Podcast INTO GERMANY!
Episode 11: Digital Dragons
- October 2023 -
The threat of cybercrime is at an all-time high. That’s due to a variety of factors including companies’ increasing digitization, vast amounts of work now being done in home office and the war in Ukraine.
Oct 01, 2023
That’s created huge demand in Europe’s largest market, Germany. We talk to an expert and a business executive about the current state of cybersecurity and what opportunities are opening up for international companies in Germany.
Our guests
Pierre-Alain Mouy
is the managing director of NVISO GmbH, part of the NVISO Security Group founded in Brussels in 2013, and is responsible for the customers in the DACH region (Germany, Austria and Switzerland). He has 20 years of experience in the field of cyber security and has been a penetration tester for more than 12 years. He started his career in Paris and worked at EY as a cyber security consultant. He moved to Frankfurt, Germany, in 2010 and, in October 2018, he started the DACH entity of NVISO as partner and managing director.
Thorsten Strufe
is professor of IT Security at Karlsruhe Institute of Technology (KIT/KASTEL), and adjunct professor for Privacy and Network Security at TU Dresden. He is a deputy speaker of the Excellence Centre for Tactile Internet with Human-in-the-Loop (CeTI), and a PI in the national IT security competence center KASTEL Security Research Labs. His research interests lie in the areas of privacy and network security, especially in the context of social networking services and novel mixed reality applications. Recently, he has focused on studying privacy implications of user behavior and possibilities to provide privacy-preserving and secure networked services. Previous posts include faculty positions at TU Dresden, TU Darmstadt, and Uni Mannheim, as well as postdoc/researcher positions at EURECOM (France) and TU Ilmenau.
Transcript of this episode
Presenter: Hello and welcome to Into Germany. The German business podcast brought to you by Germany Trade & Invest, GTAI, the German government’s international business promotion agency. On this episode we’re talking about a global crime wave. Can you guess which one?
Presenter: No? Well, that’s precisely the problem. Some background. Last summer, more than 600 organizations worldwide were compromised by a hydra-headed breach at US software company MOVEit. According to Microsoft, the United States and the Ukraine are by far the two most targeted countries for cybercriminals. The United Kingdom comes in at a distant third, followed by Germany, Belgium and Japan.
Still, Germany’s Federal Office of Information Security - the BSI - says the threat in cyberspace is at an all-time high. Cyberattacks have sharply increased in recent months. The incidents range from a ransomware attack on water works in July in the city of Stade to a distributed denial of service attack at German airport websites in February.
Those incidents led to only minor disruptions, but nearly half of all businesses surveyed by the digital industry group Bitkom say they now see cybercrime as an existential threat.
There was one incident, in Saxony-Anhalt, where a local government was blackmailed two years ago by a nebulous group called Double Spider. Authorities did declare a state of emergency, the first ever brought on by a cyber attack in Germany. The municipality was unable to pay bills, and deliver social security and other vital services.
Pierre-Alain Mouy has over two decades of experience as a cyber-security specialist. The Belgian entrepreneur says attacks on the internet are here to stay:
Pierre Mouy: There is never going to be an end really to this entire attack and defense activities. I think really that we will be able overall to minimize the impact of such attacks.
Presenter: Mouy’s company NVISO has expanded to Germany to take advantage of the need for digital protection in Europe’s largest economy. We’ll talk to him later in this podcast.
Presenter: But first let’s hear from Thorsten Strufe. He's a cybersecurity expert from the Karlsruhe Institute of Technology. He says hacking the internet at someone else's expense appeals to a growing cabal of thrill-seeking activists, criminals eyeing huge profits and state-backed actors. Hello, Thorsten, what’s the state of play at the moment?
Thorsten Strufe: So we have some people who are just looking for fun and who are then disclosing the vulnerabilities to the victims that they hit or to the software vendors that are in essence responsible for the vulnerabilities in the systems. And they don't do any harm. Right. And then there is also a large market, actually. So when you think about spam and all the extortions that we have seen where corporates have been encrypting the large data or exfiltrating large databases or files, entire hard drives, folders and so on and deleting backups, then this is not so much the sports side of things as it used to be, maybe 20, 25 years ago. But those are really a for-profit activity. So I mean, of course there are some state level adversaries or like some. We know that there are a couple of hacking groups that are working in foreign nations and in the national interest of certain nations. And in that case, it's not for profit. But most of the other things are really just for profit.
