German Government Commissioner for Information Technology Klaus Vitt | German Federal Ministry of the Interior
Klaus Vitt discusses his role protecting Germany from cyber attacks.
3/20/17, 7:54 PM CET
Updated 3/20/17, 8:10 PM CET
BERLIN Meet the man in charge of protecting Europe s largest country against the ever-changing threat of hacking: the German government s IT commissioner, Klaus Vitt. During an interview with POLITICO at the German Interior Ministry, Vitt described the country s current cyber threat level as increasingly critical, announced plans to cooperate with private companies and explained why his analysts believe most professional hacking attacks on Germany come from Russia or China.
In September, Germany elects a new parliament . Could the vote be manipulated by cyber attacks?
We have analyzed all processes during election day . Wherever we found weak spots, we have introduced measures and taken precautions. In Germany, there are no electronic voting machines or automation .
The vote, therefore, is not that big of a target . However, there s never a security of 100 percent.
You re talking about potential attacks on the IT network on election night . Another issue is cyber attacks that could happen in the run-up to the election . People are concerned that stolen material from hacks could be used to compromise candidates . Do they have a reason to be afraid?
The danger is real . This is why our Federal Office for Information Security (BSI) advises parliamentarians and their groups in the parliament how to protect themselves . It starts with using virus protection software on your private computer but certainly doesn t end there.
Have cyber attacks increased during the last couple of years?
Yes, the threat situation is becoming increasingly critical . We still observe many security breaches in software and hardware, as analyzed in the BSI s annual report on the state of IT security . This in itself is critical . At the same time, however, our society, economy and state are increasingly becoming more digitalized, which also makes them more vulnerable . On top of that, attackers are becoming more professional, and they are using more intelligent malware.
In 2015, a broad-scale cyber attack on the Bundestag, the lower house of the German parliament, made headlines . What consequences did the government draw from the incident?
The Bundestag is in charge of its own IT security . However, there have been numerous consultations on how the parliament should make its network more secure, and the government took part in them . These recommendations were put into action very consistently . The network and its security components were completely rebuilt from scratch.
Could foreign intelligence services be involved in attacks like the one in 2015?
We are dealing with very professional attackers, that s why only in rare cases can you identify them indisputably . We analyze serious attacks very thoroughly to find out from where they originate . In order to do that, we take patterns from comparable attacks in the past as a reference . Based on such analogies, one can say with a certain probability where those attacks originate from and those analogies suggest that a majority of attacks comes from Russia or China, at least geographically.
How can Germany protect itself?
Attackers want to produce the largest effect possible . That s why they target their attacks primarily against critical infrastructure.
With Germany s IT security law introduced in 2015, we have created legislation that focuses on such infrastructures . On the one hand, it introduces minimum standards for IT security: how operators need to protect themselves against cyber attacks . There are regular checks to make sure they still follow those standards . On the other hand, they are obliged to inform authorities about any critical IT security incidents . If operators are affected, they need to alert the BSI about it, which in turn can analyze it, assess the threat and inform other operators as fast as possible so that they can protect themselves in time. I would like to apply a similar model to other companies which are not operating critical infrastructure and the public administration.
In November 2016, Germany introduced a cyber security strategy: a plan for the country on how to protect itself and how to best react to cyber attacks. What about attacks that have already happened and data that may have been taken?
A cyber attack can have different goals . One aim can be to extract information . If you have no possibility to prevent this, you need to cut off access to the internet . This was one of the measures taken during the cyber attack on the Bundestag . From this moment on, no more information can be extracted. However, in the aftermath, it s difficult to detect where malware could possibly have had access to and which data has been extracted.
What measures are you taking?
To guarantee an appropriate IT security level, we will consolidate the data centers and the networks of the national government and its institutions. Today, we have around 1,000 rooms with servers: large ones, medium-sized ones, small ones . We will centralize them at three or four highly-protected, locations . The same thing will be done with the networks . This is how we will protect the administration with a high standard of IT security.
Another measure is expanding our Cyber Defense Center opened in 2011 . The goal is to always have a clear description of what s happening in cyber space . To do that, we will analyze and assess cyber incidents, with all national security agencies exchanging technical information about the incidents with each other . Needless to say, cyber space is not limited to just Germany. And there s another plan we are pursuing: In Germany, we have large international companies with their own cyber security units, who observe cyber attacks, similarly to what our Cyber Defense Center does .
Four DAX companies have joined forces in the so-called German Cybersecurity Organization (DCSO) cooperation . Our idea is to work with them through exchanging technical information . However, we need a contractual basis for that . This is about highly sensitive data.
When in 2015, a Bundestag subcommittee met to discuss the hacking attack, a BSI official told the MPs that only around 15 employees inside his office had the expertise to analyze and deal with such an attack . This doesn t sound like a lot of people?
The BSI is only one unit in our Cyber Defense Center . We have more experts in the Federal Criminal Police, in the Armed Forces, and in both our domestic and the foreign intelligence agencies.
Talking about personnel: Part of the cyber security strategy is hiring more cyber security experts . How easy or difficult is it to find candidates with the necessary expertise?
