerial coordination, with stakeholder comments requested) that rewrites German intelligence law from the ground up: a new BVerfSchG, a new BNDG, and a standalone statute for the Unabhängiger Kontrollrat (UKRat) for the first time, plus sixteen amendments to laws from the Vereinsgesetz to the Abgabenordnung.

It makes some very strange moves. I’ll go through a few here.

Whoever drafts this is drafting a toolkit on the assumption the AfD will never hold the Innenministerium. They are standing up a domestic deception-and-intervention license, with oversight consolidated into a single body whose pre-approval the agency head can defer on self-certified urgency. I said defer, yes, technically not a bypass, because the order lapses if unconfirmed. But come on people, in a covert fire-and-forget the whole oversight bureaucracy becomes meaningless: false information injected and data wiped are typically long-gone horses after the barn door was opened. The AfD are probably strapping on their spurs in anticipation.

Germany currently has a Kremlin-aligned Nazi-adjacent party at or near the top of federal polls. The Weimar lesson for anyone paying attention, precisely stated, is not that the state was too weak or too strong, it’s that defenders of the constitution built instruments that were handed intact to its enemies. The Gestapo didn’t build the Prussian political police; it inherited it via Preußenschlag.

Vor allem die Polizeipräsidenten werden ausgetauscht. Hitlers SA- und SS-Mannen haben keinen Grund mehr, die preußische Polizei zu fürchten.

EN: (It is primarily the police chiefs who are being replaced. Hitler’s SA and SS men no longer have any reason to fear the Prussian police.)

The engineering failures of this document are what make the risks of inheritance catastrophic. A well-instrumented system means constraining anyone and everyone; we always used to say make it easy to use right, hard to do wrong. The BMI document instead is fail-open, like a loaded weapon handed out with the safety filed off and a rainbow colored “do no evil” sticker on it.

Look at the new “efficiency” claims, for example. On paper it looks like there is oversight because the draft extends pre-approval to more measure types and even keeps the BfDI’s name on a section header. However, oversight means redundancy, and there’s none of that. Three independent overseers (G10-Kommission, BfDI, UKRat) compress into a single one. The G10-Kommission, created in 1968 as the constitutional price of restricting Art. 10, is simply gone, its elimination booked as budget savings. Redundant, overlapping overseers are the spine of oversight, meaning the opposite of a waste: they are upstream investments that cross-check each other and can’t all be captured or starved at once, which prevents downstream costly disasters. When your internal and external auditor are the same person reporting to themselves, you are talking Enron (I managed a five-state Computer Risk practice at Arthur Andersen, I can tell you all about it). The draft has a single body funded at just €8.86M a year to control an apparatus spending €269M a year on BfV IT operations alone. Thirty to one, capability to control, as if to say control can be devalued when it’s the valuation lever on the capability. Penny wise, pound foolish.

Look at the history of Germany, for another example. The Trennungsgebot exists because of the Polizeibrief and the Gestapo precedent, where an agency both watched and acted, covertly, without judicial process. This document has zero mentions of Gestapo, Stasi, or the historical rationale for keeping separation. The draft cites only post-2013 BVerfG doctrine, as if the principle were a data-protection technicality rather than a lesson in history called “never forget”.

Perhaps the most peculiar move of all, even more than Germany refusing to acknowledge Nazi precedent, is that automated hackback is justified with “human review adds no relevant quality assurance.”

Ein Zwischenschritt menschlicher Bearbeitung leistet hier keine relevante Qualitätssicherung, verzögert aber Abwehr erfolgsgefährdend.

EN: (An intermediate step involving human processing provides no relevant quality assurance here, yet delays the response to a degree that jeopardizes success.)

That’s backwards, per the canon of hackback and per automation safety. Horseshit, in a word. Adversaries who map an automated response own it: learn the trigger conditions and you can redirect state countermeasures into friendly fire. The draft gestures at quality (accuracy, robustness, cybersecurity, criteria lifted from the EU AI Act while exempting itself from the EU AI Act) and has no quantification. No error tolerance, no attribution-confidence threshold, no third-party-harm analysis, nothing. The automated measures themselves, traffic redirection and data deletion, are placed in a shared-infrastructure category where misattribution costs hit innocent bystanders: “attacker” data wiped on a compromised host, and a victim’s server just got destroyed. These are very, very old talking points in hackback that get zero attention: we litigated this on my blog in 2013 and yet the draft adopts the losing side without the debate. The scope limitation to cyberattack contexts is in fact the shared infrastructure, contested attribution, and machine-speed response. That’s automation in the wild west where you want it the least.

