Cyber attacks are a booming criminal industry, and perpetrators operating from abroad have little to fear from the judiciary. The digital association urges people to help themselves.
In view of the ongoing wave of cybercrime and often powerless law enforcement, the German economy is increasingly relying on preventive self-protection. According to the digital industry association Bitkom, cyber attacks are currently one of the biggest threats to the German economy and society.
“It is currently not foreseeable that the threat situation will ease,” says association president Ralf Wintergerst. Not only politicians, but also the companies themselves are challenged. “This means that IT security must be placed at the top of the company’s agenda and provided with the necessary resources.”
According to Bitkom estimates, theft of IT equipment and data, digital and analogue industrial espionage and sabotage caused damage totaling 206 billion euros last year. Almost three quarters of this sum – around 148 billion – was due to cyber attacks. “Almost two-thirds of companies in Germany recently stated that they expect to become victims of cyber attacks in the next twelve months,” says Wintergerst, whose day job is CEO of the Munich-based security technology and banknote manufacturer Giesecke + Devrient.
The actual damage could be even higher. “There is also a multiple dark field,” says Martin Kreuzer, the cyber expert at the reinsurer Munich Re. “Not only perpetrators want to remain anonymous, but also many victims. This makes prosecution difficult.”
Hardly any investigation into foreign perpetrators
Investigations often lead to nothing because many perpetrators attack from abroad. According to the BKA’s “Federal Cybercrime Situation Report” published in summer 2023, the clearance rate for crimes committed abroad is in the low single-digit range.
Both Wintergerst and Jörg Asmussen, the general manager of the General Association of the German Insurance Industry (GDV), are calling for better international cooperation between prosecutors. But the problem cannot be solved with law enforcement alone, says Asmussen. “Instead, we have to tackle cybercrime in several places: Politicians must create the framework for more cybersecurity, for example with threat analyses, concrete warnings and clear identification of the perpetrators.”
Large-scale attacks on private individuals and companies must be identified and made known quickly, ideally with information on how to ward off the attack. “In addition, the economy urgently needs to improve its level of protection,” says Asmussen. “German medium-sized businesses in particular are lulled into a false sense of security regarding their cyber risks.”
New authority planned
Politicians and law enforcement authorities are by no means idle. The federal government is currently setting up the Federal Office for Combating Financial Crime, which is scheduled to begin work in 2025. The new investigative agency is not specifically designed to combat cybercrime, but money laundering – the funneling of criminal profits into the legal money circuit – naturally also plays a major role for cyber gangs.
And an example from Bavaria: The state government has increased the staff of the Bamberg Public Prosecutor’s Office’s central cybercrime office in recent years, and the number of investigations has risen steadily: in 2019 there were 14,198, last year over 18,400. However, these are not just cyber attacks; the figures also include, for example, the online distribution of child pornography or investment fraud on the Internet.
“You can make a difference through the interaction of risk carriers, the judiciary and intermediaries such as insurance companies,” says Munich Re cyber expert Kreuzer. “Many companies are investing more in prevention. Something is already happening, and there are certainly international law enforcement operations that are successful.”
Many attacks from organized crime
Nevertheless, the investigators are often powerless. According to the Bitkom economic protection report 2023, the electronic traces often led to Russia or China. “In other words, countries that cooperate little or not at all with German or European security authorities,” says Bitkom President Wintergerst. “The boundaries between organized crime and state-controlled actors are often fluid.” The proportion of attacks that can be attributed to organized crime is continually increasing. In 2023, 61 percent of the companies attacked by hackers reported that the attacks came from organized crime.
“The entry threshold for the perpetrators is very low; simple cyber attacks don’t require much more than a computer, electricity and internet access,” says Munich Re cyber expert Kreuzer. Little or no programming knowledge is required any longer: “You can find instructions and tools on the Internet for little money.” Cybercrime is a hydra: “As soon as you cut off a head, another one grows back.”
Bitkom calls for investments in cybersecurity
Conclusion: “Prevention is the best method to combat cybercrime,” says Matthias Baumhof, manager at IT security service provider LexisNexis Risk Solutions. “Preventing cybercrime would significantly facilitate the work of law enforcement agencies, which are already overwhelmed by the scale of cybercrime due to limited resources.”
For companies, prevention means, in addition to training the workforce, above all technical upgrades. Baumhof is head of technology for “ThreatMetrix,” an identity verification platform. “Modern analytics and machine learning help predict and prevent fraud.”
The industry association Bitkom recommends that companies allocate no less than 20 percent of their total IT expenditure to IT security. “And finally, every company needs an emergency plan for cyber attacks,” says Wintergerst. “It must clearly regulate who will do what in an emergency. If you only start thinking about these things after a successful attack, it will be too late.”