Politician’s Reactions on VIP Hack in Germany

by Roger Halbheer on January 7, 2019

I recently complained about the Swiss government and our inability in Switzerland to really drive Cybersecurity forward (Federal Council not deciding again – Switzerland falling behind on Cybersecurity). It was one of the most-read blog posts I wrote during the last few years… In one of the discussions on LinkedIn I talked about one of my fears: Something bad will happen and the politics will have to show how upset they are and that they have everything under control by asking for regulations and pushing stuff, which most probably will be counter-productive. Interestingly a German friend of mine told me to come to Germany, as it seems to be even worse across the border.

Now we probably all know what happened: German politicians targeted in mass data attack – Politicians and celebrities in Germany got hacked at a large scale. We do not know enough publicly about it but according to the BBC article we get some indications:

Interior Minister Seehofer said preliminary analysis showed the data had been obtained through “wrongful use of log-in information for cloud services, email accounts or social networks”.
A cyber analyst told the BBC there was speculation that hackers might have exploited weaknesses in email software to get hold of passwords that those targeted had also used on social media accounts.
Data was published in Advent calendar-style daily releases on Twitter. The first “doors” at the start of December featured TV presenters, then rappers, and from 20 December it focused on politicians.

That there is some suspicion of a political motive in the current situation in Germany with EU elections coming up (and the right-wing AfD not being hit) is normal and probably not completely wrong. What really concerns me is the reactions of some politicians according to the NZZ (which is known for a well-researched journalism) today – Der Hackerangriff bringt Deutschlands Cyber-Abwehr in Erklärungsnöte.

It seems that BSI did not really look good when it comes to coordinated incident response and communication. However, it is interesting that the coordination between the government organizations seems to have been poor as well – leading me back to the need for a decision in Switzerland.
Mr. Seehofer said that the public will learn everything they know – full transparency and he expects significantly more information by mid-week. Given that these cases are typically spawning across several countries and legislations, he seems (to me) a tiny bit too optimistic. Additionally, such cases often have a political side-note as well. We will really get full transparency? I doubt. If it is really APT 28 behind this attack – as speculated – I doubt it even more…
Several politicians now ask for stronger laws and regulations – as predicated. We do not know what happened and why it happened, but we ask for stronger regulations. I am not necessarily against better regulations, however (at least in my limited understanding of how the world should work) regulation should target something of interest for the overall society and addressing a gap, which could harm society, right? So it makes sense to understand the eco-system and have a sound understanding, what makes sense to regulate.
The last statement is kind of cute: One person is requesting that the police should be allowed to recover the stolen data from the perpetrator. I do not disagree but just to be clear: The data was publicly available on the Internet, distributed via Twitter and other means. Let’s start with the basics: Something, which is on the Internet will never ever disappear again…

Before we call for regulation, we should probably ensure that our politicians start to understand Cybersecurity, right? And part of it – to be crystal clear – if up to our profession: We need to stop speaking dolphin talk and explain stuff simple and make it easy to understand. But the politicians should be willing to listen as well (comping back to my initial blog post).

And, BTW, let’s get rid of passwords