No Cyber Resilience, No Economic Resilience

Barbara Engels

German Economic Institute

Barbara Engels is Senior Economist for Sustainable Digitalization at the German Economic Institute in Cologne. In the research unit Digitalization and Climate Action she conducts research on how digitalization must be designed so that economy and society benefit from in a sustainable manner. Her research interests include cybersecurity, data economy, digital markets, and digital sovereignty. As part of her research, she lectures internationally and gives workshops for academia, companies, and the public sector. Previously, she supported German-Israeli economic cooperation at the German-Israeli Chamber of Industry and Commerce in Tel Aviv and worked as a freelance journalist for several German media outlets. She studied Economics (B.Sc. and M.Sc.) in Berlin, New York, and Barcelona.

Hubertus Bardt

German Economic Institute

Prof. Dr. rer. pol. Hubertus Bardt is Managing Director at the Institut der deutschen Wirtschaft, Köln (German Economic Institute). Since 2022, he is an honorary professor at the Heinrich Heine University in Düsseldorf.

He studied economics and business administration in Marburg and Hagen and received his doctorate in economics from the Philipps University Marburg. He joined the German Economic Institute in 2000 and has been head of Research Unit Environment, Energy, Resources from 2005 to 2014.

When Russia attacked Ukraine starting in late February 2022, it did so not only with bombs, missiles, and tanks but also with hackers. Massive cyberattacks were carried out on Ukraine’s government agencies, administration, military, and numerous other infrastructures. Although German Chancellor Olaf Scholz spoke of a so-called Zeitenwende—a “turning point in time”—shortly thereafter, it was not new for Ukraine to be attacked from Russia in the digital space. In 2015, the Ukrainian power grid had already been temporarily paralyzed, and in 2017 the malware NotPetya, originating in Russia, spread massively. Accordingly, Ukraine had already been active in the field of cybersecurity in the years before the current war. With support from other countries, first and foremost the United States, it armed itself against cyberattacks and, for example, equipped its rail network against malware. Ukraine invested intensively in its cyber resilience and thus was able to successfully react to the Russian attacks. Germany, on the contrary, has not experienced such a threat situation before 2022—and has accordingly been much less active in cybersecurity matters, resulting in weaker cyber resilience.

The Zeitenwende is typically discussed as a matter of reorganizing natural gas supplies and qualifying the Bundeswehr in order to meet the requirements defined by the new security situation. Replacing Russian energy imports turned out to be possible but costly. Due to the energy price shock, production in energy-intensive industries has shrunk by about 20 percent within one year—and many capacities like ammonia or aluminum production will remain closed indefinitely. The military dimension of the Zeitenwende is even more critical. The pledge to fulfill the 2 percent NATO target might be fulfilled for the next two or three years if the 100 billion special fund is used quickly enough to plug the most critical holes. But using these resources, about 35 billion euros have to be mobilized in the federal budget—annually!

Also, the 100 billion euro special fund will be dedicated to traditional military activities but not to Germany’s cyber defense—although Germany is far from being adequately protected against cyberattacks. Neither the state and its institutions nor the private sector is sufficiently prepared. If any were heavily attacked, the probability that these shocks could not be properly absorbed would be high. The lack of cyber resilience has consequences for the economy and society: Economic well-being and prosperity are at stake.

Nowadays it is not a question of whether a company is attacked, but when and how often—and how long it takes for the company to notice the attack. There are numerous security gaps in many companies, which had already been widely and successfully exploited before the Ukraine war. The increase in working from home during the COVID-19 pandemic has also led to a tightening of the cyber security situation, multiplying the number of points of attack. According to a representative study by the German digital industry association Bitkom, cyberattacks caused damage to 86 percent of companies in Germany in 2021 or 2020. Damage from ransomware attacks, associated with the failure of systems or the disruption of operations, has increased by 358 percent since 2019. The average cost of a data breach worldwide reached an all-time high in 2022 of 4.35 million U.S. dollars, according to IBM’s annual cost of a data breach report.

Taking these figures into account, it is not surprising that companies worldwide have identified cyber risks such as IT outages, ransomware attacks, or data breaches as their top concern for 2023. According to the Allianz Risk Barometer, which includes the expertise of more than 2,700 risk management experts from 94 countries and territories, cyber incidents beat business interruptions, macroeconomic developments, and energy crisis, among others. In Germany, experts rank business interruptions higher than cyber incidents. This might be the case because business interruptions are more generic and may have many causes—one of them being cyberattacks. 45 percent of respondents worldwide said that the cause of business interruption that they fear the most is cyber incidents, followed by an energy crisis (35 percent) and natural catastrophes (31 percent). Once a company is hacked, it may take days or even several weeks until it can fully operate again. Moreover, companies are not lone warriors. Every company is networked with other companies that are dependent on it in the supply chain. Every successful cyberattack is not only a danger for the directly attacked entity but also for all others that are connected to and dependent on it.

The lack of cyber resilience has consequences for the economy and society: Economic well-being and prosperity are at stake.

Thus, cyberattacks can add significant damage to entire industries and thus to the economy and society. This danger is already extremely high in peacetime. In times of war, it increases exponentially due to the growing role of cyber warfare. Cyber warfare aims at crippling the communications infrastructure, disrupting critical activities, and further destabilizing the situation. Since almost all areas of public and private life are digitally networked, all of these areas can also be attacked digitally. This can be done regardless of location and does not necessarily require extensive human resources, making these attacks particularly attractive. The political activism of non-state hackers (“hacktivism”) in Russia, Ukraine, and other parts of the world can neither be comprehensively monitored nor controlled but has the potential to further endanger the global security situation.

Hence, the impact of digital attacks extends beyond Ukraine. No one can or should feel safe. But we do not have to bury our heads in the sand either, because we can do something. We must make strengthening cyber resilience a top priority. Because without cyber resilience, there can be no economic resilience. Companies must be cyber-resilient in order to survive and be able to cater to a prosperous society.

In order for companies to be more defensible against cyberattacks, they also rely on rapid support from government agencies. This requires more financial and human resources as well as clear responsibilities. According to the chart on the state cybersecurity architecture in Germany, which is regularly updated by the think tank Stiftung Neue Verantwortung, 75 bodies—including ministries, committees, and government organizations—are responsible for keeping damage away from IT systems at the federal level alone. These are joined by international actors, UN, EU, and NATO actors, and numerous state institutions. This fragmentation means a high coordination effort that does not match the dynamics and reach of digital attacks. Bundling competencies is urgently indicated.

It is all too easy to neglect cybersecurity because it has a visibility problem. When it is there, it is not noticeable. When it is not there, it hurts. Very, very much.

The views expressed are those of the author(s) alone. They do not necessarily reflect the views of the American-German Institute.