Make cybersecurity a top priority
Europe needs coherent national strategies and EU operational concepts
Interview with Arne Schönbohm, President of the Federal Office for Information Security (BSI), Bonn
The European: Mr Schönbohm, you have been the President of the German Federal Office for Information Security (BSI) since early 2016. In February of that year you were given the task of re-designing and building up this agency on solid foundations and with a budget allowing you to pursue ambitious objectives. On the national level, you developed the BSI into the German cybersecurity agency with the obligation to help the private sector develop security standards. Within the European Union you cooperate with your counterparts from other Member States, supporting the EU to ensure coherence and efficiency in cybersecurity. Have you been able to realise your ambitions, and what is the status of German cybersecurity today?

Arne Schönbohm: Indeed, we have made great progress in the field of cybersecurity in general. The IT security law of 2015, which was a great effort by the Federal Ministry of the Interior and the federal government, has had a big impact, especially for critical infrastructure, and will continue to do so. We have developed a common and widely regarded cloud security standard (C5) with our French partner agency ANSSI. Last but not least, the EU Cybersecurity Act was passed.
The European: What are its advantages?

Arne Schönbohm: This legislation will allow us to develop a more streamlined European IT security certification policy which will improve the security features of IT products, potentially having a large impact on the unregulated market for Internet of Things (IoT) consumer devices and more. Together with the new and improved mandate for the EU Agency for Cybersecurity (ENISA), we are heading steadily in the right direction. But make no mistake, we still have a long way to go. We still see a very high level of threat. We have seen a new quality in cyber-attacks and we have all witnessed successful cyber-attacks with enormous economic damage. We need to make cybersecurity a top priority at all levels of our society, in business and industry, consumer markets and the government.

The European: As you said, there are many examples of successful responses at the administrative level, but have you succeeded in helping the private sector, the more vulnerable part of your system, to correct its weaknesses?

Arne Schönbohm: We are working hard to prepare all small and medium-sized businesses for their digital future. We have a lot to offer and our approach is widely accepted. Our Cybersecurity Alliance offers close to 4,000 companies, organisations and institutions the right setting for the exchange of best practices and practical IT security measures. For example, we support the development of sector-specific “IT Basic Protection Profiles” and have launched many awareness campaigns. But again, cybersecurity needs a permanent effort to succeed.

The European: Allow me to come back to Small and Medium Enterprises (SMEs) in Europe, the backbone of our industry. What about their security? Allensbach, in cooperation with Deloitte, state in their 2018 Security Report that SME CEOs’ awareness of the likelihood of a cyber-attack is falling.

Arne Schönbohm: I think it is clear that we have made significant progress here. The 2019 Cybersecurity Report states that managers see a rising threat level, especially for data theft or data abuse. Almost 90 percent of small and medium-sized businesses have seen attacks on their networks. Four out of five companies are in favour of a strengthened Federal Office for Information Security. That same report states that only 25 percent of company CEOs are regularly informed about the state of cybersecurity in their companies. We need to raise that number to close to 100 percent!

The European: When you compare the German system of cybersecurity with those of your partners in Europe, what are the lessons we have learnt from the most recent cyber-attacks?

Arne Schönbohm: We have seen data leaks, ransomware attacks and industrial espionage all over Europe. Like all of our partners, we are therefore directing our efforts to address these issues more robustly. As cooperation is key, we see great value in the collaboration with our European partners and ENISA. Our success with preventative actions is encouraging, for example in our successful efforts to secure the EU elections in each Member State. These preparations were started in a timely manner and included preparations and exchanges on a European level with the relevant Union institutions and the involvement of many Member States.

The European: Does this mean that you take your cue from ENISA?

Arne Schönbohm: The extension of ENISA’s mandate has further supported its mission to increase the maturity of cybersecurity within Europe. At the same time, we must not slow down our efforts at the national level. Each national agency must continue to increase its own capacities, especially in the field of detection and responses to cyber-attacks. The good news is that I do not see any of our partners falling back here. Without any doubt, these efforts will bear fruit by making cyber-attacks more difficult to perpetrate and reducing their possible impact all over Europe.

The European: Let us turn now to the European Union, your other strategic terrain, as you mentioned: didn’t the EU Global Strategy from 2014 open more than an interesting discussion on cyberspace and defence, meaning “Integrated Cyber”? Does this mean that cyber will never stand alone? For any nation, for any purpose? Will it be sufficient to “think integrated”, or do we need advanced operational planning?
Arne Schönbohm: To be clear on your question, cyber definitely never stands alone. Cyber threats may often appear in isolation, no matter what kind of actor we are dealing with. At the same time, “hybrid threats” are high on the agenda in discussions in different forums. In principle, hybrid threats are nothing new. There are many examples in the past of a mix of methods. The new development today is the scale of hybrid threats. Clearly, cyberspace works like a catalyst and cyber threats are an important component. However, it is only one component in a number of potential threats, ranging from external players fomenting social strife to military attacks. In order to optimise our preventive and defensive measures against potential hybrid threats, BSI therefore has to cooperate closely with other security authorities. This is not only true for hybrid threats but also for cybersecurity itself.

The European: I agree with you that, when you are operating within a coalition, the more advanced will be held back by the less advanced. As national responsibility comes first, how might the EU support its less advanced members to do more and better?

Arne Schönbohm: The most important step in this regard was the NIS Directive, which sets the framework for a higher level of cybersecurity in Europe and guarantees a minimum level of cybersecurity with respect to critical infrastructures as well as a functioning cybersecurity architecture. In addition, the establishment of new cooperation formats like the NIS Cooperation Group or the CSIRTs Network are of great value and definitely support smaller Member States and nurture an enhanced spirit of cooperation and communication between all European stakeholders on cyber issues. Next year, there will be an evaluation of the NIS Directive and I am confident that we will identify the next steps that we will need to take.

