Yvonne Hofstetter, a lawyer and best-selling author, is one of the most prominent thinkers on digital transformation, and does not shy from voicing provocative ideas. In an interview, she warns of criminal hackers who on behalf of their governments endanger the economy and world peace.
43 billion euros: According to a study* by industry association Bitkom, that’s the cost of hacker attacks to Germany’s manufacturing sector in the past two years alone. Who is behind the attacks?
Yvonne Hofstetter: There’s a huge gap between what people think and what’s really happening. Many think it’s some 18-year-old nerds somewhere cracking foreign computers from their bedrooms. Granted, these hackers do exist. But slowly, awareness is growing that hacks may be motivated by countries mounting attacks on businesses and institutions for strategic reasons. For example, the Russian secret service and the Chinese state both make use of private hacker groups.
What do the hackers hope to achieve?
They have three major goals: espionage, sabotage and subversion. Some attackers aim to steal information for economic and political gain. Others attempt sabotage by seeding malware into sensitive or system-relevant infrastructures, the idea being to trigger them at a politically opportune moment and wreak maximum damage. And we experienced what subversion can mean during the US presidential elections in 2016: ultimately, it wasn’t about data, it was about power.
Hacker attacks are often directed at critical infrastructures such as power grids or water utilities. What’s the worst damage that cyber criminals can wreak in these installations?
In the worst-case scenario, they could take the entire infrastructure down for several hours. This wouldn’t push the country instantly back into the pre-digital era. But the economy would falter, transactions would be far slower to execute, and there would be widespread anxiety and confusion. If failures like this were to become common, confidence in structures would take a real hit, especially in an open, pluralistic society like ours. This is precisely the aim of hacker attacks: not to cause immediate destruction, but to sow insecurity.
There’s already widespread talk of a possible cyber war. To what extent can code be weaponized?
Code itself has never killed anyone, even though malware can weaponize industrial installations for example by causing a gas pipeline to explode. However, a NATO expert committee has decided that a cyber attack cannot be equated with an armed attack because no kinetic energy is released. So when cyber attacks take place, they are regularly below the threshold that would trigger war. This also has consequences under international law.
Only an armed attack triggers a country’s right of self-defense. There are extremely tight legal constraints on the permissible responses to a hacking attack – but these permissible responses include tanks or fighter jets. Every government that suffers a cyber attack must therefore answer one question for itself: can it ride out the escalation? Because even a minor escalation in cyberspace would be enough to trigger what nobody wants: a hot war outside cyberspace.
In your view, what’s the level of awareness in the German economy of the problem of cyber attacks?
People duck the issue and say: I’m just an SME; I’m not important enough for a global attack. But that is not true. Ransomware and malware are spreading incredibly fast – and they won’t necessarily distinguish between strategic and non-strategic targets. In 2017, the damage caused by the ransomware NotPetya began in Ukraine but then swept all over the world: the Trojan was able to spread rapidly, spying and installing malware. The cost to businesses ran into hundreds of millions of dollars.
So should companies focus on prevention rather than skirting around the issue altogether?
Prevention is a tricky question actually because you can’t really protect yourself. The attacks are getting better and better, with many now difficult to detect even by experts. They often draw on social engineering: a supplier is compromised, and customers receive a deceptively real-sounding mail from the supplier with attachments that they proceed to open – without ever suspecting anything is wrong – and suddenly they have malware in their systems. Or the victim clicks a link and is taken to a fake website that skims personal information.
Many companies are still running critical infrastructure on insecure software.
Defenses include staff awareness training, working with “good” hackers or using AI: what else can companies do to protect themselves against attacks?
I know that many companies in the security sector already promote their use of AI as a selling point. In my view, it’s just marketing talk. We’re still a long way from genuinely detecting anomalies with AI, and being able to tell attackers and normal staff apart. Awareness training is also a difficult issue. Many places still run their IT on Windows XP software, which is no longer supported. From 2020, the same will go for Windows 7. But updating the software would result in the loss of certifications for expensive X-ray equipment or weapon systems that are linked to a particular operating system. For this reason, critical infrastructure in many companies still runs on insecure software. Raising staff awareness won’t make any difference to this at all.
What solution would you recommend instead to managers and decision-makers in organizations to protect against hacker attacks?
One solution would be not to go digital with everything that can be digitized, and especially not to connect everything to the open Internet. Passenger airplanes, for example, never used to be hooked up to the Internet, and nor were defense systems – but they were still connected. There used to be segregated networks for system-critical infrastructure.
Germany’s government recently defined what sectors its Critical Infrastructure Protection program covers: the sectors range from food and transport to water. In the Industry 4.0 and cloud computing era, is it truly realistic to roll back development?
We shouldn’t assume Industry 4.0 is already a widespread standard, even if media or IT consultants claim otherwise. I know of companies that began digital transformation of system-critical infrastructures, but have since partly reverted to analog functionality. They realized that their digital infrastructure is so complex and expensive to maintain that troubleshooting takes far longer than with their old system approaches.
You yourself don’t use a smartphone. What else do you do to protect your data?
I don’t have Facebook or Twitter because I can well do without this kind of advertising. I still don’t have a smartphone, but the other day I had to buy an iPad. I use it for my online banking – my bank is now forcing me to work with an app. But I still keep telephony and data backup separate.
As a digital transformation expert, how do you stay up-to-date in the professional context if you choose largely to do without apps and digital devices?
I am online too, but rarely use mobile connections. E-mails can comfortably wait a couple of days for a reply. In the office I use laptops and desktops. We have a red network and a black one. Red is not connected to the Internet. It contains critical proprietary developments and copyrights. Black is allowed to be online, but the connected machines don’t store any data of relevance. We take care to keep our data volumes down; we don’t use public clouds, only private European clouds. Staff who are on the move use MiFi, and surf exclusively via the company’s own secure networks. We steer clear of American and Chinese systems wherever possible, and use European alternatives instead.
With all these developments, have you at least retained some optimism that technologies can be harnessed for liberal and democratic purposes – or does the apprehension predominate?
Anyone who says that new technologies lead to greater democratization must have been asleep for the last few years. We’ve seen that for example Facebook, Twitter and other platforms have attacked democracy. The anti-democratic attitude is embedded in their business model; the platforms thrive by generating fake news, filter bubbles and echo chambers. There are so many anti-democratic tendencies in digital transformation that I’m certain it will end up like coal. After the end of the war, coal was celebrated; now we’re trying to close down all the coal-fired power stations because they pollute the air.
Yvonne Hofstetter’s take on data security and protecting against attacks:
The expansion of connectivity at all levels increases the danger of cyber attacks.
Hackers are pursuing three major goals: espionage, sabotage and subversion.
German industry has low awareness of issues around data security and defending against attacks.
Any company can fall prey to a cyber attack – because malware spreads rapidly.
If possible, companies should not attach system-critical infrastructures to the open Internet.
* Business Insurance, 2018: