Digital Inclusion Through Security

Low-income households receive free, sovereign, pre-hardened routers.

Mansfeld-Südharz, Germany - December 7, 2025

A county-wide programme that treats connectivity as a public utility and privacy as a civil right—without asking users to become sysadmins

The first batch of matte-grey routers arrived at the county warehouse on a foggy Monday morning, stacked on euro-pallets like shrink-wrapped loaves of bread. They look unremarkable—six antennas, one status LED, no brand logo—but inside each casing lies a quiet revolution: a dual-core RISC-V chip running an immutable Alpine Linux image compiled in Bitterfeld itself, firmware signed by the county’s own certificate authority, and a default configuration that routes every packet through WireGuard tunnels terminating in the Alliance’s sovereign cloud. By the end of the winter, 3 200 of these boxes will sit on windowsills from Köthen to Zerbst, quietly replacing the cheap consumer-grade hardware that today leaks DNS requests to foreign clouds and ships telemetry back to Shenzhen. We call the programme “Sicherheit vor Ort” (Security on Site), and it is the first European initiative to treat secure connectivity as a municipal service rather than a retail product.

The eligibility rule is deliberately simple: any household whose taxable income is below 60 % of the county median receives a router plus five years of managed service—no installation fee, no credit check, no opt-in data sharing. The county’s social-welfare database already holds the relevant records; recipients are notified by ordinary mail containing a QR code that books a two-hour installation slot. A technician—usually a local student enrolled in the Alliance’s dual-study curriculum—arrives with a pre-provisioned unit, swaps the ISP-supplied plastic box, and within ten minutes the family is online behind a firewall policy that blocks inbound IPv4 by default, redirects all DNS to a local resolver running on encrypted DNS-over-TLS, and mirrors anonymised flow metadata to the county’s threat-intelligence lake. The old device is taken away and either flashed with open-source firmware for reuse in community mesh nodes or shredded for rare-metal recovery, ensuring that no second-hand market can re-import vulnerable chips.

Funding comes from a 1.8 million euro slice of the EFRE digital-infrastructure envelope, but the operating model is designed to be cash-positive after year three. The county issues a social-impact bond backed by projected savings in three areas: reduced ISP help-desk escalations (estimated 180 000 € annually), avoided malware clean-up costs for small businesses that share the same eyeball network (220 000 €), and lower demand for federal social-security benefits linked to digital exclusion such as unemployment extensions due to failed job-portal access (340 000 €). If an independent auditor confirms the savings, investors—mostly regional savings banks—receive a 4 % coupon, after which the routers transition to ordinary municipal depreciation. The bond structure keeps the programme off the county’s balance sheet while aligning investor returns with measurable social outcomes, a structure the European Commission now cites in its upcoming Digital Inclusion Directive.

Technically, the router is a zero-touch device. On first boot it performs a one-time key exchange with the Alliance’s provisioning service, obtains a signed certificate, and then refuses any further configuration changes unless the new firmware image is co-signed by both the county CA and the resident’s private key, a feature borrowed from secure-boot schemes used in German eID cards. Users cannot accidentally disable the firewall or change DNS to an open resolver, eliminating the most common attack vector that turns home gateways into botnet conscripts. Remote updates are delivered every Tuesday at 03:00; if an update fails hash verification the device rolls back automatically and opens a ticket in the shared SOC, so no household ever runs orphaned firmware. Should a resident wish to run a gaming console or a home server, the technician adds a secondary VLAN during the initial visit; the administrative interface is reachable only from that VLAN and only via a hardware button that times out after thirty minutes, ensuring that casual users cannot expose themselves while preserving tinker rights for enthusiasts.
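The update policy described above (accept an image only if both co-signatures verify and its hash matches, otherwise keep the running image and report to the SOC) can be modelled as follows. This is an added example, not the Alliance's firmware code. The `Router` class, the manifest format and the keys are hypothetical, and HMAC-SHA256 stands in for the asymmetric signatures of the county CA and the resident so that it runs with the standard library only.

```python
import hashlib
import hmac

# Constructed keys; HMAC-SHA256 stands in for the real asymmetric signatures.
COUNTY_KEY = b"constructed-county-ca-key"
RESIDENT_KEY = b"constructed-resident-key"


def sign(key: bytes, manifest: bytes) -> bytes:
    return hmac.new(key, manifest, hashlib.sha256).digest()


def make_manifest(version: str, image: bytes) -> bytes:
    # Hypothetical manifest format: "<version>:<sha256 of image>"
    return f"{version}:{hashlib.sha256(image).hexdigest()}".encode()


class Router:
    """Hypothetical model: one active image, updates staged before activation."""

    def __init__(self, version: str, image: bytes):
        self.active = (version, image)
        self.tickets = []  # stand-in for tickets opened in the shared SOC

    def apply_update(self, manifest, county_sig, resident_sig, image) -> bool:
        # 1. Both co-signatures must verify over the same manifest.
        ok_county = hmac.compare_digest(sign(COUNTY_KEY, manifest), county_sig)
        ok_resident = hmac.compare_digest(sign(RESIDENT_KEY, manifest), resident_sig)
        if not (ok_county and ok_resident):
            return self._reject("co-signature check failed")
        # 2. The delivered image must match the hash pinned in the manifest.
        version, _, expected = manifest.decode().partition(":")
        if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), expected):
            return self._reject(f"hash mismatch for {version}")
        # 3. Only a fully verified image replaces the active one.
        self.active = (version, image)
        return True

    def _reject(self, reason: str) -> bool:
        # Rollback: the active image was never overwritten, so the device
        # keeps running the previous version and records the failure.
        self.tickets.append(reason)
        return False
```

Verifying before activation is what makes the rollback automatic: a rejected update never touches the running image.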

"A secure router is the twenty-first-century equivalent of clean drinking water: if you have to think about it, the city has already failed."

Privacy design follows the same philosophy. Flow records are converted into bloom-filtered histograms before they leave the device, stripping source IPs and retaining only protocol distribution, byte volumes and time-of-day patterns. Those histograms are aggregated at the county level to detect botnet outbreaks—say, a sudden spike in outbound TCP/445 traffic—but they cannot be reverse-engineered to identify individual households. The municipal council adopted a retention horizon of thirteen months, after which even the encrypted blobs are erased, a schedule shorter than most commercial ISPs and one that can be reduced to zero if the resident files an opt-out form that takes effect within twenty-four hours. Because the legal entity holding the data is the county itself—public body, subject to administrative law—citizens can invoke freedom-of-information procedures to see what is stored about their connection, a transparency right no private ISP currently grants.
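A sketch of the pipeline described above, as an added example that is not the Alliance's code: each device reduces its flow records to a histogram without addresses, and the county compares the aggregate against a baseline to flag a spike such as outbound TCP/445. The record layout, sample flows and thresholds are constructed assumptions, and the bloom-filter step the text mentions is omitted.

```python
from collections import Counter

# Constructed flow records: (src_ip, proto, dst_port, bytes, hour_of_day)
HOUSE_A_BASE = [("192.168.1.10", "tcp", 443, 50_000, 20),
                ("192.168.1.11", "udp", 53, 2_000, 20)]
HOUSE_B_BASE = [("192.168.1.20", "tcp", 443, 80_000, 21),
                ("192.168.1.20", "tcp", 445, 500, 21)]
HOUSE_A_NOW = [("192.168.1.10", "tcp", 443, 55_000, 20),
               ("192.168.1.10", "tcp", 445, 40_000, 3)]
HOUSE_B_NOW = [("192.168.1.20", "tcp", 443, 70_000, 21),
               ("192.168.1.20", "tcp", 445, 35_000, 3)]


def to_histogram(flows):
    """On-device step: drop the source IP, keep protocol, port, hour, bytes."""
    hist = Counter()
    for _src_ip, proto, dst_port, nbytes, hour in flows:
        hist[(proto, dst_port, hour)] += nbytes
    return hist


def county_view(households):
    """County-level step: sum the per-device histograms."""
    total = Counter()
    for flows in households:
        total.update(to_histogram(flows))
    return total


def by_service(agg):
    """Collapse the hour dimension to get bytes per (protocol, port)."""
    out = Counter()
    for (proto, port, _hour), nbytes in agg.items():
        out[(proto, port)] += nbytes
    return out


def spikes(current, baseline, factor=10, min_bytes=10_000):
    """Services whose volume exceeds factor x baseline (assumed thresholds)."""
    cur, base = by_service(current), by_service(baseline)
    return sorted(svc for svc, n in cur.items()
                  if n >= min_bytes and n > factor * base.get(svc, 0))


if __name__ == "__main__":
    baseline = county_view([HOUSE_A_BASE, HOUSE_B_BASE])
    print(spikes(county_view([HOUSE_A_NOW, HOUSE_B_NOW]), baseline))
```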

The social dividend already shows up in small, human-scale statistics. After one hundred pilot installations in the village of Raguhn, the local job centre recorded a 28 % increase in successful online job applications, mostly among long-term unemployed women over fifty who previously cited “internet too complicated” as the primary barrier. The village library cancelled its weekly “how to open an email” course because attendance dropped to zero; instead, demand shifted to advanced Excel classes now that the basic hurdle of trust had been removed. A bakery that supplies buns to the school canteen reported that online ingredient orders now arrive on time because the owner no longer fears clicking on phishing links, a confidence boost worth 1 200 euros a month in avoided spoilage. None of these figures are dramatic in venture-capital terms, but they aggregate into a perceptible uplift in municipal tax revenue that exceeds the coupon owed to bond investors, proving that inclusion can be fiscally additive rather than charitable expenditure.

Replication beyond the county line is baked into the hardware bill of materials. The router uses only components available through European distributors, eliminating export-control surprises; the firmware repo is licensed under EUPL-1.2, forcing anyone who modifies it to publish the deltas. The county’s CAD files for the plastic casing, the antenna placement and even the recyclable cardboard sleeve are downloadable under Creative Commons, so any region can commission its own run through a local electronics assembler. In effect, the programme is not a product but a recipe: follow the same bond template, the same privacy schedule, the same governance spice rack, and you can serve your own households without negotiating a franchise fee. The only constraint we impose is a naming clause: if you use our firmware image, you must call the service “Security on Site—powered by the Cyber Resilience Alliance,” a small price for keeping the open-source lineage honest and the update channel unified.

By 2028 we expect at least six other counties to have rolled out similar fleets, pushing the total number of sovereign routers beyond 25 000. At that scale the aggregated telemetry will form the most granular public-interest data set on residential internet behaviour in Europe, a resource we will feed into EUROSTAT’s cyber-crime observatory and, paradoxically, use to argue for shrinking the very programme that created it: once secure-by-default devices are the norm, the need for municipal giveaways should disappear, replaced by market incentives that reward vendors for shipping trustworthy hardware instead of data-harvesting toys. Until then, the grey boxes will keep blinking on windowsills, silent proof that digital inclusion is not about cheaper Netflix but about the right to participate in society without first becoming a system administrator.


The Cyber Resilience Alliance is a public-private partnership established in 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and a cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.

Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.