And the wild west also just got its gun dealer. Buried in the transmission duties (§ 10(2) BNDG, as spotted by Sven Herpig on LinkedIn), the BSI (federal agency whose statutory mission is getting vulnerabilities patched) becomes a mandatory intake feeding the BND, raw and unprocessed vulnerabilities (“ohne vorherige Aufarbeitung”), including 0-days. The justification is for attack:

Der Bundesnachrichtendienst nutzt regelmäßig Schwachstellen zur nachrichtendienstlichen Auslandsaufklärung.

EN: (BND regularly uses vulnerabilities for foreign intelligence collection)

[…]

Jegliche zeitverzögernde Prozesse minimieren die Nutzungswahrscheinlichkeit drastisch.

EN: (any time-delaying processes drastically minimize usage probability)

The time it takes to remediate has been officially declared the BND’s harvest window. No equities process is left to weigh the value of defense against the rush to offense. Herpig also reports the Kanzleramt spent eight years blocking exactly that Schwachstellenmanagement on the BND’s behalf, before drafting this one-way attack feed instead. His conclusion: no security researcher will report a vulnerability to BSI again. The agency you report risk to is now, by law, also the intake for the agency that exploits it.

Notably, the word Desinformation is used only to describe adversaries (e.g. Russia), never German measures. When the domestic intelligence service does it (§ 60(2)(1)(c), feeding false information through informants into networks to steer behavior) it gets branded “Schutzmaßnahme” instead. But it’s the same thing. This reminds me how way back before there was a Bundesrepublik, Nicolai’s Abteilung IIIb ran Desinformation as Aufklärung. When the euphemism appears here I see a domestic deception charter, license to perform disinformation, for the agency whose remit is observing political movements.

Germany just wrote state disinformation into statute. Germany. Of all places. Germany.

Back in 2012 I openly led hackback around the world, and I even gave a 2023 lecture titled “The Heaviest of Burdens: Hackback” at the National Security Seminar, William and Mary Law School. Somewhere around here I have the gun club t-shirt to prove it. I’m not the typical civil liberties voice here, in other words. As a long-time leading hackback advocate, although arguably a salty dog, this document smells like malpractice.

Fight the anti-constitutional party through the public, judicial instrument built for exactly this, Article 21, precisely so Germany never again needs a secret political police. Right? Is this thing on? In 1932 the judicial remedy failed because it arrived after the apparatus changed hands. The transparency of well-engineered fail-safe instruments is what survives hostile takeovers, while the rushed self-certified covert stuff like this always gets studied later as a blunt takeover instrument.

The AfD Wolf Cried Not-Sheep and the German Flock Elected the Wolf

The herd is built for one safety, using cohesion against a predator. That instinct is so reliable, ironically it also becomes easy for a predator to manipulate and steal.

Here is how the theft works, to understand how the AfD seizes power. The predator declines to hunt the herd directly. It invents a second predator, points at it, and offers to lead the herd defense. The herd closes ranks. It closes them around the exact wrong thing.

Germany needs immigration. Germany does not need AfD. The demography is not in dispute: a fertility rate stuck near 1.4, well below replacement, and a workforce that shrinks without net arrivals. The Institut für Arbeitsmarkt- und Berufsforschung puts the gap around 400,000 net immigrants a year just to hold the labor force steady as the boomer cohort retires. Immigration is what keeps the pension system solvent and the factories staffed. It strengthens the herd. The AfD, self-described outsiders offering to “reform” the herd, points at that strength and names it the threat, then convinces the flock to break itself apart.

And the AfD response to fact is lies. You say a fact, they say can’t be true and that’s it. You say another fact, they say you can’t trust it and that’s it. Their signature move is to reactively undermine all trust systems, attack the cohesion that makes a herd safe and successful. Pick it apart with surface level lies, instant denial. Repeat.

