How to organize effective protection against cyberattacks

The cyberthreat platform

By Klaus Brisch, LL.M.


Every year, cyberattacks cause considerable economic damage. According to one study, worldwide losses of approximately $600 billion were incurred in 2017 alone. In Germany, for instance, total damages to businesses were estimated at 143.4 billion through September 2018. Experts expect the risk of becoming a victim of cybercrime will continue to grow. Among other things, increasing digitalization leads to greater potential for cyberattacks, and with time and experience, attackers can enhance the technological efficiency of their cyberattacks.
Most large companies recognize the importance of cybersecurity. Small and medium-sized enterprises (SMEs), however, act quite differently. They assume they won’t be affected because other companies are much more interesting for hackers. People in positions of responsibility are unaware that hackers are sometimes not interested in the company itself, but rather in accessing data or computing capacity. This can affect SMEs at any time, causing long-term damage to their businesses. In such cases, it is likely that some alarmed customers will no longer want to transfer their sensitive data to the affected company.
Though regular installation of IT system updates and periodic password changes have become normal, it is clear that these steps alone do not provide adequate protection against cyberattacks. It is equally important to be informed immediately about any security gaps discovered in software programs, as only then can a company react accordingly. However, this has not yet been organized on a national level in Germany.

The legal situation in Germany: No nationwide warning system, IT Security Act 2.0 in its preparatory stages
Germany does have a Federal Office for Information Security (BSI), an authority whose responsibilities include such tasks as providing information on current IT threats. There is even a specific law (BSIG) that regulates communication and information paths for security-related subjects and events in information technology. Under current legislation, however, only operators of critical infrastructure must report their IT failures to the BSI without delay. Additionally, the BSI only informs and warns certain economic players about current IT threats. This means there is no nationwide warning system.
The IT Security Act 2.0 is currently being prepared. Among other points, the current draft includes an extension of the obligation to report IT attacks, meaning the legally standardized exchange of information would also encompass the defense, automotive and chemical industries, the media and some others. This can certainly be seen as a step in the right direction. The current draft, however, does not address all the weaknesses in current legislation, especially from the point of view of the business community. In the future, the BSI’s flow of information — about existing security threats, for example — would remain restricted to certain segments of the economy. This would not be a comprehensive solution. In addition, not all economic players would be obliged to report cyberattacks. Furthermore, the BSI lacks networks and regulated cooperation with authorities and offices in other countries. Finally, the draft legislation contains no concept that would directly connect providers and users of security services.

What needs to be done …
It is therefore all the more important to create an electronic B2B platform solution that brings together all parties: as many businesses as possible, security authorities and cybersecurity companies. This platform could also enable information to be exchanged among all parties in real time. The cyberthreat platform would then receive alerts directly from cybersecurity companies regarding potential threats. The users of the platform, and thus the recipients of such alerts, could be companies from the private sector as well. Unlike in the past, industry and company size would be irrelevant. Of course, government agencies should be connected to this platform as well. They could also contribute insights and relevant information regarding security issues. However, it would be important for these institutions not to have full access to company data, as that could look like government monitoring and deter some companies. It is also important to note that companies who report an attack on their IT system to the platform should be allowed to remain anonymous to avoid damage to their reputation. Nevertheless, the list of companies connected to the platform needs to be transparent for all users.
A cyberthreat platform of this type would obviously have a number of legal implications. For example, the cybersecurity companies that would be involved are usually competitors, thus requiring the signing of some kind of cooperation agreement. This agreement would regulate the respective rights and obligations of the cooperating companies. It would also be necessary to establish clear conditions for the companies’ participation. These would need to include minimum requirements for IT standards within the companies as well as specific codes of conduct within the platform to protect the users’ reputation and integrity.
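The access rules sketched above (vendors publish attributed alerts in real time, businesses report incidents without exposing their name, agencies are connected but see no company data, the member list is open to everyone, and participation is conditional on minimum IT standards) can be modelled in a few lines. The following Python model is an added example, not the author's design or the code of any existing platform; the role names, the keyed-HMAC pseudonym scheme, the "platform operator" who alone can resolve a pseudonym, and all sample organisations, indicators and records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Role(Enum):
    VENDOR = "security vendor"
    BUSINESS = "business"
    AGENCY = "government agency"


@dataclass
class Participant:
    name: str
    role: Role
    sector: str
    meets_minimum_standards: bool = True   # condition for participation


@dataclass
class Alert:
    source: str        # vendor alerts are attributed; vendors are not anonymous
    title: str
    indicator: str
    mitigation: str


@dataclass
class IncidentReport:
    reporter_pseudonym: str   # keyed token, never the company name
    summary: str


class ThreatPlatform:
    """In-memory model (assumed design): attributed vendor alerts, pseudonymous
    incident reports, a transparent member list, no agency access to company data."""

    def __init__(self, operator_key: bytes) -> None:
        self._key = operator_key
        self._members: dict[str, Participant] = {}
        self._company_records: dict[str, dict] = {}
        self._pseudonym_index: dict[str, str] = {}   # resolvable by the operator only
        self.alerts: list[Alert] = []
        self.reports: list[IncidentReport] = []

    def join(self, p: Participant, records: Optional[dict] = None) -> None:
        # Minimum IT standards are a precondition for being connected at all.
        if not p.meets_minimum_standards:
            raise PermissionError(f"{p.name} does not meet the minimum IT standards")
        self._members[p.name] = p
        self._company_records[p.name] = records or {}

    def _require(self, name: str, role: Role) -> Participant:
        p = self._members.get(name)
        if p is None or p.role is not role:
            raise PermissionError(f"{name} is not a registered {role.value}")
        return p

    def member_list(self) -> list[tuple[str, str]]:
        # The list of connected organisations is visible to every participant.
        return sorted((m.name, m.role.value) for m in self._members.values())

    def publish_alert(self, vendor: str, alert: Alert) -> None:
        self._require(vendor, Role.VENDOR)
        self.alerts.append(alert)

    def report_incident(self, company: str, summary: str) -> str:
        self._require(company, Role.BUSINESS)
        # A fresh nonce per report means other users cannot even link two reports
        # from the same company; the operator keeps the only mapping back to the name.
        nonce = secrets.token_bytes(8)
        token = hmac.new(self._key, company.encode() + nonce, hashlib.sha256).hexdigest()[:16]
        self._pseudonym_index[token] = company
        self.reports.append(IncidentReport(token, summary))
        return token

    def resolve_reporter(self, token: str, operator_key: bytes) -> str:
        # Only the operator (holder of the key) can de-pseudonymise, e.g. to route a
        # vendor's follow-up back to the affected company without publishing its name.
        if not hmac.compare_digest(operator_key, self._key):
            raise PermissionError("only the platform operator may resolve a pseudonym")
        return self._pseudonym_index[token]

    def view(self, name: str) -> dict:
        p = self._members[name]
        data = {
            "members": self.member_list(),
            "alerts": list(self.alerts),
            "reports": list(self.reports),   # pseudonymous for everyone
        }
        # Company records are shown to the company itself only; agencies and vendors
        # never see them, so connecting an agency cannot look like state monitoring.
        if p.role is Role.BUSINESS:
            data["own_records"] = self._company_records[name]
        return data


def demo() -> dict:
    """Constructed sample run: one vendor, two businesses, one agency, one rejected applicant."""
    key = secrets.token_bytes(32)
    platform = ThreatPlatform(key)
    platform.join(Participant("SecVendor GmbH", Role.VENDOR, "cybersecurity"))
    platform.join(Participant("Mittelstand AG", Role.BUSINESS, "automotive"),
                  records={"contact": "it@example.invalid", "assets": 120})
    platform.join(Participant("Kleinbetrieb KG", Role.BUSINESS, "retail"))
    platform.join(Participant("Federal agency", Role.AGENCY, "public"))
    try:
        platform.join(Participant("Lax Ltd", Role.BUSINESS, "retail", meets_minimum_standards=False))
    except PermissionError:
        pass   # participation conditions enforced
    platform.publish_alert("SecVendor GmbH", Alert(
        "SecVendor GmbH", "Phishing campaign against SME accounting staff",
        "malicious-domain.example", "Block the domain at the mail gateway"))
    token = platform.report_incident("Mittelstand AG", "Ransomware on two file servers")
    return {
        "token": token,
        "resolved": platform.resolve_reporter(token, key),
        "agency_view": platform.view("Federal agency"),
        "business_view": platform.view("Mittelstand AG"),
        "members": platform.member_list(),
        "platform": platform,
    }
```

The point of the split between the pseudonym index and the member list is that the two transparency requirements in the text do not conflict: every participant can see that "Mittelstand AG" is connected, but nobody except the operator can tell which of the reports, if any, came from it.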

… and how it should be done
These kinds of platform solutions are by no means new. Comparable approaches already exist on both a national and an international level. Thus far, however, they have been limited to clearly defined groups of participants. There are two basic types of platforms. First, there is a group of Information Sharing and Analysis Centers (ISACs). These centers are more technologically oriented. One such center is the Malware Information Sharing Platform (MISP), which is cofinanced by the EU Commission. Here, participants exchange information regarding malware, imminent IT attacks and possible defensive actions. There are other cross-border ISACs specifically created for certain sectors, such as the finance industry or energy suppliers.
The second type of platform focuses on networking. These platforms intend, for instance, to bring cybersecurity companies together with companies that want to protect their IT infrastructure. Germany, for example, has the Alliance for Cyber Security (ACS) — with more than 3,600 participants — and the Initiative Wirtschaftsschutz (Initiative for Economic Protection), for whom cybersecurity is only one of several elements. Comparable networking platforms also exist in some federal states.
The experiences gleaned by these existing platforms would certainly be useful when developing the cyberthreat platform outlined above, facilitating a relatively quick implementation. A solution of this kind would help strengthen the industry’s competence in the realm of cybersecurity, make it easier to identify threats more quickly and enable those potentially affected to address threats in a comprehensive manner. As a result, preventative measures could effectively limit economic damage.

klaus.brisch@def.law