Berlin / Düsseldorf. For the USA it was the worst conceivable cyber incident: via an update from the Texan software supplier SolarWinds, highly professional hackers were able to penetrate the computer systems of around 18,000 companies and authorities, including sensitive government agencies such as the nuclear weapons authority and the Justice Department. A number of IT providers whose software is widely used, for example Microsoft and FireEye, were also among the targets. The US government blames a group from the Russian intelligence service.
In Germany, the attackers appear to have caused less damage. The Federal Ministry of the Interior and the Federal Office for Information Security (BSI) assume that no data leaked from the three federal authorities concerned. Apparently they were lucky and were not interesting enough for the attackers, said Interior Secretary Günter Krings in the Bundestag's interior committee. The affected software had come into use via Telekom and Siemens.
Nobody is giving the all-clear, quite the contrary: the SolarWinds case showed those responsible for IT in government and industry how vulnerable even elaborately secured networks can be if attackers go after the weakest link in the chain of hardware and software suppliers. “In view of the potential of this attack route, it cannot be assumed at present that SolarWinds will have been the last case of supply chain attacks,” BSI President Arne Schönbohm warns in the Handelsblatt.
Manuel Atug, cybersecurity expert at the consulting firm HiSolutions, even assumes that there are already “other such attacks that have not yet become known”. There are indications that the hackers, presumably Russian, also gained access to IT networks in other ways. The US agency CISA, which coordinates countermeasures in the USA, told the “Wall Street Journal” that the operation should no longer be viewed as a pure SolarWinds case.
Politicians and experts are now looking for ways to limit the risk. The topic is on the agenda at the BSI’s IT security congress on Tuesday and Wednesday with Chancellor Angela Merkel. But no one has simple answers.
The problem: users, whether companies, government agencies or private individuals, are hardly prepared for this type of infiltration. The attackers exploited “a very human quality, namely trust,” says Schönbohm. Customers assumed that software and updates obtained from trusted suppliers were clean. But if the manufacturers themselves have been successfully attacked beforehand, users unintentionally open a back door for the attackers.
In addition, many established security mechanisms are ineffective against this type of attack. Manufacturers usually protect their software with a digital signature; to forge it, attackers would need access to the signing key.
The SolarWinds hackers bypassed this hurdle by intervening in the development and build process and implanting the malicious code in the software before it was signed, so that the manufacturer's own valid signature covered the manipulated version. According to experts, such signatures are therefore no longer too high a hurdle for savvy cybercriminals. So what should be done?
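The following is an added example, not code from the article or from any of the companies it names, to make the point in the two paragraphs above concrete: a code signature only proves that the artifact is exactly what the vendor's build produced, so tampering after signing is caught, while something inserted into the vendor's source tree before the build is signed along with everything else. A keyed HMAC stands in for the vendor's asymmetric code signature (an assumption made to keep the example in the standard library), and the source tree, file names and "monitoring agent" are constructed. The last function shows the defender-side check that does catch the pre-signing case: rebuilding from independently audited source and comparing digests, the idea behind reproducible builds.

```python
import hashlib
import hmac
import secrets

# Constructed, simplified model of a software supply chain: a deterministic
# "build" that turns source files into a release artifact, and a vendor
# signature over that artifact. The HMAC stands in for a real code signature;
# the property that matters is the same: the signature covers exactly the
# bytes the build emitted, and says nothing about how those bytes came to be.

SIGNING_KEY = secrets.token_bytes(32)  # vendor's private signing key (constructed)

CLEAN_SOURCE = {  # constructed sample source tree of a hypothetical monitoring agent
    "agent/main.py": "def main():\n    collect_metrics()\n    report()\n",
    "agent/net.py": "def report():\n    send('https://vendor.example/api')\n",
}


def build(source: dict) -> bytes:
    """Deterministic build: concatenate files in sorted path order."""
    return b"".join(
        f"== {path} ==\n{body}".encode() for path, body in sorted(source.items())
    )


def sign(artifact: bytes, key: bytes = SIGNING_KEY) -> bytes:
    """Vendor signs the artifact its build produced (HMAC as signature stand-in)."""
    return hmac.new(key, artifact, hashlib.sha256).digest()


def verify(artifact: bytes, signature: bytes, key: bytes = SIGNING_KEY) -> bool:
    """Customer-side signature check, as an update installer would perform it."""
    return hmac.compare_digest(sign(artifact, key), signature)


def artifact_digest(artifact: bytes) -> str:
    return hashlib.sha256(artifact).hexdigest()


def tamper_after_signing(artifact: bytes) -> bytes:
    """Classic tampering: the shipped file is modified. The signature no longer matches."""
    return artifact + b"# appended after release\n"


def implant_before_build(source: dict) -> dict:
    """The supply-chain case the article describes: the change goes into the
    source the vendor builds and signs, so the resulting signature is genuine."""
    poisoned = dict(source)
    poisoned["agent/net.py"] += "# (constructed) extra behaviour inserted into the vendor's tree\n"
    return poisoned


def independent_rebuild_matches(shipped: bytes, audited_source: dict) -> bool:
    """Defender-side check: rebuild from independently audited source and compare
    digests. A mismatch means the shipped artifact contains something the
    audited source does not, whether or not the signature verifies."""
    return artifact_digest(shipped) == artifact_digest(build(audited_source))


def run_scenarios() -> dict:
    """Return the outcome of each scenario so the reader can compare them."""
    clean = build(CLEAN_SOURCE)
    sig_clean = sign(clean)
    tampered = tamper_after_signing(clean)
    implanted = build(implant_before_build(CLEAN_SOURCE))
    sig_implanted = sign(implanted)  # the vendor signs whatever its build produced
    return {
        "clean_verifies": verify(clean, sig_clean),
        "post_signing_tamper_verifies": verify(tampered, sig_clean),
        "pre_signing_implant_verifies": verify(implanted, sig_implanted),
        "clean_matches_rebuild": independent_rebuild_matches(clean, CLEAN_SOURCE),
        "implant_matches_rebuild": independent_rebuild_matches(implanted, CLEAN_SOURCE),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Running it shows the asymmetry the article describes: the post-signing tamper fails verification, the pre-build implant passes it, and only the independent rebuild comparison flags the implanted artifact. In practice that comparison presupposes a reproducible build and an audited copy of the source, which is exactly the kind of requirement the later sections discuss placing on suppliers.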
Higher security standards in critical areas
However professional the state hackers may have been in the SolarWinds case, there are indications that the company had glaring weaknesses in its protection against cyberattacks. The SPD digital politician Jens Zimmermann therefore calls for the requirements placed on suppliers to be raised, at least in critical areas of application: “When logistics companies supply an airport, they have to meet the same high security standards as the airport itself,” he says. This principle should also apply to software manufacturers.
Zimmermann sees the Social Democrats' push for strict test procedures for suppliers of critical components in the construction of the new cellular networks as vindicated: “We are now in exactly the same scenario that we warned about in the context of 5G and Huawei.”
The federal government had long struggled over how to deal with Chinese network equipment suppliers. In the draft of the new IT Security Act it has now included a clause that gives suppliers more responsibility: anyone supplying network operators with critical components must have them checked by the BSI and guarantee the trustworthiness of their own products and suppliers in a formal declaration. This mechanism initially applies only to the telecommunications sector, but could later be extended to other important infrastructures such as electricity and water supply.
But even this approach has its limits: “Even experts can only find something if they know what they are looking for,” says Manuel Höferlin (FDP), chairman of the Bundestag's digital committee. If the security authorities have no evidence of new malware, they are unlikely to find anything.
Security expert Atug also warns that the new clause would be of little help in cases such as SolarWinds: there, the target was standard IT monitoring software that was not classified as critical. It was similar with the attacks in Ukraine in 2017, when an update to a widely used accounting program carried the NotPetya ransomware.
In any case, the planned legal requirements apply only to a very limited group. Other companies can require their suppliers to be certified. The ISO 27001 standard, which sets requirements for information security management, is widespread. On this basis, the German Association of the Automotive Industry (VDA) has developed its own standard, TISAX, which suppliers must comply with.
“Certification can improve IT security at the organizational level,” says Dror-John Röcher, board member at DCSO (German Cyber Security Organization), which Allianz, BASF, Bayer and Volkswagen founded. “But a company is far from safe just because it adheres to a standard,” warns Röcher. Rules alone cannot guarantee that.
Companies can also exert influence by setting IT security requirements in their tenders, for example regular reviews of the program code (so-called audits) and an obligation to provide regular updates. Siemens has formulated such minimum requirements, aimed primarily at suppliers of security-critical components such as software and processors.
However, this is not yet common practice. DCSO manager Röcher observes that tenders obliging suppliers to meet certain IT security standards have so far been rare. “These requirements cost money,” he emphasizes. “If they are not included in the tenders, they will not be fulfilled.”
Difficult discussion about product liability
The security of software is not necessarily a priority for IT providers, at least from a commercial point of view. Customers' awareness of the problem and willingness to pay are often low, and there are few legal obligations. “As the BSI, we would of course like manufacturers to do more for the IT security of their products than they currently have to,” says Schönbohm.
In politics, introducing product liability for manufacturers has long been discussed. “If IT companies encourage attacks through gross negligence, they should be liable for any damage incurred,” says FDP politician Höferlin. After all, a user cannot help it if a software manufacturer delivers security patches late.
However, product liability for software comes with a number of imponderables. The question arises, for instance, where the threshold lies: sometimes a missing semicolon is enough to open a security hole. HiSolutions manager Atug also warns that product liability is incompatible with the widely used open source software, for which no one can assume liability.
IT security experts agree that, despite all certificates and obligations, there can be no 100 percent security. The paradigm of resilience is therefore gaining ground in the field. “Every organization has to assume that it will be hacked at some point and prepare for it,” says Sven Herpig from the New Responsibility Foundation. What matters is a sound risk assessment. There are a number of measures for this:
- A system for monitoring IT operations can, like an alarm system, report access from outside as well as unusual processes within the network.
- A strategy for backing up and restoring data takes effect if, for example, extortionists paralyze the network and demand a ransom.
- Dividing the network into small segments makes it harder for criminals and spies to spread.
- Cyber insurance covers certain risks. “They are relevant if they induce the insured company to improve the status quo of their IT security,” says Herpig.
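The first and third measures in the list are easier to picture with a small working rule set, so here is an added example that is not from the article or from any organization it names. It evaluates three kinds of constructed events (logons, process starts, network connections) against a documented baseline: logons from outside the internal address ranges, processes not expected on that class of host, and connections that cross network segments without a permitted flow all raise an alert. The address ranges, segment names, host names and process baseline are all assumptions made for the example; a real deployment would derive them from its own asset inventory.

```python
import ipaddress
from dataclasses import dataclass

# Constructed baseline. Internal ranges, segments and allowed segment-to-segment
# flows would normally come from the organization's network documentation.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

SEGMENTS = {  # assumed segmentation of the internal network
    "office": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "ot": ipaddress.ip_network("10.30.0.0/16"),
}
ALLOWED_FLOWS = {("office", "servers"), ("servers", "servers"), ("ot", "ot")}

PROCESS_BASELINE = {  # processes expected on each host class (assumed)
    "workstation": {"outlook.exe", "chrome.exe", "teams.exe", "explorer.exe"},
    "server": {"sqlservr.exe", "w3wp.exe", "monitoring-agent.exe"},
}


@dataclass
class Event:
    kind: str          # "logon" | "process" | "connection"
    host: str
    host_class: str    # key into PROCESS_BASELINE
    src: str = ""      # source address for logon / connection
    dst: str = ""      # destination address for connection
    process: str = ""  # process name for process events


def segment_of(ip: str):
    """Name of the segment containing ip, or None if it is in no known segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(event: Event) -> list:
    """Apply the three rules to one event and return the alerts it triggers."""
    alerts = []
    if event.kind == "logon" and not is_internal(event.src):
        alerts.append(f"{event.host}: logon from external address {event.src}")
    elif event.kind == "process":
        expected = PROCESS_BASELINE.get(event.host_class, set())
        if event.process not in expected:
            alerts.append(
                f"{event.host}: process '{event.process}' not in baseline for {event.host_class}"
            )
    elif event.kind == "connection":
        src_seg, dst_seg = segment_of(event.src), segment_of(event.dst)
        crosses = src_seg and dst_seg and src_seg != dst_seg
        if crosses and (src_seg, dst_seg) not in ALLOWED_FLOWS:
            alerts.append(
                f"{event.host}: {src_seg}->{dst_seg} flow {event.src}->{event.dst} not permitted"
            )
    return alerts


SAMPLE_EVENTS = [  # constructed sample telemetry
    Event("logon", "ws-017", "workstation", src="10.10.4.21"),
    Event("logon", "srv-db1", "server", src="203.0.113.45"),
    Event("process", "ws-017", "workstation", process="chrome.exe"),
    Event("process", "srv-web1", "server", process="powershell.exe"),
    Event("connection", "ws-017", "workstation", src="10.10.4.21", dst="10.20.1.5"),
    Event("connection", "ws-017", "workstation", src="10.10.4.21", dst="10.30.2.9"),
]


def run(events=SAMPLE_EVENTS) -> list:
    """Evaluate every event and collect the alerts."""
    alerts = []
    for e in events:
        alerts.extend(evaluate(e))
    return alerts


if __name__ == "__main__":
    for line in run():
        print(line)
```

On the sample telemetry three of the six events raise an alert: the logon from a documentation-range external address, a process that is not in the server baseline, and an office-to-OT connection for which no flow is permitted. The value of such rules depends entirely on how well the baseline reflects reality, which is why the article's point that every organization needs its own risk assessment comes first.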
However, the picture in the German economy is mixed at best. Companies are investing more in cyber defense, around eleven percent on average, as Accenture found in summer 2020. But the consulting firm rates only seven percent of companies as resilient; investments “usually focus only on essential fundamentals”.
The crux of the matter: investments in IT security rarely pay off directly, which leaves management with a problem. “Resilience costs money and effort,” Röcher emphasizes, “the company has to have the will.”