
Germany, seeking independence from U.S., pushes cyber security research - e15ctr0n
https://www.reuters.com/article/us-germany-cyber/germany-seeking-independence-from-u-s-pushes-cyber-security-research-idUSKCN1LE1FX
======
reacharavindh
I used to work in the US as a perf engineer, and now live in Europe(Denmark).
I made a conscious choice to live here despite a drastic cut in pay. Europe
just does not pay anywhere near what US does. Unless this changes, majority of
top tech talent will always be in the US.

Want top notch Cyber Security in Germany? Start by paying well for the
engineers... then may be they want to stay.

~~~
Fnoord
This comparison is very complex. You cannot just compare European wages with
US wages [1].

For one, the cost of living is going to depend on where you live. Which
country, which city, which town. And you cannot just compare the costs. Each
person has different values. Some prefer to live in a village, other in an
apartment in a city. Some are cool with 1500 EUR rent a month, some find that
ridiculous. Some can't stand the smog, others don't mind. If you live in a
village the value of a car increases, while in a city the public transport
system is invaluable. Each has their + and -, beyond just the cost of living,
and how important these values are is _also_ going to differ.

On top of that you get healthcare in Europe, even if you end up sacked. You
pay more tax in Europe, but this also gives you more social security. Then
there's state pensions.

In the USA the native language is English, and its settled on that. In Europe,
this isn't the case (though it is in Amsterdam) with e.g. the stoic French and
Germans. Not even the EUR is the main currency in whole of EU.

[1] I suppose we'd need some kind of statistical analysis.

~~~
reacharavindh
True that I generalized too much. But, I did so for brevity of my point.
Comparing EU salaries with US is not apples to apples. Because EU has
different cost of living regions & benefits vs similar differences in US.
However, as a personal anecdote from someone who moved from SouthEast
USA(Raleigh, NC) which I consider as neither too high end like Bay Area nor
too low like somewhere in Montana to Denmark, which is rather higher cost
example within Europe, I see a big difference in the money I can retain every
month after my expenses. Admittedly, I did not count healthcare costs because
it was covered almost entirely by my employer in the US. Here, the Danish
government does from my taxes..

If I were a young new graduate tech engineer with aspirations of being among
the best, and getting paid well, from anywhere in Europe, it seems almost 90%
logical to look at moving to US. Cultural, political and family reasons to
stay in Europe is a different story.

I have a friend in DK, who bluntly said that "he will not consider the US in
the argument because of Trump, and the society that would elect an idiot like
him". People have different priorities at the end of the day. But, money wise,
it is still the US of A...

~~~
pedroaraujo
I think you are undervaluing a lot the benefits of the European culture [1].

It's just not health care, it's also the safety of not being spontaneously
fired, the work-life balance, the vacation time, the paternity leave, and so
on.

[1] I know that the mileage can vary from country to country.

~~~
reacharavindh
I didn't mean to undervalue the benefits. I need to communicate better. I only
intended to state a part of the argument that US generally pays substantially
more than Europe. There are many (including myself) that choose to stay in
Europe in-spite of it, valuing other benefits such as (better healthcare,
work-life balance, education, involved society, gun control etc). It still
does not change the fact that US pays better, and that it would be better for
Europe to do so as well if they want to attract top Engineers aways from US...

------
TACIXAT
Germany has a pretty awesome computer security base already. Look at CCC. The
government may need to better align their values with the people's to harness
that talent though.

~~~
ur-whale
This, a 1000 time.

Germany's (and western Europe's in general) biggest problem is not lousy
compensation and sky-high taxes (although these are a huge problem as well).

The biggest thing that prevents Europe from innovating is _culture_.

Risk-taking, innovation, doing crazy "unthinkable" things is something that
has simply _deserted_ the European DNA a long time ago (probably over a
century by now).

Almost all the important technical inventions of the 19th century happened in
Europe. Almost all the important technical inventions of the 20th century
happened outside Europe.

If you've ever worked in Germany in a tech company you will very likely know
what I am talking about here: when you throw a new and crazy idea on the
table, the immediate reaction of the crowd is to carefully explain to you the
myriad of ways in which your idea is just "not possible" and "will fail".

Getting a brainstorm-type session going with a group German engineers is darn
near impossible.

And much less so with management.

