Germany is fretting over whether the internet could be used by hostile forces to paralyze its critical infrastructure, and, according to the specialists who gathered at the Munich Cyber Security Conference on Thursday, there are all kinds of chinks in the armor.
"We're lacking a single authority for cybersecurity," said Oliver Rolofs, co-founder of the conference that acts as a prologue to the ensuing high-powered get-together, the Munich Security Conference (MSC), which begins Friday. "We need an agency to orchestrate all the responses to a potential risk."
That theme was picked up by Marina Kaljurand, chair of the Global Commission on the Stability of Cyberspace (GCSC), and a former Estonian foreign minister who knows a lot about cyberattacks from hostile nation states.
"I see that there is political attention to the topic, I see that there is much more awareness than 10 years ago," she told DW. "But I don't think politicians in any country are aware to the level that we can be satisfied."
Following the 2007 cyberattacks from Russia, the Estonian government became used to running "table-top exercises" to simulate a repeat: "All government ministers participated: the minister of culture, education, foreign affairs, everybody," Kaljurand said. "Because you can be minister of a specific field, but we all have to be IT ministers."
"Of course, at first ministers were not feeling comfortable, I wasn't feeling comfortable," she recalled. "It was something I didn't know much about, but after you go through the practical exercises, I would say they teach much more than the briefings and memos."
Complexity is dangerous
Over a decade later, Thursday's conference saw besuited government officials, tech CEOs, and cybersecurity professionals huddled in a narrow and luxurious conference hall on the sixth floor of a five-star hotel.
In this cramped but tastefully lit space, specialists described the weaknesses in our world: a digitized capitalist economy that favors a kaleidoscope of shiny extras, sellable features that increase the technological complexity of any given product. But as the truism goes, a complex system is a vulnerable system.
As one speaker, security technologist Bruce Schneier, author of the 2018 book "Click Here to Kill Everybody," pointed out, we're now living in a world where construction cranes and fridges can be hacked, and a stray click on a link could compromise an entire security system.
Germany had its brush with the potential nightmare of the Internet of Things just last week, when a debate flared up over allowing Chinese internet giant Huawei to help set up its 5G mobile network. Huawei's ties to the Chinese government, and the potential for built-in "backdoors" to Germany's critical infrastructure, have given many officials cold feet over the deal.
"We need more IT that is produced in Europe," said Andreas Könen, director general of cyber- and information security in the German Interior Ministry. "And we need it so in cybersecurity we get more insights into what safety is not designed straight into the equipment."
EU tech security hard to gauge
For many, the European Union appears to be lagging behind. As if to focus the minds of European delegates as they traveled to Munich, the MSC's report — issued a week ahead of the conference — included a graphic illustrating the aggressive increase in US spending on AI: From $13 billion in 2017 to $43 billion in 2018 (€11.5 billion - €38 billion), evidence of what the MSC called an "AI spring."
But Patryk Pawlak, coordinator of cyber-related projects at the European Union Institute for Security Studies (EUISS), doesn't think this is a good measure.
"The numbers game can be very misleading," he told DW. "The only reason why we think the EU is lagging behind is because the EU data is very difficult to aggregate between the member states." On top of this, the stats often don't show investments into creating what Pawlak called "the right environment": Human capabilities, preparing socio-economic conditions, and working through the ethical considerations.
Still, even if you do play the numbers game, Pawlak is optimistic: He pointed out that a European Commission memo released in December showed the EU was planning to invest some €20 billion per year into AI over the next decade. This is still only about half as much as the US spend, but it is nevertheless a massive boost.
"Can we do better? Of course, but I can't say the EU is lagging behind," Kaljurand agreed.
The European election threat
The biggest imminent target in the EU is obvious: The parliamentary elections in May, which present what Pawlak calls "a pretty low-hanging fruit" for anyone interested in interfering in either the politics of member states or the EU itself.
"The resources that potential aggressors have are much more than we can devote on the European side to protect our infrastructures and democratic systems," he told DW. Alarmingly, he also warned that voter apathy about the EU could actually be a source of weakness: The generally low turnout makes it easier to influence the outcome.
But the threat is real. "We've seen in the past that there's a very close link between disinformation campaigns and online campaigns against specific candidates, that are very much linked to cyberoperations, hacking, trying to get access to the servers of political parties or individual politicians," he said. The stolen information could then be used to compromise certain candidates.
Könen agreed. "There's still a lot to do," he said. "But we're definitely better prepared than we were four years ago. We have learned a lot from events in the US and France, and the EU has moved to protect the elections — not only the elections themselves, but how the results are generated."
"I think everyone's expecting one big thing to happen, something we can put a finger on," said Pawlak. "But what is really dangerous is the attacks we will see on staffers or politicians who are maybe not front-page politicians, but who could potentially provide access to the whole system by clicking links or opening attachments they shouldn't."
In other words, the insidious nature of cyberattacks means that most people won't even be aware of them — until, that is, the systems they have relied on without thinking suddenly stop.