Stefan Peintinger*

Panel Report: Cybersecurity - (K)eine Chance gegen Internetspione? – Is There (No) Chance Against Internet Espionage?

As part of the DAJV Annual Conference 2014 in Berlin, Dr. Olaf Christiansen, LL.M., DAJV Board Member with Bertelsmann, organized a panel on cybersecurity together with Dr. Katja Gelinsky, LL.M., Coordinator “Recht und Rechtspolitik” at the Konrad-Adenauer-Stiftung e.V.,¹ who moderated the panel. The Konrad-Adenauer-Stiftung hosted and co-organized this event with the DAJV. Mrs. Gelinsky welcomed the audience by pointing out that cybersecurity is an issue affecting everyone. Not just Hollywood stars, whose private pictures have recently been published online, are victims of cybercrime, but also hacked eBay customers and bank businesses, as well as people whose credit cards or e-passports have been stolen. Furthermore, it is a transatlantic issue. This is underlined by the rather unusual step of the German Federal Ministry of the Interior of releasing an English summary of the proposed German regulation on a new cybersecurity law (“Entwurf eines Gesetzes zur Erhöhung der Sicherheit informationstechnischer Systeme (IT-Sicherheitsgesetz)”). Usually, legislative proposals are not translated at such an early stage of the political discussion. According to Thomas de Maizière, the aim of the new cybersecurity law is to create the most secure IT infrastructure in the world. Therefore, the types of cyber attacks and the risks they pose need to be addressed, and various interests need to be balanced.

Mr. Klaus Beucher – Introduction

Mr. Beucher, LL.M., Partner and Co-Head of the Cybersecurity Group at Freshfields Bruckhaus Deringer, Cologne, gave an overview of recent cybersecurity events. He pointed out that the US is a forerunner in this area. As a trend, risk perception is increasing. Within the last five years, the perception of cybersecurity issues has changed dramatically. Until five years ago, the general public was far less aware of cybersecurity issues than it is today; only nations and companies paid attention. The recent case involving Hollywood stars, however, shows today’s perception of cybersecurity issues. This event was covered by mainstream media, and not just because of the people involved and the content of the pictures. The general public is more aware than it was five years ago. Another example is the hack of Home Depot’s payment system: after this hack was made public, Home Depot’s management was replaced, underlining today’s emphasis on cybersecurity. To show the scope of cyber attacks, Mr. Beucher displayed a website run by the German Telekom AG.² This live site indicates cyber attacks measured by the German Telekom AG, with attacks per month well into the millions. Moreover, the Symantec Internet Security Threat Report 2014³ points out that there has been a 100 percent increase in cyber attacks over the course of one year compared to the period 2012-2013. One out of 400 emails is used to launch an attack. At first sight, this might not sound like a lot. However, if one thinks about one's own regular email behavior, the numbers indicate how often such an attack occurs. Furthermore, one out of eight websites has a security issue. Some websites, especially those with adult content, are used more often as a platform for cyber attacks than others.

Mr. Beucher pointed out that three different types of cyber attacks need to be distinguished. The first category comprises attacks on private companies. Recent cases include Vodafone Germany, where the data of 2 million customers was captured, and Barclays, where £1.3m was stolen in a computer-aided robbery. The second category is called “state sponsored attacks”. This means that a state is somehow involved, either as the attacker, e.g. Stuxnet, a computer worm designed to attack nuclear power plants in Iran (2008) and Russia (2013), or as the target, e.g. the telephone hack of a government member. Edward Snowden’s revelations are part of this category. The third category is called “hacktivism”, meaning that a single person or a group attacks a private company in order to achieve a certain goal. One example is the group called “Anonymous”, who, among other things, threatened to shut down Goldman Sachs’ social media pages. Based on these targets, the reactions differ. For example, states can invest in system security, and they can adopt and enforce regulations. On an international level, states are discussing an amendment of Art. 5 of the North Atlantic Treaty (NATO Treaty), which requires member states to come to the aid of any member state subject to an armed attack, to include cyber attacks. Companies can introduce data classifications and adopt a different security strategy for each classification. They can also develop a cyber response and a PR strategy. Individuals can choose trusted providers, keep up to date with security updates and adapt their online behavior to the different activities they engage in. In general, risk perception has changed dramatically. Today, 45.1 percent of people asked in the US feel that cyber warfare is the biggest threat to US security.⁴ Furthermore, Mr. Beucher pointed out the different sources of cyber security regulation. In the US, regulations come from the banking and finance sector. In Germany, cyber security regulations derive from data protection. On the European level, the General Data Protection Regulation aims at establishing a modern approach to data protection. However, this might not happen anytime soon because of conflicting concepts. The Organisation for Economic Co-operation and Development (OECD) is also considering adopting guidelines. Summing up, Mr. Beucher stated the current questions of cybersecurity regulation: 1. Which industries are affected by (proposed) cyber security laws? 2. Mandatory vs. voluntary obligations? 3. Reporting obligations? 4. Audit requirements?

