Schönbohm: According to the information and evaluations of the BSI, the existing dangers have become more diverse overall and continue to be quite numerous, but have taken on a new quality. The attacks are targeting the cornerstones of secure IT and IT architecture: update mechanisms, processors, and encryption technologies. Hardware security vulnerabilities like Spectre/Meltdown and Spectre NG have the potential to make current business models and basic IT security approaches obsolete. The affected chips are integrated into millions of devices and form the basis of the modern computer. This is a new kind of challenge.
International and German law enforcement agencies are seeing “normal” crime increasingly moving online. Crimes, such as scamming, blackmail, theft, and drug trafficking, have moved there and are expanding on classic cyber criminality, e.g. account information theft, identity theft, or hacking. Perpetrators exploit the opportunities provided by digitization and we still make it far too easy for them. IT products and related software are showing a considerable lack of quality with respect to IT security, and users are not yet sufficiently careful—despite all the negative experiences.
To date, few companies explain these hazards, e.g. phishing, to their employees, and the topic of cyber security is not discussed at all in schools. And on vacation, there is a “nothing will happen to me” mentality. Free Wi-Fi is the only thing that matters. What has to happen to give Germany a “cyber jolt”?
Schönbohm: I really hope that a massive negative experience is not necessary. There are enough international examples of this, for example the manipulation of the US election, attacks on the power supply in Ukraine, and production downtimes and idle factories for multiple days in numerous European countries and the USA due to the WannaCry ransomware. Damages are estimated at several million to four billion dollars worldwide. All in all, ransomware cost companies more than 8 billion dollars globally in 2017, according to published estimates.
I’m counting on citizen education, on a growing understanding of security at companies, on increased governmental efforts to continue to develop a consistently robust and flexible legal framework.
Until now, we’ve had to deal with attacks on Windows computers and Android smartphones, but the next wave could go beyond anything we’ve seen before. In an average smart home, most IoT devices are not sufficiently protected, or have no protection, making them the perfect playground for cyber criminals. Are you dreading this development, or is the BSI saying “Now more than ever!”?
Schönbohm: Of course we are saying “Now more than ever”. We cannot and do not want to stop or reverse digitization. It will continue to permeate all areas of our lives more deeply, it will revolutionize production processes at companies, it will be an important factor for administration and government action. Without a doubt, it has many benefits and advantages for each of us, but also presents challenges.
However: Cyber security is the prerequisite for this. Therefore, we have to act in the face of the fast pace of digital innovation. We now need to step up our efforts to make digitization more secure through information security. There can be no successful digitization without cyber security. Just as it is politically and socially acceptable to allocate a certain percentage of the gross domestic product for defense spending, a certain percentage must also be allocated for IT, in order to securely structure digitization.
On the internet, users in all corners of the world can acquire new products and then integrate them into their networks at home. Wouldn’t we need to influence suppliers before the sale and commit them to certified safeguards?
Schönbohm: Yes, that is correct and important. The security of products in use, the IT services and systems, in government administration, in the economy, and by end users must be ensured via “security by design” and “security by default” from the beginning.
Germany must take a leading role in this issue. In the cyber security strategy for Germany published in 2016, the federal government announced a seal of quality for IT security. This intention was confirmed in the 2018 coalition agreement. The BSI already certifies products that are primarily used in the government’s digitization projects. Existing processes must be further developed in a user-friendly manner to take into account products and services for the consumer market. The BSI is currently working on this. We put a very high priority on digital consumer protection.
The BSI’s IT situation and analysis center monitors the security situation on the internet around the clock and sounds the alarm should critical situations arise. How does the normal user in Germany benefit from this, and how can they help make Germany a bit more cyber-secure?
Schönbohm: If there is a cyber security incident, we warn the affected parties, for example critical infrastructure, either directly or via our networks, like the Alliance for Cyber Security. We also inform providers and share our findings so that they can inform their customers. Or we go on location with a Mobile Incident Response Team (MIRT) in order to lend concrete assistance and get the IT infrastructure back online after an attack. This benefits government institutions, critical infrastructure, the economy, and citizens.
And all of them can help make Germany a little bit more cyber-secure. By not opening every email and sending their account information all over the world, by using encryption technology, by simply seeing if they have applied security updates to their computer, in addition to having closed the windows and doors and secured their property in a safe. When we’ve learned to treat our virtual property as carefully as our physical property, we will have made great strides.
The interview was conducted by @AxelTelzerow