followed up! - with Steffen Ullrich, genua

Andrea Gillhuber,

Multi-layered protection

In the wake of the Russia-Ukraine conflict, the BSI is warning of Russian hacker attacks. IT security researcher Steffen Ullrich explains the danger for German companies and what protective measures should be taken.

Steffen Ullrich, IT security researcher at genua

© genua

Political tensions are increasingly being played out in the digital space. Infrastructure, institutions and companies are also affected. How high is the actual risk of state hacker attacks?

Steffen Ullrich: In general, more and more critical processes are being digitized and networked. This increases society's vulnerability to cyberattacks. Such attacks can be carried out with comparatively little effort. An unclear legal situation and the unreliable traceability of attackers make it possible to carry them out outside of 'official' wars.

State hacker attacks essentially serve two purposes: espionage and sabotage. Both become more important in crisis situations. Gathering information through political and military espionage makes it possible to react proactively to potentially undesirable decisions. In other words, the aim is to take precautions at an early stage in order to minimize the impact; or to delay or defuse decisions by deliberately influencing opinion leaders. The infiltration of infrastructure or even sabotage helps to trigger economic and social instability and can also be used as a means of exerting pressure.

Russia has often demonstrated its excellent cyber attack capabilities in the past. In 2020, attackers infiltrated American authorities via a backdoor in the SolarWinds Orion network management platform. In 2015, a successful espionage attack was carried out on the German Bundestag. And in recent years, there have been several Russian attacks on Ukrainian infrastructure, which have led to large-scale power outages lasting several days, among other things. These offensives have intensified with the current conflict.

What support are state institutions in Germany and Europe providing?

Ullrich: Several government institutions such as the BSI, the Federal Office for the Protection of the Constitution and the Federal Criminal Police Office work together in the National Cyber Defense Center. They offer companies analyses and recommendations for action to improve security and provide support in the event of incidents. Important Europe-wide cooperation takes place within the European Cybersecurity Agency (ENISA). However, state criminal investigation offices are also available as contacts in the event of cyber attacks.

What are the potential points of attack for companies and how can they protect themselves against them?

Ullrich: In terms of potential attack vectors, the first thing to do is to protect externally accessible resources. These include internal systems exposed via remote desktop or VPN, company data and cloud services. In addition to restrictive access control using multi-factor authentication, securing the access perimeter is essential. This is because critical bugs in VPN products or Microsoft Exchange have made it possible to bypass access controls in recent years.

However, the attacker is often brought into the network indirectly, for example through compromised websites, email attachments or phishing. Even those who only visit external websites can cause unexpected access to internal websites. In addition to restrictive content control, it is therefore important to secure internal systems. This means that you should not just rely on perimeter protection.

Ultimately, you have to assume that an attacker will make it into the internal network at some point. Zero trust concepts such as micro-segmentation then proactively prevent the attacker from spreading further, while monitoring and anomaly detection contribute to early detection of the attack and thus to damage limitation. With the amended §8a (1a), attack detection systems are explicitly part of the technical and organizational security precautions in KRITIS facilities.

How exactly can zero trust concepts help?

Ullrich: Zero-trust concepts focus on the granular protection of individual services instead of securing an entire network. This reduces complexity and supports the implementation of security measures tailored to the actual requirements of the respective service. Zero Trust makes it possible to operate individual services with higher security requirements without compromising the usability and efficiency of less sensitive services through network-wide restrictive security measures. However, service-based access control is not necessarily error-free, as we experienced with the critical ProxyLogon vulnerability in MS Exchange 2021. For high resilience, a multi-layered defense strategy should be chosen, e.g. network-based access control via VPN combined with service-based access control. And the Log4j vulnerability at the end of 2021 shows once again that not only communication to the service should be restricted, but also communication from the service.
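A concrete form of the two points made in the last answers, micro-segmentation per service and restricting traffic leaving the service as well as traffic reaching it: this is an added example, not code from the interview or from genua's products, and the policy class, hosts, ports and address ranges are all constructed.

```python
"""Added example (not from the interview): a per-service micro-segmentation
policy that is default-deny in both directions, with a small evaluator and an
nftables rendering. Hosts, ports and CIDRs are constructed sample values."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class ServicePolicy:
    name: str
    listen_port: int                     # the single port this service exposes
    allowed_clients: list                # CIDRs that may reach listen_port
    allowed_egress: list = field(default_factory=list)  # (CIDR, port) pairs

    def allows(self, direction: str, peer_ip: str, port: int) -> bool:
        """True only if the flow matches an explicit allow rule; else deny."""
        peer = ip_address(peer_ip)
        if direction == "in":
            return port == self.listen_port and any(
                peer in ip_network(c) for c in self.allowed_clients)
        if direction == "out":
            return any(peer in ip_network(c) and port == p
                       for c, p in self.allowed_egress)
        return False

    def to_nft(self) -> list:
        """Render as nftables rule lines for chains whose policy is 'drop'."""
        rules = [f"ip saddr {c} tcp dport {self.listen_port} accept"
                 for c in self.allowed_clients]
        rules += [f"ip daddr {c} tcp dport {p} accept"
                  for c, p in self.allowed_egress]
        return rules


# Constructed sample: an application server reachable only from the VPN client
# pool (network layer) on its service port (service layer); egress is limited
# to its database and its log collector.
APP = ServicePolicy("app", 8443, ["10.20.0.0/24"],
                    [("10.30.0.5", 5432), ("10.30.0.10", 514)])

# Constructed flows; the last one is the kind of outbound lookup a Log4j-style
# exploit depends on, which egress default-deny stops even if the service is hit.
FLOWS = [("in", "10.20.0.17", 8443), ("in", "192.0.2.7", 8443),
         ("out", "10.30.0.5", 5432), ("out", "10.30.0.5", 22),
         ("out", "203.0.113.9", 1389)]


def decide(policy, flows):
    """Label each flow accept/drop under the policy (drop is the default)."""
    return [(d, ip, port, "accept" if policy.allows(d, ip, port) else "drop")
            for d, ip, port in flows]
```

The rendered lines belong in input and output chains whose chain policy is `drop`; everything not listed, in either direction, is then discarded.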
