How strong is German cybersecurity?
5 min read
The statistics show steadily rising numbers of cybercrimes being committed each year. The threat level has increased, not least because of the Russia-Ukraine war. But what exactly does this mean for users and companies? Is the legislator doing enough to protect the general public? We talk about this with Prof. Dr Dennis-Kenji Kipker.
Dear Prof. Kipker, you are an expert in IT security law, teach at numerous renowned universities, and work as a consultant in this field. How do you assess the state of cybersecurity in Germany?
In Germany, we have definitely recognized the acute and increased threat situation and set out on our path, but we are still a long way from reaching our goal. After all, the vulnerability of not only our critical IT infrastructure becomes clear on a regular basis – and that applies to both the public and private sectors. Attacked municipalities and federal institutions and infiltrated universities and colleges as well as many companies from the German SME sector that were confronted with cyberattacks, especially last year, clearly demonstrate the criticality of the current situation.
However, it is all the more frightening that the most fundamental knowledge and thus basic technologies are often lacking in order to implement effective cybersecurity. And in many cases, this is not a question of a lack of human or financial resources but rather of ignorance – the much-cited awareness of a multitude of cyberattacks that are raining down on us en masse and in a standardized manner every day. The government and legislators are making efforts to take action, but ultimately the state can only provide support and cannot fully secure all IT infrastructure in Germany unless companies, public authorities, and consumers also take action to protect their IT and important data.
Is the privacy of people in Germany really protected on the internet? How should regulations be designed to protect both our security and privacy on the internet?
The German level of protection for citizens’ privacy online is significantly higher than in many other countries – and that is, of course, primarily due to European law. We have had regulations in place for years, such as the GDPR, which have now even become a global model. Nevertheless, there are always gaps in protection.
This starts with the use of secure digital identities on the internet, continues with the simplest possible ways to use encrypted communication, and ends with seemingly insoluble problems such as transatlantic data traffic that is secure and complies with data protection requirements. And at this point, we see once again that laws can ultimately only provide abstract specifications. If these laws cannot be technically implemented in practice, even the highest level of data protection on paper is of little use.
Studies show that cybercriminal threats to users and businesses will continue to increase this year. Which threats are on the rise, and what do you think might explain the increase?
We’re currently seeing another bloom of ransomware incidents, but digital collateral damage as a result of the Russia-Ukraine war is also commonplace. Increasingly, however, attacks are also targeted precisely because there is something to be gained and, as an attacker, you can enrich yourself economically as a result of the attack. Moreover, the topic of the IT supply chain will certainly not leave us in peace this year.
In addition to the corporate issue of cybersecurity compliance, digital consumer protection will also play an important role in 2023. We are not just talking about abstract cyber dangers here but about very concrete threats such as phishing, identity theft, fake stores, and sextortion. For consumers in particular, it is therefore not just a matter of safeguarding the functionality of their IT but in particular of digital privacy protection. That’s why you should think carefully in advance about who you share which data with because sometimes the cyber threat can also lie in the immediate social environment.
What vision do you have for implementing effective cybersecurity for companies, critical infrastructures, and users that may become a reality in the next five years?
To speak of a “vision” would probably be too optimistic. First, I hope that in five years we will have succeeded in establishing basic protection for the vast majority of institutions, businesses, and infrastructures as well as for citizens that is suitable for countering at least the standardized attack vectors.
Vita
Dennis-Kenji Kipker is one of the leading minds in cybersecurity in Germany. He works as a professor of IT security law at the University of Applied Sciences Bremen at the interface of law and technology in the area of information security and data protection. He is also active as a legal advisor to the VDE, CERT@VDE and is a member of the board of the European Academy for Freedom of Information and Data Protection (EAID) in Berlin. He plays a key role in shaping future European and German cyber policy. As managing director of the consultancy Certavo in Bremen, he is also committed to the development and implementation of pragmatic solutions for the digital compliance of companies internationally.