Cyber attacks in Germany: cyber warfare continues…

Today most companies and governments are focused on the GDPR (General Data Protection Regulation), but cyber security is not only about data protection, it is also about protecting the key services of a country. That’s the role of the second EU directive, the NIS Directive (Directive on security of network and information systems), which is mostly outshone by the GDPR. German authorities have had a bitter taste of this type of attacks recently.

The attack is a "technically ambitious attack and had been prepared for a long time," said Germany's Minister of the Interior, Thomas de Maizière. This "serious event confirms what we already know: various players are for different reasons threatening the computer security" of the country, he added. It is too early to assess the damage done, even if German authorities claimed that the cyber attack was "under control" and "isolated". According to the German news agency DPA and the weekly Der Spiegel, the attack was organized by a group of Russian hackers called "Snake", "Turla" or "Uruburos". They seem to be linked to Russian intelligence and preferably attack ministries, but also embassies or military installations.

The latest attack on several ministries is worrying because the government's internal computer networks are supposed to be much better protected than those of parliament, where elected officials are often on the move and use their personal, mobile computers, which are less well protected than parliament's desktop computers. Hackers are suspected to have hacked into the systems of the German Ministries of Defense and Foreign Affairs for at least a year and obtained plenty of data. German intelligence services were warned of the attack on December 19 "by information from a friendly country," according to radio rbb and DPA.

It is not a premiere in Germany; for example, Angela Merkel's mobile phone was hacked in 2013; in 2015, Germany's parliament, the Bundestag, was attacked, and in 2016, several German political parties, including Merkel's CDU, were attacked.

While German authorities are adamant about personal data protection (including the GDPR), they seem to be ill prepared when it comes to protecting their critical infrastructures (the goal of the NIS Directive). This is clearly a weakness for Germany – mostly caused by lack of investment into the subject – especially when compared with the far better situation of Germany’s largest European partners, France and the UK. This might ultimately jeopardize Germany's digital transformation centered on concepts such as Industry 4.0.