Snooping Fears: German Firms Race to Shield Secrets
Edward Snowden's revelations about data surveillance have left German firms feeling acutely vulnerable to industrial espionage. In the medium-sized business sector, which contains a host of world leaders in high-tech fields, the race is on to shield vital know-how.
Markus Stäudinger is a cautious person -- especially when he's sitting in front of his computer. He's an IT security expert at Gustav Eirich, a southern German engineering company that makes industrial mixing equipment, and he has been encrypting his emails for years. "While I was typing I always had in the back of my mind that it could still be deciphered," says Stäudinger, 48. He has tried to entrench that mindset in his company.
Stäudinger has spent years trying to enhance the security of Eirich's data and communications. He kept telling colleagues to be careful when dealing with sensitive information. He installed extra security features on notebooks and smartphones before they were taken off company premises. Some of the firm's 750 employees probably shook their heads at all this paranoia. But now, after the NSA revelations of whistleblower Edward Snowden, they all know that Stäudinger was right. "We were always aware that the intelligence services and business work closely together in the US," said the IT expert. "When we heard about what's been going on, it didn't hit us completely out of the blue."
Other companies were taken by surprise, though. Be it Prism, Tempora or XKeyscore, reports about mass electronic surveillance and tapped Internet hubs and trans-Atlantic data lines have alarmed German companies. Many firms are now worried that the intelligence services aren't just trying to pinpoint terrorists but to get at German industrial secrets as well. They fear that their lead over US, British and French competitors could be at risk. And they've suddenly realized that they've got to do something to protect themselves against the organized theft of data.
"The reports of the activities of intelligence services are a wake-up call for many companies. It sent alarm bells ringing," said Rainer Glatz, director of product and know-how protection at the VDMA German engineering association. In the past, warnings of hacker attacks and IT espionage often fell on deaf ears. But now Germany's small and medium-sized business sector, or Mittelstand, often described as the backbone of the German economy, has woken up to the risk. "There is growing sensitivity," said Glatz. "In many firms, the management boards are now thinking about how they can shield themselves better."
Spying Causes Billions of Euros in Damage
Action is urgently needed. At most, only one in four Mittelstand firms has an IT security strategy, said Christian Schaaf, founder of the Munich-based consultancy Corporate Trust. Many have limited themselves to a simple firewall and a few anti-virus programs. But that's not enough to keep out professional hackers, let alone the likes of the NSA. "Many companies are starting to realize that they have to cast a safety net over their data," said Schaaf.
There's plenty to spy on in the Mittelstand, with its thousands of high-tech businesses, ranging from newly developed products to production processes and process control systems, as well as customer lists and price offers in contract tenders. Germany's domestic intelligence agency, the Office for the Protection of the Constitution, estimates that industrial espionage causes damage totalling between 30 billion and 60 billion ($40 billion to $80 billion) per year. No one knows the exact figure because companies in Germany and across Europe tend to keep quiet when they find out they have been spied on. There are a number of reasons for this: They're afraid of copycat espionage, they don't want to reveal to potential new attackers where their weak points are and what they're doing to protect themselves. And they're afraid that they may lose customers if their data leaks become public.
Engineering company Gustav Eirich would be worth spying on. The 150-year-old, family-owned business from Hardheim in the Odenwald region of southern Germany is among the world leaders in its field. Eirich's machines can mix chemicals and all sorts of materials faster, more thoroughly and more efficiently than those of its international competitors. This is thanks to a host of inventions and innovations that the company has had patented. "Our know-how is our big competitive advantage," said security chief Stäudinger. And Eirich is doing all it possibly can to protect that lead.
Possible Boost For German Data Security Firms
The company refrains from storing information in foreign data processing centers. Video conferences, data transmission and emails -- Eirich handles all that via its own cloud server. Skype is forbidden, and the use of Facebook is discouraged. All staff members are given clear instructions to avoid any unintentional releases of sensitive data. As a rule, the company encrypts all emails it sends outside the firm, if the clients go along with that, and they use German software to do the encrypting. "With US programs the intelligence agency will definitely have the general key," said Stäudinger. "That's why we try to use domestic products whenever we can." In Germany, security authorities usually don't get access to the algorhythms of firms that offer encryption.
Germany's comparatively strict rules on data privacy protection represent a possible competitive advantage for German suppliers of IT security. Data processing centers based in Germany have been enjoying a strong increase in demand of late, said Gatz, VDMA's IT security expert. Providers of private clouds such as Demando, a subsdiary of the Kaiserslautern municipal utility company, offer their customers their own server cabinets and can even make exclusive glass fiber lines available to them so that they don't have to send sensitive data through the Internet.
However, even such lines can be tapped into, and almost every encryption code can be cracked. "You can never guarantee 100 percent security," said Stäudinger. "We know there's a residual risk. But we set the hurdles as high as possible." Maybe that will make potential attackers seek easier targets: among companies with less distrustful security chiefs.
© SPIEGEL ONLINE 2013
All Rights Reserved
Reproduction only allowed with the permission of SPIEGELnet GmbH