Cybersecurity in Germany – Toward a Risk-based Approach
Cybersecurity has become a new buzzword in the German security policy discourse. Nearly every day German media cover stories of high-profile attacks in Germany or abroad – and with the advent of the German Pirate Party, cybersecurity and other issues of internet freedom, online transparency, and privacy are making their mark on Germany’s political agenda.
As such, the cybersecurity debate in Germany is rapidly evolving from what was once a technical issue among information technology experts toward a public policy issue along with a growing foreign and security policy component. This shift brings with it a number of challenges in better understanding Germany’s cybersecurity risk profile as well as in leveraging effective risk management strategies – for German citizens, businesses and government alike.
To help clarify the discussion, this article focuses on what the German Government describes as “IT-Security” (which the U.S. and other governments call “cybersecurity”). While issues of privacy, access, and internet freedom are critical to a comprehensive understanding of cyber public policy and cyber foreign policy, describing risks and challenges in those categories is beyond the scope of this article.
Understanding the Cybersecurity Risk Profile
A key challenge policymakers (as well as businesses and even regular end-users) face is a better understanding of the cybersecurity risks for their respective environment. Unlike the threat posed by teenage hackers at the advent of the Internet, today’s threats can broadly be classified into four different categories: 1) cybercrime; 2) economic espionage; 3) military espionage; and 4) cyber-warfare. While motivations can differ widely, attack methods can often be similar as the Internet is a shared and integrated domain. Identifying motivations, actors, and methods is extremely difficult as attributing attacks to a particular actor continues to be one of the main challenges in the cybersecurity arena.
Attackers typically exploit vulnerabilities in either the operating system, the browser, in applications, or in a combination thereof. The threat categories range from adware and unwanted software to worms, backdoor Trojans (including bots/botnets), viruses, and spyware. In addition, security research shows a significant increase in social engineering—a technique that defeats security mechanisms by exploiting human vulnerabilities with the intention to get the targeted user to perform an action of the attacker’s choice.
Within this threat environment, much of the recent media attention has focused on high-profile attacks against companies such as Google, RSA, and Sony as well as against government networks such as the U.S. Department of Defense and many others. While the damage from these attacks was particularly significant, according to the recently released Microsoft Security Intelligence Report (SIR) volume 12, “more than 700 million pieces of malware were detected on computers around the world in the second half of 2011.” For Germany, Microsoft’s SIR data shows a significant uptick in the detection and removal of malware from computers in Germany—up 30.4 percent in the fourth quarter of 2011 over the previous quarter, primarily because of increased detection of a number of prevalent trojans. Even with detection and removal of malware improving, statistics show an overall increase of attempted and successful cyberattacks. The U.S. Government Accountability Office recently stated that cyberattacks on the U.S. Federal Government soared 680 percent between 2006 and 2011. The German government’s Federal Office for Information Security (BSI) has pointed repeatedly to an increased threat environment, in particular with regard to attacks against the German federal government’s networks, which suffered 1,761 targeted attacks in 2010.
Given the evolving nature of attack vectors, malicious actors, and motivations in the cyber-ecosystem, cybersecurity experts on both sides of the Atlantic increasingly believe that it is not a question IF a cyberattack is successful but WHEN—in particular with regard to targets such as governments, large enterprises, and increasingly small and medium businesses who are often not even aware that they are under attack. While it is challenging for non-IT experts to develop a sufficient understanding of the cybersecurity threats, challenges, and risks, such awareness is critical for policymakers, government leaders, or senior management in the private sector to implement appropriate risk management decisions.
Building an Effective Risk Management Framework
Leading cybersecurity experts have started calling for a more advanced risk management framework that goes beyond merely trying to prevent a cyberattack and focuses on building the needed capabilities to respond and recover from such an attack. Such a risk management framework should also include abilities to:
- detect attempted security breaches (based on data generated by the network, available tools, and analysis capabilities);
- contain an attacker once the network has been penetrated; and
- recover from an attack as quickly as possible.
In order to better address its cybersecurity risk, the German Federal Ministry of the Interior launched the first “Cyber Security Strategy for Germany” in February, 2011. The Strategy spells out ten strategic areas, ranging from “Protection of Critical Information Infrastructures” to creating “Tools to respond to cyberattacks.” While much has been written about the utility of the Strategy itself, effective cybersecurity risk management from the German government’s perspective will rest on successful implementation of the Strategy’s various components.
Risk-based Cybersecurity Approaches in Germany
One important aspect in this regard is the collaboration between governments and the private sector, in particular with regard to Critical Infrastructure Protection (CIP). Germany first spelled out its “National Plan for the Protection of Information Infrastructure” (NPSI) in 2005, followed by a more detailed “Implementation Plan – KRITIS” in 2007, which had been developed in collaboration with relevant private sector stakeholders. Information and Telecommunication Technology (ICT) is identified as one of nine distinct critical infrastructure sectors. In order to ensure better information sharing and coordination of incident response, the German government has strongly encouraged the private sector to work closely with the recently established German “National Cyber Response Center,” which is situated within the BSI in Bonn, in particular with regard to information-sharing and cyber-incident disclosure.
In fact, the Minister of the Interior recently warned the four sectors defined as baseline technology sectors (Water, Energy, Transportation, and Communication) that should voluntary cooperation not become more effective, the German government would start developing new legislation requiring companies in these sectors to disclose cyberattacks as well as security vulnerabilities in order to foster better preparedness and response across the board. While effective collaboration between the public and the private sector is challenging for both, it is important to keep in mind that a commitment to compliance is not the whole answer with regard to security. Governments can spell out a set of requirements and the private sector can be compliant. That does not necessarily mean that either is more secure. Instead, a collaborative, risk-based approach can foster both higher degrees of compliance and increased security.
