The head of Germany’s Federal Office for Information Security, or BSI, has called for greater international cooperation in the wake of a successful operation against a global cyber crime network – a rare success story amid a flurry of hacker attacks on the German government and consumers in the past few years.
“We need this cooperation because the culprits often sit in different countries or use foreign IP addresses for their attacks,” Arne Schönbohm, head of the BSI since February, told Handelsblatt.
His comments came after authorities in 39 countries stopped a criminal network that was targeting online banking customers, the state prosecutor in the German city of Verden announced on Thursday. At least 50,000 Internet users in Germany were targeted by the cyber criminal network.
“We need a European solution. Germany can be the tip of the spear.”
The operation, targeting a network that had been building a Botnet of interconnected infected computers since at least 2009, led to the identification of 16 leaders of the alleged criminal group. The servers have been shut down and authorities have taken control over the Botnet. The revelation comes after a separate cyber attack interrupted the service of 900,000 Deutsche Telekom customers earlier in the week.
Mr. Schönbohm said that such Botnets, which criminals can use either for gathering information on people’s digitial identities or simply spamming emails, represented “one of the biggest threats to digitalization.” He called for stronger regulations and certification standards to ensure that IT devices are secure.
“We need a European solution,” he said. “Germany can be the tip of the spear and work on solutions.”
Mr. Schönbohm said the German government was addressing the issue with a new IT security law, which demands minimum standards for IT security and sets up a framework for reporting security breaches. The BSI has also talked to other European countries about cyber security during important times.
Germany is holding federal elections next year, something Mr. Schönbohm is also keeping an eye on, particularly after a massive attack last year that targeted the German parliament, not to mention ongoing reports of interference in the November elections in the United States.
“We are constantly improving the defense capabilities of the government network, and this is a particularly sensitive issue when it comes to elections. We have people advising parliament on how to better protect the government from attack,” he said.
The BSI fashions itself as a central services provider for IT security in Germany, leaning on other government agencies but also increasingly on businesses and even consumers to help improve network safety in the country. But the agency, part of Germany’s interior ministry, has often been overwhelmed by the task amid a lack of personnel. Mr. Schönbohm himself, who studied business and has held leading positions in security at companies including EADS, has come under criticism for his lack of technical expertise in the field.
“If I buy a car, I expect it to be safe. And if an IT device is unsafe, no one is responsible? That is unacceptable.”
The BSI has been beefing up its operations to meet its growing responsibilities, and plans to hire more than 80 new staff. By the end of 2017, it will have around 84o employees. As part of its expansion, it plans to set up rapid response mobile units that will be available around the clock to deal with significant data breaches.
“If there is a real crisis, we can call on all BSI employees to deal with it. But at the same time, we want to certify private IT security services on our behalf,” he said. “This increases our flexibility as it makes no sense to have a lot of highly paid IT specialists sitting idle at times of calm.”
Mr. Schönbohm said the recent hacks should not deter companies and individuals from taking advantage of digitalization. “Networking contributes to our wellbeing,” he said. “It is just that security is an indispensable part of this.”
He also called for a standardization of security measurements, so all companies knew what requirements they had to meet.
“The electronics industry sells some devices that are very difficult or almost impossible to secure against cyber criminals. Imagine being able to sell fire extinguishers where one in five did not work. It is not acceptable. That is why we want cyber security certification, to show that a product meets certain safety standards.”
He said customers needed to make sure they asked about security when buying anything that may be networked, to put pressure on suppliers to take security seriously. He also wanted to make manufacturers responsible for security breaches on their devices.
“I believe in liability in the market place,” he said. “If I buy a car, I expect it to be safe. If it doesn’t meet certain safety standards, it should not be for sale. And if an IT device is unsafe, no one is responsible? That is unacceptable.”
Dana Heide is a correspondent for Handelsblatt in Berlin, focusing on energy policies, small and medium-sized companies and innovation. Christof Kerkmann is an editor for Handelsblatt Online and writes about the technology sector. To contact the authors: email@example.com and firstname.lastname@example.org