Kommando Cyber- und Informationsraum

Audio readout of this profile.

Overview

The Kommando Cyber- und Informationsraum (Cyber and Information Domain Command — abbreviated KdoCIR, and informally CIR) is the sixth domain of the German Bundeswehr (Federal Armed Forces), established 5 April 2017 as a co-equal service command with the army (Heer), navy (Marine), air force (Luftwaffe), joint support service (Streitkräftebasis), and joint medical service (Zentraler Sanitätsdienst). CIR consolidates the Bundeswehr's military computer-network-defence, offensive-cyber, signals-intelligence, electronic-warfare, and information-operations capability under a single unified command — institutionally analogous to United States Cyber Command (USCYBERCOM) and the United Kingdom National Cyber Force, though with substantially broader institutional scope across the full information-operations domain.¹

CIR is institutionally distinct from Germany's civilian-intelligence cyber capability — which is distributed across the Bundesamt für Verfassungsschutz (BfV, domestic security), the Bundesnachrichtendienst (BND, foreign intelligence), the Bundesamt für Sicherheit in der Informationstechnik (BSI, federal information-security agency), and the Zentrale Stelle für Informationstechnik im Sicherheitsbereich (ZITiS, central federal-government technical-capability office). The German civilian-and-military cyber-architecture distribution reflects the German constitutional and legal framework's strict separation between military and civilian security mandates.²

CIR has not been tracked under a single canonical APT designation in the threat-intelligence-industry's vendor taxonomies — the German military-cyber operational profile has substantially overlapped with the broader Western Five-Eyes operational record, and German-attributed activity has not generally surfaced in the threat-intelligence-industry's threat-actor tracking. The institutional identity is established directly through German government acknowledgments, parliamentary documentation, and the academic secondary-literature record.³

History & Origins

CIR was established 5 April 2017 by ministerial decree of Defence Minister Ursula von der Leyen, following a 2015–2016 institutional-design study that concluded the Bundeswehr's prior distribution of cyber-and-information-operations capability across multiple service commands and the joint-support service was operationally insufficient for the post-2014 threat environment. The 2015 BlackEnergy attacks against Ukrainian electricity infrastructure (GRU Unit 74455) and the 2015 GRU intrusion of the German Bundestag (GRU Unit 26165) substantially structured the institutional case for CIR's establishment.⁴

The 2017 establishment consolidated approximately 13,500 prior Bundeswehr personnel across the antecedent commands into the new CIR command structure: the Bundeswehr's prior Strategische Aufklärung (Strategic Reconnaissance) command (signals-intelligence and cyber-reconnaissance), the Führungsunterstützung (Command Support) command (military telecommunications and IT-systems operations), the Geoinformationsdienst der Bundeswehr (Bundeswehr Geographic Information Service), the Operative Kommunikation (Operational Communications) elements (information-operations and psyops), and additional smaller elements. The command's personnel strength has subsequently grown to approximately 17,000 as of 2024.⁵

Operational footprint (documented)

The publicly-attested CIR operational footprint is substantially defensive in character — the Bundeswehr's cyber-and-information-operations mission has been primarily framed in the publicly-acknowledged operational record as the defence of Bundeswehr networks and the support of conventional military operations in the cyber-and-electromagnetic domains. The principal publicly-documented operational elements include:

Bundeswehr network defence. CIR operates the Bundeswehr's centralised computer-network-defence capability — defending approximately 200,000 Bundeswehr-employee endpoints, the Bundeswehr's classified and unclassified network infrastructure, and the German military's overseas-deployment cyber assets. The operational record is partially documented in successive Bundeswehr public reports and in the Bundestag Untersuchungsausschuss (parliamentary investigative-committee) materials on cyber-defence questions.⁶

Operational cyber-support to conventional military operations. CIR personnel are deployed alongside Bundeswehr conventional units in NATO-led operations and in German national operations — Resolute Support / Resolute Support successor in Afghanistan (through August 2021), MINUSMA in Mali (through December 2023), EUTM and EU NAVFOR MED across the post-2014 period. The specific operational-cyber tasking in these deployments is not publicly disclosed but is generally framed as defensive-and-supporting rather than offensive.⁷

