30.01.2026

Less transparency does not protect critical infrastructure — it harms it: why KRITIS is short-sighted

The German federal government plans to better protect critical infrastructure in Germany through the KRITIS Umbrella Act. The objective is absolutely right – our energy infrastructure, water networks, and IT systems must be protected against sabotage and terrorism, especially in times of hybrid warfare. However, a core element of the draft legislation (as of January 2026) clearly misses the mark. It explicitly states: “We must move away from very extensive transparency and toward greater resilience.”

Security through secrecy? A dangerous fallacy.
The logic behind this approach sounds simple: if terrorists, saboteurs, or hostile intelligence services do not know exactly where power lines run or how a substation is secured, they cannot attack it. But this form of “security by obscurity” is an illusion in the 21st century.

The main problem is the asymmetry of information:

Those who need the data:
Urban planners, architects, environmental organizations, and companies building the infrastructure of tomorrow depend on precise data. Less transparency hinders development, delays the expansion of renewable energy, and makes coordination in the event of a disaster more difficult.

Those who will get the data anyway:
Professional attackers are not deterred by missing public registers. Thanks to high-resolution satellite imagery, drones, and modern sensor technology, targets can now be identified with meter-level precision from space. Anyone who wants to sabotage a power line does not need access to the land registry – they need Google Earth or a €500 drone.

Reality shows that reduced transparency does not prevent attacks on critical infrastructure. Here are three prominent examples:

Damage to Baltic Sea cables:
The routes of fiber-optic cables or gas pipelines in the Baltic Sea do not need to be taken from official nautical charts. Professional actors use simple side-scan sonar to map the seabed in great detail.

Energy infrastructure in Ukraine:
Since 2022, Russia has been deliberately attacking the Ukrainian power grid. Some of these facilities are decades old, and their locations were often officially “secret” or at least not publicly highlighted. Nevertheless, missiles and drones find their targets—guided by satellite reconnaissance and military intelligence.

The Stuxnet attack (Iran):
The nuclear facilities in Natanz were among the most closely guarded secrets in the world. They were physically isolated (“air-gapped”) and highly classified. Yet attackers succeeded in infiltrating the specific control software of the centrifuges and physically destroying them. Secrecy did not protect against technical expertise.

The right approach: resilience instead of hiding
Instead of locking away information and thereby blinding our own society, we must make the infrastructure itself more resilient. Real security does not come from paper walls, but from two principles:

Decentralization:
A centralized power plant is an attractive target. Thousands of decentralized solar installations, wind farms, and local storage systems are not. Failures in subsystems can be far more easily compensated for in a decentralized network.

Flexibility & redundancy:
We must build systems that can “yield intelligently.” If one node fails, others must automatically take over. This requires more storage capacity, connectivity, and data exchange.

Transparency is a crucial catalyst in this context. It is no coincidence that the EU Open Data Directive (2019/1024) and the Open Data Strategy of the previous federal government explicitly call for increased publication of geospatial data.

Conclusion:
A law that sacrifices transparency without strengthening physical resilience is like a padlock on a glass door. What we need is not secrecy that stifles progress, but a robust, decentralized infrastructure that continues to function even when the adversary knows exactly where it is located.