Cybercrime affects Germany most

According to the study Net Losses – Estimating the Global Cost of Cybercrime published by the Center for Strategic and International Studies (CSIS) Germany loses 1.6 percent of its gross domestic product (GDP) because of cybercrime. This is more than in all other countries. Second are the Netherlands with 1.5 percent followed by Norway and USA with 0.64 percent each. One reason for Germany’s high loss numbers could be the recent efforts to collect and publish cybercrime incidents, but of course also a lack of security measures in German companies.

NSA surveillance major threat to fundamental rights

The alternative report on protection of fundamental rights published by the German committee on fundamental rights and democracy considers mass surveillance by NSA and other secret services as one of the two major threats besides the right-wing terror organization NSU (National Socialist Underground). The major threat to free democracies moves away from outside attackers to an aggressive overreaction of the internal system says one of the publishers Rolf Gössner in a German heise article. Furthermore he states that the German government and justice refuse legal or political consequences for protection so far.

Environmental Risk #1: Air Pollution

The World Health Organization (WHO) recently published a report with new numbers of dead people because of air pollution each year: 7 million worldwide – most of them because of stroke and heart and lung diseases.

This is more than twice as high as previously estimated and thus air pollution is the biggest environmental health risk now. And even in Europe 600,000 deaths are linked to pollution according to the WHO study and the German SPIEGEL reports that particulate matter pollution in some German cities like Berlin or Leipzig is significant.

Of course pollution is not a direct risk to data centers or IT equipment like an earthquake or flood, but it has a significant influence when it comes to sustain one of the most important resources for IT: Skilled people. Pollution already influences decisions about whether to outsource IT to certain countries especially in South-east Asia. It becomes harder to find employees from Western countries that are willing to build up a subsidiary or manage partners in these countries if there is significant pollution in this area.

And pollution might even be a risk to IT operations in case administrators are not able to leave their homes due to high Pollution if critical maintenance has to be done on-site. So pollution definitely becomes a topic for information security considerations and a gas mask might be standard equipment in your future emergency kit.

OWASP Top 10 Privacy Risks

I started the OWASP Top 10 Privacy Risks project together with a colleague. Its goal is to develop a top 10 list for privacy risks in web applications because currently there is no such catalog available. The list will cover technological and organizational aspects like missing data encryption or the lack of transparency. The project is open source and non-profit. Feel free to contribute!

Tips against governmental surveillance

Many people currently ask what to do against governmental surveillance (NSA spying) and some managers even think that standard security measures are useless because “the NSA has access to everything anyway”. But there are other attackers besides secret services and there are also things you can do against governmental surveillance. Here is my list of the most important things to consider:

  • Use encryption. The NSA is not able to read all encrypted data with reasonable effort and if you use the algorithms and key sizes recommended by ENISA you are quite secure. Furthermore there are tools for anonymized internet browsing like Tor and JonDo.
  • Choose European IT companies instead of US IT companies. It will not only help to lower the likelihood that your data leaks to the NSA, but also to put some economic pressure on US companies. US companies themselves will demand to restrict governmental spying if they lose a significant number of customers or users.
  • Blow the whistle if you are aware of governmental back-doors in products or systems, unlawful eavesdropping or even attempted blackmailing. Media companies like the German SPIEGEL have set up guidelines for informants and sometimes whistle-blowing is the only way to point out serious deficits. But prepare to run and leave your family 😉
  • Request independent audits and product certifications that prove the absence of data leaks for governmental bodies. Choose trusted auditors.
  • Continue securing your assets because as a security consultant or manager you are mainly defending the reputation of your company. The NSA would not publish that they hacked your company. But if your customer data gets published or sold by cyber criminals, you will get huge media attention and this will damage your reputation and possibly your shareholder value. Furthermore you also have to comply with laws and regulations.

Note: There are governments from other countries besides the USA that have powerful secret services and support spying on private and company data and internet traffic without providing transparency. One self has to decide whom he or she trusts, and in how far eavesdropping is acceptable and helpful to fight terrorism.

False Risk Perception

I recently read an article about eight people having died in a medium German city last year because they walked over red traffic lights and have been hit by a car. They apparently had the feeling they had everything under control, but they underestimated the risk. The story reminded me about the daily business of information security people having to deal with risk perception of their managers and employees – luckily without casualty. But in a much more complex environment that is hard to oversee. False risk perception is typical for human beings. There are studies saying that the number of deaths of the 9/11 attacks was exceeded by the number of deaths caused by additional car accidents because people chose to drive instead of flying and driving is much more dangerous than flying.

As it seems there is also a false risk perception about terror attacks and the NSA spying. The NSA only contributed to the prevention of 4 out of 225 terror cases since 9/11 according to a study of the New America Foundation. The rest was prevented by the police etc. If there is only a small number of suicides because people are identified as terrorists by mistake because of misleading correlation results of the NSA, the spying would not only help to save lives, but even “kill” additional people. But I doubt there are public reports on the impact of such false positives.

Swedish Transparency

ScreenHunter_03 Jan. 08 19.41

I spent New Year’s Eve in Sweden and it is always interesting again to see that Swedes are much less concerned regarding privacy than people in most other European countries. Especially services like requesting the holder of a car including type, registration date and location by just sending a SMS with the license number to 72503 or getting detailed information about the salary history and financial standing of a person on for only a small fee would not be possible and accepted in most other European countries.

This is not surprising if you have a look at a Eurobarometer report from 2011 stating that only 33% of the Swedes are concerned about over-disclosure of personal information. The EU average is 72%. The revelations about the Swedish government spying on Russia to support the NSA and opposing to the planned reform of the European Data Protection Regulation confirm that privacy is not a big concern in Sweden.