Cyberattacks are on the rise worldwide, but many countries are making strides in promoting and developing cybersecurity by developing policy frameworks, encouraging investment in research and development, and by driving awareness of cybersecurity best practices. Germany is one of the countries that has been trying to increase the cybersecurity of its broader online ecosystem for a number of years and is today more committed to that goal than ever. And what Germany does matters not just because it is one of the top five global economies, but because it is one of the leading European Union (EU) member states. What German policy-makers think and feel can have a major effect on the EU, a trading block of 500 million people with a GDP – on a par with the USA.
Microsoft’s Security Intelligence Report (SIR) shows Germany performs well compared to the global average when it comes to encounters with malware and the scale of infected computers (see the regional breakdown specific to Germany). Overall, the SIR shows the ongoing nature of the conflict between those delivering cybersecurity and those trying to break through, and even in the Germany of 2016 there was an uneven but upwards trend in encounters and infections.
A fundamental part of responding to these threats and the potentially significant economic damage they pose is, in my view, cooperation between government and the private sector. The new cybersecurity strategy seems to indicate that this is also the view of German policy-makers. Germany’s recognition of the importance of developing and implementing effective cyber security norms – along with the necessary means of verification/attribution – is very encouraging. And German support and leadership in the pertinent multi-lateral discussions will be crucial. In this context, it is worth noting that German leadership, during its 2016 Chairmanship of the Organization for Security and Co-operation in Europe, yielded concrete positive results in the related field of developing cybersecurity related confidence-building measures – which critically rely on different segments of society working together.
The strategy builds on Germany’s IT Security Law (IT-SiG), passed in 2015, which promoted cooperation between the German Federal Office for Information Security (BSI) and the industry in protecting critical infrastructure. Infrastructure protection is, of course, only one aspect of cybersecurity, and cooperation between governments and the private sector is only one part of the overall solution (for example, my Microsoft colleagues have also been arguing strongly for risk-based approaches to cybersecurity). Nonetheless, both the IT-SiG and the proposed strategy seem to be steps in the right direction. Cooperation between states and the private sector, including those who create information and communication technology (ICT) products and those who use them, seems like a very good way to develop effective cybersecurity policies and practices. What is true for Germany should be equally true for other EU member states.
The challenge is that, currently, not all companies may be happy about information exchange with the authorities (only 13 percent of companies in Germany are). It would be a terrible irony that just as governments realize the need for public-private partnerships in cybersecurity, companies start to step back from the opportunity. To prevent such a development, IT regulators will have to demonstrate the added value of receiving this information. They can do this by anonymizing it, and then sharing it with those private sector entities that need to know about it, and then acting on it to protect their systems and their customers.
Looking ahead, in order to enhance IT security in general and increase the protection of critical infrastructure in particular, public-private partnerships are essential, but they require commitment and buy-in from both sides. Microsoft is ready to play its part.