Growth potential versus Internet threats? Germany's national cyber security strategy

Embargo: delivery. Check against delivery.

Ladies and gentlemen,

It is a pleasure to be here for the 2012 Symantec Government Symposium. 

I am pleased to be able to accept Germany's Cyber Award in the category "National/Federal: Civilian" in person, for two reasons: 

First, as a representative of the Federal Government, I would like to thank you for this award. We are delighted to have this confirmation from a major global IT security company like Symantec that we are on the right track in improving cyber security in Germany. This award will challenge us to keep up our efforts to protect cyberspace in the coming years; I will come back to this point in a moment. 

I am also pleased to be here, because just a few days ago we weren’t sure it would be possible. 

In Germany, we have been following the news of Sandy closely and were shocked by the images of devastation. 

I have the greatest respect for the American people and the U.S. government for dealing with this difficult situation in a remarkably calm and rational way.  

Right now, right here, we are seeing just how crucial prevention and information are for managing such situations and working with the public. 

For us, as participants in this symposium, the crisis scenario is especially significant in another way: 

It helps us understand the importance of preparing civil society for a silent, invisible threat which will hardly announce its approach the way Sandy did. 

I am referring to serious cyber attacks on civil society and our critical infrastructure. 

A cyber incident would not necessarily be restricted to one region or one country. To prepare and protect our societies in the best possible way we need secure channels of information. They must be used to share information on the signature of an attack quickly and confidentially with our trusted partners. 

The Internet: Growth potential versus threats 

In our thoroughly networked world, government, critical infrastructure, business, industry and private citizens all depend on cyberspace that works reliably. 

Cyberspace, that is, global networks of IT systems at data level, has been the driving force behind unprecedented economic growth over the past twenty years.

  • Global communication,
  • enormous growth in productivity,
  • radically new business models, and
  • cycles of innovation as short as 18 months for ICT products form the foundation for this success.

According to one study, half of all businesses in Germany today are dependent on the Internet. 

At the same time, we are standing on the threshold of new levels of networking: Cloud computing, smart grids, e-mobility and e-health are only a few of the new buzzwords. 

And the number of Internet users around the world will continue to grow: Today, more than 2 billion people are online. 

As networks expand in the BRICS nations, Central and South America, Africa and Asia, this number will soon reach three billion or more, leading to new markets, new opportunities for ideas, research and development, democracy and freedom of expression. 

But our dependence on IT makes our societies much more vulnerable. The potential for damage caused by IT failures or disruptions is especially great when it comes to critical infrastructure. 

We all face the challenge of taking the right measures to safeguard the integrity of cyberspace for all segments of society, and to keep the risks to an acceptable minimum.

In view of this dependence, how do we, how do you, ladies and gentlemen, deal with threats to the freedom and security of cyberspace? 

In the 21st century, this has become a question of life or death. 

The threat situation: Eight trends 

The entire IT security situation is critical!

Threats can affect anyone at any time, with unforeseen consequences. 

If all IT systems went down, an estimated twenty-five per cent of companies in Germany would fail unless the problem were fixed within one or two days. 

Government systems are also under attack: German government systems face five espionage attacks a day, and this number is only rising. 

New malware such as Stuxnet, Flame and Gauss, which penetrated several layers of IT security, were a wake-up call for many starting in 2010. DDoS (distributed denial of service) attacks on American banks in October showed that a new level of threat had been reached. 

And it is no secret that these and other widely discussed security incidents are merely the tip of the iceberg. Unofficial surveys and estimates count the economic damage in the billions.

  • Some victims are not even aware when a criminal offence has been committed, or intentionally fail to report it.
  • In addition to worrying about the confidentiality of sensitive data, companies fear their image will suffer. 

Looking at IT incidents, we can identify eight trends: 

  • While the number of cyber attacks remains high, attackers are increasingly focused and professional, displaying a new quality of attacks. 
  • We are seeing widespread abuse of cyberspace as a place to assert political, military and economic interests. 
  • A sophisticated criminal shadow economy has developed on the Internet. 
  • Attackers no longer need to be IT experts: They can simply shop for the services they need – and even buy the complete package to carry out attacks, including support, bulk discounts and guarantees. 
  • We know that cyber attacks are carried out by a variety of actors with very different motives. 
  • In most cases, it is impossible to identify the origin and background of individual attacks. 
  • Nor is it possible to distinguish precisely between privately motivated hacker attacks and targeted, state-sponsored attacks. In some cases, there is no clear distinction. 
  • But most attacks succeed only because basic security measures were lacking.

What conclusions can we draw from this?

Efficient cyber security can – and must – be ensured primarily through preventive measures.

Private operators of critical infrastructure also have a major responsibility. 

This raises the question whether the choice of IT security measures, the level of protection, or even whether security measures are taken at all, can be left to private companies, or whether the government must play a guiding role at least in those areas of infrastructure most critical to daily life. 

One thing is certain: Cyber security is a central, shared task of government, business and society. 

The response: The national IT security strategy 

Here, government has a dual role: 

  • On the one hand, as an outstanding actor it must safeguard cyber security for its own area and set a good example.
  • But what is even more important is its responsibility to set the framework for IT security, especially in those areas of critical infrastructure on which the security and prosperity of the entire country depends.

Germany's Federal Government adopted a national cyber security strategy in February 2011, making it one of the first countries to take a strategic position.

