Federal Office for Information Security: 2021 report on the status of IT security in Germany

Stefan Hessel

In its recently published report on the state of IT security in Germany for 2021 (only in German), the Federal Office for Information Security (BSI) draws a worrying conclusion: The IT security situation in Germany was "tense to critical" during the reporting period (1 June 2020 to 31 May 2021). In addition to a general increase in malware variants to a total of 144 million new variants (394,000 new variants per day), this was primarily due to the expansion of criminal ransomware, hush money extortion and protection rackets against companies.

For example, in March 2021, four critical vulnerabilities, known as hafnium vulnerabilities, in Exchange Server caused a stir. The BSI classified the situation as "extremely critical" because the vulnerabilities were easy to exploit using so-called "exploit kits" and large-scale scans for vulnerable Exchange Servers were observed immediately after the vulnerabilities became known.

Increased danger from data leaks

The number of data leaks also increased during the reporting period: According to the BSI, online retailers in particular are repeatedly the focus of current skimming attack efforts due to the immense amount of customer data. In the process, legitimate websites of online merchants are compromised, sometimes without the operators of the platforms noticing this directly.

The use of ransomware now also poses the risk of data leaks: The BSI observed an increasing number of cases in which the blackmailers not only encrypted the data of the respective company and demanded ransom, but also threatened to publish the data at the same time in order to improve the chances of success of the ransomware.

According to the BSI, however, it is not only the attackers' improved methods that are the reason for numerous data leaks, but also the lack of protective measures for (online) databases: “This repeatedly results in sensitive (often personal) data leaking into the public domain without the involvement or even, in many cases, the knowledge of the data subjects," the BSI said. Victims included, for example, well-known technology companies, medical practices, hospitals, companies from the transport and logistics sector, as well as public institutions and social networks.

In the event of stolen personal data, it is extremely important for companies to comply with the requirements of the GDPR in order to avoid risking fines. This includes, in particular, the obligation to notify personal data breaches to the supervisory authority, if possible within 72 hours (only in German), and, in the case of a high risk to the personal rights and freedoms of natural persons, also to notify the data subjects.

Increased threat level due to Covid-19

Due to the massive shift of various areas of life into digital space as a result of the Corona crisis, the BSI was also able to identify numerous new threats in this context, such as cyberattacks on video conferences. This was achieved, among other things, by phishing emails marked as session invitations, which then redirected to fake websites.

The aim of the attackers is to obtain information from private conferences - sometimes with serious consequences for the affected companies, as the content of video conferences can give the attacker profound insights into internal processes, software used and confidential information or trade secrets. It is not uncommon for another targeted cyberattack on the company to take place using the information obtained in this way.  

The sharp increase in the number of home office users as a result of the pandemic also poses additional risks: The frequent use of private IT devices such as computers or smartphones is a convenient solution for employers and employees, but the linking of these devices, which usually have weaker security, to the corporate network also harbours numerous dangers and gateways for malware.

The home office is also generally less protected against unintentional disclosure of information by third parties: For example, they can gain insight into data and software used via documents still on the home workstation or unlocked computers.

In this context, companies are therefore advised to establish a binding policy for employees for home offices (PDF) and also to check compliance with the policy.

Increase in threats in the automotive industry as well

In the status report, the BSI also explicitly addresses the growing threats posed by increasing networking and automation in road traffic: According to the BSI, numerous attacks on vehicle systems, especially via wireless interfaces, highlight the threat potential here.

To address these threats, rules for vehicle cybersecurity were adopted in June 2020 and came into force earlier this year, becoming mandatory from July 2022 via transposition into EU law. This obliges automotive manufacturers to arm themselves against possible IT-related hazards by means of suitable development and response processes. Indirectly, however, this also results in new obligations for suppliers.

In addition to BSI cooperations with the Federal Motor Transport Authority (KBA) and the German Association of the Automotive Industry (VDA) to promote competencies and understanding in the area of cybersecurity, the BSI is also addressing the security aspects of artificial intelligence in connection with self-driving vehicles.

Cybersecurity in the supply chain is gaining importance

The increasing networking of the supply chain in the course of Industry 4.0 offers new attack surfaces and gateways that, according to the BSI, "can reach deep into companies and into the production environment.” In some cases, this can have fatal consequences, as the attack on the "Orion" software from the manufacturer SolarWinds showed: In this case, unknown persons had inserted a backdoor in "Orion" update files. This update was downloaded and installed by up to 18,000 SolarWinds customers. With selected companies and government agencies, the attackers used the backdoor to load additional malware.

In order to effectively counter such dangers, lawmakers have enacted new rules to protect companies and consumers: By means of the IT Security Act 2.0 and the associated introduction of the concept of "companies of special public interest", companies of a certain economic significance are to be registered and, in the future, will be subject to special protection and reporting requirements similar to CRITIS operators.

Security for consumers is also to be improved by the introduction of an IT security label: Through the IT security label, consumers are to easily find out about security features of products and services assured by the manufacturer. Conversely, companies will be able to make the security features of their IT products easily recognisable in the future through the labeling and can thus stand out in the market.

Summary

The BSI's status report for 2021 once again shows that, parallel to the steadily increasing networking of companies, production facilities and products, the threats posed by cyberattacks are also on the rise. This trend was intensified through the corona pandemic and the resulting massive increase in the use of digital technologies, especially in the home office. Attacks can take many forms. On a technical level, threats include malware, identity theft, social engineering, and advanced persistent threats used for targeted information gathering. An IT security incident at a single supplier can affect the entire supply chain or even the security of a product on the market.

Companies should therefore strive to use cybersecurity compliance management to preventively check and secure their corporate structures regarding potential risks and threats and to strategically implement legal requirements for cybersecurity.

The complete BSI status report is available here (only in German).

[November 2021]