Germany’s Cybersecurity Strategy: How Will it Work?
Following a cyberattack that caused the German wire and cable manufacturer Leoni AG to lose more than $44 million, and an internal assessment by the country’s Federal Office for Information Security that Germany is under a state of near-permanent cyberattack, the country recently adopted a new cybersecurity strategy to stay ahead of those increasing cyber threats. The strategy will lead to the creation of a Quick Reaction Task Force, increased cooperation between the public and private sectors to defend against cybersecurity threats, and heightened awareness among businesses to help them recognize the kind of threat that led to Leoni’s losses.
The new strategy follows a law that Germany enacted in 2015 to regulate cybersecurity practices among private industries. That law requires private companies to conduct security audits and to report hacking incidents to the country’s information security agency. The law has been criticized, however, as being too vague with respect to its definitions of minimum security measures. Companies that are subject to the law also noted that they are unable to determine their costs of complying with it, and that its reporting requirements will put them at a disadvantage against international companies that are not subject to the same requirements.
Germany has had a dedicated cyber defense center since 2011. The country’s formation of the new Quick Reaction Task Force is an implicit recognition of its cyber defense center’s limitations. Germany has apparently acknowledged that even the best government resources and defenses will not stop every cyberattack. It will continue to erect defensive barriers, but when a cyberattack breaks through those barriers, the country will work to quickly identify the attack and to marshal all resources to stop the cyberattack before it causes too much damage.
The extent and success of cooperation between the German public and private sectors will not be known until the new strategy is fully implemented and compliance with the law is measured. Private industry has bristled at requirements to report cyberattacks out of concern for its reputation and the potential loss of value that comes with disclosing that a company was the target of a cyberattack. Few companies are willing to take on the added costs and administrative burdens associated with these reporting obligations. Still, cooperation among private industries can be crucial to the adoption of the best defensive practices against cyberattacks and the implementation of protocols to shut a cyberattack down as quickly as possible after it is launched.
Heightened awareness of cybersecurity threats will be an ongoing initiative, as hackers develop new threats to evade existing cybersecurity defenses. If more individuals had been aware of the rise of the business “whaling” email scam that affected Leoni, for example, the employee who ultimately authorized the fund transfer might have been better able to recognize the initial transfer request as a scam.
Still, every threat and dangerous situation will be crystal clear in hindsight. Cyber security solutions that focus on quickly shutting down a threat and improving awareness of new threats will not provide an easy remedy for organizations that have already been harmed by a cyberattack, but they will help. Right now, the most readily available remedy comes through cyber security insurance that provides compensation for an organization’s direct and third-party losses resulting from a cyberattack.
This is not a critique of the new German strategy. Rather, it is a reflection of the real risk of economic losses that organizations face every day when they are under an onslaught of cyberattacks. Adding cyber security insurance to Germany’s strategy would provide the most complete and effective protection currently available against cyberattacks.