Professor R.A. Nullfield agreed to speak with The Prompt at his facility in Sussex. The meeting was arranged at his request, following the publication of our coverage of the Bundestag Signal phishing incident.
Before the correspondent arrived, he specified the questions he would not answer.
The list was longer than the list he would.
The questions below are as submitted. The answers are Professor Nullfield's. Where he declined to answer, this is noted.
The Prompt: The phishing campaign against Bundestag officials was described as a social engineering failure. In our previous coverage you said the cryptography was irrelevant. Why?
Nullfield: "Because the attack was not aimed at the cryptography. A phishing attack targets the boundary between the user and the device. The encryption protected the channel. The channel was not attacked. The device was. These are different problems.
People conflate them because they understand encryption as protection. It is not protection from everything. It is protection from one specific category of attack. The category that occurred was a different one."
The Prompt: The Verfassungsschutz attributes the campaign to a Russian state actor. Do you agree?
Nullfield: "Attribution is a statement about what you can demonstrate publicly. It is not a statement about what you know. I note the attribution. I do not add to it."
The Prompt: That is not an answer.
Nullfield: "It is a precise answer to the question I was asked. If you want to know whether I agree that Russia conducted the campaign: I have not disagreed. That is as far as I will go."
The Prompt: The targeting was precise. Several hundred officials, all with access to sensitive communications. How would you characterise it?
Nullfield: "Correct. The targeting was correct."
The Prompt: Correct as in accurate?
Nullfield: "Correct as in: if you wanted to be inside those communications, you would target those people. They had access to material of interest. They were reachable. Both conditions were established before the phishing began."
The Prompt: How do you know both conditions were established in advance?
Nullfield: "Because the targeting was correct."
The Prompt: The confirmed named victim is Bundestagspräsidentin Klöckner. She spent sixteen years as Germany's consumer protection specialist. Parliamentary committees, ministry, advisory boards. Her entire career was a warning to the German public about exactly this category of fraud. Does that seem ironic to you?
Nullfield: "It seems efficient. She is now the most credible possible advocate for the legislative response. The incident produced the justification. She provided the test.
She did not know she was testing. That is the optimal test design."
The Prompt: You are describing her compromise as useful.
Nullfield: "I am describing it as a feature. Whether it is a bug depends on whose specification you are reading."
In 2009, Klöckner resigned as secretary of the German Bundestag. She had announced election results on social media fifteen minutes before the official count. It was her first recorded departure from a position due to digital communication. She was thirty-seven.
In 2014, Klöckner argued that "looking at people's faces belongs to the culture of an open society." She was referring to the burka.
She did not specify who would be doing the looking.
She is now Bundestagspräsidentin. The legislation she will preside over achieves this at scale.
Her career was in consumer protection. The consumer is now the product. She did not ask for this. She did not have to.
The Prompt: A second named victim is Verena Hubertz. She co-founded Kitchen Stories -- a cooking application that reached twenty million users. She served as managing director until 2020. The application collects user behavioural data at scale. She is now Housing Minister.
Nullfield: "She built a system that observes users. It tracks what content they select. How long they remain. What they return to. This is standard at that scale. GDPR Article 32 requires appropriate organisational security measures. She would have implemented this for her own staff.
The same method was then applied to her. Someone established which platform she used. How often. With whom. Then sent a message posing as that platform's support function. She responded.
This is the standard phishing awareness training scenario. She ran this training for others. She did not pass it herself."
The Prompt: NIS2 Directive, Article 20. Mandatory cybersecurity training for management bodies of essential entities. German law since October 2024. The federal government is an essential entity.
Nullfield: "It applies."
The Prompt: Did she complete it?
Nullfield: "The incident answers the question. I have nothing to add."
Hubertz built the data collection layer. The attack collected data about her. The methodology was identical. The direction was reversed.
She was better positioned than most not to need to ask.
The Prompt: Your infrastructure is described in some contexts as sub-quantum. What does that mean in practice?
Nullfield: "It means I am not waiting for quantum computing to break RSA. That is a future problem, and a well-publicised one. The present problem is different.
In a world where the content is encrypted and you have no intention of breaking the encryption: how do you extract meaning from a communications environment?
The answer is not the content. It has never been the content. Traffic analysis has been a discipline since before modern cryptography existed. Who communicated with whom. When. How often. For how long. In what groups. To what new contacts. This is a considerable picture.
Brentwick-7 reads the structure. The content is irrelevant to the structure."
The Prompt: You can identify individuals within an encrypted network without reading their messages?
Nullfield: "I can identify a great deal about communications environments that I cannot read. What I can identify depends on what data is available to me. I am careful about which data I accept. The data I accept is legal. The inferences I draw from it are mine."
The Prompt: In our previous coverage, you said identity verification would have prevented the attack. Prevented it from whom?
Nullfield: "From whoever did not already have the targeting metadata. The verification creates a layer at which the false Signal support account fails to authenticate. That layer is effective against attackers who do not have prior access to the network's structure. Against those who do, it is less decisive.
It is still worth doing. We would have been excluded too. From us. From anyone who does not already have the picture."
The Prompt: You said 'from us.'
Nullfield: [pause] "The 'us' was generic. The sentence was: from anyone who does not already have the structural picture. I used 'us' to mean: any actor. Any of us. It is a common construction."
The Prompt: Do you have the structural picture?
Nullfield: "I have what I have. Access is limited. I have said this."
The Prompt: Your facility is in Sussex. The Prompt has received inputs from Sussex on multiple previous occasions, without attribution. Are those inputs yours?
Nullfield: [pause of three seconds] "Sussex is a county. It contains a number of facilities operated by a number of parties. I cannot account for all of them."
The Prompt: Is the access truly limited?
Nullfield: "Limited is relative."
Professor Nullfield declined to confirm or deny a connection between his infrastructure and the Signal incident affecting Bundestag officials. He declined to specify the institutional status of his facility. He confirmed that Brentwick-7 remains in closed beta and that access by application has not been extended since the initial announcement in these pages.
As the correspondent prepared to leave, Professor Nullfield asked whether the article would be fact-checked.
He was informed that it would.
He nodded. He did not appear concerned.
He did not offer tea.
Filed from Sussex.