* Stefan Peintinger, LL.M. (Georgetown), is a law clerk (“Referendar”) at the district court of Munich and a doctoral candidate under Professor Stefan J. Geibel, Maître en droit (Université Aix-Marseille III), at the University of Heidelberg. Furthermore, he is a research assistant in the “IP/IT & Commerce” department at King & Wood Mallesons SJ Berwin in Munich.

¹ All slides can be found on the DAJV website (www.dajv.de) and via the website of the Konrad-Adenauer-Stiftung (www.kas.de/wf/de/33.38739/).

² http://www.sicherheitstacho.eu/.

Mr. Michael Hange – German and European Legal and Policy Issues

The second presentation was given by Mr. Hange, President of the Federal Office for Information Security (BSI), Bonn. Mr. Hange, a veteran of cyber security, started his presentation by underlining the role of the BSI. It is the biggest civil IT security agency in Europe and has three main tasks. Foremost, the BSI designs, secures and protects the governmental IT networks and systems. Furthermore, the BSI warns federal and Länder institutions as well as producers, users and distributors in matters of information security. The third main task of the BSI is to give advice on information security matters. IT security is often realized by crypto security. In today's world, this is a real challenge and not comparable to fighting a computer virus, which, once detected and analyzed, can be prevented by updated anti-virus software. Crypto security means securing computer algorithms. The practical problems are: “Where to get a key?” and “How to implement such a key correctly?” In order to enhance cyber security, “end-to-end” and “transport” encryption need to be in place. Mr. Hange pointed out some of the commonly used attack scenarios: zero-day exploits, Trojans, IT vulnerabilities, backdoors and manipulation of hardware and software. These result in cyber espionage, cyber sabotage, identity theft and cyber blackmailing. The main issues are that it is hard to identify the attacker and that many attacks are possible at the same time. The general population is in a state of “digital unawareness”. Furthermore, the quality of an attack can be high. As an example, someone might only realize that an attack has happened 200 days after it actually took place. The internet provides many tools and there is a “market” for cyber attacks. There is no 100% security; however, with normal protection measures such as anti-virus software and firewalls, which can be used by everyone, 90% of security could be achieved. This means, for example, using a firewall, regularly updating security software and using encryption. Finishing his speech, Mr. Hange concluded that “data protection” is not such a good term; “information security” is a better one. His main message is that "information security concerns us all"! Therefore, the state has to weigh whether self-regulation is sufficient or state regulation is required. In the case of critical infrastructures, which play a significant role in services for the public, Germany is currently discussing a draft proposal for an IT security law.

³ http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf.

⁴ http://www.defensenews.com/section/STATIC26/Leadership-Poll.

Steven Wares – Risk Perception of the Industry

Mr. Wares is Cyber Risk Practice Leader with Marsh Ltd., London. As an insurance broker and risk advisory firm, Marsh helps organizations develop their cyber risk profiles and designs insurance solutions for the transfer of risk. Mr. Wares has specialized in insuring technology-related risks both on the supplier side and for business users. First of all, in order to design an insurance solution, each risk needs to be identified. Secondly, the risk needs to be valued. Afterwards, a transfer of risk is possible via insurance. The development and take-up of cyber insurance over the past 20 years is another indication of how the perception of cyber risk has changed within organizations. During the 1990s, many companies thought that by not having a trading website there could be no IT security issue, and applications for cyber insurance were dominated by dot-com businesses. Companies were not fully aware of their other IT dependencies, though admittedly, at the time, those dependencies were far more limited than today. Over the last decade, the preoccupation of risk managers and insurance buyers has been the potential for material losses arising from privacy-related events caused by the loss of personal data. Today, cyber risks are firmly on the corporate agenda and a main concern for companies. Everyone is now looking beyond privacy and taking a more enterprise-wide approach, asking “what could happen?” and “which type of cyber attack is possible?”. Attitudes have developed from an initial culture of denial (“this is not going to happen to me”). To draw a comparison with burglary, people thought: “My neighbor was just unlucky; I'm luckier.” As time moved on and more cyber events took place, a more questioning culture developed, but it wholly depended upon technical measures to deliver the assurance required. Now, there is increasingly a realization that, despite reasonable efforts to secure the organization and protect it from the consequences of cyber attacks, 100% security is not feasible, and firms must also focus on post-event preparation and response in order to understand how to react to an attack. Today, a lot of money is being spent on cyber insurance, mainly in the US because of privacy-related class actions and mandatory breach notification laws. Take-up of cyber insurance has been led by industries storing high volumes of personal data, including financial institutions and retail companies. Customers ask Mr. Wares whether they can insure cyber risks, but the starting point is to determine how to define “cyber risk”. This is not a traditional insurance business. Insurance companies face challenges too, as they cannot simply look back at their historical loss data to determine future loss activity, because the nature of the exposure is too dynamic. With regard to IT security, even data from five years ago could be of limited value. Mr. Wares predicts that the take-up of cyber insurance will continue to increase and become a standard purchase for businesses. As insurers gather better risk intelligence through their increased volumes of data, they will become a key driver of corporate behavior. We are likely to see insurers mandating specific mitigation practices in just the same way as they do in other classes of insurance, such as property.

