Controversies in Military Ethics & Security Policy
Interview with Michael Hange, President of the Federal Office for Information Security
At the beginning of 2011, people still laughed at the idea. “In Germany there is incessantly some form of attack on the Internet.” But the German federal government was being serious, and the cabinet approved a cybersecurity strategy for Germany. Three years later, what has become of the cybersecurity strategy?
Cyberattacks take place on a daily basis. They affect not only businesses but also government and private users. Attacks are becoming more professional and more targeted. Back in 1991, the growing importance of information security was institutionally acknowledged with the formation of the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI). Of course, the situation has changed dramatically since 1991 as a result of greater IT penetration and interconnectedness – which has brought a sharp rise in the number of attractive attack targets – while attackers exploit the anonymity of the Internet. The German federal government’s 2011 cybersecurity strategy is still in force, and at the moment, for example, we are continuing to develop our National Cyber Defense Center (Nationales Cyber-Abwehrzentrum, NCAZ), which is geared to prevention.
How great is the threat to our country’s security?
Cyberattacks happen every day, and affect all target groups, the government and administration just as much as businesses and private users. Attacks are becoming more professional and more targeted. A threat to citizens, for example, is identity theft, which is becoming a daily phenomenon. As far as businesses are concerned, there is always a threat wherever you have anything of value. Especially in Germany, very many small and medium-sized enterprises are considered to be particularly innovative. They possess extensive specialized knowledge and expertise, many are “hidden champions”, and lots of firms own patents and important intellectual property. That inspires covetousness. So it’s a mistake for businesses to think that being small makes them safe, or to assume that not being widely known means they are at low risk of cyberattacks. Patents and research findings from a small business can be just as lucrative for attackers as the management board decisions of a major corporation.
In the case of businesses, Internet-based attacks can have a considerable impact on our economic prosperity and technological competitiveness. What are you doing to prevent this?
Businesses are essentially responsible for protecting themselves against cyberattacks. But when it comes to critical infrastructures and maintaining business processes and services that are clearly in the common interest in Germany, then the state should intervene in a protective capacity. This is why the German Federal Ministry of the Interior has produced a draft bill for an IT Security Act that addresses these aspects.
The German Federal Court of Auditors (Bundesrechnungshof) had doubts about the effectiveness of the National Cyber Defense Center, saying it was unsuited to pooling defense capabilities against online attacks, and that there was just a single daily briefing. Specifically, they said that the Defense Center was “not suitable for pooling the competences and capabilities distributed across government institutions for defense against attacks from cyberspace”. What do you think about that?
Since the Federal Court of Auditors has not yet completed its review of the Cyber Defense Center, I do not wish to say anything more on the subject.
What kind of security do you offer for users?
As a national security authority, the Federal Office for Information Security (BSI) has the goal of promoting IT security in Germany. We are primarily the central IT security provider for the German federal government. But as part of what we do, we also turn to manufacturers as well as private and commercial users and providers of information technology, since only concerted action can be effective.
Cybersecurity strategy – malicious software is installed unnoticed in businesses, in homes. What can you do if legitimate websites are suddenly manipulated – a case for the German Federal Criminal Police Office (Bundeskriminalamt, BKA) – and how do you do it?
The respective operators are responsible for the security of websites. If BSI receives information concerning websites that are distributing malware, BSI will usually inform the operators, who should then take steps to disinfect the site.
To what extent do you assist the German armed forces (Bundeswehr) in cyber defense?
BSI is a civilian and preventive authority. More particularly, it has a protective function for key government networks. BSI detects targeted and non-targeted attacks on key government networks and defends against these attacks, in its role as an IT security provider. BSI’s further responsibilities include approval of IT security products and services used within the German federal government. This leads to cooperation between the German Federal Ministry of Defense and BSI. The Bundeswehr is responsible for cyber defense in the military sense.
