What if ATMs suddenly stopped issuing money, airport security technology failed, or hackers attacked critical infrastructure in Germany? Responses to scenarios like these were rehearsed by state and federal governments in this week's LÜKEX crisis management exercise.

The Academy for Crisis Management, Emergency Planning and Civil Protection is one of Germany's lesser-known federal bodies. Located in the quiet green hills above the Ahr valley near Bonn, it's a heavily guarded facility. At the end of November it saw a frenzy of activity as a nationwide IT crisis was simulated.



Norbert Reez worked for 18 months to get to this point. Over countless meetings, he planned, coordinated and developed a detailed script for the scenario. For two days, all of his work was put to the test as he directed a simulation of how Germany would react if national computer systems were to suddenly fail, ATMs stopped paying out cash right before Christmas or safety systems failed at airports.

In an interview with Deutsche Welle, Reez proudly pointed out that this simulation had already been in place before the Stuxnet worm, which burrows into vulnerable critical infrastructure, was discovered. As the physical world and cyberspace have grown together, Germany has taken the threats put forward by this exercise more seriously.

Government alone can no longer protect its citizens

The simulation involved thousands of participants from public and private sectors

The exercise throws new scenarios at the participants every year. This time, about 3,000 people from 100 different institutes were involved. These included 11 federal departments led by the Home Office, 21 federal and 37 state ministries and 33 private companies - operators of so-called critical infrastructure - such as telecommunications, air transport or water utilities.

Christoph Unger, president of the Federal Office for Civil Protection and Disaster Relief (BBK), maintained that private sector participation is crucial. He spoke of a "whole society" approach to crisis management because there are no longer any guarantees that the state can protect the population by itself.

Pandemics and "dirty" bombs



This was the fifth such strategic crisis management exercise. Its name, LÜKEX, is a German acronym for Transnational Crisis Management Exercise. The first LÜKEX was carried out in 2004, when it simulated terrorist attacks akin to 9/11 and the Elbe floods of 2002. In 2007, reactions to a major flu pandemic were practiced, and in 2009 terrorist attack scenarios included a "dirty" bomb and chemical accidents.



The key to LÜKEX is that the genuine task force rehearses possible events, with the decision-making chain going all the way up to the highest administrative levels. There were no stand-ins; only the actual members of the institutions involved participated. The real state secretaries and their staff, genuine members of the board and press secretaries all ran through the scenario.



False headlines for real stress





A previous LÜKEX exercise simulated a terrorist attack on an aircraft

Stress events were created for the exercise to apply pressure to the participants. One group at the control center in the Ahr valley simulated the behavior of the population through contributions to a social network specially created for the exercise, or by overloading the telephone hotlines of banks.

Another group simulated the press. Ulrich Twrsnick's team produced evening news broadcasts with alarming headlines such as "Broken ATMs cause run on cash" or annoyed the press offices of the agencies involved with mountains of requests for interviews and tough questions.

The behavior of the various actors was recorded by academic observers and will be evaluated over the next four months. The results of LÜKEX 2011 will be available in April next year. By then Norbert Reez and his team will already be busy planning LÜKEX 2012.

Author: Matthias von Hein / sjt

Editor: Michael Lawton