Leading German cyberwarfare specialist Sandro Gaycken says that data is stolen from ministries all the time, and the government can do little about it. Hacking and being hacked, he says, is part of everyday state life.
Germany was rocked this week by the news that federal computer networks had been infiltrated by a major cyberattack for up to a year. But how worried should the country be?
Sandro Gaycken is the Founding Director of the Digital Society Institute in Berlin and former member of the Chaos Compuer Club. He's a leading researcher and expert on cyber-warfare and has worked for the military. On Friday, he met with foreign journalists in the German capital to share his thoughts on the hacking of the German Foreign Ministry and the general state of governmental cybersecurity.
DW: Were you surprised at the fact that the German Foreign Ministry has been hacked?
Sandro Gaycken: In specialist circles it wasn't surprising at all. For us, the news that there was a hacker espionage attack on the Foreign Ministry is about as spectacular as someone having a hamburger for lunch. It happens every day. The statements from the ministry are a bit hypocritical. They know that they're the target of espionage every day. It's completely normal. What's less everyday is that it was uncovered.
What specifically were the hackers after?
There were rumors that it had something to do with Ukraine, but they were never confirmed. We don't know much more than that. It's meant to have been very surgical and precisely directed again individuals. So it must be someone who knows who to keep under surveillance. For example, a larger intelligence service that was interested in the information.
Is it certain that Russia is behind the hack?
The question of attribution is very important. We do a lot of analyses of this sort, and I'm always very critical. The attribution to groups like APT 28 usually comes from cybersecurity companies in the US. And the earlier they can start yelling, "It was the Russians or the North Koreans or the Chinese," the more money they make. It gets them on CNN, and they're better able to sell their products.
On the other hand, the evidence that is then presented is almost always quite shallow. For instance that the attack was launched from a Russian server. For us experts, those are actually signs that it wasn't the Russians. If I want to hack another country, I send my spy with a stolen computer to a hotel on a Pacific island. I'm not stupid enough to do it from home or from my government ministry.
Intelligence services have also gotten very good at imitating one another's styles. Copying Russian or Chinese programs is no problem at all.
Do intelligence services really engage in this sort of behavior every day?
Yes. Intelligence services have learned in recent years that hacking is worthwhile and that you can get a lot done with no risk and relatively low costs.
The German Interior Ministry says that everything is under control and the attack has been isolated. Is that true?
The idea of a protected network is nonsense, and they know that. The networks are relatively secure compared to those of a medium-sized company. A lot of money, expertise and energy have been put into them. But they still use the same computers you can buy in stores and not some sort of specialized military hardware. They're connected to regular Internet routers that are full of vulnerable points. And the IT security systems are constructed by medium-sized companies: That means they aren't perfect. They contain programming mistakes and can be attacked.
I carry out tests with really good hackers, and they have no problems gaining access. Intelligences services don't have any problems either. Nothing is under control. That's nonsense.
What are the chances of the German government being able to trace the source of this hack?
You can try. But it's complicated because you usually have to reverse-hack via a number of different stations. And you have attack servers in other countries that don't belong to you. Then you can theoretically find out the original station, send your special forces there and arrest the hackers. You can try that. But I don't know of a single case where it's worked.
Does the government have any sort of effective forensics to find out what data has been stolen?
Not really. The problem with stolen data is that it's not missing. It's been copied. You can only examine the situation and try to figure out where the hackers have been.
So is the answer to fully decouple government systems from the Internet?
Yes. The government needs to realize that there's no technology that will help. Other experts and I have been telling them this for years. But then big telecommunications and software companies come and tell them they have a solution to make everything secure and that they should buy it. There's no intrinsic motivation in politics to solve this problem. Many of the solutions proposed are very time-consuming and expensive and conflict with existing government programs aimed at increasing digitalization and expanding networks. So they're politically unpopular.
Does Germany need to fear Russian attempts at political manipulation of the sort alleged in the US?
Cyberoperations are never completely decoupled from political motivations. On the contrary, they're closely connected. In the case of the Russians, they have very different relations with Germany than they do with the US. That's why we haven't seen a hardcore escalation by the Russians and don't expect one. The sort of spying they do on Germany is completely everyday, and I assume the Americans do much the same. With the Americans, the Russians have elevated things into a kind of information cold war.
How well prepared are German government IT experts to counter such cyberoperations?
We're talking about the same people who fifteen years ago hacked for fun and now work for the government. It's not as though the military has succeeded in training a new generation. The community hasn't really grown in Germany. There are only 50 to 60 really good hackers in Germany who can operate without using any pre-developed tools. It's a very small, tight-knit community, and it's tough to recruit them to work for the state. There are some good people working for government offices and ministries but not as many as in the world's big powers, which have been developing cybersecurity for fifteen years or so.