One night in late summer, paramedics are treating a 78-year-old woman who is in critical condition. They rush her into an ambulance. But when they call the local hospital, they are told: We are very sorry, but we can’t accept the patient.
They have to drive to another hospital, 32 kilometres away. This delay seriously affects the condition of the patient – and the woman dies shortly afterwards.
When I read this in the newspaper, I thought: That cannot be true; in Germany, hospitals don’t reject patients in emergencies. But then I read on – and the article explained that the reason why the hospital couldn’t accept the patient was because of a ransomware attack on its servers. Hackers encrypted the hospital’s data and then demanded payment to release it. The hospital was therefore forced to suspend emergency care and postpone operations.
This is not the plot of the next Matrix movie. This happened at the University Hospital of Düsseldorf in September 2020.
These kinds of cyberattacks – on hospitals, on electricity grids or against companies – are carried out every day, in many places around the world.
Just recently, Montenegro and Albania have been hit by attacks which paralysed their economies and public life.
In Costa Rica, an attack crippled the Ministry of Finance and public health networks, forcing President Rodrigo Chaves to declare a national state of emergency.
And we all remember the ransomware attack that shut down the Colonial pipeline, affecting consumers and airlines across the US.
All of this shows that the damage caused by cyberattacks is real.
Germany’s tech industry association, Bitkom, estimates that they cost the German economy over 200 billion euro during each of the last two years.
Often, criminals are behind such attacks.
But states, too, use cyberspace to spy on industry and politicians, to spread disinformation and to meddle in democratic processes.
We saw this in the run-up to our Federal elections last year, when the group Ghostwriter, which is steered by the Russian state, targeted numerous members of parliament with phishing attacks on their private and official email accounts.
Cyber technology has also become part of modern warfare – as we have seen in Russia’s war of aggression against Ukraine.
On the day of the invasion, the 24th of February, Russia attacked the Viasat communication network, causing a communication outage for Ukraine.
When I was in Kyiv earlier this month, I learned how experts at Ukraine’s cyber security authority are taking action against Russia’s cyber-aggression: they use crowdsourced intelligence to report troop movements, they deploy Starlink terminals to keep Ukrainians connected online and they have fought off attacks on their energy systems.
Germany, like many other countries, supports Ukraine in these efforts – by providing hardware and by funding projects that help people stay connected online, even in combat zones. Often, these connections are the only way they can make sure their loved ones are safe.
What’s clear to us is that today’s wars and conflicts are fought not only with bullets and cruise missiles, but also with bots and malware.
Cyberspace will therefore be a key factor in our National Security Strategy, which the Federal Government is currently working on.
Because keeping our citizens safe means not only protecting them against war and violence, but also protecting the fundamental freedoms that define our society.
In our digitalised world, we need a secure cyberspace for the interactions that we engage in every day: from messaging our children to online shopping, and medical treatment using digital tools.
Making cyberspace secure therefore goes to the core of our security policy.
We are taking a four-pronged approach to this:
First, together with our partners we will strengthen our ability to detect cyber threats, to protect ourselves from them and to recover from them. If we are hit by a cyberattack, we will ensure that people can still use railways and receive medical treatment and that police forces can still operate. To do so, we need stronger and more resilient infrastructure.
Second, cyberspace is not an unregulated area. The provisions of international law also apply to cyber activities. But we must do much more to implement agreed norms. This is the objective of our work within the UN and the OSCE.
Third, we will effectively fight cybercrime. This means that we will act quickly and decisively against hackers – with state-of-the-art cyber units and technology. But it also means holding states that tolerate or support criminal activities accountable – as difficult as that may often be.
Fourth, we will strengthen international cooperation, dialogue and development. Our security also depends on the security of our neighbours and friends. We are joining forces within the EU – and at the last NATO Summit we took the decision to set up virtual rapid response teams that will bring together our most skilled experts after cyberattacks to help fight off hackers.
To make progress in these four areas, we have important work to do at the national level. In Germany, we know that our systems urgently need updating.
The first question that we have to ask ourselves is: do we have the right set of laws and institutions to deal with cyberattacks?
The Federal Government has to set out the legal basis for countering cyber threats, including when they affect multiple Federal states. At the moment, there are too many different procedures and institutions in our different Federal states and cities. That needs to change. To act more effectively, we need to assign clear responsibilities for cyber defence, including below the threshold of military attacks.
I personally strongly believe we need to pool our forces – even if this means amending our Basic Law.
The second question is: do we have the right methods and procedures to ensure cyber security?
To avert cyberattacks at an early stage, risk analysis and early warning are key. Germany’s Federal Government needs to obtain all relevant information quickly, and it needs a strong National Cyber Response Centre. The Federal Foreign Office can contribute to these efforts with its international network of government officials, as well as by providing intelligence and access to cyber experts and civil society representatives from around the globe.
And, crucially, the German Government needs secure communication – even though in the year 2022, it seems hard to believe that we still have to work on this.
This is particularly important for the Federal Foreign Office, with its more than 230 embassies and consulates worldwide, and given the interest that various actors have in its data. Our IT experts are therefore setting up new, highly secure channels which all Federal agencies and German missions abroad can use to communicate with each other. Beginning in 2023, we will also be developing highly secure channels of communication with other countries.
In addition to this, we are working towards opening the first German “data embassy” – a data centre located outside German territory where we will store critical information and protect it from attacks on our systems.
Professor Meinel, you mentioned that you have a master programme on cyber security here at your institute. To all those students graduating in the near future: the Federal Foreign Office is a great place to work– and so is the public sector in general.
Ladies and gentlemen,
I have spoken very openly about all of these issues, because we really have to step up our efforts.
Putin’s war of aggression is confronting us with a new reality. It has underlined the need for greater international dialogue on security and cyber policy.
To defend cyberspace and ensure it remains free, open, stable and secure.
To ensure that it protects the basic freedoms of our citizens.
To ensure a society where we can communicate safely with our loved ones,
where we can hold free and fair elections,
where our universities and our businesses can function safely,
and where our hospitals can deliver essential services to the people who urgently need them.
Because cyber security is human security. It’s our security.
That is why I am so pleased to welcome you all here to Potsdam today.
This event is an opportunity for you to share your ideas on how to tackle one of the greatest challenges of our digital age.
We need all areas of society to be involved: governments and civil society, industry and academia. And we have to think outside the box.
When I was in Kyiv, as I already said earlier, I visited the cyber security authority. I walked into a room and there were students sitting there, I guess aged between sixteen and twenty-two. And I said: You are our true experts.
I think that is how we should approach things in Germany and also in other European countries – we need more courage to think outside of the box to counter cyberattacks.
That is the idea behind this conference.
I hope you all have stimulating discussions.