Presenter: Hacks are big business – and do tremendous financial damage. Bitkom says German companies now lose over two hundred billion euros annually due to cybercrime, a figure that has doubled in five years. Strufe believes that only government agencies can now effectively defend against large scale, targeted attacks. So Thorsten, why is this?
Thorsten Strufe: So the situation, I think, is that, of course there are a few very rare, very targeted attacks on companies and it's going to be very difficult or maybe next to impossible to defend the company against such kind of rare attacks. I mean, the government authorities would probably have very high level security and be comparatively secure against also such targeted attacks. But I think as a company it is comparatively difficult to defend against such attacks.
Presenter: Instead, you say that the biggest threat to most companies from cybercrimes comes from employees’ habits on their workplace computers. Can you expand on that?
Thorsten Strufe: What we see in reality is really that people have been trained to work with emails. People are working on Windows systems with Active Directory servers, and then they click on links because that's what they do in their day to day life or they open attachments and then they install them. And then from then on, then essentially the attackers have a foothold within the systems of the company and from then on the attackers can run their second very good touch you attacks, for instance, encrypting hard drives or exfiltrating data or whatever.
Presenter: As data theft, sabotage and espionage have increased, more and more software vulnerabilities have been discovered. In Germany, the situation is unique because of the large numbers of SMEs that are now digitizing. That trend has coincided with a dramatic increase in home office work and collaborative co-working and communication software, triggered by the Covid pandemic lockdowns. Thorsten, where does Germany stand in all this?
Thorsten Strufe: I think there is a large problem also in German companies, not only in Germany, it's all around the world. I mean, also when you look at the universities, we've seen that some of the universities have been hacked over the last 18 months, and it's always the same with the same thing. So usually there's like an employee clicking on a link and then canceling malware.
Presenter: Then there’s the war in Ukraine. An attack on a satellite system used by the Ukrainians has already halted the turbine blades at a wind park in the north of Germany. Federal authorities also say Russian aggression has increased the threat of DIRECT attacks on Germany’s critical infrastructure.
The Federal Office of Information Security - the BSI - has appealed to corporate and institutional Germany to review and test all cyber security protocols and upgrade if necessary. So Thorsten, how hard will it be for the government to convince the population of the extent of the threat?
Thorsten Strufe: The cyber security era. Security is a quite complex problem, let's say. Right. And if you look at the situation of climate change, for instance, we realize that we have a problem which is much easier to understand and politics is already not able to cope with it. And I have the feeling that for cyber security already security, the situation is much worse because it's not quite so obvious what the actual problems are, because, of course, there are also large financial interests involved. Microsoft is not going to tell you that running a Microsoft environment poses a large risk to you if one of your employees is clicking on the link at some stage. And of course, there's also a large market in what we call security snake oil with some companies who will happily sell some stuff which does not actually provide any security, but can be sold at large prices or at high prices. And that also, of course, lobby towards politics and are making a lot of PR towards companies. And so I think that my impression is that what politics see, sort of the view that politics has on this situation, this is heavily skewed. So it's not like they actually see what I would say happens objectively and what would objectively be the best for society or for industry. And hence I think it would be a little bit unfair that they're not doing the right thing or they're not doing enough.
Presenter: That sounds pretty gloomy. Can you offer us some positives?
Thorsten Strufe: However, I do believe that. I mean, there are many things that are done right? So, for instance, there's BSI in Germany, which gets some funding and which is trying to do the right thing, helping authorities and industries to make the systems more secure. So in that regard, this also so but again to I think which is even going in the direction of restructuring in the right direction. But I think it's a very from my perspective, it's a very difficult thing to pinpoint, and that is for industry or for the politics to pinpoint what would be the right way and then to actually choose this sensible strategy.
Presenter: Difficult but NOT impossible. Although it’s probably inevitable that some major corporations will have their systems breached, successful targeted attacks are still comparatively rare. Thorsten, what are your biggest concerns? What steps can companies take? And what sort of services are they looking for that create a market for international companies?
