In May 2015, hackers infected some 20,000 computers in Germany’s parliament with malicious software designed to steal sensitive data. The vast and damaging cyberattack was the most expansive in the government’s history.
The culprits? Experts and officials blamed the hacking group "APT 28," the same outfit that the US government says hacked the Democratic National Convention in July 2015 and helped Russia execute an extensive influence operation to discredit Hillary Clinton's presidential campaign.
Now, a growing number of German politicians are deeply concerned that Russia will interfere in their own elections this coming fall, seeking to discredit pro-European Chancellor Angela Merkel as she runs for a fourth term, and strengthen support for the burgeoning populist party Alternative for Germany (AFD). In response, Berlin is considering new ways of blunting any attempt from Moscow to influence its political process through cyberattacks and misinformation.
In December, the German Interior Ministry proposed creating a Center of Defense Against Misinformation, to help hunt down and eradicate fake news or other false information from the internet. The ministry has already told political parties to disable bots, technology that automatically shares news, tweets, and Facebook posts, saying those can be easily tricked into distributing propaganda.
In fact, one German official has proposed fining Facebook 500,000 euros ($528,700) for failing to delete fake news stories and hate messages within 24 hours, describing the social media giant as a "value chain of digital propaganda."
Elsewhere in Europe, officials are also taking steps to defend against disinformation campaigns. The Czech Republic, set to hold its general elections in October, plans to open a fake news center ahead of the vote. Officials there say Russia is behind 40 extremist websites. These new efforts will build on a broader European Union task force that relies on native Russian speakers to comb through the web for Russian-language fake news stories.
"We have to learn how to deal with it," said Ms. Merkel recently, warning that Russian cyberattacks and propaganda campaigns have become the norm in Germany.
Russia is waging "aggressive and increased cyberspying and cyberoperations that could potentially endanger German government officials, members of parliament and employees of democratic parties," Hans-Georg Maasen, head of Germany’s domestic security agency, said in a recent statement.
Yet critics say it may be too late to short circuit hackers' attempts to disrupt the German elections and discredit Merkel and her allies.
In light of the German parliament hack, "there is a strong expectation that Russia has already collected material that will be released closer to the elections," says Joerg Forbrig, a Senior Transatlantic Fellow for Central and Eastern Europe at the German Marshall Fund in Berlin. “My hunch is that at some point in late spring or early summer, as the campaign reaches its peak and when everyone goes on holidays, that we will see releases on Wikileaks, perhaps elsewhere.”
In Germany, where privacy is considered a national right, there are already mechanisms in place to safeguard voter information from hackers. Interference in the voting process itself is prohibitively difficult, as the country legally requires the use of paper ballots in federal elections.
In order to increase information sharing about cyberattacks, Germany’s Interior Ministry created a National Cyber Defense Center in 2011 that has discussed or examined over 3,700 cases, according to a government statement. It plans to increase its number of staffers this year.
Until recently, "cybersecurity hasn’t been a main concern for political parties or individual politicians, like in the US," says Thorsten Benner, director of the think tank Global Public Policy Institute in Berlin.
In a recent article cowritten with his colleague Mirko Hohmann, he recommended that the German government incentivize political parties to improve their digital security, either through relying on government agencies or hiring private security companies, in part to better trace the origins of cyberattacks.
Furthermore, if secret services identified Russian government officials authorizing digital attacks, Russian diplomats would have to be expelled or new sanctions introduced, writes Mr. Benner. "Political response is key," he says, "since it is now too late to up the cybersecurity game in time for the elections in the fall."
One of the most prominent case of fake news in Germany, says European Journalism Observatory Direction Stephan Russ-Mohl, was last year’s “Lisa case” in which Russian media reported on a German-Russian girl allegedly sexually abused by refugees. By the time the story was revealed to be false, it had already caused political harm.
Last month, Social Democratic Party Chairman Thomas Oppermann suggested legislation that would fine Facebook if the company didn't take step to remove fake stories and news from its platform. The company would be responsible for setting up new offices to respond to complaints about defamatory posts.
Yet free speech advocates are skeptical of a strategy that makes a private company responsible for deciding what's good for the public interest.
Facebook will be driven to remove content only if it could hurt its profit margin, says Joe McNamee, executive director of European Digital Rights in Brussels. Facebook, through the trade group Computer and Communication Industry Association is lobbying for protection from liability for deleting legal content.
According to Facebook, the company is already taking steps to minimize the spread of fake news such as working with third-party fact checking organizations to flag suspicious stories and stopping fake news sites from purchasing ad space.
Politically, Mr. Oppermann's strategy to force Facebook to delete suspicious or fake news could backfire, says Mr. McNamee. "It is entirely imaginable that 'banned by Facebook' or 'the story Facebook didn't want you to read' could become a badge of honor for a populist campaign."