What ‘G0d’ taught us about Germany’s cybersecurity

An advent calendar of cyberattacks revealing the confidential data of thousands of German public figures revealed just how far behind the country is when it comes to its cyberdefences 

The cyberattacks began in Germany last December. At first nobody paid much attention. But then the attacks started to become more frequent and more ambitious. Over the following few weeks, personal data relating to thousands of Germany’s most influential people was published on social media by a hacker called ‘G0d’. Links to confidential information, photographs and credit-card details were released daily in an advent calendar of attacks during the festive season. Panic ensued. Was this the work of a rogue nation state? Who would be next? But most troubling of all was how the security services seemed powerless to stop it.

Businesses are very hierarchical and steeped in tradition… many have until recently been sceptical towards digital innovation

When the authorities finally made an arrest in early-January, fear gave way to embarrassment and later to anger. The attack, it turned out, hadn’t been sponsored by a rogue state. Instead, the perpetrator was a 20 year old, who had been working alone and seemingly from a very low skills-base. A determined amateur, he’d found his way into people’s private lives by simply guessing passwords.

Why is Germany so behind when it comes to cybersecurity?

This attack, and another one, in which servers belonging to the German federal parliament were broken into four years ago, underlines just how far Germany is behind its European neighbours in cybersecurity. But it is not just politicians who have been affected. A recent report by German digital industry association Bitkom says cyberattacks have affected 47 per cent of Germany’s manufacturing companies. And a study by insurance company Hiscox reveals the highest cost for a single incident amounted to a whopping €5 million.

But why is Europe’s richest nation so cyber-unaware? Matthias Schulze, at the German Institute for International and Security Affairs, explains: “When it comes to the manufacturing sector, Germany is very different to the United States or UK. Its businesses are very hierarchical and steeped in tradition. This means many of them have until recently been sceptical towards digital innovation.

“It’s also very difficult to integrate cybersecurity awareness and training in this rigid structure, and therefore the German manufacturing sector, which includes many small and medium-sized businesses (SMEs), is exceptionally vulnerable to attack by opportunist cybercriminals.”

Britain quick to recognise the cyber threat and act on it

Curiously, UK SMEs – according to the Federation of Small Businesses there are 5.6 million operating at present – seem to be less vulnerable to cyberattacks than similar-sized companies in Germany. So why is this? Is it due to better preparedness?

Alan Woodward, a leading academic at the Surrey Centre for Cyber Security and an adviser to Europol, thinks so. He puts it down to the UK “creating a joined-up and agile network of organisations” which he says “form a powerful barrier helping the UK to fight cybercrime on many different levels”.

“It’s important to understand that cybercrime can manifest itself in many different ways,” says Professor Woodward. “It can be state sponsored, perpetrated by sophisticated cybercriminals, or in less serious cases, it can be carried out by so-called ‘hacktivists’. Britain was quick to realise the nuanced nature of the global cyberthreat and, unlike Germany, it created the National Cyber Security Centre (NCSC).

“The NCSC, while part of GCHQ [Government Communications Headquarters], was established to stymie the threat to British industry through initiatives like the Cyber Security Information Sharing Partnership, which any business, big or small, can access to protect themselves from cybercrime. This light-touch approach, which seeks to educate, to influence businesses, rather than strong-arming them into complying, has been remarkably effective.”

Partially blurred tweets by Twitter account @_0rbit, which calls itself G0d, that released an ‘advent calendar’ of daily links to personal data and documents of German politicians and public figures in December 2018

Germany introducing new cyber legislation, but it may not be enough

But with cyberattacks carried out by rogue states on the rise, it’s clear that Germany, which is ranked below the United States, UK and Australia in The Economist Cyber Power Index, is playing catch-up. Its politicians believe that legislation is the answer and they are due to bring in new cybersecurity regulation during the first quarter.

Dr Schulze thinks legislation, while not an absolute panacea, can help Germany combat larger threats from rogue states.

But Professor Woodward disagrees. “The theory that passing more stringent legislation somehow makes a country safer, does not add up in my view. Why? Because cybercriminals, whether they’re state sponsored or working for themselves, don’t have any respect for the rule of law.

“Secondly, regulation, no matter how robust, is not fluid enough to keep pace with the digital world. Take password security for example. Five years ago people were advised to change a login password regularly. Now, however, the latest research recommends the exact opposite as the more a person changes a password, the weaker it becomes. Now imagine if password protection had been somehow enshrined in law. It would be difficult to amend and easy for hackers to exploit.

“A much better approach would be to promote more information-sharing with other EU states through institutions such as the European Cybercrime Centre and actively champion cyber-awareness best practice.”

Threat to IoT devices may be smaller in Germany than elsewhere

However, with more household devices such as toasters and televisions utilising the internet of things (IoT), both Dr Schulze and Professor Woodward believe protecting homes from cyberattacks is a challenge that few countries are suitably prepared for. So how would such an attack manifest itself and what is the worst-case scenario?

Dr Schulze says: “The big worry for Germany and most other states is that a rogue actor tries to take down a country’s national grid by hacking into its smart meters and other strategic locations.”

Professor Woodward thinks the IoT opens up a myriad of opportunities for hackers to exploit. “It doesn’t have to be the grid that they try to compromise. Attacks seeking to penetrate the IoT will be much more subtle than that. In theory, if a nation state intent on cyberwarfare were to find a weakness in a smart TV, it could hack into it and create a YouTube video which would then instruct Alexa to order goods on Amazon.

“If the hackers could infiltrate enough households that have both devices, a hit like this could severely disrupt a nation’s supply chain. And given that most countries rely on international supply chains, this could be damaging for a number of states.”

But while America and the UK have embraced these smart devices, take-up in Germany has been slow, says Dr Schulze. This may be one cyberthreat that Germans don’t have to worry about, at least for now anyway.