Thorsten Strufe: First of all, make somebody responsible for security within your company and make sure that they have enough resources that they can actually be responsible. So it doesn't help if you say, no, no, it's your fault that somebody could take. I mean, also with regards to privacy. So it would be good that somebody within the institution is responsible for that, but that they also have the resources to actually not only be the good, the bad guy, but also do something about this. So they will need resources, they will need some control to some extent over what happens in the company so that they can do their job, in essence. The second thing would be, I mean, this what these people then will do is make sure that systems are patched so that all the vulnerabilities that are known. So, of course, as soon as vulnerabilities are getting known, usually the vendors are trying to fix them and provide patches so that you can update your systems to remove as many of these vulnerabilities as possible. So you should always make sure that all of your systems are patched up to date and you have the latest software running in your systems. And the third thing would probably be that indeed, training your employees to at least not fall for very simple phishing attacks or very simple malware would be useful so that somebody, even if they're stressed out because, you know, the project has to be finished or the boss has been putting pressure that something has to be done and they receive an email with an attachment that they actually know the potential ramifications of what could happen if they click on a member who happened to install a member so that then they're at least aware. So like that, I think that would be something that should be done and that is comparatively easy to do there.
The simple fact that there are a lot of trainings around the companies that offer such kind of trainings so that then your employees at least are aware of the potential risks and the cybersecurity environment.
Presenter: Thanks, Thorsten! We’ll hear a bit later from an international company, Belgian cybersecurity company NVISO, doing business in precisely those areas in Germany. And Thorsten Strufe from the Karlsruhe Institute of Technology will return at the end of this podcast with a simple suggestion to improve your own cybersecurity measures that will benefit you at home and the office. But first, let’s look at some other top business news from Germany.
+++
Prestigious Park
The Innovation Park Artificial Intelligence in Heilbronn has announced a public-private partnership with the highly-touted fledgling company Aleph Alpha. The nine-figure project will create a 30-hectare AI research park with laboratories, a data center and a start-up center. The park will focus on digitalization of production, logistics and trade as well as public administration applications.
New Growth Fund
The German national government and the state economic development bank KfW have agreed upon a new 450 million euro instrument to finance innovative startups and SMEs. Called RegioInnoGrowth, it will spur growth in smaller companies with great creative potential in future technologies. Firms will be eligible for up to EUR five million in support, for example in the form of mezzanine capital or subordinated debt.
Airport Power
The airport servicing Germany’s second biggest city, Hamburg, is investing 70 million euros to construct a windpark that will begin generating electricity by 2027 or 2028. The plans foresee the construction of six wind turbines that will generate enough electricity to supply the airport’s more than one hundred buildings as well as its entire infrastructure. The aim is to become carbon-neutral within the next twelve years.
Top Ranking
The Swedish non-profit, venture capital investment Norrsken Foundation says that Germany leads in Europe for impact start-ups. An impact startup is a company founded to address a major societal problem. In Norrsken’s top one hundred, Germany has 15 impact start-ups – far more than anywhere else on the continent. Energy is a particular German strong suit as was food.
Going Digital
Frankfurt group Euro Kartensysteme calculates that debit cards, known as Girocards, were used for 3.65 billion purchases in Germany in the first half of 2023. That represented a 15 percent increase over the same period in 2022. The popularity of payments using smart phones and smart watches is also growing in Germany.
+++
Presenter: So Germany is continuing its trip down the digital pathway. That’s generally good news, but it also brings with it challenges like cyber-security. Last year Germany’s interior minister announced a major initiative designed to sharply boost investment in that area. And the EU Commission proposed the Cyber Resilience Act to help protect consumers and businesses against products with inadequate security.
All this spells opportunities for foreign companies providing software and services to help keep German companies compliant with increasing cybersecurity regulations. The global market for cybersecurity products and consulting could reach 162 billion dollars this year, and grow by nearly 50 percent in four years. The current market in Germany is worth about six-and-a-half billion dollars.
The Belgian cyber security consultancy NVISO is one international company competing for a share of this business. Pierre-Alain Mouy is its managing director. Hello, Pierre, how have you and your company been doing in Germany?
Pierre Mouy: So in the last three years, it's a really growing market. To give an example was when we established in October 2018, we started with five employees really integrated with Belgium's and two days are expected by the end of the year we are going to be around 80 people within the German Austrian team. So this is a really fundamental growth.
Presenter: One of NVISO's specialties is simulating real-world cyber attackers’ tactics and techniques to test a client’s ability to take a hit to its digital infrastructure. The procedure is known as adversary simulation, or red-teaming and involves providing a CISO – a Chief Information Security Officer. Tell us more.