The European: This is a positive development, but all this is purely defensive. The EU as a whole has a multitude of industries and our welfare depends on their capacity to produce. The protection of European critical infrastructure is essential for all of us across Europe. Do you believe that the EU can survive just with a handful of sophisticated measures to ward off attacks and no deterrence? Hackers, from wherever they come, may have no fear of retaliation. Might a hack-back strategy not be more appropriate?

Arne Schönbohm: The first thing we need is preventive measures. We need to ensure that cybersecurity becomes one of the top priorities in the whole of the ongoing process of digitisation. We need to make sure, as a society, that we protect our critical infrastructure. We have made progress with the IT security law, which will be evaluated and updated. Regarding active cyber defence, we already stated in the Cybersecurity Strategy 2016 that serious cyber-attacks are conceivable where preventive measures are not sufficient for an effective and immediate defence. We must examine the extent to which we need measures that are more active to stop the negative effects of such cyber-attacks. But that has nothing to do with a hack-back deterrence strategy.

The European: Ultimately, that means that effective cyber resilience has to be embedded in the whole of society. Where do we stand in this regard, both in Germany and the EU?

Arne Schönbohm: I am convinced that cybersecurity is the premise for successful digitisation. Only if we implement adequate security measures consistently, in every digital product and in every single IT network, will we be able to enjoy the wider benefits of digitisation. No one will use self-driving cars if they can be taken over remotely. No one will trust the underlying infrastructure if it can be hacked. That is why we are working on securing car-to-car and car-to-x communications.

The European: How far do you see this “security strategy” going?

Arne Schönbohm: Without any doubt, the same is true for the security of our personal data, our health care data, our financial services and our power grid. From IoT to International Card Services (ICS) products, security and robustness must be an integral part of implementation from the outset. At the same time, users must be able to choose the products that put them at lesser risk. Ultimately this requires better labelling and awareness about the processing of their data. So yes, effective cyber resilience has to be societal. And we are working very closely with our research clusters and data protection offices as well as our police authorities, civil defence authorities, armed forces and so on to achieve the highest possible level of cybersecurity for our society as a whole.

The European: President, these are the national efforts. What about efforts in other countries?

Arne Schönbohm: These efforts must not stop at our national borders. I think there are promising approaches in the EU as well, ranging from legislation to other measures like awareness raising. The EU Cybersecurity Act and the “European Cybersecurity Month” (October 2019) are just two examples.

Arne Schönbohm has been President of the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) since February 2016. Born in 1969 in Hamburg, Germany, he studied International Management in Dortmund, London and Taipei. Mr Schönbohm worked in different positions at EADS, inter alia as Vice-President for commercial and defence solutions. In 2008, he became Chairman of the board of BuCET Shared Services AG (BSS AG). Prior to his current position, Mr Schönbohm was President of the Cyber-Security Council Germany. Throughout his career, he has been a security expert and advisor for several political decision-makers at the regional, federal and European level.

ENISA celebrated its 15th anniversary in March 2019 in Brussels, in the presence of its then Executive Director Udo Helmbrecht, who handed over his duties to his successor, Mr Juhan Lepassaar, on 15 October 2019. Photo: © European Union, 2019; Source: EC – Audiovisual Service/Jennifer Jacquemart
The European: Cyber technologies, because of their importance for a nation or a coalition, are in many cases highly political and controversial. This is the case in the discussion of equipment for future 5G networks. Mr Trump has advised his European partners via Twitter not to buy from “enemies”, which means not cooperating with Chinese providers, namely Huawei. Is this a question of trust? What exactly is the problem?

Arne Schönbohm: We need to make sure that we protect the integrity and the availability of our communication networks. This is why we are working closely with the German Federal Network Agency on the development of a catalogue of minimum standards for 5G networks. We are confident that this catalogue will provide a robust technical basis to ensure the security of 5G networks. Furthermore, we are also working within the EU on this matter and have concerted our efforts to make 5G highly secure. The EU has initiated a process to develop a combined risk assessment as well as a toolbox with effective mitigating measures, to be available by the end of this year.
The European: Isn’t it frustrating to hear from time to time from politicians, corporate leaders and academia that cyber is an issue of national sovereignty and therefore that cooperation must be restricted? There is mistrust at all levels.

Arne Schönbohm: I really do not agree with this perception! There is no need to be afraid and to lose a lot of sleep over cybersecurity. Sure, there is work to do, but Europe generally is still in good shape. We should value the partnership we have and the good work that has been done on so many levels rather than downplay these advances. I firmly believe that the best way to increase trust between partners is to engage in dialogue at a bi- or multilateral level. Europe is the natural forum in this regard.
The European: And looking across the Atlantic?

Arne Schönbohm: Well, we must not lose sight of transatlantic cooperation. But we must never forget that in some instances, cybersecurity is definitely a national issue when it affects our local or national networks. Not everything can be solved on an EU or international level. This is why national Cybersecurity Agencies are still so essential. Only capable national agencies can contribute to an effective exchange and the construction of an international ecosystem in cybersecurity.
The European: President Schönbohm, I am grateful for your openness and wish you every success in your future endeavours.
Cybersecurity Alliance
The Cybersecurity Alliance (Allianz für Cyber-Sicherheit) was founded in 2012. This platform for cooperation with business, government, research and science and other institutions offers a wide range of information on cybersecurity issues. The initiative focuses in particular on small and medium-sized enterprises. With the Cybersecurity Alliance, the Federal Office for Information Security (BSI) is pursuing the goal of strengthening Germany’s resilience against cyber-attacks.
Web: www.allianz-fuer-cybersicherheit.de