On responsibility for IT security
The hacks and security vulnerabilities of the year 2018 made it abundantly clear: Neither the current IT products, operating systems and services, nor cyber space itself currently offer sufficient protection against the diverse threats of a digitalized world. Despite what can be seen objectively as myriad improvements and stepped-up efforts by manufacturers, the situation is perceived to be worse than ever – a perception which can be attributed, at least in part, to increased media attention.
As society becomes more and more digital, increasing volumes of private and personal data are being inexorably transferred into cyber space, sometimes with voluntary consent and sometimes involuntarily. This occurs, for example, through our own activities in moving private communication into message groups or cloud backups, through IoT devices, through e-health activities such as the health card or electronic patient files, and not least, through e-government activities such as online administration or tax offices.
Unfortunately, as it appears, neither private companies nor public administrations are currently equipped to store and manage our data securely and reliably. It is of the utmost importance that the security level of IT systems, solutions, and services be immediately and significantly increased in a consistent and sustainable manner, as must the protection level of data transmission, and that appropriate protective measures such as consistent data encryption are brought into play.
Of course it is true that many attacks are only enabled by the careless handling of users’ access data and the neglect of even the most basic security precautions – the digital equivalent of the open front door, so to speak, with the letterbox located in the entrance hall. However, while user training and a heightened awareness of problems, especially with regard to the significance and security of one’s own digital data, are important and necessary, the everyday use of digital life’s basic components must also be fundamentally secure for the “not-so-tuned-in” user. To expect all users to understand the function, structure, and interaction of systems and applications, and that every user will become a cyber expert, is simply unrealistic – rather, the use and operation of secure, encrypted systems must be made as simple as child’s play, to enable even the inexperienced user to manage their data securely in the digital world.
Similar requirements must be met in the area of targeted data alteration and the uploading of false or inaccurate data, which form the basis not just of insurance company assessments and trading platforms’ economic positions, but also of influencing and opinion-forming in social networks or similar platforms – here, in the absence of tried and tested methods, the door is still wide open to abuse. The development of countermeasures is often still at a very early stage and usually requires elaborate, partly AI-supported systems in order to be effective. Here, too, it must be possible in the medium term for the individual user to know the source of the data and to carry out a check, a “fact check”, of the presented data, at least in principle.
There is a political trend towards shifting the responsibility for even the most elementary of state tasks to the private sector and towards holding the operators alone accountable (mostly on a pre-emptive basis) not only for the security, integrity, and authenticity of data, but also for assessing the legality of a use. This tendency clashes in practice with the simultaneous demands of stringent data protection, absolute protection of privacy, and the data sovereignty of users.
At this juncture, the state will have to decide which tasks and priorities it should assume responsibility for in a digital society, and when the needs of all citizens in cyber space justify or even require a restriction of state action.
The present demand for secure systems, applications, and networks, as well as a consistent increase in system security, conflicts with the steady expansion of state control in all areas of the Internet and, in particular, with the call for security authorities to be granted more rights in the digital world. In an increasingly interwoven system of access rights and access possibilities, access to digital data is regarded not just as the sole remedy for combating what is perceived as “Internet crime”, but also for the investigation of all forms of crime and the “protection of national security”. If one then leaves the boundaries of national law – as would currently be the case under the European Commission’s draft regulations on so-called “e-Evidence” – user data will be tossed around by a multitude of national legislations that have not been harmonized to even a rudimentary degree, without users being given suitable legal redress in return.
These demands for universal access for the security authorities are counterproductive and actually stand in the way of protecting the population in cyber space. Practically all of these access options require a weakening even of the existing, mostly insufficient protective measures of services and applications, as well as a deferred closing of known security vulnerabilities. The inescapable fact is that each of the forced vulnerabilities in the overall system that can be exploited by the security authorities is also an open door for cyber criminals and attackers from all over the world, and thus poses a threat to the security of the population as a whole.
To return to the question of priorities: Shouldn’t the protection of the population and companies in general be the primary protection goal of state actors – and even be a state goal? Any threat from existing vulnerabilities is concrete, tangible, and above all avoidable. Such threats affect every citizen and every company in their daily use of IT, unlike the indeterminate danger impelling the pursuit of criminal elements or groups and actors that undermine the state.
In investigating criminal activities or going after terrorist groups, the problems therefore need to be weighed up and measured against the everyday dangers that threaten each individual in the daily use of IT systems, and this needs to happen for as long as no consistent, government-sponsored measures are taken to increase IT security.
Government activities such as those in Australia, for example, where a new law provides for a state right to permanently weaken encryption and where access to all equipment can be enforced through its being subject to a manufacturer’s liability, must therefore be viewed with concern. In Germany, too, one gets the impression that, in the kind of race that is underway to achieve the most far-reaching police law, a maximum weakening of the safety of users and companies is not only being tolerated with eyes wide open, but also is being tacitly endorsed.
Such activities, however, weaken cyber security to a point where legal entities and natural persons are endangered by the state to such an extent that the activities of the state itself can and will only be seen as a threat.
Unfortunately, this situation is not new, and is already familiar from the field of secret services, where all the rules of the game and laws on data protection and the protection of the privacy of one’s own citizens and companies are regularly circumvented or deliberately broken – partly by applying risky legal constructions. On more than one occasion, the tools developed to these ends later ended up in the hands of criminals and became a global threat to cyber security – and this trend is growing.
In a world in which the boundaries between the actions of criminals, terrorists, abstract cyber threats by “state actors”, and the current or at least desired actions of the state’s own security authorities continue to merge (indeed, become virtually indistinguishable for the user), we must ask ourselves the question: Where does a “threat” actually begin? Which activities and actions define a criminal and which define a terrorist – or, in the abstract, a “threat”? Where are the boundaries between a legitimate action of security authorities for the good of the population or “national security” on the one hand, and crime and terrorism on the other, in a world in which neither the tools and methods are distinguishable, nor in which states in cyber space restrict themselves to their national territory or their national laws?
Thus the defenders on the one side quickly become the (cyber) terrorists on the other, “hack backs” become attacks, laws to strengthen national security become a danger to our democracy, and measures to combat crime become the greatest threat to security in cyber space.
Klaus Landefeld is Vice-Chair of the Board and Director of Infrastructure & Networks at eco – Association of the Internet Industry.
Since 2013, he has served as Chief Executive Officer of nGENn GmbH, a consultancy for broadband Internet access providers in the field of FTTx, xDSL and BWA. He also serves as network safety and security officer as well as data protection officer for several German ISPs.
Before establishing nGENn, Mr. Landefeld held a number of other management positions, including CEO at Mega Access and CTO at Tiscali and World Online. He was also the CEO and founder of Nacamar, one of the first privately-held Internet providers in Germany.
Mr. Landefeld is a member of a number of high-profile committees, including the Supervisory Board of DE-CIX Group AG, and the ATRT committee of the Bundesnetzagentur (Federal Network Agency).