Bitkom sensitises companies and authorities to the area of cybercrime and warns of current dangers. In North Rhine-Westphalia, Baden-Württemberg, Rhineland-Palatinate, Hesse, Saxony and Lower Saxony, Bitkom works together with the state criminal investigation offices for this purpose. Findings from the Federal Criminal Police Office, the Federal Office for the Protection of the Constitution and the Alliance for Cyber Security are included. The goal is to build an IT security ecosystem between the state, business and science. Bitkom’s Stephan Ursuleac spoke to Diplomatisches Magazin about this.
DM: Are cyber attacks an issue for the German economy?
Stephan Ursuleac: Absolutely. Last year, over €200 billion in damage was caused by sabotage, espionage and data theft. It is often about communication data, about email content; about finding out what structures exist, what relationships there are with other business partners, and about customer data. The more sensitive the data, the more potential there is for blackmail, for example patents and the like.
DM: Is this also about industrial espionage?
Stephan Ursuleac: What we found out in our study is that about 8 % of all attacks involve classic espionage activities, i.e. foreign intelligence services are suspected to be behind them. The main targets are, among others, scientific institutions, such as universities or research institutes. And in the course of the Ukraine war, it is also the defence industry that is being attacked; attempts are being made to withdraw know-how or paralyse structures.
DM: The issue of phishing and ransomware seems to have changed due to artificial intelligence. Europol says artificial intelligence is an “ideal resource for criminals”. Why is that?
Stephan Ursuleac: We have known phishing mails for many years. They are still the main gateway. Phishing mails are used to try to obtain certain data or to get the mail recipient to click on a link that contains infected files. In the past, phishing emails were characterised by poor spelling, grammar or poor or incorrect wording of the email texts. But now we see that these areas are becoming more and more professional. And this has mainly to do with artificial intelligence, which generates perfect texts. The mass emails generated by AI are sent millions of times in several variants. And the system can evaluate successful variants in a matter of seconds: they are then followed up accordingly. So, with automated processes, you can achieve greater success rates with little effort. At some point, someone will click on the link and perhaps download something or disclose information.
DM: What can companies do to protect themselves?
Stephan Ursuleac: Basically, every company and every authority can become a victim of a cyber attack. What we also find quite often is the attitude, “I am far too insignificant, a small local administration or a small company. A few employees somewhere in the Swabian Alb or something, who is going to attack me?” However, these attacks are automated and not always targeted against individual actors; it affects everyone. Every company, every authority should therefore have a security concept and contingency plans in order to build resilience accordingly. In advance, it is important to consider: Who has access rights within the company network or within an authority, so that they can be restricted if necessary? What is my most sensitive data and what scenarios and countermeasures are conceivable? It is important to have self-sufficient backups in order to be able to work again quickly in the event of an attack. Is there backup IT for an emergency? Will it still be possible to communicate? This kind of provision should exist. Discussions with security consultancies and the police are also important. There are different ways of working together, depending on the federal state. The analogue aspects should not be neglected either: Who comes into the building or onto the company premises? For example, service providers who have normal access, etc.
Of course, the human factor is always part of the precautionary measures. Among other things, staff should be trained, e.g. in phishing and social engineering. Finally, structures and processes must be clarified in order to be able to act in the event of an attack. Do I have available partners to support me? Who has to be informed when and about what (e.g. reporting obligations)? The following applies: IT is the boss’s business!
DM: What should companies do if their data has been stolen and ransom demands have been made, for example?
Stephan Ursuleac: It must be very clear when the company or the authority gets into such a situation, which structure applies. Who is responsible? What does the crisis team do, etc.? In any case, this must be clarified in advance.
The police always recommend: Do not pay a ransom! We don’t know whether this ransom demand really leads to the encrypted data actually being decrypted again. It is also possible that additional demands will follow, according to the motto: Whoever is willing to pay 100,000 €, will also pay 200,000 €. One could also violate sanction regulations by paying. There are sanctions at the European level, e.g. against North Korea in payment transactions. Companies may therefore be liable to prosecution. Companies with business relations to the USA could even be suspected of supporting some kind of terror financing if they end up on a list of companies that finance terror organisations.
However, the practice is often a grey area. For example, if companies are threatened with insolvency if they fail to pay, their backs are against the wall. Such a scenario should definitely be discussed with the authorities.
Interview: Marie Wildermann