The cyber security strategy focuses on prevention, response and sustainability and includes the following points: 

1. Greater protection for critical infrastructures and government IT systems against cyber attacks.

Already in 2007 the Federal Government started building the necessary public-private partnership in which government agencies work closely with operators of critical infrastructure. We conducted our first cyber exercise in 2011, with more than 3,000 participants from various federal and state governments and critical infrastructure. 

2. Protection of IT systems in Germany, including greater public awareness. This includes the anti-botnet initiative we carried out in partnership with service providers. 

3. Creating a National Cyber Response Centre:

At this information clearing house, security officials with IT expertise work together to be able to respond rapidly and efficiently to IT incidents. The aim is to avoid or minimize damage by quickly analysing and assessing the situation and recommending appropriate protection. 

4. Creating a National Cyber Security Council at state secretary level, which I chair. This government body, which also includes industry representatives, discusses new issues of cyber security, their possible impacts on Germany and what position the Federal Government should take.

And another very important goal of our strategy is 

5. Working together effectively on behalf of cyber security in Europe and the world. 

The latest developments: The IT Security Act

So for more IT security, do we need more government action, or should we rely on individual responsibility and the power of the private sector to regulate itself? 

There may be different assessments and ways of looking at this issue. However, as the example of Hurricane Sandy has shown once again, in times of crisis, only the government is capable of maintaining public security, coordinating clean-up, and if necessary granting special rights to benefit society at the expense of individuals.

For example, it was the New York police presence at almost every intersection that maintained law and order when Manhattan was without power or lights.

And it is the government authorities who are coordinating the clean-up. 

In Germany, the majority of business and political leaders surveyed in September said they wanted more government action on cyber security. 

Fifty-seven per cent of these leaders think government should be responsible for ensuring that communications and data transmission networks function, while only twenty-three per cent think this should be the responsibility of private companies. 

What does this mean for critical infrastructure protection? To analyse the situation, the Federal Minister of the Interior held intensive talks on the level of IT protection with stakeholders in eight critical infrastructure sectors from April to September this year. 

On its own, this dialogue increased awareness of the need for IT security. But it also revealed that the various industries are in very different states of readiness. 

The talks led to the realization that more steps are needed to improve IT security in Germany: 

1. Because of the possible consequences of critical infrastructure failure or disruption, operators of critical infrastructure have a special responsibility to society and must be required to upgrade the protection of the IT they use and improve their communication with government. 

2. Providers of telecommunications and telemedia services have a key role in ensuring security in cyberspace and must be held more accountable for doing so; and 

3. The Federal Office for Information Security must be given more responsibilities and authority in its function as national IT security agency.

One way to achieve these aims is by enacting appropriate legislation. 

This is why we are planning an IT Security Act which aims to

• set minimum IT security standards for operators of critical infrastructure;

• require critical infrastructure operators to report significant IT security incidents;

• require providers to inform their customers about malware and offer the means to deal with problems;

• require websites to be protected against unauthorized access; and

• require industry to be accountable.

However, we must also expand government services:

The Federal Office for Information Security is to receive more resources to advise and assist critical infrastructure and the private sector overall.

Now we need to talk with all stakeholders in order to achieve the broadest possible consensus on the necessary legislation. 

Cooperation with industry partners 

However, beyond legal obligations, I believe the private sector should also take responsibility. 

IT products are more and more complex and therefore more vulnerable to misuse and manipulation. Especially in security-critical areas, reliable manufacturers are crucial. But makers of IT products themselves increasingly depend on suppliers of IT components and services. We cannot let this situation leave us dependent on only a few or, even worse, only one source country. 

So we must think of ways to maintain and further develop expertise in strategic core components, in order to have a say in creating international standards.  The only way to survive in our networked industrial society is by contributing to standards, investing in research and development and having trustworthy manufacturers. Basic research will also help us shape future generations of technology. 

In the process, we must identify future areas of technology, such as secure clouds, which create new consumer demand and lead to flourishing markets. So we must try harder to combine available public-sector resources with those of the private sector. 

International cyber security challenges 

Rapid technological progress has created global digital networks within a very short time. For this reason, difficult questions also arise at international level, especially in the area of international law: 

To what extent is a country responsible for preventing cyber attacks that originate on its territory? Should governments be allowed to operate outside their own networks to fend off serious attacks in case of imminent threat, also beyond their national borders? 

These and other questions concerning the international community are being addressed by various bodies. Germany is taking part in this discussion. 

In its cyber security strategy, the Federal Government has set the goal of achieving effective cyber security cooperation in Europe and around the world. 

At international level, we are working to create, as a first step, norms of state behaviour for security- and confidence-building measures in cyberspace based on current international law. 

To master the asymmetrical global cyber threats, we need to share sensitive cyber security information confidentially as the next step of international cooperation.

The aim is to draw up a valid cyber threat assessment with trusted partners to be able to take the appropriate strategic decisions.

Let’s call it a cyber weather forecast. 


The Federal Government realizes the importance of cyberspace as an area of freedom, security and justice, nationally and internationally.

With its cyber security strategy, the Federal Government has prepared the ground for organizational and legislative measures to safeguard the opportunities cyberspace offers and protect them from attack. 

IT security is the key to a successful future. It truly depends on each and every one of us. 

Success must always be measured against the current threats; this is the only way to remain prepared. 

With this in mind, I would like to thank you once again for the Cyber Award, and I wish you all much success, interesting forums and a lively exchange here at the 2012 Symantec Government Symposium. 

Thank you very much.