Risk-based Cybersecurity Approaches in the U.S.
By comparison, the U.S. Government started its CIP efforts in earnest in the late 1990s. In 2003, the Department of Homeland Security identified 18 critical infrastructure sectors in the United States, ranging from agriculture to water and designated a federal Sector-Specific Agency (SSA) to lead protection and resilience-building programs and activities. Legal authority for CIP has been developed through the Homeland Security Act of 2002, the Homeland Security Presidential Directive (HSPD) 7 of 2003, and the National Infrastructure Protection Plan (NIPP) of 2006 (revised in 2009), along with a series of other frameworks and systems to protect the public.
It is noteworthy to point out that the IT Sector-Specific Plan employs a different approach compared to the 17 other designated sectors. Government and industry agreed that while sectors such as chemical, dams, or nuclear reactors were “asset-based” (what are the assets and how can they be protected), a “functions-based” (what are the critical functions) approach was more appropriate for the IT sector. The Department of Homeland Security ultimately identified six critical functions, including IT Products and Services; Incident Management Capabilities; Domain Name System (DNS) Services; Identity Management/Associated Trust Support Devices; Internet-based Content/Information/Communication Services; and Internet Routing, Access, and Connection Services.
Lessons learned from years of trying to identify a more effective approach to this aspect of cybersecurity included that building an effective public-private-partnership (PPP) needed to be based on a collaborative risk assessment and effective information sharing. Thus, in 2009 the Department of Homeland Security and the Information Technology Sector Coordinating Council (comprised of private sector stakeholders) conducted a joint “IT Sector Baseline Risk Assessment” to “identify and prioritize national-level risks to critical sector-wide IT functions.” This process was praised by both the government and the private sector as a “major step forward in mitigating risks to critical infrastructure functions that are essential to both homeland and economic security.”
With regard to effective information sharing between technology companies and the government, numerous legislative proposals debated in the U.S. Congress over the last decade have highlighted the challenges of getting the balance right between security, privacy, and other concerns. One metric for effective information sharing is that the government and the private sector should agree to share the right information, to the right people, at the right time. It cannot be about “all data to everyone”— and it will always be important to understand what the intended use of the shared information is. Information sharing succeeds only when there is a strong and trusted relationship between the stakeholders involved and a clear understanding of the objectives and goals.
In light of an ever evolving threat landscape consisting of a significant range of actors, methods, and degrees of persistence, cybersecurity as a discipline is rapidly moving toward risk-based approaches. Recognizing that there is no perfect security and that attacks will invariably happen is a key first step in developing an effective strategy to identify and mitigate the risks associated with an attack. Protection of critical information infrastructure is a good example of the utility of a risk-based approach to security, and one where Germany can look to others – including efforts undertaken in the U.S. – to better understand the lessons learned in this space.
Jan Neutze is a Senior Security Strategist in the Office of Global Security, Strategy, and Diplomacy at Microsoft. The opinions expressed in this article are his own and do not necessarily reflect those of Microsoft.
 See U.S. Government Accountability Office, “Cybersecurity: Threats Impacting the Nation,” Testimony by Gregory C. Wilshusen, Director, Information Security Issues Before the Subcommittee on Oversight, Investigations, and Management, Committee on Homeland Security, House of Representatives, 24 April 2012, http://homeland.house.gov/sites/homeland.house.gov/files/Testimony-Wilshusen.pdf.
 See “Cyber Security Strategy for Germany,” Bundesministerium des Innern, March 2011 http://www.bmi.bund.de/SharedDocs/Downloads/DE/Themen/OED_Verwaltung/Informationsgesellschaft/cyber_eng.pdf?__blob=publicationFile
 Bundesministerium des Innern, “Nationaler Plan zum Schutz der Informationsinfrastrukturen (NPSI),” July 2005, http://www.bmi.bund.de/SharedDocs/Downloads/DE/Themen/OED_Verwaltung/Informationsgesellschaft/Nationaler_Plan_Schutz_Informationsinfrastrukturen.pdf?__blob=publicationFile.
 Bundesministerium des Innern, “Umsetzungsplan KRITIS,” http://www.bmi.bund.de/SharedDocs/Downloads/DE/Broschueren/2007/Kritis.pdf?__blob=publicationFile.
 Henning Krumrey and Thomas Kuhn, “Innenminister Friedrich droht mit gesetzlicher Meldepflicht,” Wirtschafts Woche, 28 April 2012, http://www.wiwo.de/technologie/digitale-welt/it-kriminalitaet-innenminister-friedrich-droht-mit-gesetzlicher-meldepflicht/6561524.html
 U.S. Department of Homeland Security, “Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection”, 17 December 2003, http://www.dhs.gov/xabout/laws/gc_1214597989952.shtm.
 U.S. Department of Homeland Security, “Information Technology Sector-Specific Plan,” 2010, http://www.dhs.gov/xlibrary/assets/nipp-ssp-information-tech-2010.pdf.
 U.S. Department of Homeland Security, “Information Technology Sector Baseline Risk Assessment,” August 2009, http://www.dhs.gov/xlibrary/assets/nipp_it_baseline_risk_assessment.pdf.
 U.S. Department of Homeland Security, “DHS and the Information Technology Sector Coordinating Council Release Information Technology Sector Baseline Risk Assessment,” 25 August 2009, http://www.dhs.gov/ynews/releases/pr_1251249275263.shtm