~~~
qznc
I think you are somewhat correct with your brainstorming scenario, but Germany
was still plenty innovative in the last century.

Software technologies like MP3 came out of Germany. Companies like SAP and
Hetzner are successful and german. Berlin has a healthy startup scene. Green
technologies and automotive is dominated by Germany.

Overall I think Germany has plenty of risk taking engineers but the capital is
more risk averse than in the US. Capital includes angel investors and pension
funds and everything in between.

~~~
ur-whale
>Software technologies like MP3 came out of Germany.

With one of the most restrictive IP licensing scheme I've encountered in my
professional life. Way to promote innovation indeed.

>Companies like SAP

At the risk of sounding sarcastic, I have a very hard time putting SAP and
innovation in the same sentence. They're basically the Oracle of Germany.

> Green technologies and automotive is dominated by Germany.

I do not know enough about green tech to comment, but for automotive, I
strongly disagree: incremental improvement, yes. Innovation? certainly not.
Case in point: how many German company dominate in self-driving cars? All the
German car makers are buying the tech. from elsewhere.

As a matter of fact, thanks for picking that example: where did Sebastian
Thrun have to go in order for his ideas to take flight? Why did he not choose
to do his thing in Germany?

>Overall I think Germany has plenty of risk taking engineers but the capital
is more risk averse than in the US. Capital includes angel investors and
pension funds and everything in between.

You are correct that Venture cap in Western Europe is risk averse. All they
invest in is European versions of stuff that's already been proven successful
in the US.

But what you're not seeing is that the aversion to risk from European VC is a
_symptom_ of a larger/deeper problem: statistically speaking, there is no
appetite for risk and innovation in Europe. VC risk-averseness is just one
facet of that.

And why should there be? Given the regulatory and tax burden you're going to
be subjected to when you try to do anything over there, why even effing try?

~~~
whyever
> With one of the most restrictive IP licensing scheme I've encountered in my
> professional life. Way to promote innovation indeed.

I feel like you are moving goal posts. Also, do you think IP in the US
software industry is any better?

~~~
ur-whale
No, I am not moving the goal posts.

Patents, while they were invented to promote it, end up being a major drag on
innovation, which bears to my point: innovating in Europe is a major PITA.

>Also, do you think IP in the US software industry is any better

The way IP is managed in the US is terrible, granted.

But I would say that these days, and specifically for software, things are
_way_ better than they used to - say - in the 80's and 90's.

A number of tech. companies are starting to recognize that sharing IP is
actually making them more money in the long run and are actually publishing a
lot of what they invent.

For example, and while I am no fan of Google, they tend to open source a ton
of non-obvious stuff (e.g. the recently discussed s2 library).

On the flipside, and as an experiment: if you work in a German tech. company,
try and ask their legal dept how they'd feel about open-sourcing some of their
stack. See what they say.

~~~
qznc
How much a tech company open sources their stuff depends much more on their
industry sector. The web industry makes a lot Open Source. The embedded
industry does not. Do General Motors, Boeing, or Tesla open source a lot?

My employer, Bosch, does open source a few things. For example:
[http://www.amalthea-project.org/](http://www.amalthea-project.org/)

------
mschuster91
> Interior Minister Horst Seehofer told reporters that Germany needed new
> tools to become a top player in cyber security and shore up European
> security and independence.

Good grace. The man is so horribly incompetent at everything he does and his
party (CSU) are even worse. I don't trust this proposal even a bit.

In addition:

1) how on earth are they planning to _fund_ and _staff_ all of this? I worked
for local government and it paid shit, and from what I hear state/fed
government doesn't pay much more either, so no way to attract talent by pay.

2) Like many gov positions, this will be German nationals only (or EU
nationals, not sure if German-citizens-only is still allowed under EU
regulations?). Definitely no jobs for non-EU applicants.

3) Ever got a conviction for hacking or a (known) weed/other drug habit?
Automatic no-go. Which is the reason why there is a _severe_ lack of IT
competency in government, no matter the level or agency.

