The ICS team recently facilitated an event on limitations of active cyber defense postures during a recent IFSH “Kurz erklärt” roundtable at the Berlin office.
Cyberattacks against Germany are increasing in both number and complexity, raising calls for more proactive responses. Germany has been debating “active defense” for a while now. However, previous theoretical proposals are too slow and ineffective in practice to counter ongoing and fast-paced cyber operations by numerous threat actors. Deterrence by punishment or stopping ongoing attacks are thus unrealistic goals for offensive cyber operations given the time requirements of responses. During the talk, we highlighted lessons learned that our allies have gathered while conducting offensive cyber operations. One example is the U.S. model of “persistent engagement,” which other countries such as Japan and South Korea are implementing as well: instead of reacting only after incidents, it promotes continuous and preemptive cyber operations. While it faces legal and ethical challenges, the underlying strategy better matches the high-tempo, structural environment of the cyber-domain.
We argued that if Germany wants to develop an active response to cyber operations, it should develop a responsible, offensive cyber doctrine with clear and realistic strategic goals and strict protection of civilian and global commons infrastructure. A combined command structure bringing together cyber command, law enforcement, and intelligence services, supported by diplomatic coordination, could help manage risks and prevent escalation while tailoring operations to the specifics of the target. However, offense alone is not sufficient, and investments into defense are required. A regulated vulnerability equities process is needed, as is the decriminalization of vulnerability research. To boost cyberdefense, threat intelligence gathered through offensive operations should be shared between authorities and industry, mimicking a purple team approach. Offensive and defensive postures have to work in conjunction to have a positive impact on cybersecurity.
The next session of the “Kurz erklärt” will take place on January 28, 2026 and it will be devoted to climate change as a security policy challenge. The event series is held in German and is by-invitation only.