Fede­ral Office for Infor­ma­ti­on Secu­ri­ty: 2021 report on the sta­tus of IT secu­ri­ty in Germany

In its recent­ly published report on the sta­te of IT secu­ri­ty in Ger­ma­ny for 2021 (only in Ger­man), the Fede­ral Office for Infor­ma­ti­on Secu­ri­ty (BSI) draws a worry­ing con­clu­si­on: The IT secu­ri­ty situa­ti­on in Ger­ma­ny was “ten­se to cri­ti­cal” during the report­ing peri­od (1 June 2020 to 31 May 2021). In addi­ti­on to a gene­ral increase in mal­wa­re vari­ants to a total of 144 mil­li­on new vari­ants (394,000 new vari­ants per day), this was pri­ma­ri­ly due to the expan­si­on of cri­mi­nal ran­som­wa­re, hush money extor­ti­on and pro­tec­tion rackets against companies.

For exam­p­le, in March 2021, four cri­ti­cal vul­nerabi­li­ties, known as haf­ni­um vul­nerabi­li­ties, in Exch­an­ge Ser­ver cau­sed a stir. The BSI clas­si­fied the situa­ti­on as “extre­me­ly cri­ti­cal” becau­se the vul­nerabi­li­ties were easy to exploit using so-called “exploit kits” and large-scale scans for vul­nerable Exch­an­ge Ser­vers were obser­ved imme­dia­te­ly after the vul­nerabi­li­ties beca­me known.

Increased dan­ger from data leaks

The num­ber of data leaks also increased during the report­ing peri­od: Accor­ding to the BSI, online retail­ers in par­ti­cu­lar are repea­ted­ly the focus of cur­rent skim­ming attack efforts due to the immense amount of cus­to­mer data. In the pro­cess, legi­ti­ma­te web­sites of online mer­chants are com­pro­mi­sed, some­ti­mes wit­hout the ope­ra­tors of the plat­forms noti­cing this directly.

The use of ran­som­wa­re now also poses the risk of data leaks: The BSI obser­ved an incre­asing num­ber of cases in which the black­mailers not only encrypt­ed the data of the respec­ti­ve com­pa­ny and deman­ded ran­som, but also threa­ten­ed to publish the data at the same time in order to impro­ve the chan­ces of suc­cess of the ransomware.

Accor­ding to the BSI, howe­ver, it is not only the atta­ckers’ impro­ved methods that are the reason for num­e­rous data leaks, but also the lack of pro­tec­ti­ve mea­su­res for (online) data­ba­ses: “This repea­ted­ly results in sen­si­ti­ve (often per­so­nal) data lea­king into the public domain wit­hout the invol­vement or even, in many cases, the know­ledge of the data sub­jects,” the BSI said. Vic­tims included, for exam­p­le, well-known tech­no­lo­gy com­pa­nies, medi­cal prac­ti­ces, hos­pi­tals, com­pa­nies from the trans­port and logi­stics sec­tor, as well as public insti­tu­ti­ons and social networks.

In the event of sto­len per­so­nal data, it is extre­me­ly important for com­pa­nies to com­ply with the requi­re­ments of the GDPR in order to avo­id ris­king fines. This includes, in par­ti­cu­lar, the obli­ga­ti­on to noti­fy per­so­nal data brea­ches to the super­vi­so­ry aut­ho­ri­ty, if pos­si­ble within 72 hours (only in Ger­man), and, in the case of a high risk to the per­so­nal rights and free­doms of natu­ral per­sons, also to noti­fy the data subjects.

Increased thre­at level due to Covid-19

Due to the mas­si­ve shift of various are­as of life into digi­tal space as a result of the Coro­na cri­sis, the BSI was also able to iden­ti­fy num­e­rous new thre­ats in this con­text, such as cyber­at­tacks on video con­fe­ren­ces. This was achie­ved, among other things, by phis­hing emails mark­ed as ses­si­on invi­ta­ti­ons, which then redi­rec­ted to fake websites.

The aim of the atta­ckers is to obtain infor­ma­ti­on from pri­va­te con­fe­ren­ces – some­ti­mes with serious con­se­quen­ces for the affec­ted com­pa­nies, as the con­tent of video con­fe­ren­ces can give the atta­cker pro­found insights into inter­nal pro­ces­ses, soft­ware used and con­fi­den­ti­al infor­ma­ti­on or trade secrets. It is not uncom­mon for ano­ther tar­ge­ted cyber­at­tack on the com­pa­ny to take place using the infor­ma­ti­on obtai­ned in this way. 

The sharp increase in the num­ber of home office users as a result of the pan­de­mic also poses addi­tio­nal risks: The fre­quent use of pri­va­te IT devices such as com­pu­ters or smart­phones is a con­ve­ni­ent solu­ti­on for employ­ers and employees, but the lin­king of the­se devices, which usual­ly have wea­k­er secu­ri­ty, to the cor­po­ra­te net­work also har­bours num­e­rous dan­gers and gate­ways for malware.