Pierre Mouy: We are structuring the services in three main pillars. So we have a prevent, detect and response which generally really follow the entire lifecycle of cybersecurity. And prevent means that this is CISO as a security services, who is a chief information security officer as a service means that generally companies with not necessarily have a chief information security officer and they come to a point that they need to address the cybersecurity topics and we support them in setting up their priorities and setting up the organization related to cybersecurity to be able to return to a better maturity. We also perform penetration testing and start assessments. It's really testing programs and infrastructures, seeing our resiliency or to attacks.
Presenter: And what else?
Pierre Mouy: And as well, we're performing what we call red-teaming and red-teaming is really simulating realistic attacks against organizations. So we've been really active in the field of red-teaming in Germany, especially with the type of program which is from the Deutsche Bundesbank, which is globally a program from the ECB, the European Central Bank, that promotes the times of exercises for financial institutions. And we have really to emulate to reduce our research about potential attacks for these specific establishments and run these attacks, the resilient they are. And if there is any flaws or any abilities that it can to remediate them before the bad guys do.
Presenter: The prevalence of small-and-medium-sized enterprises is a unique feature of the German business sector. Experts say that SMEs particularly need help meeting cyber threats. Would you agree?
Pierre Mouy: I would say that historically, the companies we are working with are banks and insurances, and they are also the main target as well for attacks. And this is why they have realized relatively early that they needed to invest in cybersecurity. So we can safely say that today at a good level of maturity compared to other companies. They also are the ones who are the most regulated, which means that organizations such as the Deutsche Bundesbank also ensures that a minimum level of controls are in place in banks and insurances through frameworks code such as the BATF. But it is also important to say that there is the other side of the coin. Germany is really mainly driven by SMEs, which represent more than 99% of the companies. It's a bit less than 60% of total employment. And we see that these companies have a lesser awareness when it comes to cybersecurity and also have less budget. So unfortunately, they are also one of the targets for attacks, such as ransomware, which has been seen in their lives lately.
Presenter: Thanks, Pierre, for sharing your story with us. All the best for NVISO. Now, as promised, let’s hear again from Thorsten Strufe from the Karlsruhe Institute of Technology. He says a low-cost way to boost your cyber defenses is to use a password manager, a tool that can generate safe passwords and store them for you.
Thorsten Strufe: So many people have passwords and since they have to keep so many different passwords in my virtual suite, passwords that are easy to guess, or they use the same password, even if it's difficult on many different services so that once one of the password databases makes this password is jeopardized and compromised and then hence, for instance, password managers make a lot of sense because they just automatically generate strong passwords. They keep the passwords for you and they avoid. That's your that you're using. I don't know, one, two, three, four, five, six, seven or something of the password, which of course is terrible. So there are some software that of course, makes sense to use a lot of those actually also much more expensive than there's other software where I personally have not super confidence that it actually improves the situation.
Presenter: Thanks, Thorsten. Well, it turns out that password is just about the last word in this edition of Into Germany! But before you head off to download your own password manager, here’s some brief insight into HOW GERMANY WORKS.
+++
Presenter: As we’ve heard there’s considerable public money available for cyber-security in Germany. But who decides where it gets spent? Responsibility for security in general in Germany resides with the country’s Interior Ministry. The ministry in turn delegates issues of cybersecurity down to the BSI, the Federal Office of Information Security. Headquartered in Bonn, the BSI was formed in 1991 and currently employs over 1500 people. Among its many functions, it’s responsible for recognizing and defending against attacks on the government and testing and certifying IT products and services. And that’s HOW GERMANY WORKS.
+++
Presenter: That's it for this episode. We’d like to thank our guests for their insight and you for listening. We hope you found some useful information on how to keep the digital dragons at bay – and perhaps even expand your business! If so, Germany Trade & Invest can help you set up shop in Germany - at no charge because we’re a government agency.
Get in touch at gtai.com.
We’re also keen on your opinions, suggestions and questions. Please leave a comment in your favorite podcast app or drop us a line. You’ll find all the details in our show notes.
So, till next month, stay safe, Auf Wiederhören and remember: Germany means business.
This transcript was created with speech recognition software for accessibility purposes and then obvious mistakes have been corrected. Though, it does not meet our requirements for a fully edited interview. Thank you for your understanding.