This is the whole architecture of Nazism, and it was assembled from forgeries the movement plagiarized. The “stab in the back” fraud came from the wartime high command who knew why they lost, and Hindenburg spread it by 1919: falsely grousing Germany lost the war to betrayal at home rather than to actual surrender and loss in the field. That was a political move that pointed the herd inward, to attack its own defenders. The Protocols of the Elders of Zion, fabricated by the Russian secret police and exposed as plagiarism by the Times of London in 1921, supplied a Jewish target for that political machinery. Judeobolshevism welded the two into one. The predator works lazily, using adoption and fusion. The counterfeit threats already in circulation were aimed at a vulnerable group, and fear was spun up with heated rhetoric to strip domestic resistance from its own path.

A Chancellor named Hitler was appointed (NOT ELECTED) in January 1933, The Reichstag burned in February 1933. Within a day the government held a decree suspending civil liberties, aimed fraudulently to stop an uprising that had been conjured for the occasion. The counterfeit threat wrote the emergency powers. The wolf told the frightened flock of sheep that the dogs and shepard were not their friend.

Dachau was opened in March 1933 to imprison anyone caught actually protecting the herd, or trying to keep it together. Its first prisoners were Communists and Social Democrats, the organized core of the herd’s defense. Weeks later, on 2 May 1933, the regime crushed the free trade unions in a single coordinated strike, occupying their halls, arresting their leaders, and absorbing the workers into a Nazi front. The unions were destroyed precisely because they existed to organize the herd against actual threats. Elections after that point were no longer free.

Creating the counterfeit predator has a major defect. There is no actual threat, so the fraud of fear it generates must be fed forever, and a machine built to fabricate threats eventually runs short of them. It inevitably can’t hide how it has thinned the herd it was guarding, eating its own. Within eighteen months the Nazi apparatus murdered its own leadership in the Night of the Long Knives. It managed a genocidal con for twelve years, which left Germany in ruins, lucky to be occupied before it self-eliminated entirely. The false threat is a device for converting a herd into prey and shamelessly naming that conversion to weakness a protection from outsiders.

The device continues to be used over and over. Trump is one example. Elon Musk and AfD are another. Replacement rhetoric is the same forgery: the whole lie of deliberate erasure by outsiders is sold as an excuse to allow a predator into power over the herd. The threat is invented. The herd effects are real. A UC Davis team led by Garen Wintemute measured that herd in PLOS ONE and again in 2024: a majority calling political violence justified, almost none willing to lift a hand themselves. Approval of self harm without agency. A flock becomes certain of a predator that is a fiction, while opening the door to a real one.

We reach for the fable, a boy who cried wolf, when talking about predators, because it’s such a compelling frame. Aesop gave us two animals and a liar who loses his flock to a real wolf that finally comes. The modern predator of AfD however, actually fuses the two into a wolf that cries not-sheep. The AfD is the wolf. They cry not-sheep while being the wolf, and the crying is the hunt. No real wolf arrives to vindicate the wolf’s alarm. There is only AfD, inside the flock, pointing at the treeline while he kills from behind.

The fable teaches the flock to distrust alarms, so the true warning about the actual wolf lands as a boy who always overreacts. The story of a boy who warns becomes the muzzle that lets the wolf, dressed as the boy, convince the flock to separate itself and give control to wolves warning against non-sheep.

Brexit was the Wolf platform. “Leave” sold the benefits of migrants instead as a “Breaking Point”, and claimed sovereignty was stolen when strengthened by Brussels. The threat was entirely forged, to hide the actual threat of being cut off. The severance was real, and the herd destroyed its own market. Britain’s economy has plummeted, and the EU is being targeted by the Russia/AfD with further leave campaigns.

The one defense that works is the thing the predator spends everything to break: cohesion. A herd that stays together, trades honestly, and trusts its own defenders cannot be preyed on easily. This is why the AfD wolf goes after the unions, the press, the courts, and the neighbor first. Forged fear is cheap and manipulates the herd into separation. So the predator does not build trust, it dismantles it to reduce everyone’s safety and prosperity except their own.