Since Russia's invasion of Ukraine, the subject of cyber security has been discussed intensively by many experts. Even these days, hardly a day goes by without warnings of an imminent major cyber attack on German companies or critical infrastructure. But how great is the danger really? That is what we asked Manuel Atug. He is a cyber security expert at HiSolutions AG and a board member of the Cyber-Security Cluster Bonn.
- NRW.Global Business: Mr. Atug, since the war broke out in Ukraine, there have been growing warnings about Russian hackers. How great is the danger of a cyber attack really?
Manuel Atug: The situation is clearly tense and the risk is indeed significantly higher than without such a war. But it is not the case that we are in a catastrophic situation at the moment. It is that high-value targets in particular are more at risk.
- NRW.Global Business: What are high-value targets?
These are, for example, high-ranking politicians, important companies and critical infrastructure players. These may be the focus of hacker attacks.
- NRW.Global Business: How highly does the BSI (Federal Office for Information Technology) rate the danger at the moment?
So far, it has not yet issued a red alert; according to the experts, we are at alert level orange. The BSI therefore currently assesses the situation as above average, but not critical. This means that the Federal Office has come to the same conclusion as our experts.
- NRW.Global Business: But many other experts are warning of a great cyber war.
Considering that many supposed cyber war experts have warned massively of an imminent cyber war in colorful PowerPoint presentations, things have been comparatively quiet so far. Therefore, we must first ask ourselves the question: Who could be the perpetrator of an attack and what would be their goal? If we now look at Russian President Vladimir Putin and his military, the current likelihood of an overt cyber attack by which he makes himself known is relatively low.
- NRW.Global Business: You must explain that to us.
An open attack on German infrastructure that works and causes a prolonged outage of, say, electricity or water, will also inevitably cause fatalities. If that is the case, NATO will very quickly invoke Article V and that would activate the Western military. Putin will certainly not want to take that risk at this time. And state cyber attacks pose a further incalculable problem.
- NRW.Global Business: Which problem is that?
If I fire missiles at a waterworks, the waterworks will almost certainly be destroyed afterwards. If I want to paralyze the waterworks for a long time by means of cyber attacks, the probability that it will work is much lower: First of all, the cyber attack has to be successful, and the more long-term and permanent the failure of the plant is supposed to be, the more complex the undertaking is. And even if I succeed in all this, the probability is relatively high that I will cause collateral damage in the process.
- NRW.Global Business: Like the attack on Ukrainian communications satellites?
Exactly. The satellites were attacked to disrupt communications in Ukraine in order to gain a tactical advantage. But they took out, as collateral damage, nearly 6,000 wind turbines in German wind farms that were controlled by the satellite network. Modems in emergency response command vehicles in Germany were also crippled by the attack. In the end, the Ukrainian communications outage lasted an hour, but the collateral damage will require weeks of repairs.
- NRW.Global Business: Are there other actors involved in the war?
IT reflects our society, and it reflects it globally – we have a cyberspace for everyone. And we find everything from "very good" to "very bad": Whether it's the economy and the population or all state actors who drive cyber espionage or attacks, or even the non-state actors who think they have to be involved in the case of attacks.
- NRW.Global Business: You mean so-called "hacker collectives", right?
Yes, there are such collectives, for example Anonymous. On the other hand, there is also organized crime on the Internet. And then, of course, there are those who want to exploit a war to make money. But none of this is structured. It is civilians who get involved – and that's always problematic, of course.
- NRW.Global Business: If hackers act without a large-scale plan, does that also mean that any company can fall victim to an attack?
Exactly. It can very well be that a medium-sized company is targeted, and the same goes for municipalities. This can happen, for example, when hackers feel compelled by patriotism to go after anything that looks Russian. Then they destroy and rampage through a company's IT infrastructure because it has also made its website available online in Russian. And it can all happen insanely fast once an ethically wrong-headed hacker realizes: I can cause great destruction here with relatively simple means.
- NRW.Global Business: Let's get back to the "great cyber war". Why do people keep warning about it, but in fact we get very little notice of large-scale attacks? Is Germany perhaps simply very well protected against cyber attacks?
Most of the attacks – as already mentioned – are not about destroying, they are about data espionage, information gathering, reconnaissance and propaganda. These attacks are aimed at obtaining information or spreading false information. The actors are often intelligence services, and they try to do their work in secret. This is not only true among "enemies," of course, but is also a constant issue among states that maintain friendly relations.
- NRW.Global Business: What do you think a good cyber defense system in a company should look like?
Cyber security actually looks very boring. It's not enough for a company to buy a super security product and then have a license and everything is secure. The solution is also not to rely on a hype technology like blockchain. The basics are more important.
- NRW.Global Business: What would those be?
Let me describe one thing in more detail: It is not enough to make a backup of your system. The backup needs to be made regularly, the backup needs to be kept offline, and it needs to be practiced to restore the backup. If I have never tested whether restoring my system works, then I don't know if my backup is useful at all.
- NRW.Global Business: How can I tell?
Companies need to know how long it will take to restore their systems. If I, as a medium-sized company without IT systems, am unable to work and am insolvent after two days, but it takes two weeks to restore the backup, then unfortunately even the fanciest backup is of no use to me. Ask companies or startups whether they really have a backup concept in the form described. Many will honestly have to answer this in the negative. Just take a look at the Anhalt-Bitterfeld district: It was the victim of a huge hacker attack last summer, and the entire system landscape was affected.
- NRW.Global Business: What was the problem?
Backups existed, but not everything was saved and not everything could be restored properly. They have now reached the point where they were able to let the catastrophic event run its course. But they still won't be able to operate properly for several months – a whole year after the attack.
- NRW.Global Business: How can a company prevent something like this?
Apparently, in Anhalt-Bitterfeld, but also in many other companies and municipalities, not enough thought was given to what plan would be followed once everything was virtually in ruins and how it would have to be rebuilt: Do we have enough computers, do we have enough personnel to restore the data, which critical systems need to be restarted first, what do we have backups of, can they be restored without problems, and is it all happening fast enough? Ideally, every company and every administration must be able to answer these questions in advance.
- NRW.Global Business: What can be done preventively?
Putting fixed cyber protection procedures in place is already a great help. But it is also important, for example, to delete user accounts when employees leave the company. After all, these accounts are not just carte blanche, but also offer unauthorized persons the opportunity to gain access to the systems. The same applies to a firewall that was installed at some point, but whose rules and regulations were never adapted and developed in a structured manner afterwards. Hackers can find loopholes here, too. Or take patches from important software. Here, too, it must be clearly regulated who installs them. Is it the company itself or a service provider? You see: These simple basic measures, which do not sound very hyper or glamourous, are existentially important. But unfortunately, they are not really practiced in many places.
- NRW.Global Business: When I as a company read this and have to admit to myself: I really haven't done enough before now – Who can I turn to if I want to find out about good cyber security?
Many organizations offer basic IT security checks. Here, I as a company can find out where I have deficits. We as the Cyber-Security Cluster Bonn also publish information material that can help companies. In addition, we offer a series of events that deal with the subject of cyber security. The newly created state-owned competence center Digital.Sicher.NRW also helps companies with these issues. The BSI also provides extensive information. But there is one point that is most important.
- NRW.Global Business: Tell us what it is.
Companies really must be prepared to do something. It's not enough to listen to expert tips, they also have to be implemented. This requires time and resources. Cyber security in companies must be a matter for the boss.
- NRW.Global Business: Mr. Atug, thank you very much for speaking with us.