The discussion on cyberthreats has finally gone public. For years, governments have treated damage from cyberattacks as classified information, while the private sector has kept damage secret in order not to scare off customers and investors.
Recent high-profile cyberattacks such as those on The New York Times, The Wall Street Journal and the U.S. Federal Reserve are only the tip of the iceberg. Cyberattacks, whether random or targeted, whether successful or not, have increased to the point that we are seeing a paradigm shift: We have become aware that transparency and shared knowledge can increase protection and strengthen security.
The damage resulting from malicious cyberactivities, such as theft of personal data or intellectual property, is enormous, even if mainly economic for now. But, like any other terror attack, cyberattacks have the potential to damage critical infrastructure and to create unprecedented disasters.
Last year, Deutsche Telekom (I am the chief executive) started to disclose information about cyberattacks. To institutionalize this approach, we organized — together with the Munich Security Conference — a Cyber Security Summit with major German industries. The positive reception encouraged us to set up a follow-up summit in 2013.
A “neighborhood watch” is key to success in cyberdefense. We need to establish “single points of contact” for rapid alerts and information exchange across all industries. A good role model for this is the Community Emergency Response Team (CERT) in the information technology sector. To create additional awareness, we are developing a “real time situation monitor” with an actual overview on imminent cyberthreats. Sharing information while an attack is happening will allow us to update our security measures in real time.
Transparency about cyberattacks has only just begun and we need to accelerate our efforts. Attackers use the advantages of combined forces. They bundle the power of hundreds of thousands of computer systems in botnets in order to carry out large-scale attacks.
Why don’t we take the same approach when it comes to cybersecurity? Voluntary information sharing is one element of such a collaborative effort; another could be to share the resources already in place, including expert know-how, to make our defensive efforts more powerful and efficient.
Industry, for the most part, is willing to do what it takes to secure cyberspace. Other stakeholders have to do their homework as well. A concern of industry is that rules and regulations have not kept pace with the technological developments — both in offense and defense.
A set of basic and accepted rules-of-the-road protects our physical highways and traffic, and we have to have similar, internationally recognized rules for the information highway. We must define standards and functionalities in order to ensure a safe and coherent digital architecture. A good example is the German security standard for “smart meters” that monitor and bill power consumption.
This will not be easy for the I.T. industry. In Europe, the sheer number of Internet providers makes it difficult to find a common position. Again, transparency and information sharing is essential: Every sound effort to implement such rules and standards relies on feedback about vulnerabilities, as well as data on the quantity, quality and origin of attacks. One cannot manage a problem until one can measure it.
All stakeholders in the Internet ecosystem should join this “collective cybersecurity alliance.” Hardware and software suppliers have the same responsibility for cybersecurity as infrastructure providers, and must act on it. Once a vulnerable product has been supplied, it is almost impossible to achieve an appropriate level of security. The I.T. industry has to rethink this. Cybersecurity will become more of a consideration for consumers.
But the end user — the weakest link in cybersecurity — must also act responsibly. Homeowners secure their property when they go out; Internet users must be as diligent in protecting digital assets. If all users kept their I.T. systems up to date, most attacks would be unsuccessful.
Finally, we must accelerate innovation in cybersecurity. When the Internet was designed, security was not a priority. Today, we see constantly evolving new technologies — such as mobile networks, smart grids or cloud computing — and ever-increasing interconnection. This opens doors to advanced threats. Thus our defense capabilities need to be dynamic and flexible.
Very often, it is the agile, creative, technology-savvy start-up companies that are best able to deal with new cyberthreats. We need to work with them and equip them with appropriate venture capital.
In the long run, we simply cannot afford to lag behind the bad guys. To be sure, we will not erase cyberattacks, much as we are unable to erase crime. But we must at least aim to control and contain it, lest we find ourselves on the losing end of a battle that threatens our prosperity, public safety and ultimately national security.
René Obermannis the chief executive officer of Deutsche Telekom.