Weaknesses in the vulnerability analysis?

The working group set up to identify potential threats to the "Critical infrastructures" Working group convened presents initial results

The data floods on commercial websites at the beginning of February also set alarm bells ringing in the Federal Ministry of the Interior: Last week, Minister Otto Schily put a stop to the alleged "Hacker attacks on the Internet", as it misleadingly states in a press release, a task force (Schily’s Cyberwar) a. The working group, which is composed of members of the Federal Ministry of the Interior, the Federal Office for Information Security (BSI) and the Federal Criminal Police Office (BKA), will jointly assess the threats to Germany and whether countermeasures are necessary.

However, a similar mandate has already been given to the working group coordinated by the BSI "Critical infrastructures" (Kritis), which has been searching for open flanks of networking across departments since 1997, mainly in the area of federal administration and ministries. The first fruits of more than two years of research were presented by Joachim Weber of the BSI at the Fundamental Rights Conference in Berlin (What fundamental rights remain for networked people?)?).

To put it right up front: Who of the still in departmental vote "Sensitization report" or concrete indications of the vulnerability of the communications infrastructures of nuclear power plant XY will be disappointed. At least the short report does not seem to contain more than a general analysis of weaknesses in networked information technology. According to Weber, it is now available in numerous versions, but without a specific publication date, and is to be supplemented by a detailed long version that will not be available to the public. Whether the report in the administration or in companies with these results, however, anyone actually "sensitize" The fact that the report can find a way around standards will have to be seen after publication.

The working group’s mandate, Weber said, was to define threat scenarios, define critical infrastructures, identify and assess vulnerabilities, propose remedies, and outline an early warning and analysis system. The difficulties had already begun with the clarification of the actual object of the work, as "tend to consider every major agency as critical infrastructure" perceive. Ten "really" The remaining areas of critical infrastructure include energy and water supply, telecommunications and transport systems, the banking sector, and the administration, including the armed forces and the judiciary. Kritis uses the results of similar studies in the USA or Switzerland for the listing. However, Weber explains that there are problems of demarcation in almost all of the areas identified. For example, it was not possible to work out clearly to what extent the judiciary could really be affected. Thus, one must ask whether a short-term failure of the judicial system would really affect human lives or threaten damage to property.

The report distinguishes between external and internal threats. Attackers from outside, Weber explains, could target the manipulation of communication links, could introduce software into computer systems and thus cause damage, or could target application software directly. Hardware could also be damaged or destroyed with electronic weapons. bombings are not among the forms of attack dealt with by Kritis.

Internal perpetrators, according to Weber, are able to introduce programs with damaging functions, to misuse system resources or to manipulate devices or software. To the "other" The report identifies outsourcing, which is always associated with a loss of control and dependence on a service provider, as well as the increasing complexity and density of integration of hardware and software areas. Y2K was a good example of this, Weber explains, even if it did not result in a major incident. Nowadays, even the smallest overvoltages are enough to immediately paralyze electronics.

Weber sees a need for action above all in the development of communication links between the individual infrastructure areas. "They don’t talk to each other", complains the technician. In addition, expert knowledge needs to be expanded, a more detailed risk analysis needs to be carried out, and the "Establishment of initiatives" to drive forward. When developing protection measures, international coordination must not be forgotten.

Overall, Weber questions the extent to which the protection of critical infrastructures can or should be a government task at all. Telekom, for example, the pillar that connects all sectors, is privatized, and the remaining telecommunications providers are also private companies. It would also be impossible for the working group to find a solution for the "Transport association Schleswig-Nord" to speak. However, the dialogue with the business community was only just beginning and needed to be intensified.

The fact that the insights into the report provided in advance are not very sensational compared to similar studies in the U.S. may be due to several reasons: For one thing, it is possible that in Germany, the infrastructures of the water supply "safer" are more important than on the other side of the Atlantic. Thanks to the stricter data protection regulations here in Germany, which also included provisions on IT security, network infrastructures in Germany were generally built with a relatively rough hand, believe Ute Bernhard and Ingo Ruhmann of the Forum InformatikerInnen fur Frieden und gesellschaftliche Verantwortung (FIfF). The USA had "the internet connection of authorities on the other hand often pushed forward without paying attention to risks."

However, it could also be amed that the political will to disclose vulnerabilities is not very pronounced in Germany. With two and a half authorized positions, the Critis working group is very generously equipped for the clarification of cyber risks, criticizes Frank Rieger of the Chaos Computer Club (CCC). When the President’s Commission on Critical Infrastructure Protection (PCCIP) presented its detailed report on vulnerabilities to Bill Clinton in 1997, which at times involved more than 200 staff members, the German government at the time initially even took the view that a comparable group could be set up "not necessary" is. A few weeks later, however, former Minister of the Interior Manfred Kanther ied an instruction to the BSI to establish Kritis. But whether and when the working group will ever complete its work remains up in the air, given the sensitivities in individual departments.