4) Who in living hell wants to work that job? I'd expect to be kicked out of
any political or hacktivist group if I were to work for our increasingly
authoritarian government, let alone under Seehofer, and that with reason. That
leaves as candidates only those with no other options left, and authoritarians
at the best, Nazis at the worst. The police of Saxony showed on the weekend
what is the result.

~~~
mikejb
I've worked on projects for the German govt before, and I was never employed
by them. Points 3 and 4, possibly also 2 are handled by hiring companies to do
the work.

~~~
mschuster91
Seehofer wants to create an entire agency. Makes sense given that this is
national security matter, I can't believe he'll (be able to) outsource this.

And the other points are still valid even if outsourced, as the requirements
will be part of the outsourcing contract.

~~~
atlasunshrugged
I don't know if it's not possible to outsource it, if you look to the U.S. an
absolutely massive amount of work (intelligence and military ops) is
outsourced to private contractors

Ex source (sorry, old one, don't have time right now to find a more recent
article I was thinking of for reference):
[https://www.salon.com/2007/06/01/intel_contractors/](https://www.salon.com/2007/06/01/intel_contractors/)

~~~
mschuster91
> I don't know if it's not possible to outsource it, if you look to the U.S.
> an absolutely massive amount of work (intelligence and military ops) is
> outsourced to private contractors

And Snowden was one of the inevitable results. I mean, I'm happy the leak
happened, but it is a perfect example of what can go wrong with outsourcing to
the cheapest bidder. In total it would be better for the government to do in-
house, but how else are you gonna shift citizen money into the hand of already
ultra rich people... the only thing where outsourcing is profitable and worth
it is for exclusively short term things (e.g. constructing buildings or
developing a specific software), but long term stuff? Cut the profits of the
company and hire the employees yourselves.

~~~
mikejb
It wasn't outsourced to the cheapest bidder; actually, limitations on govt
salaries is one of the reasons to outsource: you can attract better talent
with competitive offers. And plenty of whistleblowers at the CIA and NSA were
direct gov employees, not contractors.

------
dschuetz
> FILE PHOTO: A German flag is seen on the laptop screen in front of a
> computer screen on which cyber code is displayed, in this illustration
> picture taken March 2, 2018. REUTERS/Kacper Pempel/Illustration

Cyber code. Reuters. Cyber code.

~~~
x220
I'd estimate that a solid 90% of the mainstream news I read about computer
science subjects has factual errors. Not interpretations different than mine--
stuff that just ain't true. It makes me wonder how competent the writer is,
and makes me wonder if 90% of the rest of mainstream news is written just as
incompetently, but I just can't notice it because I'm not an expert in
everything.

~~~
black_puppydog
I can't find the name for it right now, but for me that has been a common way
to think about why some "news" items stick around, even when they're total BS.

People read an item within their own field and go "what a load of crap, they
can't even get the basics right _rage_ " then they turn the page, read
something from a different field and go "my, that's so interesting, these
people really know their stuff!"

~~~
adrianN
You're looking for [https://en.wikipedia.org/wiki/Gell-
Mann_amnesia_effect](https://en.wikipedia.org/wiki/Gell-Mann_amnesia_effect)

~~~
lloeki
I posited recently that news in areas we're not expert in are basically
processed as entertainment, which is why we don't give a damn about its
accuracy whereas we're comparatively so enraged about gross mistakes in areas
we're well-versed in.

------
adrianN
A good start would be switching all government systems from the Microsoft
stack to a home-grown alternative. But efforts to switch to Linux are
regularly stopped.

~~~
sidstling
It’s because it’s not really doable without tremendous effort. I work for a
muniplavity in Denmark, and we’re a big participants in an open source group
for public software called OS2, we’re also members of a group of
municipalities that own our own ESDH software and codebase and pay private
companies to support and maintain it. Our libraries operate on 100% open
source with Ubuntu supported by a local company.

So we’re actually pretty progressive in terms of pushing open source while
also supporting local business.