The 2024 BÜRGEL doctrinal framework. In April 2024 the Bundeswehr formally published the BÜRGEL (Bundeswehr-Übergreifende Richtlinie für den Einsatz im Cyber- und Informationsraum, "Bundeswehr-wide Guideline for Operations in the Cyber and Information Domain") — the first publicly-released German military doctrinal document specifying the legal framework, command structure, and operational authorities for German offensive-cyber operations. The document substantially elaborates the institutional shift toward an operationally-capable offensive-cyber command and is the most authoritative publicly-available account of CIR's contemporary doctrinal mandate.⁸

Sustained signals-intelligence and electronic-warfare operations. CIR's Strategische Aufklärung element operates the Bundeswehr's strategic signals-intelligence capability — institutionally distinct from but operationally coordinated with the BND's signals-collection mandate. The specific operational targeting is not publicly disclosed but is broadly characterised in successive Defence Ministry budget documents as foreign-military-signals-collection in support of Bundeswehr operational and strategic-warning requirements.⁹

Post-February-2022 institutional expansion. The Russian invasion of Ukraine in February 2022 substantially expanded the political mandate and budget for CIR. The 2022 Zeitenwende ("turning point") defence-spending package of €100 billion specifically allocated substantial CIR-related capability investment, and the 2023–2025 Lehre aus der Ukraine (Ukraine-learning) institutional process has substantially structured the CIR operational doctrine toward more operationally-capable offensive-cyber posture.¹⁰

Standing

CIR is publicly acknowledged in all senior official Bundeswehr publications and is the subject of substantial Bundestag parliamentary oversight through the Verteidigungsausschuss (Defence Committee) and the Parlamentarisches Kontrollgremium (Parliamentary Control Panel for intelligence services). The command's commander is named in published Bundeswehr personnel materials. The specific operational targeting and tooling are not publicly disclosed.¹¹

See also

• Bundesnachrichtendienst (BND) — civilian foreign-intelligence service (separate mandate from CIR, separate cyber capability)
• Bundesamt für Verfassungsschutz (BfV) — domestic security service (separate mandate)
• APT designation — naming-conventions context (and the structural reason CIR has not been tracked under a single canonical APT designation)
• Snowden disclosures — context on the Five-Eyes signals-intelligence operational record alongside which Germany's signals-collection capability operates

Sources & Further Reading

1. Bundeswehr official CIR organisational page; Bundesministerium der Verteidigung, Abschlussbericht: Aufbaustab Cyber- und Informationsraum (April 2017) — the founding institutional documentation.
2. Bundesministerium des Innern und für Heimat, Cyber-Sicherheitsstrategie für Deutschland 2021 (September 2021); subsequent academic analysis of the German civilian-and-military cyber architecture in Sirius — Zeitschrift für Strategische Analysen and Cyber Security Review.
3. Mandiant, CrowdStrike, Microsoft, and Kaspersky threat-actor profiles — none of which track a distinct German-attributed APT cluster as of the contemporary period.
4. Bundesministerium der Verteidigung, Aufbaustab Cyber- und Informationsraum, op. cit.; Bundesministerium der Verteidigung communications on the CIR establishment; subsequent academic analysis of the 2014–2017 institutional-design study in Stiftung Wissenschaft und Politik publications.
5. Bundeswehr official CIR organisational page, op. cit.; successive Defence Ministry budget documents.
6. Bundeswehr cyber-defence public reports (multi-year); Bundestag Untersuchungsausschüsse materials on cyber-defence-related questions (multiple sessions across 2017–2024).
7. Bundeswehr published operational records for NATO-led and German national deployments (multi-year); academic analysis in Aus Politik und Zeitgeschichte of the German Bundeswehr's contemporary operational record.
8. Bundesministerium der Verteidigung, Bundeswehr-Übergreifende Richtlinie für den Einsatz im Cyber- und Informationsraum (BÜRGEL) (April 2024); subsequent commentary in Frankfurter Allgemeine Zeitung, Süddeutsche Zeitung, and Internationale Politik.
9. Defence Ministry budget documents (multi-year); academic analysis of the German signals-intelligence-and-cyber operational record in Intelligence and National Security and Aus Politik und Zeitgeschichte.
10. Bundeskanzler Olaf Scholz, Zeitenwende address to the Bundestag (27 February 2022); subsequent Defence Ministry implementation documentation; Lehre aus der Ukraine institutional materials (2023–2025).
11. Bundestag Verteidigungsausschuss and Parlamentarisches Kontrollgremium public reports; Bundeswehr personnel-announcements materials.