Following a hacker attack on the IT systems of the Anhalt-Bitterfeld district in July 2021, the district declared the first cyber disaster in Germany. The IT was completely paralyzed. The district was still expecting problems weeks after the attack. Among other things, it could no longer pay out social benefits and benefits in the area of advance maintenance payments (Deutschlandfunk Nova 2021).
So far, there is no precise overview of the extent to which public administration in Germany is affected by hacker attacks. However, according to research by Bayerischer Rundfunk and Zeit Online, there have been more than 100 cases in the past six years in which the IT systems of public authorities, local governments and other state agencies were encrypted by attackers. The investigation also showed that there is a particular fear of damage to critical infrastructure (Zierer/Tanriverdi 2021). Such incidents have had to be reported since 2015, and operators of certain facilities must allow regular inspections (Sempf 2019).
Critical infrastructures (CRITIS) are „organizations and facilities of critical importance to the governmental community, the failure or impairment of which would result in sustained supply shortages, significant disruptions to public safety, or other dramatic consequences.“ (translated from Bundesamt für Sicherheit in der Informationstechnik, Bundesamt für Bevölkerungsschutz und Katastrophenhilfe). This includes
These systems are sensitive to attacks mainly because many of them were developed a very long time ago – a time when IT security aspects played a lesser role. In modern industrial operations, however, many components are now connected to the Internet, which results in a higher vulnerability to cyberattacks (Sempf 2019).
In 2020, for example, there was a ransomware attack on the electricity and water supplier Technische Werke Ludwigshafen (TWL). Afterwards, the company’s customer data was available on the darknet. The attackers had demanded a ransom of millions – the utility had not complied with this demand. However, encryption of the systems or access to the process control technology was prevented (Tremmel 2020).
The situation was different five years earlier in Ukraine, where there was a cyberattack on the power grid. Malware brought 30 substations and switching stations to a standstill. The entire power supply no longer functioned. Almost 230,000 people were left in the dark, and hospitals had to resort to emergency generators. Such a scenario can have far-reaching consequences, causing supply bottlenecks and paralyzing entire countries (Handelsblatt 2018 and Sempf 2019).
Experts suspect state-sponsored Russian hackers behind the attack on Ukraine’s power grid. The European Union alone recorded around 450 attacks on critical infrastructure in 2019 (Benediek/Kettemann 2021, 1). Only recently, NATO also warned of increasing cyberattacks on critical infrastructure and democratic institutions. China in particular was criticized in this context.
Accordingly, what matters locally is also playing an increasingly important role transnationally: In a Bitkom survey in 2019, 67 percent of Internet users surveyed in Germany therefore said they would like to see increased investment in the security of critical infrastructure. Almost half of the respondents were also in favor of cyber alliances with other states (Statista Research Department 2020).
This raises the question of how the European Union is arming itself against such attacks. Since 2015, the European Union has been working on various initiatives to respond to cyber attacks (Benediek/Kettemann 2021, 2). In 2016, the European Union adopted the first cybersecurity measures with the Directive on the Security of Network and Information Systems. In the fall of 2017, at the Digital Summit in Tallinn, leaders called for the European Union to „become a global leader in cybersecurity by 2025 to ensure the trust, confidence, and protection of citizens, consumers, and businesses online and to enable a free, more secure, and law-enforced Internet“ (translated from Amtsblatt der Europäischen Union 2021).
Strategy for cybersecurity and resilience
Finally, in December 2020, the European Union presented a new strategy for cybersecurity and resilience. According to it, it is the increasing interconnectedness of consumers and businesses – spurred in particular by the Covid-19 pandemic – but also geopolitical tensions related to the global and open Internet that require action. The latter are reflected in particular in the growing number of nation states erecting digital borders – a threat to the EU’s fundamental values. Cyberspace is increasingly becoming a site of growing polarization at the international level, and hybrid threats such as disinformation campaigns and cyberattacks on infrastructures, economic processes, and democratic institutions are emerging.
Malicious attacks on critical infrastructure posed the greatest threat worldwide. The latter are driven by the concentration of essential services in the hands of a few private companies and the European Union’s dependence on them. The lack of „collective situational awareness for cyber threats“ in the association of states is particularly problematic. Only a fraction of incidents are reported by the member states and the exchange of information is neither systematic nor comprehensive (Europäische Kommission 2020a). Some of these points relate to the strategic goal of strengthening the digital sovereignty of the European Union. I have already written a blog post on this: Digital sovereignty in the EU – A brief overview.
The following aspects are listed in the Cybersecurity and Resilience Strategy:
Regulation establishing the European Centre of Excellence for Cybersecurity Industry, Technology and Research and the Network of National Coordination Centers
Building on the Cybersecurity and Resilience Strategy, the Regulation establishing the European Center of Excellence for Cybersecurity Industry, Technology and Research and the Network of National Coordination Centers was adopted on May 20, 2021. This is intended to help increase the security of critical infrastructure and the Internet. According to the regulation, the starting point is the European Union’s current overdependence on non-European cybersecurity providers. There is a wealth of expertise and experience in the association of states, but this is not sufficiently bundled and networked and is still fragmented. Civic tech projects are also of great interest to society. However, the European Union „still does not have sufficient technological and industrial capacities and capabilities to autonomously secure its economy and critical infrastructures and to become a leading global player in the field of cyber security“. (translated from Amtsblatt der Europäischen Union 2021).
To this end, the first step under the 2021 regulation will be to create a cybersecurity center of excellence based in Bucharest. This is to be „the most important instrument for bundling investments in research, technology and industrial development in the field of cybersecurity“. (translated from Amtsblatt der Europäischen Union 2021). The aim is to protect the economy and society from cyber attacks, to ensure excellence in the field of research, and to promote industry and make it competitive – all under the maxim of promoting the EU’s „open strategic autonomy.“ (translated from Europäische Kommission 2020b). In particular, it appears important that the new center and the network of associated national coordinating centers will provide research and industry with testing and experimental facilities that would otherwise be prohibitively expensive for individual member states. The network of national coordination centers will continue to help promote and disseminate cybersecurity education programs. By the end of 2021, it will be up to each member state of the European Union to nominate a facility that meets the criteria to become a so-called national coordination center in the network (Amtsblatt der Europäischen Union 2021).
The European Union has been making increasing efforts in the area of cybersecurity since 2020 and is pushing ahead with its December strategy with the first regulations. In the background of all this is the idea of digital sovereignty – that is, autonomy from other regions and companies from abroad. The first step seems to be the development of a dedicated research infrastructure. Furthermore, legal changes are being sought and various diplomatic efforts are being made. The goal is to maintain an open Internet that is secure and based on European values. Third countries, in particular, which pursue the opposite approach and rely on censorship policies and territorial isolation, are perceived as a potential source of danger. These are to be countered in particular by participation in international standardization bodies and closer cooperation with the United Nations. The question arises to what extent all these supranational strategic goals also have an impact at the local level and whether the European Union’s cybersecurity measures can provide a toolbox for hacker attacks on critical infrastructures in the future.
„Blackout – A Novel“ – by Marc Elsberg
On a cold February day, all the power grids in Europe collapse. A total blackout. Italian computer scientist Piero Manzano suspects a hacker attack and tries to warn the authorities – unsuccessfully. When Europol commissioner Bollard finally listens to him, dubious emails turn up in Manzano’s computer that cast suspicion on himself. He has become the target of an adversary who is as cunning as he is merciless. Meanwhile, all of Europe is in the dark, and the fight for survival begins … (translated from Elsberg)
Amtsblatt der Europäischen Union. 2021. „Verordnung (EU) 2021/887 Des Europäischen Parlaments und des Rates vom 20. Mai 2021 zur Einrichtung des Europäischen Kompetenzzentrums für Industrie, Technologie und Forschung im Bereich der Cybersicherheit und des Netzwerks nationaler Koordinierungszentren.“ < https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32021R0887&from=EN > (22.07.2021)
Benediek, Annegret; Kettemann, Matthias C. 2021. „EU-Strategie zur Cybersicherheit: Desiderat Cyberdiplomatie.“ SWP-Aktuell 12 < https://www.swp-berlin.org/publications/products/aktuell/2021A12_EUCyberdiplomatie.pdf > (22.07.2021)
Bundesamt für Sicherheit in der Informationstechnik, Bundesamt für Bevölkerungsschutz und Katastrophenhilfe. „Glossar – Kritische Infrastrukturen (KRITIS).“ < https://www.kritis.bund.de/SubSites/Kritis/DE/Servicefunktionen/Glossar/Functions/glossar.html?lv2=4968594 > (22.07.2021)
Chaosradio. 2020. „KRITIS – Kritische Infrastruktur.“ < https://chaosradio.de/cr263-kritis > (06.08.2021)
Deutschlandfunk. 2021. „Nato warnt vor zunehmenden Cyberattacken auf kritische Infrastruktur.“ < https://www.deutschlandfunk.de/hackerangriffe-nato-warnt-vor-zunehmenden-cyberattacken-auf.1939.de.html?drn:news_id=1282263 > (22.07.2021)
Deutschlandfunk Nova. 2021. „Erster deutscher Cyber-Katastrophenfall“ < https://www.deutschlandfunknova.de/nachrichten/hack-in-anhalt-bitterfeld-erster-deutscher-cyber-katastrophenfall > (11.07.2021)
Elsberg, Marc. „Blackout – Morgen ist es zu spät“ < https://marcelsberg.com/buecher?isbn=9783442380299 > (06.08.2021)
Europäische Kommission. 2020a. „Gemeinsame Mitteilung an das Europäische Parlament und den Rat – Die Cybersicherheitsstrategie der EU für die digitale Dekade.“ < https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:52020JC0018&from=EN > (22.07.2021)
Europäische Kommission. 2020b. „Kommission begrüßt politische Einigung über das Kompetenzzentrum und das Netz für Cybersicherheit.“ < https://ec.europa.eu/commission/presscorner/detail/de/IP_20_2384 > (22.07.2021)
Handelsblatt. 2018. „Im Fadenkreuz der Hacker.“ < https://www.handelsblatt.com/technik/it-internet/kritische-infrastruktur-schuetzen-im-fadenkreuz-der-hacker/20877220.html > (22.07.2021)
Sempf, Julia. 2019. „Kritische Infrastrukturen – der wohl verwundbarste Punkt eines Landes.“ < https://www.hornetsecurity.com/de/security-informationen/kritische-infrastrukturen/ > (22.07.2021)
Statista Research Department. 2020. „Umfrage zu Vorbereitungen auf künftige Cyberattacken in Deutschland 2019.“ < https://de.statista.com/statistik/daten/studie/1088587/umfrage/vorbereitungen-auf-zukuenftige-cyberattacken-in-deutschland/ > (22.07.2021)
Tremmel, Moritz. 2020. „Daten von Stadtwerken Ludwigshafen im Darknet veröffentlicht.“ < https://www.golem.de/news/nach-hack-daten-von-stadtwerken-ludwigshafen-im-darknet-veroeffentlicht-2005-148484.html > (22.07.2021)
Zierer, Maximilian; Tanriverdi, Hakan. 2021. „Zahlreiche Fälle von digitaler Erpressung in deutschen Behörden“ < https://www.br.de/nachrichten/deutschland-welt/hacker-angriffe-digitale-erpressung-in-deutschen-behoerden,SbduLPs > (11.07.2021)