Last year’s Stuxnet computer-worm attack on several Iranian nuclear installations may have been our collective digital Sputnik shock. It highlighted the significant security challenges we face in the digital sphere.
Yet in addition to this very public case, cyberspace is contested every single second, although these attacks do not normally get the same level of public attention.
Unlike the outer space that Sputnik reached, the Internet and the structures it rests upon are already heavily populated and utilized — by governments and companies, research institutions, public bodies and billions of citizens.
In fact, public and private life depends on functioning telecommunications and information-technology infrastructures. They are already critical to the survival and prosperity of most economies and societies.
Thus one of our greatest strengths — an increasingly networked global communications infrastructure — could also be one of our greatest vulnerabilities.
Stuxnet vividly illustrated how vulnerable industrial infrastructures are and how precise attacks against them can be. We have also seen highly professional attacks against big Internet and credit-card companies.
They became possible through vulnerabilities in standard software suites or through distributed “denial-of-service” attacks, like the payback attacks launched by supporters of WikiLeaks.
In its latest threat assessment of Internet organized crime, the European law enforcement agency Europol quoted a study from the computer security company McAfee that put the damage caused by malign digital activities as high as a trillion dollars a year.
With the emergence of one global network, this threat will increase. Systems that were previously separate are now being connected — information systems of banks, clinics or air-traffic control systems, not to mention the plethora of end-user devices like smartphones, tablet PCs and even on-board computers in cars.
This trend is inevitable if we want to foster the knowledge-based society, to increase productivity and to drive innovation. We have to make our infrastructures smarter. But infusing intelligence into infrastructures also means making them vulnerable to digital attacks.
Protecting these critical infrastructures will be central to public safety as well as to national security. The consequences of a breakdown of the energy grid or the takeover of a critical industry plant from outside could be devastating — even more so as primary infrastructures often depend on one another.
On the one hand, this is an issue of software security. Symantec, a manufacturer of antivirus software, already lists 3 million viruses in its database, but it is virtually impossible to identify each new virus in time. According to Jonathan Zittrain, professor at Harvard Law School, the Slammer worm in 2003 was able to infect 120,000 servers — 90 percent of the type of server it was designed to attack — within 10 minutes.
On the other hand, we also face a hardware challenge. We cannot check the hardware components we use in detail today. A normal processor has several million circuits on a few square centimeters.
So what can we do to enhance cybersecurity? I believe we must adopt a three-sided simultaneous approach.
• First, security has to become a design principle. For us, this means extensive security checks at each step of our production processes. It also means that we reserve access to critical systems and sites to certified employees. We use different technologies to avert “distributed denial-of-service” attacks against our infrastructure and important services like IPTV (Internet Protocol Television), fixed-line VoIP (voice-over Internet Protocol) and Domain Name Services. We also help our customers protect their networks against this threat on demand.
• Second, security must be a part of daily business. At Deutsche Telekom, we constantly track attacks against our networks with self-learning systems. In December 2010 alone, we observed 7,500 attackers who carried out more than 200,000 attacks. Last year, our experts at the Telekom Computer Emergency Response Team identified more than 1,000 vulnerabilities in third-party software products. We share this information with the antivirus industry. A few of these samples were completely new and not detected by usual antivirus products.
All these measures are costly, but this money is well spent. Yet such efforts become more difficult if European telecommunications regulation is solely focused on lowering prices and thus does not support the necessary additional infrastructure investments.
Frankly, this is counterproductive to our efforts to secure vital infrastructures. In the long term, security even has the potential to increase the competitiveness of our economies, as it is becoming an increasingly important enabling service.
• Third, we must accept cybersecurity as a shared responsibility. The Internet chain is only as strong as its weakest link. It starts with the individual user — the best lock in the world is useless if people leave the key under the doormat. Consumers should use digital services responsibly, for example when sharing their data or trusting unknown sources.
But we also need a comprehensive dialogue with all relevant stakeholders in order to develop a coherent strategy to protect our societies and our economy in the digital sphere. Cybersecurity is a public good, so we need intelligent rules that encourage societies and companies to shoulder a part of this burden.
The Sputnik shock led to a burst of activity that finally put a man on the Moon. It is time to address the cybersecurity issue with the same resolve.
By René Obermann, the chief executive officer of Deutsche Telekom.