“Security is not a static condition”
Cybercrime is a real threat of increasing proportions. VIVID spoke with Markus Hartmann, senior public prosecutor and cybercrime expert based in Cologne, about the highly professional level of attacks on the Net - and why the topic of security is an issue of top priority.
Mr Hartmann, how serious is the threat emerging from the Net?
Cybercrime today is a thoroughly professionalised business model. We have infrastructures based on the division of labour on the part of the criminals, who offer a whole range of services that make cybercrime so successful: One gang searches for security vulnerabilities and sells them to the next group. The latter in turn specialises in penetrating companies, encrypting data and extorting a ransom. Still other groups are responsible for financial transactions. Cybercrime has become a thoroughly industrialised business field that is highly successful and lucrative from the perpetrators' point of view. With every ransom demand, the market grows. In addition, beyond the financial motivation, more and more operators guided or motivated by their governments, pursue cyber espionage, cyber sabotage or access to intellectual property. In both areas, we are concerned about the increasing quantity and quality of attacks.
How has cybercrime changed?
The 18-year-old hackers we had to get out of the basement in the beginning because they hacked bank data are no longer our clientele receiving the most attention. More and more criminals are going online because more and more life is moving online. In the past, people still shot with a shotgun, so to speak, in the hope that the attack with malware would hit someone. In the second phase, there were already targeted attacks on companies, from which criminals hoped to receive a ransom. The third phase, which we are in now, is running at a complex, highly professional level. For example, as soon as a software update is released, the perpetrators analyse it to find the original vulnerability. From then on, a race begins. If the attacker finds the vulnerability first, while a company has not yet applied the update, he has won.
What are the biggest cyber threats to companies?
The overriding issue at the moment is so-called ransomware, a malicious software that encrypts data in the company and where the perpetrators demand a ransom for the release of the decryption key. It completely paralyses a company. Many companies have improved their backup structures as a result. Today, perpetrators not only blackmail with decryption, they steal customer data in advance and also threaten to publish it. One danger, especially for innovative companies such as start-ups and hidden champions in the mid-sized sector, is the theft of intellectual goods. The third threat is asset-damaging offences such as CEO fraud, in which perpetrators impersonate the head of a company and trick employees into transferring large sums of money abroad.
“I can be safe today and forget to apply a patch tomorrow and then the door is wide open.”
Should you pay a ransom in the event of an attack?
This is a very complex question and you should always be aware of one particular aspect: Whoever pays, feeds the extortion market. The times when you could buy your way out with half a Bitcoin are over. The demands are now adapted to the financial level of the attacked companies and often range from six and to seven figures. We would much rather companies set themselves up in advance in such a way that, in the best case, they will not be compromised at all, and if they are, that they have such good backup structures that they will not be permanently restricted in their business operations.
As an entrepreneur, how can I protect myself from cybercrime?
Asking yourself precisely this question is the first step. The biggest deficit is that cyber security is not a top priority, but a matter for those sitting somewhere in the basement in the IT department. This is a very urgent problem. Since infrastructures in companies are so different, there is unfortunately not a generally applicable checklist. You have to analyse where your own structures are vulnerable - technically and in terms of content, you have to make sure that qualified employees or service providers are able to carry out this ongoing monitoring process. Security is not a static state. I achieve security by asking myself anew every day: Where have risks arisen and how do I evaluate them? Establishing this process permanently and iteratively in the company is the only answer to the question. I can be safe today and forget to apply a patch tomorrow and then the door is wide open.
Where do dangers lurk in the future?
In our view, the degree of professionalisation on the part of the perpetrators has not yet been exhausted. We will see even more attacks of even higher quality. And: We will have to critically account for how endangered our own infrastructure is, not so much on a corporate level, but rather on the level of society as a whole. After all, no company can operate if the basic state infrastructures are not functional. With more digital infrastructures, the digital vulnerability also increases, of course. The case of the university hospital in Düsseldorf, for example, showed very clearly that a simple ransomware attack can put health, healthcare and even lives at risk. •
About ZAC NRW
The ZAC NRW conducts cybercrime proceedings of outstanding importance. In addition, it is the central point of contact for questions in the field of cybercrime for public prosecutors' offices and police authorities in North Rhine-Westphalia and other states as well as the federal government. Furthermore, it is available as a contact point for cooperation with science and industry, insofar as this is compatible with its task as a law enforcement agency.
Markus Hartmann
Senior public prosecutor as head of department at the Cologne public prosecutor's office
Head of the Central and Contact Point Cybercrime North Rhine-Westphalia (ZAC NRW)
Since 2006, public prosecutor, initially in the general and white-collar criminal divisions (corruption offences)
Since 2008 responsible for cybercrime and ICT offences
Founding head of the ZAC Cologne (predecessor of the ZAC NRW)
Head of the Central and Contact Point Cybercrime North Rhine-Westphalia since its foundation in April 2016
2016: 5 public prosecutors in the Central Unit, end of 2021: 38 public prosecutors in the Central Unit
Interview Karolina Landowski
Pictures istock; Andreas Brück, ZAC NRW