Opinion on the German IT security debate: "The outraged are naked"

Germany's politicians are complaining about Russian hackers. Rightly so – but they should take action themselves. An opinion by Falk Steiner.


This article was originally published in German and has been automatically translated.

There has been a great deal of public outrage from official bodies about the spying attack by the Russian Federation's military intelligence service on the SPD, infrastructure operators, foundations and associations just over a year ago. Germany's and the Czech Republic's ministers are outraged, with full solidarity from the EU and NATO. Foreign Minister Annalena Baerbock (Greens) announced consequences, Interior Minister Nancy Faeser (SPD) spoke of hybrid threats and, ahead of the European elections in June, got carried away with the sentence: "We must also protect our democracy in the digital world."

Falk Steiner is a journalist based in Berlin. He works as an author for heise online, daily newspapers, specialist newsletters and magazines and reports on digital policy at federal and EU level, among other things.

This all sounds like determination, or at least it is meant to. But it is clear that the attackers from the Russian military intelligence service did what is their job: espionage. According to the authorities, they did not carry out sabotage operations. So these are not hybrid attacks, even if they could be preparatory actions, a look through the keyhole for further options for action. Now, such espionage is definitely not a trivial matter and anyone caught doing it must expect a formal protest. But apart from loud foot-stamping, those responsible in the Federal Republic obviously have few ideas.

There are actually a lot of measures that could be taken to significantly reduce the problems. The very methods used by the GRU unit known as "Fancy Bear" are part of what has long been criticized and could have been addressed long ago. Another name for the unit is APT28.

Let's look at Microsoft's security problem first: more than two months after the Russian attackers exploited the vulnerabilities, Microsoft published an initial CVE with instructions on how to mitigate the threat. Security updates followed. Two months is a very long time in an emergency. This is not the only reason why Microsoft has to ask itself whether it can guarantee sufficient security in the current global situation. Seemingly without consequences.

The second problem: networked devices. When an Ubiquiti EdgeRouter botnet was taken offline by the FBI, BKA and others a few months ago, the problem was quickly described: auto-updates are often not enabled in the factory-default state, firewalls are deactivated and default credentials are used. There is no doubt that these devices are easy victims. However, the legal standards for networked devices are still low, and the Cyber Resilience Act is still to come – with transition periods lasting years. The fear of overburdening providers is still greater than the fear of malicious actors. Preliminary result therefore: none.

This also applies to another part of the Ubiquiti problem: the legal basis on which German authorities could emergency-patch insecure systems is still extremely shaky. This is partly because the question is tied to political "hackback" demands, which could be highly problematic. Splitting up the activities and, for example, transferring emergency patching to the BSI as active consumer protection would be a conceivable alternative – but the BSI would be a foreign body in the logic of police threat prevention. And so nothing happens.

Another problem is also home-made: the zero-day problem. If ZITIS, police or intelligence services in Germany find a security vulnerability, they are not obliged to report it to the manufacturers immediately. This is exactly what should change – according to the coalition agreement of the traffic light coalition. It has not been implemented for two and a half years, and not only on this point. But the Fancy Bear case shows just how urgent this would be. Of course, it is tempting for hackers on the self-perceived good side to exploit security holes that are supposedly known only to them for as long as possible. The only problem is that there can never be a guarantee that the vulnerability is not already known elsewhere – and actively exploited. The Federal Ministry of the Interior has still not been able to come up with a sensible proposal for this. So what we have to show for it: Nothing.

And then there is the question of whether the IT security regulations as a whole should not be significantly tightened up. In principle, the EU has already done some preliminary work here with the revision of the Network and Information Security Directive, NIS2. However, it still needs to be transposed into German law. Since the first proposal was presented last summer, there has been a struggle over this. Behind the scenes, it is all about costs, cost assumptions, political porcelain, removal, installation and conversion obligations. The same applies to operational technology, which is also subject to regulation as part of the operational security of critical infrastructure operators. And even the criteria for physical security, for example with surveillance cameras, sensors, access systems and the like, where Chinese providers are often used for cost reasons, would actually be part of the current legislative process. However, the Kritis umbrella law, the younger and smaller offline sister of the NIS2 implementation law, is just as stuck. So in practice, as you can guess, nothing is happening for the time being.

The responsible Minister of the Interior, Nancy Faeser (SPD), appears before the people, praises the counterintelligence, the "protective measures against hybrid threats", and says: "We will not be intimidated by the Russian regime under any circumstances."

This is fatally reminiscent of Hans Christian Andersen's famous fairy tale about the emperor who adorned himself with virtual clothes that the stupid and incompetent supposedly could not see. None of his subjects criticized this, nor did the people, until a small child spoke the truth: "But he's not wearing anything!" The emperor then decides to go his own way to avoid having to admit his deception.

This legislature still has a year and a half to run – a long way to go for those in charge under the current circumstances. These are not likely to be good times for real cyber security.