There is a great demand for IT security experts . The BSI has hired several people recently . It wasn t easy to fill those positions placing an ad in some newspaper wouldn t be enough .
All those positions could be filled; in the meantime, however, we have new open positions.
How attractive a job is, however, is not only defined by its salary but also by how exciting or dynamic its environment is and by its compatibility with having a family.
The interview has been edited and condensed for clarity.
Related stories on these topics:
Albert Camus | WikiCommons
Merck CEO says pharma has a vital role in building global security.
2/16/17, 4:40 PM CET
Updated 2/17/17, 3:39 PM CET
In 2014, the devastating Ebola outbreak in West Africa took the world by surprise . The virus claimed more than 11,000 lives in Guinea, Liberia and Sierra Leone and caused immense suffering. Nevertheless, the world avoided a much larger catastrophe by a hair s breadth . Ebola revealed many shortcomings in health crisis preparation . Just imagine what would have happened had the virus been airborne . It would have taken just a few days for the disease to spread around the world.
As Gro Harlem Brundtland, a former director general of the World Health Organization, noted: In an interconnected and interdependent world, bacteria and viruses travel almost as fast as email messages and money flows. The Ebola crisis clearly demonstrated that health is a major dimension of global security . Apart from the immediate human toll, crises caused by viruses and the like can destabilize countries, ruin entire economies and severely affect international stability. Rising population numbers, rapid urbanization, increased mobility and failing political systems in many parts of the world further aggravate the challenge .
Health is a precondition for social and economic development and, ultimately, for international security . It is therefore more than justified that health security is now firmly anchored on the agenda of the Munich Security Conference, which begins Friday. First and foremost, we have to strengthen health systems in low- and middle-income countries. The next health security challenge is a known unknown . While it is impossible to predict exactly what it will be, we do know that it will come .
And we need to be prepared . In my view, there are three crucial topics that we must address. First and foremost, we have to strengthen health systems in low- and middle-income countries . After all, health systems that are able to provide quality services during normal times not only bring vast social improvements, they also deliver essential care during crises . And preparation literally pays off: The cost of preventing a full-scale health crisis is far less than responding to one . While the Ebola response in Sierra Leone, Guinea, and Liberia cost at least $4.3 billion, only $1.6 billion is considered sufficient to achieve the minimum package of essential health services for these countries.
However, many governments in low and middle-income countries lack the resources or the political will to provide adequate health services . Therefore, secondly, we need an approach involving stakeholders from all sectors . Governments must make health a priority and use their clout to champion better health care . The private sector, including the pharmaceutical industry, must also play its part . Given our ability to mobilize resources, scale up efforts and innovate, companies have a lot to contribute . We can help to strengthen health systems in two ways . Companies can engage in multisectoral partnerships . There already are many successful cases, for example when it comes to neglected tropical diseases or HIV/AIDS .
The recently launched Coalition for Epidemic Preparedness Innovations (CEPI) specifically addresses the development of vaccines against epidemic threats . Moreover, companies can contribute by sharing their expertise and experience in a wide range of business disciplines, such as research and development, manufacturing or supply chain management.
A Liberian health worker speaks with families in a classroom used as Ebola isolation ward
Thirdly, an effective global governance framework is critical for cross-sectoral collaboration to yield the best possible results . Consequently, we need to further enhance the effectiveness of the World Health Organization . The WHO is of tremendous importance owing to its legitimacy in addressing health concerns across borders, its authority to communicate about health as a global public good and its ability to work together with different sectors and industries . The next director general2 will need to strengthen accountability and transparency to gain significant funding and improve efficiency . He or she will also need to set priorities . Given the experience of the Ebola crisis, this should include health security.
Seventy years ago, in his novel The Plague, Albert Camus wrote, There have been as many plagues as wars in history; yet plagues and wars always take people equally by surprise . We must not content ourselves with this notion . By strengthening health systems, intensifying cross-sectoral collaboration and improving the WHO s effectiveness, we can make sure that the next plague does not catch us completely off-guard . We can prove Camus wrong . The time to act is now.
Stefan Oschmann is chairman of the executive board and chief executive of Merck.
Related stories on these topics:
It is alleged the youths were verbally and physically aggressive
By Reporter,1 Dec 2016 6.00am
Police in Dundee were called to a fast-food restaurant after reports of youths spitting and abusing security staff. The incident happened at the Camperdown McDonald s at Kingsway West Leisure Park on Friday night. It is alleged the youths were verbally and physically aggressive to staff.
A spokesman for McDonald s said yesterday: We can confirm that an incident occurred at our Camperdown restaurant on Friday evening in which the police were called to assist.
The safety of our staff is of the utmost importance and we take a zero-tolerance approach to any activity that puts this at risk. A police spokeswoman said: Police Scotland received a report that a group of teenagers was causing annoyance at McDonald s, Dayton Drive, Dundee, at about 9.15pm on Friday . The group left prior to police arrival and inquiries were made with security staff, who advised that no complaints were being made.