Companies underestimate the danger


In his book "Geh@ckt" ("Hacked"), Michael George discusses the danger that cyber crime poses for us today. At stake is the security and prosperity of every individual. Few people know as well as the author that the massive hack is not merely the stuff of legend. George currently works for the Bavarian Office for Constitutional Protection and supports businesses as well as government agencies in protecting themselves against cyber attacks. In an interview with GSC, the author discusses how businesses can manage the balance between security and profitability, how important communication among affected businesses is, and what you should know about industrial espionage today.

GSC: In your book Hacked: How Network Attacks Threaten Us All, you write that companies today are trying to find a balance between having data and networks be as easily accessible as possible (to ensure smooth, efficient operations) while still maintaining the highest level of network and data security possible -- and they want to do all of this at the lowest possible cost. But this balancing act isn't working, you say, as evidenced by numerous hacker attacks against German companies. How then should companies shift their thinking about cybersecurity and protecting themselves against attacks? What changes need to happen in terms of how businesses approach this balance between accessibility and security of networks and data?

Michael George: This tension you mention between high security on one hand and low cost as well as practicality on the other hand certainly exists, and at first glance it might seem that they cancel each other out. But this is not so. Contrary to what many think, it is neither purposeful nor practical to involve the entire company in the practice of the highest protection measures – if you do this, it is impossible for a company to operate normally. In order to manage this "balancing act" as successfully as possible, companies should establish which information needs to be protected so that not everything in the company is subject to the same level of protection. The crown jewels of the company – that is, the information that absolutely must stay under the control of the company – usually amount to no more than 5 percent of the total data in the company. This information must be particularly well protected against unwanted dissemination.


GSC: One problem you identify in how businesses have addressed cyber attacks in recent years is the lack of communication about these attacks among companies. Since companies tend not to publicize known attacks or share details of them with each other, it makes it harder to identify attacks that may be related and thus harder to put an end to them. This creates what you call a win-win situation for attackers. Since your book came out, have you seen increased efforts among German businesses to share this type of information? What can be done to encourage businesses to be more open in this regard?

Michael George: I call this "the law of silence". The Omerta code of silence known from Italy in which people remain silent to protect themselves also plays out in the area of cybersecurity. If your own network is successfully attacked, it's better not to speak about it, because in addition to the already incurred losses, you run the risk of damaging your reputation and the trust customers and suppliers place in you. This fact is a gift for attackers, because when victims remain silent, others can be attacked using the same method. So what is needed more urgently than ever is a central (government) body that can guarantee confidentiality and anonymity so that those potentially at risk can be informed preventatively. This idea has been implemented with the creation of the Cyberalliance Center Bavaria by the Bavarian Constitutional Protection Office. And in fact, companies are changing their views on this issue and starting to break the code of silence.


GSC: Are there any misconceptions businesses tend to have about the risk of industrial espionage or about how to prevent it that end up putting them more at risk? I.e., things many people think or believe about industrial espionage today that aren't entirely correct?

Michael George: This is correct. Many companies, especially medium-sized companies, underestimate the risk of an electronic attack or a targeted attack on their company's know-how. Here, the middle class is especially vulnerable due to its innovative strength. In addition, medium-sized companies often do not have the resources to intensively address security issues, as is the case in the industry. Here, investments in know-how protection sometimes emerge as direct advantages against competitors, a concept highlighted by this phrase: You don't have to run faster than the lion at your heels, but rather faster than your neighbor. Attackers too take the path of least resistance.


GSC: How has industrial espionage changed in recent years? Are there any identifiable trends or recent developments that suggest attackers and spies are changing tactics or moving in a certain direction?

Michael George: Espionage is often called the second-oldest profession in the world, so in the long run it is apparently considered to be a business with strong continuity and little change. However, technical developments are increasingly changing the methods and ways of espionage. What was formerly laborious, detail-oriented work can often be done today in seconds -- at least when it has to do with people -- through social networks and the internet. This information can then be used to help prepare actions related to electronic attacks. In addition, one technical fact contributes enormously to this matter: as soon as data leaves a computer, smartphone or a similar device, it is exterritorial, so to speak. If it is not encrypted, it can be read by third parties, a fact of which at least the general public has been aware since the publications on the subject of the NSA. So the determination for how successful attacks on our data will be rests on our shoulders. The same applies when it comes to active intrusion into computer systems. What data the attacker finds when he is able to successfully access it and how he can then make use of it is in our control. The recommendation: the establishment of separate, purposefully protected networks for crown jewels and the utilization of encryption protection wherever possible, in conjunction with awareness campaigns for employees on the proper use of data and technology.

The greatest challenge presents another problem: people can spy on systems but also sabotage them. Thus, the issue is no longer "just" data, but the availability and integrity of systems. This applies to industrial and manufacturing facilities as well as to efficient energy networks, autonomous vehicles, the e-health sector, public administration, transport, banking and insurance, just to name a few. On closer inspection, you quickly notice how dependent our lives as well as a company's production processes are on IT. In this context, consumers, operators and businesses have to rely on suppliers and manufacturers and are forced to utilize systems that have only just entered the market. And it is clear that functionality is still prized above security in the development of new hardware and software components. In order to change this, we need a public discussion around the topic of IT security to generate political signals that will shift the demand toward more secure IT in jobs and products. This is important because our future will depend crucially on how smoothly the pursuit of a connected society with functional and secure IT progresses.