
Face-to-face with Arne Schönbohm, BSI

The forthright head of Germany’s national cyber security authority explains how it is leading the initiative to make certification key to the country’s defensive strategy. Interview by James Hayes.

Arne Schönbohm is President of Germany’s national cyber security authority, the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, known as the BSI for short). The agency upholds and promotes IT security throughout the federal republic. Formed in 1991, the BSI is primarily the central IT security service provider for the country’s federal government. However, it also offers its services to a range of technology manufacturers and the internet industry, along with private sector and commercial users.

The BSI investigates cyber security risks associated with IT operations, and develops preventive security measures. This aspect of its work includes IT security testing and assessment, in co-operation with industry. It also analyses developments and trends in IT. In addition, the organisation issues warnings about emergent cyber security threats, such as ransomware. It also acts as a go-between when security industry researchers discover stolen data on the Dark Net and want to alert the data’s legitimate owners to their loss.

Arne Schönbohm leads a BSI team of more than 600 employees, based at the agency’s headquarters in Bonn, where its specialist departments also issue a range of technical guidelines, standards and certifications.

CYBER SECURITY EUROPE: From your previous experience as a senior business executive, what has proved most valuable in your current role as President of the BSI?

ARNE SCHÖNBOHM: The BSI President needs to be an advocate in the matter of cyber security. The BSI has established an intensive dialogue with all relevant stakeholders, in particular with the public and private sectors. The German Alliance for Cybersecurity, initiated by the BSI, is a good example of a joint platform that includes valuable recommendations and ‘best practices’ to protect enterprise networks against cyber attack incidents, for both technical and non-technical audiences. The German Alliance for Cybersecurity also promotes and organises meetings, workshops and congresses, to foster information exchange.

CSE: In many European organisations today, the responsibility for cyber governance is now moving from a solely IT remit to one that is shared with senior executives in non-technological roles. What effect will this transition have on enterprise cyber governance as we enter the 2020s?

AS: This change is a necessary and natural development, I would say. The secure handling of information has become one of the key factors for the success of a company. Subsequently, the corresponding infrastructure – the information technology – has [what could be called] existential meaning for every organisation.

CSE: And what do you see is the result of this change in operational terms?

AS: This development has certainly changed the perception of governance and of security professionals in many organisations: CEOs used to think that IT experts would prevent – or at least, decelerate – organisational decisions – it was more comfortable to ignore them. Now, they often sit next to the board to influence strategic thinking [around cyber governance].

CSE: How does the BSI now work with the non-technical executive management in German organisations to help improve their understanding of the cyber security threats they face, and to improve their knowledge of enterprise cyber security in practice?

AS: Many executives have already realised that information security is a prerequisite for a successful [transformational] digitisation process. Hence, they are more open to arguments and measurements with regard to cyber security than they were three or four years ago. The BSI takes part in various events, working groups or publications – technical as well as non-technical – to improve the awareness in German organisations. We also attend events focused on CEOs and board-level executives, hoping to achieve a drop-down of cyber security understanding to every part of the company. But we’re not only there to advocate a cause. It is more like a dialogue.

CSE: Can you mention a couple of examples of outputs from those deliberations?

AS: We were able to take part in a workshop of multiple organisations to develop the National Association of Corporate Directors (NACD) Handbook on Cyber-Risk Oversight – a publication for top managers which sets out principles for more security. Another example is the co-operation of the BSI and several associations of major industry sectors. Job profiles in crafting have become more and more affected by digitisation over time. In this context, we published the ‘Routenplaner’, which helps SMBs with less security knowledge to find their way towards a secure IT-based business.

CSE: In your experience, is there a cyber security ‘knowledge gap’ between senior executives in the enterprise sector and their peers in the industrial sector?

AS: There is a difference between [what you might categorise as] Industrial Security and Office Security. The cyber security recommendations that are applicable for an office environment may not be suitable for, let’s say, Industrial Control Systems – for business continuity reasons, for example. However, the more we digitise and interconnect industrial IT, the more vulnerable these systems get – and the more executives must take care of these risks.

CSE: How important will securing Europe’s emergent 5G mobile networks against cyber attacks be for the successful transition to Industry 4.0 operations?

AS: We need 5G networks that are more secure than the current mobile networks. 5G is, after all, supposed to be the technology to enable digital services and developments like Industry 4.0, autonomous driving or medical support. Based on a catalogue of security requirements, the BSI will therefore check and certify 5G hardware and software for their security. By means of technical security requirements for 5G networks we will ensure the confidentiality, integrity and availability of communication. Important aspects are for instance a well-implemented end-to-end encryption or the redundancy of network components.

CSE: The BSI seems more involved in the area of secure certification than are national cyber security agencies in other European states. If that’s correct, can you explain why this is the case?

AS: In cooperation with partner organisations from other EU member states, the BSI is putting significant efforts into cyber security certification. Certification helps to raise the bar for attackers. It demands a common minimum degree of security. It enables regulations and procurement to make use of measurable minimum requirements for products and services. It also further enables industry to sell security based on an independent assessment of their offers. It is one of the motors of innovation in the realm of IT security – as security often does not sell by itself. When we mandate the usage of IT for every citizen, we need to make sure it fulfils highest standards to protect private information. The most prominent examples are the German ID card and the German passport, but other areas like Smart Energy, Smart Home, Mobile Security, and Industry 4.0 add to the variety of engagement.

CSE: Can certification play a role in the security of critical infrastructure?

AS: Yes, it can. The understanding of this importance is commonly shared in Europe, which is reflected by the EU Cybersecurity Act that recently came into force. From our perspective, the most relevant part of this regulation sets up a European Cybersecurity Certification Framework to harmonise certification in Europe and to strengthen the European Digital Single Market. By this we expect consumers, industry, and public administration to benefit from an overall boost to available and effective security.

CSE: The world of enterprise IT and information security is subject to a range of recent legislation, such as the General Data Protection Regulation (GDPR) and the Directive on Security of Network and Information Systems (NIS Directive). Do you see evidence that GDPR, in particular, has positively changed how Europe’s senior executives now approach organisational cyber security strategies?

AS: Many organisations were afraid of, or even irritated by, the new laws, although in most cases it was consensus that these regulations were necessary. From our point of view, there won’t be privacy without data security. So GDPR has fostered the introduction of further security actions in various organisations. But we should not really regard security as a duty. It can also be a chance and competitive advantage. In the future, demand for products and solutions which include contemporary protection measures will be higher than for those which do not.

CSE: As nation states undertake cyber attacks against politico-economic rivals, to what extent do you see European organisations being caught in the ‘crossfire’?

AS: Well, I cannot answer that from a political point of view. Speaking in terms of cyber security, European organisations need to be aware of and cope with the risks of digitisation and protect themselves as optimally as they can, regardless of the identity of a possible attacker. The BSI provides a wide range of information and support to the companies to enhance their levels of cyber security.