Germany needs an ambitious cybersecurity strategy
Munich, 30 November 2022
The latest report on the state of IT security in Germany by the Federal Office for Information Security warns that the threats faced by Germans in cyberspace are greater than ever before. Yet several obstacles stand in the way of higher security. The first publication from acatech’s “Cybersecurity” project presents recommendations for strengthening IT security in Germany.
Threats to cybersecurity have increased significantly in recent years. The proportion of German companies reporting some form of damage from cyberattacks rose from 70% in 2019 to 86% in 2021. According to a survey carried out by industry association Bitkom, the total losses suffered more than doubled over this two-year period, from €103 billion to €223 billion a year. And there has been a further significant rise in the number of cyberattacks since, not least due to the war in Ukraine. Germany’s critical infrastructure is especially vulnerable – an attack on a hospital, for example, could put lives at risk. Consequently, Germany must strengthen its cybersecurity. But to do so, it will need to overcome multiple challenges.
Germany lagging behind other nations
The German government’s recently published cybersecurity agenda aims to tackle these challenges. However, many of the proposed measures fall short of what is required. For instance, there are no regulations setting out how to implement an active cyber defence. The acatech research project is led by Claudia Eckert of the Fraunhofer Institute for Applied and Integrated Security (AISEC). In her view, “The Federal Ministry of the Interior’s cybersecurity agenda was an important first step. But it must now be swiftly followed by a cutting-edge cybersecurity strategy for the entire German government. This strategy should include concrete projects and should resolutely and boldly pursue and implement ambitious goals to deliver a genuine, lasting improvement in Germany’s cybersecurity.”
Other nations such as the US have already addressed this issue more extensively. The Biden administration’s recent Executive Order contains concrete, ambitious measures for implementing cybersecurity across all federal government agencies. It also establishes clear responsibilities, processes and deadlines. For instance, all federal government agencies must roll out a Zero Trust Architecture by the end of 2024. Zero Trust employs a data-centric approach. Instead of being trusted automatically, e.g. within a company intranet, users are only assigned the access required to perform specific tasks.
In the light of other countries’ endeavours, the project group calls on Germany to become more active in this area – cybersecurity must be given greater priority throughout every part of German society.
Cybersecurity calls for digital sovereignty
In their recently published paper, the experts present two key ideas for strengthening cybersecurity in Germany. The first is that Germany needs an ambitious cybersecurity strategy embedded within a wider digitalisation strategy. The experts recommend that it should be based on the US cybersecurity strategy.
The second is that Germany must seek to strengthen its digital sovereignty. In essence, digital sovereignty affords individuals, private companies and government agencies greater independence, allowing them to provide or use alternative software and hardware systems, for example. It is vital to systematically build and strengthen core competencies – alternative systems cannot be developed and a technology’s security cannot be assessed without the relevant knowledge.
These two objectives are mutually dependent. “You can’t guarantee digital sovereignty without adequate cybersecurity”, says Claudia Eckert. For example, in the light of recent political and geopolitical developments, the Federal Office for Information Security (BSI) has issued a warning advising against the use of Russian firm Kaspersky’s antivirus products. However, this did not have any serious implications for Germany, since there are plenty of alternative products.
Implementation will involve multiple actors
The project members also formulated several recommendations for government, science, industry and the general public. The structure of the relevant government authorities must be streamlined, since it is far too complicated to coordinate the 75 institutions with cybersecurity responsibilities that currently exist at the federal level alone. Researchers must be granted access to data on cyberattacks so that they can learn from them. Businesses should view cybersecurity as a competitive advantage and make their products more user-friendly so that all users can easily implement secure processes. The public can also do its bit by acquiring a basic understanding of digital technology and processes. This will require policymakers to make the relevant changes to curricula or create easily accessible professional development opportunities.
These recommendations clearly illustrate the complexity of achieving a high level of IT security. Accordingly, decision-makers in government and industry must treat this issue as a matter of high priority. But perhaps even more importantly, public attitudes will need to change. After all, as project leader Claudia Eckert explains, “Cybersecurity is a challenge for society as a whole”.
About the Cybersecurity project
The project aims to provide an overview of the issues involved in cybersecurity and show how a lasting improvement in Germany’s cybersecurity can be achieved. The project is led by Claudia Eckert of the Fraunhofer Institute for Applied and Integrated Security (AISEC).