Information Security and Information Security Management in Times of a Pandemic
The Covid-19 crisis has changed social life in Germany and worldwide in a way that few could have imagined. Within a very short time, society, business and public institutions have reorganized the way they live and work together. Companies and public authorities have creatively and pragmatically found solutions to ever new challenges. Now it is time to consolidate and optimize. After all, the systems and processes implemented in record time will form the basis for further measures to deal with the crisis.
Covid-19: Catalyst of the digital transformation
At least in one respect, the virus also seems to have a positive effect: COVID-19 is acting as a kind of catalyst for a wide variety of digitalization processes, and will most likely continue to do so beyond the end of the crisis, which cannot yet be foreseen. It has led to the relocation of many workplaces to the home office. Applications for the emergency aid measures for companies, which were decided at short notice, have been submitted via hastily set up Internet platforms. And a tracing app for smartphones has been developed to identify and break chains of infection.
The examples mentioned have two things in common: First, they are based on state-of-the-art information and communications technology. Secondly, the systems and processes already implemented were developed extremely quickly under high pressure and were hastily “cobbled together”. This entails risks.
Crisis management at the expense of security
The threat posed by cyberattacks has become much more serious. The problem is particularly evident in the example of the large-scale establishment of home office workplaces. Authorities that previously handled remote access to their IT systems and data restrictively have now taken risks that would probably never have been approved under other circumstances: The use of private computers for official purposes, communication via unencrypted lines or weakly secured access procedures at the interface between administrative networks and the Internet are just a few particularly critical vulnerabilities.
This increased vulnerability of public IT systems is met by globally active cybercriminals and intelligence actors. The first fraud attempts have become known and recall headlines from the pre-Corona era: The cyberattacks on the Neuss Clinic [1], the Court of Appeals in Berlin [2] and the University of Gießen [3] resulted in protracted system outages and enormous damage. A very recent example is the attack on Technische Werke Ludwigshafen [4], in which business and customer data was accessed on a large scale.
Insecure systems meet unscrupulous perpetrators
The fact that hackers and cybercriminals are ready to exploit these new vulnerabilities is underscored by the security authorities' situation reports. EUROPOL, for example, concludes that the effects of COVID-19 are more noticeable in the cyber sector than in any other field of crime [5]. New ransomware (encryption trojans), phishing campaigns and a realignment of the underground economy are the dark sides of digitalization. The result is damage from criminal cyberattacks that can paralyze entire agencies and then cost a great deal of time and money to remedy. So what can be done?
Digitalization needs a substantial risk analysis
Only digitally supported processes make it possible to achieve the speed of response required in a crisis, for example in tracing chains of infection during pandemics and notifying those affected. That is why rapid digitalization is necessary. In practice, anything that could be an obstacle to it is initially pushed aside. Securing hastily rolled-out digital processes with information security tools, for example, is often perceived as such a slowing element and is therefore neglected. The resulting inadequate security then remains in place in the long term and permanently provides entry points for attackers.
When digitally supported processes are created, existing systems are changed, or new systems are developed, the first step is to identify the new or additional risks that arise in the process and to address them in a targeted and, above all, timely manner. This is a task for experienced specialists who know the threat scenarios, recognize all vulnerabilities and draw the right conclusions in a dynamic process. External experts from specialized consulting firms, organizations, CERTs or the like have an overview of the technical and organizational consequences, can classify and assess them, and can accompany the process through to the implementation of an information security management system (ISMS).
Basis of holistic protection measures: a customized ISMS
Shortly after the turn of the millennium, the federal administration had already recognized that the (then still) novel threats from cyberspace had to be adequately countered. Starting in 2005, the National Plan for the Protection of Information Infrastructures (Nationaler Plan zum Schutz der Informationsinfrastrukturen (NPSI)) was formulated, which was made concrete with the Federal Implementation Plan (Umsetzungsplan (UP Bund)) in 2007. In July 2017, the Federal Cabinet (Bundeskabinett) approved a new version of the UP Bund. This is the guideline for IT security in the federal administration that is valid today [6].
The UP Bund sets binding framework conditions for the protection of information processed in the federal administration and the systems, services and infrastructures used for this purpose. It obligates the authorities to have a sustainable and standardized information security management system (ISMS) and to ensure an appropriate level of security. Such ISMS are not yet in place or effective everywhere in the federal administration today. However, institutions that have a functioning ISMS, which is also tailored to the specific concerns in each case, are quicker to respond and adapt while maintaining a high level of security than institutions without an ISMS.
Dynamic processes and agile developments can also be designed securely
An essential characteristic of an ISMS is its ability to renew itself and to take into account developments that were not foreseeable when the ISMS was originally set up. For this purpose, it is necessary from time to time to review the fundamental paradigms of the ISMS. This is especially true now, during the crisis: The ISMS in use must be readjusted to take into account the changed threat situation. This includes, for example, organization-specific measures that enable a dynamic response to crisis-like developments. It may be necessary to set up crisis response teams (even across organizations) or to keep equipment on hand for secure remote working. At the very least, plans must be drawn up and rehearsed to maintain or quickly restore the availability of operational processes in a crisis.
But adjustments are also possible and necessary beyond the crisis. For example, agile development environments have been created in the federal administration in recent years to supplement the classic V-Modell XT. An ISMS tailored to this can influence the sprints of agile projects and, if necessary, stop them if the IT security of an increment deviates (too far) from the requirements. As a result, errors in conceptual specifications or their implementation cannot creep in in the first place. In this way, the rules based on ISO standard 27034-3 (Application Security Management Process) are also implemented for agile software development processes.
Risk limitation through cost-benefit analysis
A standardized procedure for dealing with risks is recommended, one that is based on ISO 31000 but takes the shortcuts within the standard that are necessary for quick reactions. ISO 31000 emphasizes completeness, but also allows freedom in design and implementation. In addition, it is possible to align the risk management process with other existing management systems and thus benefit from knowledge that already exists within the organization. The holistic approach does not consider IT risks in isolation, as is the case, for example, with an ISO 27005 or BSI 200-3 approach. Rather, generalized business risks that take effect within IT are assessed and quantified as a whole. In this way, risks are minimized without the effort required (in terms of time and money) exceeding the intended benefit.
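The cost-benefit step described above can be made concrete with a small quantitative model. The following is an added illustration, not code from the authors, from the UP Bund or from any of the standards named; ISO 31000 prescribes no formula, and the annualized likelihood × impact model used here is one common simplification. The risk register, control names and all euro figures are constructed for the example and loosely mirror the home-office weaknesses the article lists (private PCs, unencrypted links, weak remote access). A control is accepted only when the risk reduction it buys exceeds its own annual cost, and an optional budget models the limited means of a quick reaction.

```python
"""Added illustration: quantitative risk treatment by cost-benefit comparison.
All figures are constructed; the model is a simplification, not a standard's method."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """A business risk that takes effect within IT, quantified per year."""
    name: str
    likelihood: float   # expected occurrences per year (estimate)
    impact_eur: float   # expected total loss per occurrence, incl. downtime and recovery

    @property
    def expected_loss(self) -> float:
        """Annualized expected loss in EUR."""
        return self.likelihood * self.impact_eur


@dataclass(frozen=True)
class Control:
    """A treatment option for exactly one risk. This simple model does not
    combine several controls acting on the same risk."""
    name: str
    risk: str                          # name of the risk it treats
    annual_cost_eur: float             # effort in money and time, expressed per year
    likelihood_reduction: float = 0.0  # share of occurrences prevented, 0..1
    impact_reduction: float = 0.0      # share of per-incident loss avoided, 0..1


def residual_loss(risk: Risk, control: Control) -> float:
    """Annualized expected loss that remains once the control is in place."""
    return (risk.likelihood * (1.0 - control.likelihood_reduction)
            * risk.impact_eur * (1.0 - control.impact_reduction))


def net_benefit(risk: Risk, control: Control) -> float:
    """Risk reduction minus the control's own cost. Positive means the effort
    does not exceed the intended benefit; negative means the control is not worth it."""
    return risk.expected_loss - residual_loss(risk, control) - control.annual_cost_eur


def rank_risks(risks):
    """Risk names ordered by annualized expected loss, highest first."""
    return [r.name for r in sorted(risks, key=lambda r: r.expected_loss, reverse=True)]


def treatment_plan(risks, controls, budget_eur=None):
    """Select controls with positive net benefit, most valuable first.
    Returns (chosen control names, total annual cost)."""
    by_name = {r.name: r for r in risks}
    scored = [(net_benefit(by_name[c.risk], c), c) for c in controls]
    scored = [(b, c) for b, c in scored if b > 0]          # drop controls that cost more than they save
    scored.sort(key=lambda pair: pair[0], reverse=True)
    chosen, spent = [], 0.0
    for _, c in scored:
        if budget_eur is not None and spent + c.annual_cost_eur > budget_eur:
            continue   # over budget: skip, but keep looking for cheaper wins
        chosen.append(c.name)
        spent += c.annual_cost_eur
    return chosen, spent


# Constructed register; names and numbers are illustrative only.
RISKS = [
    Risk("ransomware via unmanaged private PC", likelihood=0.5, impact_eur=400_000),
    Risk("credential phishing against remote access", likelihood=2.0, impact_eur=30_000),
    Risk("eavesdropping on unencrypted remote links", likelihood=0.2, impact_eur=100_000),
    Risk("loss of the data centre", likelihood=0.01, impact_eur=1_000_000),
]
CONTROLS = [
    Control("managed devices plus rehearsed restore plan", "ransomware via unmanaged private PC",
            annual_cost_eur=60_000, likelihood_reduction=0.7, impact_reduction=0.5),
    Control("MFA on remote access", "credential phishing against remote access",
            annual_cost_eur=15_000, likelihood_reduction=0.8),
    Control("encrypt remote links (VPN/TLS)", "eavesdropping on unencrypted remote links",
            annual_cost_eur=8_000, likelihood_reduction=0.95),
    Control("second data centre", "loss of the data centre",
            annual_cost_eur=50_000, likelihood_reduction=0.9),
]

if __name__ == "__main__":
    by_name = {r.name: r for r in RISKS}
    for name in rank_risks(RISKS):
        print(f"{name:45s} expected loss/yr: {by_name[name].expected_loss:>10,.0f} EUR")
    for c in CONTROLS:
        print(f"{c.name:45s} net benefit/yr:  {net_benefit(by_name[c.risk], c):>10,.0f} EUR")
    print("unconstrained plan:", treatment_plan(RISKS, CONTROLS))
    print("plan within 70,000 EUR:", treatment_plan(RISKS, CONTROLS, budget_eur=70_000))
```

With these figures the second data centre is rejected (it costs 50,000 EUR a year to remove roughly 9,000 EUR of expected loss), while the three controls aimed at the home-office weaknesses all pay for themselves. Under a 70,000 EUR budget the greedy selection keeps the most valuable control, skips the MFA rollout that no longer fits and still picks up the cheaper link encryption, which is the kind of quick, defensible decision the procedure above is meant to support. The honest part of the exercise is the estimates themselves: the likelihood and impact inputs should come from the experienced specialists the article calls for, and the plan is only as good as those numbers.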
Sources
[1] https://www.kma-online.de/aktuelles/klinik-news/detail/900000-euro-gesamtschaden-durch-cyberattacke-a-31629 (accessed on 15.07.2020).
[2] https://www.tagesspiegel.de/berlin/cyberangriff-auf-berliner-kammergericht-russische-hacker-koennten-justizdaten-gestohlen-haben/25477570.html (accessed on 15.07.2020).
[3] https://www.forschung-und-lehre.de/politik/uni-giessen-nach-cyberangriff-groesstenteils-wieder-online-2652/ (accessed on 15.07.2020).
[4] https://www.ludwigshafen24.de/ludwigshafen/ludwigshafen-hacker-twl-deutschland-angriff-technische-werke-strom-kunden-daten-passwort-gefahr-13748874.html (accessed on 15.07.2020).
[5] https://www.bild.de/news/ausland/news-ausland/wegen-corona-europol-warnt-cybercrime-betrug-und-diebstahl-nehmen-zu-69658798.bild.html (accessed on 15.07.2020).
[6] https://www.bmi.bund.de/SharedDocs/downloads/DE/publikationen/themen/it-digitalpolitik/up-bund-2017.html (accessed on 15.07.2020).
Authors and contact
Thomas Soens
Division Manager
msg security advisors
Moritz Huber
Expert and speaker on IT security
keynote@moritzhuber-speaker.de