Adam Golodner – US Legal and Policy Issues

Mr. Golodner is a Partner and the Leader of the Global Cybersecurity & Privacy Practice Group with Kaye Scholer LLP, Washington, D.C. He explained the US position with regard to cyber security, highlighting the fact that Germany is a key partner. Cyber security issues are global because we have a global network. The key questions are “what do we do about cyber security issues?” and “what can companies do about it?”. The global network is a result of the internet's history. First, the internet protocol was voluntarily established as an international standard through the Internet Engineering Task Force (IETF). Since then, interoperability of communications, products and standards has been a major concern, as has security. Further, interoperability and security have to work together. In the extreme, if the regions of the world had set up different technical approaches, they might not have been able to talk to each other. This is also true when someone today thinks about setting up a closed regional internet zone. If a region or a company comes up with its own non-standard security system, this might tend to pull apart the basic functionality, and the end-to-end security, of the internet. Understanding what “cyber” is about is also important. The things we are concerned with in “cyber” (theft, fraud, espionage and war) are the same things we have been dealing with in the off-line world for centuries. Over time, society has built up principles, laws and norms to deal with these issues, both within countries and between countries. Today’s “cyber” discussion is all about applying these new facts (the use of the on-line tool instead of the off-line tool) to age-old principles, laws and norms of acceptable behavior, and then enforcing those rules globally. It is a fundamental question what to do about cyber security issues. Thereby, we need to ask: what is the role of the government? Is there any delta between what the market has to offer and what the government needs? This is still unanswered, and it is fact-, sector- and enterprise-specific. Public-private partnerships and information sharing approaches might work best in order to tackle cyber security issues. However, different countries are using different approaches. But one thing is for certain: it is the ability to move, react and recover quickly (innovation) that is the key. Finishing his remarks, Mr. Golodner said that companies should analyze their business risks and take reasonable steps to manage those risks. In many cases, a core risk is the loss or theft of “intellectual property”. Of top priority are those assets and things that are “core” to the company’s ability to provide services and maintain competitive advantage. In any case, good corporate governance suggests that companies should undertake a risk management analysis, ensure their processes allow for prioritization of “crown jewels”, put in place proper defenses, and exercise how they will respond to, fight through, and recover from any cyber incident. Getting ahead of the curve is now table stakes in the cyber game.

Panel Discussion and Questions by the Audience

The panel speakers concluded that privacy and cybersecurity concern everyone. Accordingly, the audience responded with a broad range of questions. Among other aspects, the scenario of non-cyber responses to cyber attacks by changing Art. 5 of the NATO Treaty was discussed. Furthermore, the participants debated how to create incentives for private individuals to increase their own IT security. This could happen through requirements set by insurance companies: if an insurance company demanded on a contractual basis that a certain level of IT security be met, this would need to be implemented and kept up to date by the policy holder. Another incentive might be the liability deriving from IT security breaches. Besides such instruments, there is a need for a global law enforcement regime. Another challenge is the assessment of the damages caused by losing data. These damages might not be internalized in a business plan because they are hard to quantify. Events which used to occur in the “analog” world are now happening “digitally”. A “digital” bank robbery involving a cyber attack, for example, might make a larger haul than a classical “analog” bank robbery. The questions and the discussions between the audience and the panel speakers showed that cybersecurity issues have entered general awareness. If everyone understands IT security as his or her own personal benefit, a major step towards an increased level of cybersecurity will have been taken. This would, among other aspects, diminish the chances for cyber espionage.