The cyberattack on Germany's government network tells us nothing new about espionage but a lot about risk in the digital age. And that calls for some rethinking, says DW’s Matthias von Hein.
What is still safe in the digital age? What can even be kept safe? Those questions are a cause for public concern after it was revealed that hackers had successfully breached Germany's well-protected government network — copying, stealing and spying for more than a year. The only thing that is clear at this point is that the digital cat-and-mouse game is heading into the next round.
Once again, the prime suspect in the attack is a hacker group with links to Russia’s GRU intelligence agency. Thus far, however, German authorities have found no solid evidence leading to the perpetrators. But the fact that hackers exhibited no interest in economic gain after infiltrating a government network would seem to point away from ordinary cybercriminals.
This was clearly a case of espionage. And that – as long as one is not dealing with corporate espionage – is something conducted at the behest of the state. And it is most certainly the case when such attacks are carried out with a great deal of sophistication and staffing resources over a long period of time.
Governments are the natural target of espionage
But is such activity a declaration of digital war? Espionage has always existed. Ministries, especially those such as defense, are the logical target of foreign intelligence services. And since the 2013 revelations that the US National Security Agency (NSA) had tapped German Chancellor Angela Merkel's cellphone, we also know: friends do indeed spy on friends.
As if to evidence that fact, the German Intelligence Agency (BND) also undertook such activities, spying on allies from its Bad Aibling listening station at the request of the NSA.
But espionage has gotten much easier in the digital age. The most recent report compiled by the German Federal Office for Information Security (BSI) lists some three dozen globally-active cyber espionage groups that have their sights set on the German government.
Beyond APT28, the prime suspect in the current attack, other groups, known by names like "Machete," "Lotus Panda" or "Shamoon," hint at the vigorous intelligence-gathering of the Chinese and Iranian governments.
New revelations of Russian cyber espionage are no surprise. The most astonishing aspect of the entire affair is that the Bundestag, Germany's parliament, was not informed about the security breach until months after it was discovered.
Another astonishing aspect is the fact that German authorities are still secretly purchasing so-called zero-days — unknown software vulnerabilities — in order to develop offensive cyberattack weaponry rather than closing vulnerabilities and shoring up the defense of existing systems.
Another thing that has become glaringly clear is that seven years after the much-celebrated creation of the Cyber Defense Center and one year after the passage of the government's cyber security strategy, the government's highly protected offline digital information network in Bonn and Berlin is not truly safe from attack.
In the age of the global digital superhighway, with its connections extending into the most intimate areas of a person's life, there is simply no way to guarantee security due to the sheer number of software vulnerabilities, and thus, hacking opportunities.
The advent of the Internet of Things and Industry 4.0 — and the exponential amount of data that both will generate — will only create more vulnerability. As logical as it may be to create "smart" cities as a means to conserve resources, networks are vulnerable. In 2016, the BSI was obliged to inform companies operating waterworks in Germany that their control systems could be infiltrated via the internet.
Cyber security has to be built-in from the start
Consequently, Germany, with its ambitious Industry 4.0 aims, will have to invest much more in cyber security. And that cyber security must be considered from the very earliest stages of a system's development and not as an add-on at the end. Security breakdowns and digital infiltration must be considered from inception, and systems must be designed to withstand disruptions. Ultimately, we will have to live with the reality of espionage — but we also have to make it as difficult as possible.