Woman attempting to authenticate to a notebook using a smartphone

IT security through the ages

The Federal Office for Information Security (BSI) is celebrating its 30th birthday. Reason enough to take a look back at the development of IT security in Germany.

When IT security was still new territory

When the Federal Office for Information Security (BSI) was founded in 1991, most federal citizens could only read about it in the newspaper, as the world wide web, which we use today to learn about all global events almost in real time, still had its training wheels on. The internet’s widespread use first began in the mid-1990s, and social media did not exist as a source of information. But since then, information technology (IT) and, with it, the subject of IT security have developed rapidly, because even ‘bad apples’ quickly made use of these technologies and attacked computers with.

With the founding of the BSI, IT security in Germany now had a legal basis. Since then, more than a dozen institutions have worked alongside the BSI on behalf of or with the support of the federal government on the subject of German IT security and more recently also cyber. The most recent example is the Agency for Innovation in Cyber Security (cyber agency), which is under construction at an interim location in Halle (Saale). 

The BSI, meanwhile, had already put together the first Computer Emergency Response Team (CERT) in 1994: policymakers had recognised that not only are defence against malware programmes and notification of weak points important, but so too is reacting to IT security incidents. In the same year, the BSI published the basic IT protection manual, which is a standard reference for IT security management in Germany today.

The population learned new vocabulary

The population at large learned new vocabulary in the context of IT for the first time at the turn of the century: in 2000 the worm ‘LoveLetter’ spread massively because email recipients were taken in by the subject line “I love you” and thus became victims of malware. The total cost of the resulting damage around the world: an estimated 10 billion dollars. In response to this, the information service BSI für Bürger (BSI for citizens) began in 2002 - at the time on CD-ROM, but it now offers a comprehensive range of online services.

Unfortunately, even today internet users repeatedly fall into the trap of phishing emails and similar threats. And more and more companies are falling victim to targeted espionage or sabotage. In the year 2019, the Federal Office of Criminal Investigation (BKA) in Germany registered around 100,000 crimes in the area of cyber crime. According to Statista, in September 2020 alone, around 199,000 phishing websites were discovered worldwide. And the number of people networked via the world wide web around the globe continues to grow. In July 2020, around 4.6 billion people - almost 60 percent of the global population - were using the global data network. 

Consistent protection for sovereign documents too

September 11th 2001 brought about an entirely new level of alarm. After the terror attack in the USA, it was clear that the advantages of IT had to be used in global mobility too. And so the electronic passport was introduced in 2005 by Bundesdruckerei GmbH with such features as a radio frequency identification chip, which stores the passport photograph and personal data, as well as the fingerprints as of 2007. Precisely five years later, the new personal identity card, produced by Bundesdruckerei, enabled people to securely and easily identify themselves to authorised companies and authorities online.

Attacks escalate

In 2010, “Stuxnet” emerged: a malware initially specialising in process management systems. This brought into focus how vulnerable industry systems and critical infrastructure were. As such, the current draft bill for the IT Security Act 2.0 included new obligations for the operators of critical infrastructure. The goal is to strengthen sensitisation to cyber security and to significantly increase the level of security.

IT security needs a holistic approach. It is only as secure as the weakest link in the security chain.

BSI President Arne Schönbohm on Twitter

One year later the National Cyber Defence Centre began its work. It serves several security authorities as a shared platform for fast information exchange and better coordination of protection and defence measures against IT security incidents.

The moment when digital sovereignty was born

The secret documents published in the daily newspapers “The Washington Post” and “The Guardian” in 2013 showed that the American and British secret services conduct surveillance on a large scale over global telecommunications and especially the internet. Following this, it was publicised that top German politicians had also been wiretapped. Numerous political discussions on cyber security and secret service practices followed the “NSA scandal” that this triggered, and this was more or less the birth of the political call for digital sovereignty. Digital sovereignty is understood to be the self-sufficient action and decision-making of citizens, companies or states in the digital space. A fundamental requirement for this is a secure data infrastructure, which enables all parties to communicate confidentially and with protection in the digital space. Accordingly, awareness of how to navigate the internet securely plays an elementary role, as do data protection and data security.

Coronavirus pandemic needs IT security

Since then the world of IT has changed even more. Above all, increasing flexibility and mobile working make it necessary to think about securing sensitive data in new ways. Ten years ago it was still enough just to secure individual perimeters, but today this approach is not sufficient. Since then it has become standard procedure to secure all network areas and transition points - not just those to the internet. The following applies: The more strongly digitised and networked the company processes are, the more potential entry points for cyber attacks. Accordingly, digitisation and IT security must be addressed together. 

Today, IT security is called for significantly earlier than it was in the past. For a long time the first reaction came when an incident had already occurred, but today the need for “security by design” is the focus. As such, IT security is already taken into consideration in the development of a product and integrated.

Since spring 2020 - due to the coronavirus pandemic - the securing of the home office has also played a greater role, both for companies and for authorities. The BKA is currently registering a significant growth in DDoS attacks. Accordingly, with the establishment of the mobile workplace, IT security and organisation-specific conditions should be the focus.

Now one in four people work exclusively from home. That makes up over ten million working people.

Bitkom study on working from home (home office), December 2020

The level of IT protection for many companies in Germany thus far has fallen somewhat short, as Bundesdruckerei found in a study. This improves as the company size increases. As most companies in Germany are still small firms with fewer than 100 employees, however, it is precisely the companies that make up the bulk of the German economy that are especially vulnerable on a technical security level. “With the help of IT security measures, the risk when using IT systems is significantly reduced and thus damage is prevented. IT security measures are an investment in the future,” says Professor Norbert Pohlmann from the Institute for Internet Security at the Westphalian University, Gelsenkirchen.