Germany is currently experiencing a significant increase in cyber threats, with the risk of ransomware attacks considered exceptionally high, according to the latest report from the German Federal Office for Information Security.
Read the original German article here.
On Thursday (2 November), Germany’s Office for Information Security (BSI) presented its status report on IT and cybersecurity in the country, which covers the period from June 2022 to June 2023.
The report described the threat level “higher than ever before”, recording the highest average increase in malware types with 332,000 new variants per day in the period observed.
The number of German ransomware victims whose names and captured data were published on leak sites also reached an all-time high in the second quarter, with 65.
“The BSI report on the state of IT security in Germany in 2023 proves that the threat situation in cyberspace remains tense,” said German Interior Minister Nancy Faeser.
Ransomware and tech advancements
The report also found that ransomware remains the top threat.
Identity theft is increasing, and government institutions are noting an increase in advanced persistent threats (APTs) – cyber espionage or sabotage attacks carried out over time to gain information or manipulation.
As attackers take the path of least resistance, small and medium-sized enterprises (SMEs) and local governments are particularly vulnerable to cyber-attacks. With SMEs accounting for around 80% of the German economy, the threat potential is particularly high.
Supply chain attacks are another trend highlighted in the report. Here, companies are not directly targeted, but malware, such as viruses, is spread via third-party suppliers. This means that a large number of victims can be attacked at the same time.
Also challenging, according to the report, are advancements in tech.
In addition to the technological advances of generative AI, which has led to a qualitative improvement in deepfakes, phishing and fraud attacks, the advancement of powerful quantum technology and the likely cybersecurity threats it will foster is also seen as a challenge.
The report also recorded a 24% increase in the number of vulnerabilities found in software products. These are often the “first port of call for cybercriminals”. One in two of the 70 new vulnerabilities discovered on average per day were classified as critical.
“Cybercrime-as-a-service” is another security risk.
With the professionalisation of cybercrime and the growth of a cybercriminal shadow economy, it is increasingly becoming a service that attackers can purchase tools for online, the report notes.
During the reporting period, the BSI also recorded increased DDoS attacks by pro-Russian hacktivists.
“Since last year, we have had Putin’s terrible war of aggression in Ukraine. This year, we have a terrible war in Israel. We have this barbaric attack by Hamas. That poses an incredible challenge to security authorities,” Faeser said.
Cyber skills gap keeps widening, report warns
A new report on the Global Approaches to Cyber Policy, Legislation and Regulation gets to the bottom of the cyber skill talent gap, which increased in the EMEA region by almost 60%.
Countermeasures
The German government wants to give the BSI more decision-making power to counter this trend, expanding it to play a central role in federal-state relations.
“Germany must see itself as a cybernation and act accordingly. For the BSI, the creation of a nationwide central office for cybersecurity is essential in this context – if only to be able to create a uniform national picture of the situation,” says BSI President Claudia Plattner.
The BSI, as a central office, should enable a more coordinated response to cyber attacks on critical infrastructure.
“If, for example, the lights go out in Munich and Bremen at the same time due to a cyberattack that may be politically motivated, I don’t want to discuss who has the authority to decide and who is in charge,” says Faeser.
With a glance at EU legislation to improve cyber resilience, the BSI bets on its effectiveness.
For example, EU countries have until October 2024 to implement the revised Network and Information Security Directive (NIS2) – a new rule that subjects cloud computing services to the same stricter obligations as critical infrastructure operators.
Additionally, EU institutions are currently negotiating the proposed EU Cyber Resilience Act, which aims to introduce EU-wide cybersecurity requirements and put more responsibility on manufacturers.
“I expect a lot of movement here in the next few years. We are already preparing for this in the BSI to see how we can help to shape the market accordingly,” said Plattner about the Cyber Resilience Act.
[Edited by Oliver Noyan/Luca Bertuzzi/Alice Taylor]
Read more with EURACTIV
Experts question EU report on emerging deep tech
Experts have criticised a new report by the European Innovation Council (EIC) on emerging deep technologies, breakthrough innovations, and early-stage research projects, calling into question its approach to quantum computing and semiconductors.