News Articles

IT security crisis: Who blocks IT network security?

In the subchapter “The Causes for the IT Security Crisis” which is part of the book Cyberwar, The Danger from the Net (September 2018), the authors Constanze Kurz and Frank Rieger, both proven experts of the global IT scene, made some remarkable statements.

Protection against attacks launched by malicious people

Relating to the weak spots of the network they succinctly stated: “In our latitudes, topics such as stability, security and reliability are since long an accepted and important component in the education and training of different professions. A continuously developing culture of safe engineering … ensures that steam generators do not explode in rows, that bridges and houses don’t collapse and that the use of electrical devices is not associated with high risks. This implies that we are protected from the effects of the laws of nature and natural forces and from human error, but this does not include that we can protect ourselves from malicious people.”

 

What is needed is a socio-political movement that restructures the security architecture of the global network

In reference to the above mentioned good tradition, the authors outline how “safety” (i.e. inherent technology safety) and “security” (i.e. protection against attacks launched by malicious people) should be better balanced. Of course very powerful examples are listed about startups and software developers (without naming the names), where usually- given the cost and time pressure in programming  (“you want to be first on the market”), a schedule is imposed, where security aspects play a subordinate role or are not even considered. The reason given is that this represents a major cost factor for the financial investors (see: Cyberwar, The danger from the network, September 2018. Constanze Kurz is a graduated computer scientist; Frank Rieger is, inter alia, a spokesman for the Chaos Computer Club.)

What is needed is a socio-political movement that restructures the security architecture of the global network that “hardens” it, or better said, reforms it in the interest of personal protection of the citizen on a global scale.

Data theft of 1000 prominent figures sets off alarm

In the beginning of January 2019, a stormy debate broke out in Germany. Approximately 1000 deputies from the federal and state parliament, entertainers and Youtubers were since some time robbed of their data, including private numbers, bank statements, and in some cases very private family chats and data’s of young children. Some very private data were then distributed on the net via Twitter accounts and made public. A 20-year-old young man from the federal State of Hesse was arrested (by now released). The investigations into how the young man carried out this (data) theft are still ongoing.

 

The role which the use of such profiles in elections played for Cambridge Analytics and the SCL Group – Strategic Communications Laboratories Group- has still not been fully analyzed and scrutinized in public

Previously, there were much bigger data thefts. One only has to remember the theft of the private data of hotel guests of the Marriott hotel chain (according to reports this involved the theft of up to 400 million data records including passport numbers et cetera). Or one should remember that last year, nearly 30 million Facebook profiles were “skimmed” (given away in a deal). The role which the use of such profiles in elections played for Cambridge Analytics and the SCL Group – Strategic Communications Laboratories Group- has still not been fully analyzed and scrutinized in public. There are regular reports about phishing attacks. While the author of this article is writing this commentary, the next wave of a huge data leak has hit: According to an Australian security expert, 700 million email addresses in combination with 22 million passwords have been posted (“Collection 1 #”), including probably more than 140 million unpublished addresses. The perpetrators of this operation are not yet known.

The average Internet user is bombarded after every major data theft with the piece of advice that tell him, that he personally is to blame that his private data are straying in the net and become public. He is informed that because of the widespread lack of concern, users make it easy for some criminals to commit data thefts. But even in the “real world” of houses or apartments, citizens lock their homes with a functioning key. It took a while until new police methods were devised that could help track down burglar gangs who with their professional approach had been able to overcome such security systems. With the help of new methods it was possible to prevent further large-scale burglaries including improved security systems.

Data theft and law enforcement

Something similar has to be done against data theft. The criminal machinations of those who spy out and go around selling these stolen data, are usually downplayed. These criminal acts must be prosecuted and not get sabotaged by arguments that this is a danger since it “would curtail the freedom of the net”, or “it is impossible to identify the perpetrators”. On the basis of the (by now tightened) German law and according to § 202d of the German Criminal Code (StGB), the receiving and disposing of stolen data constitutes an offense, which “can be punished by imprisonment with up to three years or by a fine.” Computer sabotage and distribution of viruses, computer espionage, computer forgery, and computer fraud and new forms of committing offences (e.g., computer manipulations) are to be punished. “Violation of personal life by taking pictures or intercepting data can be punished with up to 2 years.” Generally in case of violation of the telecommunication law this can be punished with up to 5 years. (§§ 202-206 StGB)

Obviously, these criminal acts could be punished more rigorously; but to do this there must be the necessary will and trained professionals as well as “technical hardening”. It would also imply that one would get into conflict with the four American giant Internet companies (“Gafa”), other international internet providers and with those who politically oppose a more rigorous punishment. The summoning last year of Facebook chairman Marc Zuckerberg to come to an EU hearing to be questioned could have been a good start, but it completely failed for political-organizational reasons.

What about consumer protection? Only because the chairman of the Greenies Robert Habeck is now personally concerned, some Greenies in Germany are coming forward with weak demands for new control measures. In the past they were the first to attack any attempt that would look for harsher control of freedom in the Net. The countless self- proclaimed IT experts would tell the IT user that such “countermeasures” will not protect either against any deliberate attack.

Reform the IT security architecture world wide

The proven IT security expert Sandro Gayken has demanded since several years a higher level of network security and stated that -the in relation to the recent data theft in Germany- the “dangers (are)… gigantic” (8.1.19 FAZ.NET). “Even a single madman, who is not very talented, can do such things”, he commented. According to FAZ.NET, the German researcher has warned since years that an increase in the global technical integration of the Internet will exponentially increase the attack potentialities, this at a time when fitness bracelets, digitally networked heaters and the 4.0 industry were still dreams of the future. As FAZ underlines, Gaycken is convinced that the dangers will grow exponentially. Even if private users were to change their passwords more often, this would happen more frequently in the future. He advocated decoupling and separating as many systems as possible from the Internet. This would be especially necessary in respect to military computers and critical infrastructure. Only this way they could be protected from cyberattacks. If the current development of an exponentially growing networking continued, Gayken warned according to FAZ NET, “all kinds of threats would emerge.”

The legal instruments to combat cybercrime are available. The responsibility of the Internet companies at home and abroad concerning data security should be enforced more rigorously with the help of all existing legal, technical and diplomatic means.

Recent announcements