We operate more than 300 IT systems though, I’d say that around 75% of these
run on windows only, many without suitable alternatives. So even on the
technical side, we can’t swap our stack because our employees wouldn’t be able
to do their jobs. We’re working to lower this, and stuff like web-apps and the
rise of android/iOS devises has helped but it’ll probably take 25 years to
happen, and here’s the thing, Azure is actually the most EU friendly, secure,
stable and cost-efficient cloud platform, so a lot of those non-Microsoft
software actually still run on Microsoft.

Then there is the employee training. I’m not sure if you’re aware, but the
primary cost of running a public organization is your employees. They are the
most important resource and replacing them is really expensive. So is
retraining them, and it’s also something we already struggle with in terms of
IT.

Most times when we switch a system, the technical implementation will go
excellent. The organizational implementation will go horrible, however,
because learning how to use an IT system is hard. It’s even harder to learn
how to use it efficiently and often local management will be reluctant to
invest enough time or focus on what they view as IT changes, because they are
already understaffed in their primary function.

Windows, android and IOS are something most people have worked with before. So
is the office package, and again, where is the non-Microsoft alternative to
the office365 enterprise stack? Anyway, switching people who can barely “turn
on the internet” (talking of course about the browser, but that’s what you’ll
literally hear every day in our support center) to open source alternatives is
a tremendous effort that nobody, nobody, outside of tech wants to do.

Then there is IT, we’ve run Microsoft for decades. Our staff is trained for
it, they’re certified in it and despite what you may think, they’re actually
cutting edge in terms of skill. At least in my country they are, we’ve yet to
find an ADFS consultant that knows more about ADFS than our guys, in fact,
we’ve had to send most of them home because they weren’t able to help us.
Where do we find Linux replacements for those people? And how do we pay the 25
million it would cost us to replace the ones that don’t want to work with the
Linux stack?

Lastly there is support. Microsoft may have a spotty reputation in popular
culture, but their support has always been top of the class to the public
sector. If we file a primary incident report to Microsoft, Seattle will be on
the phone with us until it’s fixed. What Linux house will offer this service?
Even if we found one, I don’t think we’d really want to throw away decades of
partnership with an untested entity just because.

I wish we could run European based open source software, I really do, but the
truth is that it’s complicated, highly improbable and the business case isn’t
even there. Because it would be really expensive, and do you really want to
sacrifice welfare to run Linux? Would your political leadership?

~~~
gboudrias
Thanks for taking the time to write out your experience, it really makes me
think.

> so a lot of those non-Microsoft software actually still run on Microsoft

As a FLOSS advocate myself, this matters less than you seem to imply.
Microsoft is publicly traded, they'll pivot to goat herding if that's the way
to maximize profit. So avoiding it is (imo) less important than avoiding their
lock-in products. If Azure has little lock-in, might as well use it, icky as
it may feel to me personally. It's not inherently anti-FLOSS, because
Microsoft is not inherently anything.

> If we file a primary incident report to Microsoft, Seattle will be on the
> phone with us until it’s fixed. What Linux house will offer this service?

I think both Redhat and Canonical would love that business.

I'm not looking to argue as you seem to know what you're saying, but on the
financial side, how many millions are spent on Windows, Office and other
licenses every year? I'd say it's worth doing the math.

~~~
sidstling
I actually really like Azure. Orchestra and application insights have made
incident support so much easier, and it’s only as lock-on as you make it.

I also worry because of the political climate. It’s extremely unlikely, that
the relationship between the EU and the US will really go bad, but we have
contingency plans for things you wouldn’t believe, so naturally we have one
for Azure.

~~~
oever
Do you have one for Microsoft Office and for reading all your (hopefully
archived) documents? Rendering (and hence sometimes the meaning) of office
documents can vary significantly depending on your software.

------
siruncledrew
This seems quite reasonable for Germany to do. At some point, when you can't
trust others to do such important work you need, you have to do it yourself.

~~~
Krasnol
Nah, it's not.

Germany has already several established agencies in this area that could use
the money but wouldn't have to be build up from scratch.

~~~
tormeh
Is that a bug or a feature, though? Organizations often get stick in their
ways. It might be easier to start from scratch if you want something new.

