Hacking your refrigerator
November 3, 2014
DW: Mr. Tschersich, who's ultimately responsible for IT security?
Thomas Tschersich: Everybody who uses the Internet. Cyber security needs to start in primary school. I have two children myself, and the teachers encourage them to use the Internet to do research for their homework. This means that we also have to teach them how to deal with the Internet in a responsible way. Children already learn traffic rules before they've started school. But we don't teach them how to get around safely in the digital world. After the Cyber Security Summit, which starts on November 3 in Bonn, we'll hold a children's summit to raise awareness about this topic in educational institutions.
Your company's website, Telekom, actually displays cyberattacks in real time.
Yes, we operate a speedometer. This website collects data from an international sensor network that includes 180 honeypots. Honeypots are computers with simulated security gaps. And they register every attack hackers attempt against that computer. This way, we get valuable information: How do the attackers operate? Where do they come from?
We register up to a million attacks against our honeypots per day. But not all of these attacks are that serious: Mostly, we're dealing with automated software scanning the Internet systematically for security gaps. But we can also see that, once the malware has identified such a gap, it doesn't take long before a highly professional attack starts and makes use of those weaknesses.
The data from the honeypots goes directly to your Cyber Defense Center in Bonn. Does this bring a benefit also for regular Internet users?
Once we know who's attacking our honeypots, we also know, who the "bad guys" are on the Internet. We can build this information into our routers, which people have in their homes. We can include a filter, which we then feed with up-to-date data via the Internet, and which effectively locks out any traffic coming from suspicious sources - sources known to operate malware. This way, normal costumers can benefit from our Cyber Defense Center, even though our primary customers are large companies.
Which kind of attacks worries you most?
The biggest challenge, which also involves considerable economic damage, is organized crime, like the phishing and abuse of bank data. This is a multi-million-dollar business and gives much more reason for concern.
We also see a trend towards attacks on mobile phones - particularly the Android operating system. To put it into perspective: With the Windows operating system, we found 350,000 different tools designed to attack it over the course of 14 years. With Android, we got a similar figure within just ten months.
There is also talk about "cyber warfare," meaning states - often undemocratic ones - using malware against political enemies or economic rivals.
In the past, states waged war to gain access to raw materials. In the digital world, this is not necessary anymore. You can exploit the "raw materials" from home.
With the value-added processes increasingly being digitalized, possibilities are emerging that necessarily result in the question: "Will the next war be about data?"
Most people know that they have to keep their operating systems up to date, but what about the "Internet of things?" Most people who operate a network printer, a webcam or a scanner probably never thought about protecting those against malware?
For the first time, a refrigerator in the US sent out spam emails at the beginning of this year. Clearly this is an issue. The problem is that we connect devices that were never meant to be interconnected. If we don't include security as a system requirement from the beginning, we should not be surprised if we don't get security in the end: It works as designed.
Right now, the situation is this: I buy Swiss cheese from the hardware producer and then I have to close all the holes by myself. This is the wrong approach. We have to get everybody working together on this: Lawmakers, hardware producers, Internet providers and the users. If the customer switches off the automatic security updates, he himself creates a security gap. But we have to make it easy and user-friendly for the customer to achieve security.
Is there something you hope to achieve at the end of the conference - like an agreement about industry-standards?
It would be great, if we could get a self-commitment by the important actors. But one should not expect too much from a conference with only 200 participants. This does not cover the entire industry. But what we can achieve is sending out impulses – somewhat like seeds - that then develop into something bigger.
Thomas Tschersich is the head of IT security at Deutsche Telekom in Bonn, Germany. Telekom is one of the two organizers of the 3rd Cyber Security Summit, along with the Munich Security Conference.