Berlin’s chief diplomat didn’t beat around the bush. In order to ensure, according to Annalena Baerbock, that “our rail transport continues to function, medical treatment is still possible and the police can continue to work” after a major cyber attack, Germany must significantly expand its cyber security. “For this we need a stronger and more resilient infrastructure,” the German Foreign Minister recently told government representatives from all over the world at a conference in Potsdam.
Their warning underscored what experts at the meeting identified as a worrying development: States around the world are reporting increasing cyber attacks on their critical infrastructure, such as energy and water supplies or government agencies – facilities that are so vital to a country’s security and economy that without her everything could collapse.
Sees a need for retrofitting in Germany in the cyber area: Foreign Minister Annalena Baerbock (archive photo)
In August, for example, hackers paralyzed Montenegro’s IT infrastructure. In July, attackers crashed the government website in Albania. And in the spring, a ransomware gang blocked the computer systems of nearly three dozen government agencies in Costa Rica, the country’s first-ever cyberattack to declare a national emergency.
Behind most attacks are criminals who make billions by holding an IT structure hostage and demanding a ransom to unblock computer networks. But states, too, warned German Foreign Minister Baerbock, are increasingly using cyber attacks as a powerful tool to weaken their enemy in military conflicts: “Cyber technology has now become part of modern warfare – as shown in Russia’s war of aggression against Ukraine.”
Lessons from the war in Ukraine
The experience of the besieged country illustrates how cyberattacks are used as a military weapon. When Russia invaded in February, the number of hacking attacks on targets in Ukraine or linked to Ukraine skyrocketed, according to Oleksandr Potii of the State Service of Special Communication and Information Protection, Ukraine’s security and intelligence agency.
Ukrainian authorities later traced these attacks to state actors with ties to Moscow, Potii said. “Some of the attacks were carried out by cybercriminals but coordinated by special forces.” When these hackers attacked critical infrastructure, their main goal was to cause as much damage as possible to sow chaos.
This is also shown by an incident involving the US satellite company Viasat. Just before Russian tanks rolled into Ukraine, cyber attackers went to great lengths to cut some of the company’s satellite links, which the Ukrainian military used to command its troops – a major setback for the country in the early hours of the war.
Cyber war not only against states: Private satellite companies can also come into focus
The incident is considered the largest publicly known cyber attack on Ukraine’s critical infrastructure since February. However, Potii emphasizes that his country has fended off several attempts since then. Although Ukrainian authorities are currently registering relatively few cyber attacks, they suspect that Russia is preparing further attacks on critical infrastructure. The IT security expert warns that pro-Russian hackers are also targeting other Western countries. “We share the same enemy. And this enemy is ready for the next attack.”
Defense against cyber attacks
So how does a state make its critical infrastructure more resilient to cyberattacks? With a multi-track concept, experts advise.
On the one hand, governments must better protect their systems from falling into the hands of hackers, as the examples of Albania, Montenegro and Costa Rica show. That is why the German government is currently having the security measures for its communication channels overhauled. Germany is also setting up a data center outside the country to keep backup copies of critical data in case intruders manage to get their hands on the IT systems.
But such public efforts only go so far – not least because most of the world’s critical infrastructure is owned and operated by private companies, as the attack on the satellite company Viasat shows.
This wind turbine is currently being maintained by hand – but what if hackers break into the system’s IT control system?
Germany and the other EU member states are therefore developing new rules to force energy suppliers, telephone companies and other providers to protect their systems with a specific standard. And the USA passed a law in the spring, according to which providers must inform the authorities immediately of a cyber attack.
Beyond legal regulations, close cooperation between private technology companies and state authorities is also essential, says Kemba Walden from the Office for National Information Security in the US President’s Office.
There is no cyber security without cooperation
IT security experts also agree that like-minded states need to step up international cooperation in cyberspace. “We can’t do it alone,” says Christian-Marc Lifländer, head of NATO’s cyber defense division. “We all have different pieces of the puzzle, so sharing knowledge and intelligence is key.”
To date, law enforcement agencies have been reluctant to share information about cyber threats. There is still room for improvement, admits Sinan Selen, Vice President of the Federal Office for the Protection of the Constitution.
But the recent increase in cyber incidents, as well as the deteriorating security situation around the world, are prompting authorities to share more information, explains Manuel Atug of AG Kritis, an independent group of German experts on critical infrastructure. On the one hand, this is a good development, according to Atug. At the same time, he warns that a more holistic approach is needed to make critical infrastructure truly resilient to cyberattacks.
For decades, Germany missed the opportunity to raise public awareness of cybersecurity and train a new generation of experts. For example, Atug proposes that cyber security and programming skills should finally be taught in schools.
Foreign Minister Annalena Baerbock signaled in Potsdam that her government is aware of these deficits. When she was in Kyiv at the beginning of September, she visited the Ukrainian cyber security authority. She was led into a room with students aged 16 to 22. “And I said to them: You are the real experts,” says Baerbock. This is how Germany and other European countries should tackle the problem. “We need more courage, more fresh ideas and thinking ‘out of the box’.”
Adaptation from English: Beate Hinrichs
