Alarmed by the pervasiveness of cyber hacking, the German business community and the government have been spurred into action. But the threats evolve constantly and hackers are becoming increasingly malicious.
It happened sometime over the past eight weeks. A German engineering firm specialized in high-precision manufacturing was assembling a prototype for a new machine. Still reeling from an earlier outsourcing attempt gone sour - their prototype ordered to be built in Asia was copied - the company decided to build the next model on its very own premises in Germany.
The prototype included a CNC molding cutter, a computer-controlled high-precision tool, which the German firm did not build itself but bought from a well-known manufacturer based in Asia. Shortly after the molding cutter was assembled and connected to the prototype, the weary German engineers noticed what they considered to be strange behavior coming from their expensive new tool.
It turns out their computer-controlled molding cutter came spiked with sophisticated malware that automatically transferred sensitive data about the new prototype to Asian-based Internet Protocol Addresses.
What reads like a plot plucked straight out of a John Le Carre novel is just one of the more egregious cyber attacks that, according to interviews with half a dozen IT security experts, take place everyday in Germany.
"I was stunned by the malice and audacity of this attack," says Thomas Roth who runs Leveldown, an IT security consultancy, and who was called in by the German engineering firm to investigate the case.
Cyber attacks are common place
A study published last fall by Germany's Economics Ministry concludes that practically all small and medium-sized companies (99.7 percent) use IT applications to conduct their business and that almost all of them (93 percent) have experienced IT security problems. Every fifth company reported that security issues disrupted their business activities for one day or longer.
While it's difficult to assess the economic damage done by cyber attacks, last year's "Cost of Cyber Crime"- study by US IT firm Hewlett-Packard found that cyber attacks cost a German company on average 4.8 million euros ($6.2 million) per year. The companies surveyed in the study reported more than 1.1 successful cyber attacks per week.
With the attacks increasing every year in number and scope, Berlin and the EU now want to force companies that have been hacked to register cyber attacks. This week Germany's Interior Ministry released a first draft of a new law aimed at "raising the security of IT systems." The move shows just how wide-spread and critical the problem is - and how little we know about it.
"This is a very sensitive topic. Companies are very reluctant to talk about it," says Alexandra Horn, who heads an IT security project recently launched by the German association for small and medium-sized businesses (BVMW) which make up 99 percent of all German companies. Due to the existing hush-hush culture, concrete examples of cyber attacks are hard to come by and naming names is generally considered a taboo. That's why the recent revelations of cyber attacks against some major German companies made the headlines.
But it's not just businesses that are affected by increasingly sophisticated cyber attacks. Ivan Bütler, CEO of IT firm Compass Security, cites a case involving the government as his most dramatic IT security breach yet. According to Bütler, over a period of four years the computers of a group of federal employees were compromised by foreign hackers. Their data and the resources they had access to were copied and stolen.
The original attack against government computers was carried out through a computer game. "It was really just a game," explains Bütler, but it routinely updated itself via the Internet and this loophole was used by hackers to gain access to the computers.
While no one active on the Internet is immune to attacks, big companies at least can afford to set up their own in-house IT security teams to deal with the constantly evolving security landscape and try to protect against known threats.
Small companies and government at risk
That's far more difficult for smaller firms and the government.
"If you are a small or medium-sized business, you can't afford 10 people to focus on IT security. It's just too costly," says Joachim Posegga, chair of IT security at Passau University.
The same is true for the government, adds Posegga: "When you look at the salary structure in the German public administration, I doubt whether they can recruit the best experts. These people are highly sought after and rather well paid."
While the experts and German intelligence reports point to China and to a lesser degree Russia as the most aggressive cyber attackers, to single them out obfuscates the broader picture.
"Espionage has become a popular pastime," says Bütler. Not only are most countries themselves engaged in cyber espionage, ordinary citizens are too.
It has never been easier and required less knowledge to hack into someone else's computer to steal his data without the person finding out, explains Bütler. Via the Internet ordinary citizens nowadays deploy cyber attacking tools that earlier were only in the remit of national intelligence services, he adds.
"Today everyone has access to these technologies and can become a little James Bond."
Cyber hacking has become so easy, pervasive and lucrative that it appears impossible to root it out, concede the experts. Therefore, they say, the best option is to make it harder for cyber attacks to be successful and to mitigate the damage done by them.
Politically, a first step to combat cyber hacking, says Posegga, would be to let the public know how bad the problem really is and then try to agree on international rules that shun the practice.
Secondly, suggests an IT security consultant and Internet activist who goes by the name of Fukami, companies should be made legally liable for shoddily programmed software that makes it easy for intruders to manipulate it.
And third, adds Roth, companies would not necessarily have to invest more money, but more time to figure out what protection they really need instead of buying expensive one-size-fits-all products that won't provide protection in the face of a sophisticated attack.