The home office is also gene­ral­ly less pro­tec­ted against unin­ten­tio­nal dis­clo­sure of infor­ma­ti­on by third par­ties: For exam­p­le, they can gain insight into data and soft­ware used via docu­ments still on the home work­sta­tion or unlo­cked computers.

In this con­text, com­pa­nies are the­r­e­fo­re advi­sed to estab­lish a bin­ding poli­cy for employees for home offices (PDF) and also to check com­pli­ance with the poli­cy.

Increase in thre­ats in the auto­mo­ti­ve indus­try as well

In the sta­tus report, the BSI also expli­cit­ly addres­ses the gro­wing thre­ats posed by incre­asing net­wor­king and auto­ma­ti­on in road traf­fic: Accor­ding to the BSI, num­e­rous attacks on vehic­le sys­tems, espe­ci­al­ly via wire­less inter­faces, high­light the thre­at poten­ti­al here.

To address the­se thre­ats, rules for vehic­le cyber­se­cu­ri­ty were adopted in June 2020 and came into force ear­lier this year, beco­ming man­da­to­ry from July 2022 via trans­po­si­ti­on into EU law. This obli­ges auto­mo­ti­ve manu­fac­tu­r­ers to arm them­sel­ves against pos­si­ble IT-related hazards by means of sui­ta­ble deve­lo­p­ment and respon­se pro­ces­ses. Indi­rect­ly, howe­ver, this also results in new obli­ga­ti­ons for suppliers.

In addi­ti­on to BSI coope­ra­ti­ons with the Fede­ral Motor Trans­port Aut­ho­ri­ty (KBA) and the Ger­man Asso­cia­ti­on of the Auto­mo­ti­ve Indus­try (VDA) to pro­mo­te com­pe­ten­ci­es and under­stan­ding in the area of cyber­se­cu­ri­ty, the BSI is also addres­sing the secu­ri­ty aspects of arti­fi­ci­al intel­li­gence in con­nec­tion with self-driving vehicles.

Cyber­se­cu­ri­ty in the sup­p­ly chain is gai­ning importance

The incre­asing net­wor­king of the sup­p­ly chain in the cour­se of Indus­try 4.0 offers new attack sur­faces and gate­ways that, accor­ding to the BSI, “can reach deep into com­pa­nies and into the pro­duc­tion envi­ron­ment.” In some cases, this can have fatal con­se­quen­ces, as the attack on the “Ori­on” soft­ware from the manu­fac­tu­rer Solar­Winds show­ed: In this case, unknown per­sons had inser­ted a back­door in “Ori­on” update files. This update was down­loa­ded and instal­led by up to 18,000 Solar­Winds cus­to­mers. With sel­ec­ted com­pa­nies and govern­ment agen­ci­es, the atta­ckers used the back­door to load addi­tio­nal malware.

In order to effec­tively coun­ter such dan­gers, law­ma­kers have enac­ted new rules to pro­tect com­pa­nies and con­su­mers: By means of the IT Secu­ri­ty Act 2.0 and the asso­cia­ted intro­duc­tion of the con­cept of “com­pa­nies of spe­cial public inte­rest”, com­pa­nies of a cer­tain eco­no­mic signi­fi­can­ce are to be regis­tered and, in the future, will be sub­ject to spe­cial pro­tec­tion and report­ing requi­re­ments simi­lar to CRITIS operators.

Secu­ri­ty for con­su­mers is also to be impro­ved by the intro­duc­tion of an IT secu­ri­ty label: Through the IT secu­ri­ty label, con­su­mers are to easi­ly find out about secu­ri­ty fea­tures of pro­ducts and ser­vices assu­red by the manu­fac­tu­rer. Con­ver­se­ly, com­pa­nies will be able to make the secu­ri­ty fea­tures of their IT pro­ducts easi­ly reco­g­nisable in the future through the labe­l­ing and can thus stand out in the market.


The BSI’s sta­tus report for 2021 once again shows that, par­al­lel to the ste­adi­ly incre­asing net­wor­king of com­pa­nies, pro­duc­tion faci­li­ties and pro­ducts, the thre­ats posed by cyber­at­tacks are also on the rise. This trend was inten­si­fied through the coro­na pan­de­mic and the resul­ting mas­si­ve increase in the use of digi­tal tech­no­lo­gies, espe­ci­al­ly in the home office. Attacks can take many forms. On a tech­ni­cal level, thre­ats include mal­wa­re, iden­ti­ty theft, social engi­nee­ring, and advan­ced per­sis­tent thre­ats used for tar­ge­ted infor­ma­ti­on gathe­ring. An IT secu­ri­ty inci­dent at a sin­gle sup­pli­er can affect the enti­re sup­p­ly chain or even the secu­ri­ty of a pro­duct on the market.

Com­pa­nies should the­r­e­fo­re stri­ve to use cyber­se­cu­ri­ty com­pli­ance manage­ment to pre­ven­tively check and secu­re their cor­po­ra­te struc­tures regar­ding poten­ti­al risks and thre­ats and to stra­te­gi­cal­ly imple­ment legal requi­re­ments for cybersecurity.

The com­ple­te BSI sta­tus report is available here (only in German).


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.