Working for a company’s IT security in 2021 is nerve-wracking, but such jobs are crisis-proof. For several years now, increasingly brazen gangs have been attacking more and more companies with malware and extorting ransom. This has now become the sad normality. However, the following is not normal: In December it became known that allegedly Russian state hackers had infected the network software of the Solar Winds company with malware, which is used in hundreds of thousands of companies. Tens of thousands of companies became vulnerable to an update. At the beginning of this week it became public that allegedly Chinese state hackers were exploiting software gaps in Microsoft Exchange, which is also used for Outlook mail traffic. The company had been aware of the holes by the beginning of January at the latest. Microsoft made a security update available just over a week ago.
Originally, the Chinese state hackers apparently targeted US research. But they seem to have found out about the update plans and then changed their focus. Between February 26th and March 3rd, they automated their attacks, leaving backdoors in almost every Microsoft Exchange server they could find. Experts say: If you haven’t updated your system directly, you can assume that you now have a Chinese back door in the system. IT security companies don’t have enough people to help all companies that need help now. An IT professional speaks of a kind of cyber triage, i.e. help only for selected companies.
Actually uninvolved companies become collateral damage from unregulated cyber espionage. What the hackers did here is comparable to the use of cluster bombs on civilian infrastructure just because the enemy announced the construction of a wall. Hundreds of thousands of companies are likely to be affected. In the meantime, criminal hackers are also on the move, fighting over the back doors installed by the Chinese.
Uninvolved companies can expect great damage
The economic damage is likely to be immense. The Russian Solar Winds campaign was a high-precision operation against what the Chinese hackers did here. The Russians, who deny their involvement in the Solar Winds hack just as the Chinese are now denying the Microsoft hack, potentially had access to hundreds of thousands of targets, but only compromised a few dozen. Espionage experts therefore quickly agreed: What the Russians did was defensible. The Chinese hackers, on the other hand, did not adhere to espionage practices.
The cluster bomb comparison is drastic but illustrative. There is no military weapons convention in cyberspace, and states have not been able to agree to regulate state hacking internationally for years. The consequences of uncontrolled hacking actions for civil society are as great as those of the use of analog weapons. Strangers recently hacked a waterworks in Florida, and the same thing happened in Israel. In 2015, Russian hackers temporarily paralyzed the electricity supply in Ukraine. In 2017, an electronic malicious worm that was built for cyber war and that reproduces itself escaped the Russians and caused damage of around ten billion dollars worldwide. Incidentally, the “NotPetya” worm used security holes that the US secret service NSA preferred to keep secret instead of reporting them. Then he was hacked himself – and the vulnerabilities were exploited by others.
And what is Germany doing? Most comfortable with. The draft for the new IT Security Act 2.0 hides a passage that only requires the Office for IT Security (BSI) to report security gaps if “overriding security interests” do not oppose this. In plain language: If the BSI finds a Microsoft security hole that the Federal Intelligence Service could use, then the chances are not bad in future that the report will end up with the secret service instead of Microsoft.
Germany can only influence the strategic planning of the Russian, Chinese or even US secret services indirectly, if at all. However, it is irresponsible that one’s own services should play an active part in the uncertainty of cyberspace. So it is only a matter of time before German companies also turn German cyber insecurity policy into collateral damage.