NSA Aftermath German Firms Scramble to Boost Data Protection
German companies have long suspected China and Russia of trying to steal their secrets. But the NSA scandal has turned their attention west, forcing them to worry about prying American eyes and to rapidly bolster security measures.
Building No. 14 of SAP's service center in St. Leon-Rot seems as secure as Fort Knox. But, in the end, it isn't the exterior walls of meter-thick reinforced concrete that give off this impression. Nor is it the security cameras or the high-tech steel gate. In fact, the latter wasn't even working a few weeks ago, as can be seen from the handwritten note taped to it, saying: "Gate broken. Please open manually."
What really makes this building in southwestern Germany secure is a state-of-the-art fingerprint verification system. The computer center is filled with servers containing data on this German software giant and thousands of other companies, together making up a giant library of secret company information spanning much of Europe. To get into it, visitors must pass through five security control points, each equipped with its own fingerprint scanner. Only authorized fingers are given access, and only when they are still attached to living individuals. No one gets into the building with severed fingers.
In other words, it would be wrong to say that efforts aren't made to protect business secrets in Germany. On the contrary, the precautionary measures taken by German companies sometimes read like a chapter from a John Grisham novel -- or, in some cases, like pages from a medical textbook on paranoia.
When BMW managers fly to other countries, they leave their company-issued mobile phones at home in Munich. In their place, they are given disposable phones to be discarded upon return.
At the specialty chemicals giant Evonik, managers are required to store their mobile phones in cookie tins during meetings, the idea being that the tins will serve as Faraday cages that prevent anyone from listening in on the conversations.
Ferdinand Piëch, the chairman of Volkswagen's supervisory board, has conference rooms regularly swept for bugs, and the company even has its own airline, Volkswagen Air Services. The planes are registered in the Cayman Islands, but not in order to avoid paying taxes. Instead, the point is to make the aircraft less recognizable as VW planes so that passenger lists are not readily accessible.
At the aerospace group EADS, employees are not permitted to use iPads or iPhones at work. Only Blackberrys are allowed. Employees working in high-security areas are also not allowed to read work-related emails outside their sealed-off offices.
Heightened Worries about Data Abuse
After the revelations of large-scale data mining by the United States, German managers have become even more nervous about data security. EADS CEO Tom Enders and other senior executives have ratcheted up their defensive measures even further. "Many documents that used to be sent by email are now hand-delivered to the recipient," says an EADS official. He notes that the only documents that are now sent electronically are those that the company would have no objections to posting publicly or displaying "on the church door."
Enders and his fellow managers are not alone. Many German business executives are worried about what the NSA does with all the data it presumably collects on German companies, says Ulrich Brehmer, a member of the executive board of the German Association for Security in Industry and Commerce (ASW).
Brehmer is far from a conspiracy theorist, and he isn't trying to suggest that US intelligence services are deliberately poaching industrial know-how from Germany and channeling it to American companies. Instead, what worries him is that US intelligence agencies are working hand-in-hand with consultants from the private sector. "Who knows whether they might be selling information to interested parties here and there," says Brehmer, who assesses the risk of such data abuse as "high."
SAP founder Hasso Plattner also feels uneasy about the surveillance operations of American intelligence agencies. "It certainly is strange that much of the surveillance is centered on southern Germany," he says, "precisely where all the large and small technology companies are located."
This sense of anxiety has become widespread in Germany. "We are noticing that companies have become more sensitive in recent weeks," says Michael George, the head of the Cyber Alliance Center at the Bavarian State Office for the Protection of the Constitution, the state branch of Germany's domestic intelligence agency. "When it comes to industrial espionage, they had focused almost exclusively on the East. And now they're wondering whether the threat might not also be coming from the West."
Small and medium-sized businesses (SMEs), in particular, are contacting the experts at the state agency and asking some very basic questions: What about products made by US software companies, such as Microsoft, that are commonly used by German companies? Should managers still use Skype for meetings? In addition to hacker attacks from China, do SMEs now have to worry about industrial espionage originating in the United States?
'The Americans Are Pros'
German companies once had a lot of confidence in everything coming from the United States. But it's already clear that much of this has been lost.
Granted, to date, there are no known cases in which US agencies have tried to steal German know-how. But perhaps this is only because German authorities and companies haven't been looking hard enough. The victims of hacker attacks are usually kept in the dark, and it might be that American intelligence agencies are just better at covering their tracks.
In fact, they don't even have to gain direct access to German companies. What sometimes happens is that US intelligence agencies, while conducting their extensive searches on the Web, flush out packets of data from German companies "that don't belong there," says a senior official with the Federal Office for the Protection of the Constitution (BfV). Through data leaks, this information often reaches German authorities, who then notify the affected companies.
"The Americans are pros. They don't leave any tracks behind -- and if they do, they're the wrong ones," says Christopher Fischer of BFK, a consulting firm in the southwestern city of Karlsruhe. "It's always easy to act as if the attack were coming from China. And although they are very active at the moment, everything is now of course being blamed on the Chinese."
All companies know that they should protect themselves from the prying eyes of competitors. But, until now, it was commonly believed that threats of industrial espionage emanating from government entities primarily came from China and Russia, where it is common for intelligence services to spy on foreign economies.
Likewise, it has always been clear that Germany is a stomping ground for industrial spies. Dozens of cases have been publicized in recent years. The only real difference among them is that the spies were looking for different things. The Iranians wanted to know where in Germany they could secretly buy parts for their nuclear program. The Russians have an appetite for all things military. And China's product bootleggers are interested in everything from military technology to high-end record players.
The problem in fending off espionage is that many potential access points must be monitored at the same time. SAP alone sees about 3,000 attacks a month. Throughout Germany, the number of attacks is allegedly in the hundreds of thousands -- per day. "It isn't even necessary to have a great deal of expertise to attack small and mid-sized companies," says a senior BfV official.
Moreover, no one knows exactly where the attacks are coming from. Are they industrial spies? Intelligence agencies? Or just amateur hackers? It is clear, however, that there are entire armies of mercenaries roaming the web, ready to sell their services to the highest bidder. And they are good at what they do. "We have cases in which attackers played around in a company's computers for more than 100 days before being discovered," says Fischer, the BFK consultant. "When that happens, you can assume that nothing is secret anymore."