~~~
Krasnol
If we'd have much money to spend, I'd say it's a feature. We don't however so
I'd say it's a bug. Also due to the persons involved, there might me some
unknown motivation behind it.

------
russianbandit
So, Germany is US controlled territory?

~~~
jolmg
If national critical systems are running Windows or other US closed source
tech, then technically yes. The US is potentially in control of these systems.
This is true in Germany and in many (most?) other parts of the world. From the
viewpoint of these nations, all the US needs to do is have Microsoft, Google,
or whatever tech company is in control of a system of interest to insert
malware or give the US government the private data it requests. I'm not saying
it happens, but rather that it's certainly possible and completely in the US's
playcourt to decide to control or not to control. This is why government
computer systems should be open source or self-developed.

~~~
mc32
>If national critical systems are running Windows or other US closed source
tech, then technically yes. The US is potentially in control of these systems.

What? So because US govt't systems run (or ran) Kaspersky (or TrendMicro) that
means the US is (was) controlled, technically by Russia or Japan? Huh!

~~~
jolmg
I don't know those software or how widely utilized they are in the US and
specifically in US national security critical systems.

The US in a unique position, though. Windows and OSX are operating systems;
they have complete control of everything else running in the systems they run
on. Google has view of the world's web navigation, email authentication, as
well as complete control over a grand portion of the world's phones (most of
the other portion is controlled by Apple, also a US company), including
knowledge of phone calls made between people, and their location at all times.
Facebook also has great knowledge of how all people are interrelated.

There's probably lots I'm missing, but the point is that most of the world's
cyberspace (a useful word apparently) is controlled by the US. If we translate
that to cyberwarfare, that means that the US practically has ALL the guns. A
couple guns from other nations are not going to make a difference in this
space.

~~~
mc32
At least Kaspersky was well deployed within DHS and DoD: a ban was set to
prevent new deployments: [http://www.executivegov.com/2018/06/dod-nasa-gsa-
issue-inter...](http://www.executivegov.com/2018/06/dod-nasa-gsa-issue-
interim-rule-to-ban-use-of-kaspersky-labs-products-services/)

------
h4b4n3r0
The salary of a skilled German software engineer in this field is about 1/4th
of the US counterpart. So I wish the German government luck in their endeavor,
because they’re gonna need it.

~~~
vinni2
I know plenty of smart Germans who do not want to move to USA even for 4-5
times the salary.

~~~
h4b4n3r0
I don't doubt it, but for the very best the multiplier is greater than that,
and not moving becomes harder. The difference is between lifetime wage slavery
and financial independence at that point.

~~~
ben_w
I’ve just moved _to_ Berlin to look for software development work, and it’s
nowhere near as bad as you are portraying.

Lower than the USA, yes; but even junior software roles are well above “wage
slavery”. Housing and medical insurance are both much cheaper here (also food,
but food is so cheap generally that it being cheaper here doesn’t make much
difference, unlike rent and insurance).

~~~
h4b4n3r0
Obviously this depends on the field and on your baseline in the US. I suppose
if you made $100k/yr here, then making 60k euro there would not be that big of
a deal, even though taxes are much higher. But if you made $500-700k/yr here
in total comp (a realistic proposition for senior engineers in hot fields),
such a move would be foolish. Remember, we’re not discussing the low end of
the market here.

~~~
MagnumOpus
> $500-700k/yr here in total comp (a realistic proposition for senior
> engineers in hot fields)

Sure, but that level is paid to maybe 1-in-25 staff/principal/distinguished
engineers at the top handful companies which make up maybe 1-in-25 of total
jobs in the industry (order of magnitude)?

So for the 1-in-500 talents in the German coding industry, maybe it might be a
worthwhile consideration to move halfway across the world with their families,
but for the 499 even doubling their salary isn't all that enticing...

~~~
h4b4n3r0
500 and 700k is about the level of comp of Google’s Staff and Senior Staff
levels correspondingly, assuming a high yearly review rating. Let me assure
you, there are a lot more of them than you think, at Google and elsewhere. It
is true that _almost_ all of the engineers at those levels are exceptional
however.