The threat from botnets, which generally comprise infected PCs owned by private users, has also increased. Botnets are now being professionally leased and used for IT attacks. The motive is often financial gain. To this can be added “hacktivism”, as a means of expressing political views via IT attacks, for example. In view of the rapid spread of smartphones, tablets and netbooks, attacks and eavesdropping using mobile devices are an increasing danger. Even members of the German Parliament (Bundestag) are coming to you. What remedies are effective against this threat?
Here you need to distinguish between the individual phenomena. Botnets are indeed a threat to IT security in Germany. To prevent their computer becoming part of a botnet, users should follow the security advice issued by BSI, which we provide e.g. on our website www.bsi-fuer-buerger.de. As far as mobile communication is concerned, here too there are new challenges. More and more people are using and benefiting from smartphones. But you should keep an eye on the risks and modify your behavior accordingly, e.g. with regard to installing apps or using interfaces such as Bluetooth and WLAN.
Your website www.bsi-fuer-buerger.de and the warning service www.buerger-cert.de provide current information and recommendations for businesses. In addition, BSI supports initiatives by civil society groups to enhance IT security for the public and for businesses. Electronic identities and De-Mail are further approaches that BSI is taking to increase the level of IT security. How many visits do you get each day?
The BSI cybersecurity recommendations are aimed at businesses and professional users, not at the general public. The recommendations that we publish within the Alliance for Cyber Security have been very well accepted. The alliance recently welcomed its 1,000th member. In the space of just two years, the Alliance for Cyber Security has become an established platform for discussing cybersecurity issues.
How can businesses protect themselves against economic and industrial espionage? What is the most important thing they should do?
Awareness of IT security issues has increased – we have noticed this in many talks with business representatives. That is an important first step. There is still some work to be done in terms of implementing security measures, including some standard measures. IT security is a diverse field that includes organizational and human resource aspects as well as technological measures. The procedures set out in the BSI “Basic Protection Catalogues” have become established as a standard concept for information security. The IT-Grundschutz (or “basic protection for IT”) scheme helps in the development of a security organization and also provides a comprehensive basis for risk assessment, reviewing the existing security level and implementing appropriate information security. We advise smaller businesses to stay informed about IT security, e.g. via the Alliance for Cyber Security website. The alliance offers an extensive and constantly growing knowledge base plus the opportunity for confidential dialog with other members, as a way to benefit from each other’s experiences.
Experts such as Dr. Sandro Gaycken claim that it is impossible for computers and software as we know them to be secure. Do you agree?
It is true that it is not possible to achieve one-hundred-percent security. Software is usually made by people, and people make mistakes. But not every error is automatically a security problem. Systematic implementation of standard security measures provides protection against more than 80 percent of known cyberattacks.
How many attacks currently take place every day or year?
The German government network is subject to thousands of non-targeted attacks every day. These are primarily broad-based attacks. But every day we also see three to five targeted attacks on the government network.
What does the Snowden affair mean for the digital arms build-up?
It was known that foreign intelligence services posed a threat in principle, but the extent of their activities was not known. It is important and right to be addressing this issue, but it should not direct attention away from other threat scenarios such as cybercrime.
What do you think about the idea of creating more or less reliable European systems that meet strict data-privacy and rights-protection criteria?
The Internet is and remains global, and offers enormous capabilities for private as well as business users. We should preserve these capabilities, but we must not ignore the risks.
At the moment, Internet infrastructure is clearly dominated by non-European products. It is not realistic to challenge this dominance in the short term. It is more expedient to ask non-European providers to ensure greater transparency. Also, it should be possible to protect non-European system components like routers with national, trusted crypto-algorithms, and so achieve sovereignty over our own communication.
Questions by Gertrud Maria Vaske, chief editor of “Ethics and Armed Forces”
Michael Hange
Michael Hange is the president of the German Federal Office for Information Security (BSI). Since the foundation of the German National Cyber Defense Center under BSI’s jurisdiction, he has been its spokesperson. From 1994 until early 2009 he was vice-president of the BSI, and until October 2009 was a permanent representative of the IT director in the German Federal Ministry of the Interior. He has a degree in mathematics and has worked in IT security within the German federal administration since 1977.