German election: “Responsibility for cyber security remains with the private sector”

Last Sunday, Germany elected a new government. Well, to be precise, they elected a new parliament, but nobody knows yet who will actually lead the government. The new chancellor will have to deal with several major topics as it is – which is why the topic of cybersecurity never made it into the discussion prior to the election. A good reason to talk about it now.

CyberDirekt, a sales platform for cyber insurance, has analyzed the election programs of the major parties – CDU/CSU, SPD, Bündnis90/Die Grünen, FDP, Die Linke and AfD – regarding measures to protect the German economy and citizens from cyber attacks and asked the parties’ representatives for digital policy for additional statements.

Sobering results

“The result of our examination of the election programs is thoroughly sobering. Even in the next legislative period, no groundbreaking changes in the legal framework to improve cyber security for companies, organizations and administrations are to be expected. The fact that we are facing around 300 cyber attacks per day and 223 billion euros annual damage to the German economy allows only one conclusion: all players in the market must proactively protect themselves against cybercrime in the coming years. In addition to investments in technical and organizational measures, cyber insurance will also be an essential part of every company’s own precautionary measures in order to cover the majority of the financial risk,” explains Hanno Pingsmann, Managing Director of CyberDirekt, based in Berlin.

Germany left behind

In other countries, cyber security for business and consumers has long been a top priority. Just recently, U.S. President Joe Biden invited representatives of the largest technology companies, online retailers and insurers to the White House and swore them to a joint fight against cyber criminals. In the U.S., fuel supplies collapsed and long lines formed at gas stations this May after a hacking attack on a major oil pipeline. In Sweden, stores of the grocer Coop were unable to open for several days because the cash register system had been affected by a cyber attack. In Germany, supplies to end consumers have not yet been affected to this extent by cyber attacks, and one would hope that it will stay that way. However, cybercrime does not stop at national borders and it would be negligent to believe that the U.S. or Sweden have been affected by isolated cases, Pingsmann said. Coverage of cybercrime in the German media currently tends to revolve around cyber attacks on individual companies or hacker attacks on members of parliament. Most recently, in early September, the German government blamed Russia for an ongoing wave of hacker attacks on German politicians.

But citizens should not ask what the future federal government plans to do to cope with this massive threat situation. A look at the election programs of the federal parties leads to a sobering result: the topic of “cyber” is certainly included in the election programs, but it is more likely to be linked to the military sector – cyber war – or the social sector – cyber bullying. According to the analysis of CyberDirekt, a reference to cyber security for business can only be found very sparsely among the mainstream parties CDU/CSU, SPD and FDP.

Direct request to the political parties

“Since the current election programs do not offer much in the way of protection for business and consumers, we have asked the digital policy spokespersons and experts of the parties for their opinion. Some of the responses paint a different picture than the election programs. The threat situation seems to have been recognized to a certain extent, although not to the same extent in every party,” explains Pingsmann. When asked, we learned from the CDU/CSU that they want to “continually assess what is necessary to respond appropriately to the dynamic developments in cyberspace. However, a consistent political agenda sounds different. After all, the CDU/CSU want to “create structures that enable industry to increase their protective measures against cyber attacks.” The SPD highlights the need for “regular training and awareness measures for employees” and thus addresses an important instrument for responding to the continuously growing threat situation for public authorities and medium-sized companies. Bündnis90/Die Grünen want to “support SMEs much more strongly through a decentralized and independent IT consulting network.” In the run-up to the election, much is being demanded and desired – but concrete ideas for implementation, for example in the form of legislation, remain absent for the time being.

The bottom line, however, is clear: The responsibility therefore remains with the private sector. Particularly when a company is acutely affected by a cyber attack, it becomes clear that the authorities can provide little direct support in dealing with the situation. “Filing a report against unknown persons with the police does not help any entrepreneur if production is paralyzed and the company cannot be reached by e-mail” emphasizes Hanno Pingsmann. With cyber insurance, the insurance industry has created an effective instrument with which companies can protect themselves against the consequences of a hacker attack. For this purpose, every insurer has mandated IT security service providers who are available to the affected companies 24 hours a day with technical support, IT forensics and crisis management in the event of a claim. “The structures are reminiscent of the historical development of fire insurance, which was even compulsory insurance in many areas of Germany,” comments Hanno Pingsmann, “Insurers played no small role in promoting the development of the fire brigade in Germany. As long as the state cannot actively support companies and citizens in coping with cyber attacks, every entrepreneur should consider the offer of private emergency assistance in the event of a cyber attack.”