Germany ransomware and cyber extortion policy

Germany's 'Active Cyberdefence' Law Bets on Striking Back — But Resilience Is the Better Investment

Berlin's cabinet-approved hack-back powers target attacker servers abroad, but collateral damage, attribution gaps and federalism doubts undercut the case.

[Infographic: Germany's Ransomware Pressure in 2025 (People of Internet Research, Germany). Reported ransomware attacks: 1,000+. Year-on-year rise in ransomware attacks: +10%. Extorted by attackers via ransomware: €12M+. Denial-of-service incidents in 2025: 36,706, up about 25%.]

Key Takeaways

On 12 May 2026, Federal Interior Minister Alexander Dobrindt (CSU) announced that Germany would adopt an active cyberdefence posture, promising a cabinet law that month to let security services disrupt and destroy the server infrastructure behind cyberattacks. The cabinet delivered on 27 May 2026, approving a draft that grants the Federal Criminal Police Office (BKA), the Federal Police and the Federal Office for Information Security (BSI) powers to prohibit the operation of hostile IT systems, redirect or block data traffic, and read, delete or modify data on attacker-controlled machines — including servers located abroad.

The shift is significant. Until now, German authorities largely countered live attacks by rerouting them into harmless network segments. The new bill reaches outward, onto the attackers' own infrastructure. Berlin is careful not to call this a hackback, but that is the substance of what is being authorised.

The threat is real, and it is getting worse

The strongest case for the law is the threat picture, which is genuinely alarming. Germany registered around 334,000 cybercrime cases in 2025, with more than 1,000 reported ransomware attacks — a roughly 10% year-on-year rise — and over €12 million extorted, according to figures cited by the Interior Ministry and reported by Euronews. Denial-of-service incidents jumped about 25% to 36,706. The BSI itself states plainly that "ransomware and data leaks currently pose the greatest cybercriminal threat to the state, economy and society," and tracks more than a dozen active extortion crews — Clop, Qilin, Rhysida and others — running double-extortion campaigns against German targets (BSI).

Faced with two to three serious incidents a day and a steady drumbeat of state-linked sabotage and espionage, a government that only plays defence will keep losing. Dobrindt's instinct — that purely preventive measures are insufficient against professionalised, often foreign-based crews — is not unreasonable. That is the steelman, and it deserves to be taken seriously.

Where the logic breaks down

The problem is that offensive operations against infrastructure are a poor fit for the threat they are meant to answer, and the draft law underplays the costs.

Start with collateral damage. Ransomware operators rarely attack from servers they own. They route through compromised third-party machines — a hospital's misconfigured router, a small firm's hijacked cloud instance, a private citizen's home device. A power to "disrupt and destroy" such infrastructure is, in practice, a power to disrupt and destroy innocent parties' systems. Dobrindt's own analogy gives the game away: he compares striking an attacker's server to defusing an unattended suitcase, arguing that "who exactly is behind the system is irrelevant." But in networked systems, ownership is precisely the question — the suitcase is usually someone else's, and detonating it has downstream effects the state cannot fully foresee.

Then there is attribution. Cyber operations are routinely staged through layers of proxies specifically to defeat identification. Acting fast enough to disrupt a live attack means acting before attribution is settled — exactly when the risk of hitting the wrong target peaks. Dr. Sven Herpig of the Berlin think tank interface, in a written statement on the bill, warns that such measures carry "significant risks, including collateral damage, misattribution, and the proliferation of cyber tools," and typically "only slow down adversaries rather than stop them." A criminal crew whose server is taken down spins up another within hours; a nation-state actor is barely inconvenienced. The state, meanwhile, has expended a capability and possibly burned a vulnerability to achieve a temporary effect.

That last point matters for innovation policy specifically. Offensive operations create an institutional appetite for stockpiling software vulnerabilities rather than disclosing them so vendors can patch. Every unpatched flaw the state hoards is a flaw left open for the very criminals the policy targets — a direct tax on the security of every German business and citizen running the same software.

The proportionate path

There is also a structural defect. Germany's Basic Law assigns public-security and threat-prevention duties primarily to the Länder, and Dobrindt's claim that no constitutional amendment is needed is contested. Spreading new intrusive powers across three federal agencies — without, as heise and civil-society critics note, clear thresholds, oversight or systematic reporting — invites both legal challenge and operational confusion.

None of this means Germany should do nothing. It means the marginal euro is better spent on resilience than retaliation. Herpig's recommendation is the right one: the "core weaknesses lie in deficient IT infrastructure and insufficient baseline security measures." The majority of German ransomware victims are small and mid-sized firms that lack basic protections. Funding patch management, mandatory backups, multi-factor authentication and incident-response support for that long tail of SMEs would blunt far more attacks than a handful of high-risk strikes on foreign servers ever could.

Proportionate regulation here looks like hardening the attack surface, sharpening EU-wide law-enforcement cooperation to seize infrastructure under judicial control, and reserving genuinely offensive action for narrow, well-attributed, court-supervised cases. The cabinet has chosen the dramatic instrument over the effective one. Parliament should rebalance the bill before it becomes law.

Sources & Citations

  1. BSI — Active crime groups in Germany
  2. deutschland.de — 'Active cyber defence' for Germany
  3. Euronews — Germany plans 'active cyberdefence'
  4. interface (Sven Herpig) — Written statement on the law
  5. heise online — Cabinet paves the way for hackback