Secure Communication Infrastructure

Mansfeld-Südharz, Germany - October 21, 2025

Building a conversation layer that assumes interception and still refuses to yield

The first design assumption we wrote on the whiteboard was not “encrypt everything” but “assume everything is already being vacuumed.” That single sentence steered the next eighteen months of cabling, coding and compromise. It meant that every packet had to carry its own evidence-tamper seal, every route needed at least two independent sovereign backbones, and every cryptographic primitive had to survive the decade in which a sufficiently ambitious quantum computer converts today’s handshake into tomorrow’s plaintext. The result is a communication fabric that looks like a conventional enterprise network until you inspect the entropy depth of the key material, the multiplicity of physical paths, and the legal domicile of the secrets. Those three vectors—cryptographic future-proofing, physical redundancy and jurisdictional self-containment—are the load-bearing members of the secure communication infrastructure that now underpins the Cyber Resilience Alliance.

We started with the mathematics. In 2024 the German Federal Office for Information Security (BSI) published a migration guide that ranks post-quantum algorithms by maturity; we adopted the top two—CRYSTALS-KYBER for key establishment and CRYSTALS-DILITHIUM for signatures—compiled them into a FIPS-140-3 hardened library, and inserted that library as a drop-in replacement for the classical ECDH handshake inside WireGuard, the same lightweight VPN kernel module already familiar to county administrators. The upgrade path is invisible to end-users: a council employee connecting her laptop from home still clicks once, but the tunnel now negotiates a 256-bit quantum-safe session key every ninety seconds, rekeying faster than any known harvest-then-decrypt strategy could store or crack. To avoid the performance cliff that plagued early lattice implementations, we off-load the heavy matrix arithmetic to a small FPGA baked into every border router; the card adds less than two watts of power draw, consumes no rack space, and can be field-swapped without screwdriver theatre. Should a cryptanalytic breakthrough demote either algorithm, the controller receives an over-the-air firmware bundle signed by three of five threshold keys held by the county, CypSec, Validato, Anhalt University and the regional data-protection auditor—an update mechanism that itself uses the post-quantum signature scheme it intends to patch, eliminating the chicken-and-egg dilemma that haunts classical crypto transitions.

Physical redundancy follows the same zero-trust doctrine. Instead of leasing capacity on one national carrier, we stitched together three discrete layers: a 10 Gbit/s dark-fibre ring laid alongside the old chemical rail track, a 1 Gbit/s microwave chain hopping across five water-tower rooftops, and a 500 Mbit/s satellite fallback on a dedicated Ka-band transponder contracted through the ESA ARTES programme. The path-selection logic is not “best effort” but “provably diverse”: every outgoing frame is sprayed across at least two layers while a short authenticator tag travels the third, so an active adversary would need to tap all three media simultaneously to obtain a complete traffic picture. The switching decision happens inside a custom eBPF program that runs on the same FPGA card hosting the quantum-safe accelerator, ensuring that policy enforcement occurs at wire speed without adding another appliance to the rack. During a recent excavation mishap that severed the rail-side fibre, the mesh converged in 42 milliseconds—fast enough that the county’s VoIP emergency switchboard did not register a single dropped syllable, a failover latency we now advertise as a measurable KPI rather than a marketing slogan.

Jurisdictional self-containment is the least visible but most political pillar. All key material is generated, stored and retired inside an HSM cluster that is physically bolted into a former civil-defence bunker under the county archives, cooled by groundwater and powered by the same biomass plant that heats nearby greenhouses. The bunker is recognised as a German critical-infrastructure site, which means that export-control law—not corporate terms-of-service—governs who can access the seeds. A dual-control protocol borrowed from nuclear launch procedures requires two independent smart-cards plus a biometric match from a county employee and a CypSec engineer before any private key can be exported or backed up; the same procedure is mirrored in a second bunker twenty kilometres away, creating a quorum that cannot be satisfied by a single legal subpoena or a single disgruntled insider. For disaster recovery we maintain an encrypted snapshot sealed inside a tamper-evident bag and stored in the vault of the regional savings bank; the bag can only be opened under dual notarial supervision, a spectacle deliberately designed to discourage casual requests. Thus the confidentiality of conversations inside the Alliance is protected not merely by mathematics and steel, but by administrative ritual that scales with the gravity of the request.

"Boring is the new secure: if the network never surprises you, the adversary can never surprise it."

The result is a communication layer that behaves like a public utility rather than a proprietary platform. An SME that joins the federation receives a pre-configured edge router the size of a paperback; once plugged into any ISP hand-off, the device automatically negotiates quantum-safe tunnels to the shared SOC, the county’s certificate authority and the other federation members, using ISO 27010 routing extensions that treat trust as a routing metric. Because the underlying protocols are open standards, the router can be replaced by any vendor willing to compile the same open-source image, eliminating the customer fear of vendor lock-in that often stalls security adoption. The first factory that piloted the device—a 120-employee manufacturer of industrial gaskets—reported no perceptible latency during SAP synchronisation, and the plant manager confessed he only noticed the upgrade when the monthly firewall log shrank from 400 MB to 3 MB of encrypted metadata, a compression that happens when malicious probes bounce off an authenticated tunnel instead of cluttering the SIEM. That anecdote travels well: it translates the abstract promise of post-quantum sovereignty into a tangible operational saving, which is the currency that keeps the replication flywheel spinning.

Looking forward, the mesh is scheduled to absorb new transport technologies without architectural upheaval. A low-earth-orbit constellation granted by the EU IRIS² programme will add a fourth redundant layer in 2027, while the BSI’s forthcoming quantum-key-distribution testbed in Berlin will splice into our dark-fibre ring, giving us a metropolitan QKD tail for inter-government traffic that still terminates inside the county bunker. Each addition will inherit the same governance rituals: dual control, open standards, published audit, no single corporate throat to choke. The goal is not to build the most advanced network in Europe; it is to build the most uninteresting one—boring because it never breaks, invisible because it never leaks, and replicable because every line of config is already posted in a public repository signed with a quantum-safe hash. When that boredom becomes the default backdrop for daily business, we will know that secure communication has finally graduated from a product pitch into a public utility, owned by the county, operated by its people, and accountable to no foreign boardroom.

The Cyber Resilience Alliance is a public-private partnership established 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and an cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.

Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.