Politics and Cyber-Security Strategy

Mansfeld-Südharz, Germany - October 9, 2025

How the word "firewall" became the rarest piece of vocabulary in one budget line

In most municipalities, cyber security is filed under “IT stuff” and handed to the youngest official who once reset the mayor’s router. In Anhalt-Bitterfeld it sits in the same portfolio as snow removal and flood control, because the council voted to classify ransomware as a natural disaster. That semantic shift did not happen because councillors suddenly understood asymmetric cryptography; it happened because they understood arithmetic: one day of plant shutdown costs 1.2 million euros in lost tax revenue, the same as the worst snow storm in a decade. Once cyber risk acquired a snow-day price tag, it became weather, and weather is the one topic every politician already agrees to fund. The rest was choreography—keeping the term “firewall” out of the resolution and replacing it with “civil-protection infrastructure,” a phrase that unlocks federal co-financing and does not require anyone to admit they still use Yahoo Mail.

The choreography began with a risk matrix that speaks human. Instead of colour-coded heat maps, we presented a single slide: a bar chart showing the number of industrial jobs that would still receive wages if the county’s three largest employers lost their ERP systems for 48 hours. The shortest bar represented 4 200 pay-cheques, the exact number of households that vote in local elections. No one asked whether the threat vector was SQL injection or phishing; they asked how fast we could make the bar taller. The answer was 18 months and €6.3 million, a figure that happens to equal the cost of rebuilding the flood-damaged A-road that every councillor had already stood beside in rubber boots. By placing the two price tags side by side, we created a choice no politician wanted to own: save the road but risk 4 200 pay-cheques, or save the pay-cheques and risk the road. The council solved the dilemma the way councils always solve dilemmas—by funding both and spreading the cost over fifteen years, the longest tenor the regional development bank allows. Cyber thus became infrastructure, and infrastructure is bipartisan by definition.

The second manoeuvre was coalition arbitrage. The county is governed by a three-party coalition that ranges from market-liberal to post-communist, a spread that normally agrees only on the need for more daylight saving time. We inserted cyber resilience into the coalition agreement under the heading “economic sovereignty,” a term that each faction could colour with its own ideology: liberals read “competitiveness,” socialists read “protection from foreign monopolies,” populists read “we decide what runs on our wires.” The genius of the phrase is that it is empty enough to host every interpretation yet specific enough to survive a change of government. When the populist faction doubled its vote share last spring, the new faction leader demanded a review of all EU-funded projects, but he left the sovereignty clause untouched because it carried his own party’s watermark. Cyber had become identity politics without the culture war, a feat that even snow removal has never achieved.

The third manoeuvre was budget camouflage. Instead of creating a new line item called “cyber,” we split the request across three existing chapters: civil protection, economic development and vocational training. The civil-protection slice bought the shared SOC, the economic-development slice bought the edge gateways for SMEs, and the vocational slice bought the cyber-apprenticeship programme. Each slice was small enough to stay below the threshold that triggers a mandatory public tender, but together they added up to the full €6.3 million. More importantly, each slice had its own constituency: the fire brigade lobbied for civil protection, the chamber of commerce lobbied for economic development, the teachers’ union lobbied for training. The distributed coalition outnumbered any single opposition voice, a tactic that political scientists call “log-rolling” and that practitioners call “survival.” The council passed the budget 41 to 9, the widest margin in a decade, and no voter ever saw the word “cyber” on the ballot.

"We turned cyber risk into weather, and weather is the one thing every councillor already knows how to fund."

The fourth manoeuvre was opposition insulation. The largest opposition party campaigned on a promise to “stop the IT spending spree,” a slogan that tested well until we invited their finance spokesman to chair the oversight committee that audits the SOC invoices. Chairing the committee gave him access to the same threat-intelligence briefings the coalition received, and the briefings showed ransomware demands that would have covered his party’s entire annual campaign budget. After the third briefing he stopped using the word “spree” and started using the word “prevention,” a linguistic pivot that neutralised the only organised resistance. The lesson is not that politicians are venal; it is that information asymmetry is the root of all fiscal fear. Once the opposition possessed the same classified histograms, the histograms became common ground, and common ground is where bipartisanship grows.

The fifth manoeuvre is perpetual storytelling. Every quarter we publish a single-page infographic that shows one non-technical outcome: number of industrial wages protected, number of apprentices hired, number of SMEs that renewed their cyber insurance at a lower premium because they could show an auditor a SOC dashboard. The infographic is mailed to every councillor, every mayor and every local newspaper editor, but it never mentions packets, ports or protocols. Instead, it uses the vocabulary that councillors already use when they cut ribbons: jobs, savings, resilience. Over time the vocabulary becomes muscle memory; councillors begin to repeat the numbers in speeches that have nothing to do with cyber, embedding the programme into the baseline narrative of county success. By the time the next election arrives, opposing the programme would feel like opposing the fire brigade: theoretically possible, politically suicidal.

The final safeguard is a sunset clause that is never invoked but always visible. The coalition agreement states that the entire cyber-resilience budget will be zeroed after fifteen years unless renewed by a two-thirds majority. The clause sounds like a death sentence, but it functions as a vaccine: it forces every incoming council to re-ratify the programme, ensuring that no future majority can claim they inherited a fait accompli. Each renewal becomes a fresh mandate, a fresh headline and a fresh opportunity to broaden the coalition. After the first renewal vote passed 46 to 4, even the remaining sceptics switched from opposing to amending, moving the debate from “whether” to “how much,” which is the definition of policy maturity. The clause thus converts cyber resilience from a project into an institution, and institutions are the only policies that outlive their authors.

What emerges is a local political technology that is independent of party colour, technological fashion or federal wind direction. It works because it speaks the language that councillors already speak—jobs, budgets, disasters—and it gives them a story they can repeat without understanding the difference between AES and RSA. The story is simple: we pay a little every year to avoid paying a lot one year. That story is older than the internet, older than electricity, older than democracy itself. All we did was change the word “flood” to “ransomware” and watch the same levee logic take root. When the next crisis hits—whether it is a zero-day or a snow-day—the council will not ask whether to fund the response; it will ask how quickly the bar chart can be made taller. And that, in county politics, is the definition of strategy.

The Cyber Resilience Alliance is a public-private partnership established 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and an cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.

Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.