German Government Cybersecurity Chief 'The Only Thing That Can Help Is Preventative Action'
In an interview, Arne Schönbohm, 49, the head of Germany's Federal Office for Information Security, discusses the potential danger posed by Huawei, why he thinks it is "manageable" and the general state of IT threats in Germany.
DER SPIEGEL: Mr. Schönbohm, the German government has decided not to exclude Huawei from building networks for the next generation of mobile communications. As the head of the most important cybersecurity agency in Germany, you're ultimately responsible. Do you not see any risk in allowing this controversial Chinese company from participating in the construction of the 5G network in Germany?
Schönbohm: I think the risk is manageable. There are essentially two fears: First, espionage -- i.e. that data will be siphoned off involuntarily. But we can counter that with improved encryption. The second is sabotage -- i.e. manipulating networks remotely or even shutting them down. We can also minimize this risk by not relying exclusively on one supplier in critical areas. By possibly excluding them from the market, we also increase pressure on these suppliers.
DER SPIEGEL: Together with the Federal Network Agency, you are currently formulating stricter security requirements which not only Huawei, but all equipment suppliers will have to follow. What will they include?
Schönbohm: We need a 5G network in Germany that is more secure than today's mobile networks. We want to make autonomous driving and medical services possible, after all. So, we have to be able to review and certify hardware and software for security based on certain checklists. It would also be helpful to be able to analyze the source code of the software of these devices in order to see whether hidden functions are built in that would make the siphoning of data possible.
DER SPIEGEL: And if they fail those tests?
Schönbohm: Then network providers would not be allowed to use that company's products. Our advantage is that we know how to deal with these things. There is no other institution in the world that issues more high-security certificates than we do.
DER SPIEGEL: The Americans still consider the German approach to be naive. They warn against Huawei.
Schönbohm: We're in close contact with our American and English colleagues, and there are different risk assessments. I think that's legitimate.
DER SPIEGEL: Have you ever seen hard evidence that Huawei is spying or conducting sabotage?
Schönbohm: Let me put it this way: If we saw uncontrollable risks, we would not have adopted our approach.
DER SPIEGEL: In September, you will publish your annual situation report. What trends are emerging?
Schönbohm: In cybercrime, we are seeing an increasing number of cases of blackmail using encryption programs, so-called ransomware. There have been recent reports that a number of hospitals in southwest Germany have been affected. The perpetrators are becoming increasingly professional, and even divvy up their work. In June, for example, the computers of municipal administrations in Florida got hacked and encrypted. The attackers demanded about a half-million dollars each, payable in Bitcoin, for the data to be released. They used a novel combination of different Trojans that we are familiar with in what we are calling a "triple threat attack."
DER SPIEGEL: Many victims panic when their computers are attacked and their data is no longer accessible. What's your advice? Should people pay?
Schönbohm: Never ever. Often the promised keys for restoring access don't even exist, so the data is gone not matter what. There's nothing along the lines of honor with these thugs. The only thing that can help is taking preventative action: You should make backup copies of important data. I have backed up the things that I don't ever want to lose, like photos of my children, on two or three external hard drives.
DER SPIEGEL: Your agency is currently planning on opening up a second office in Freital in the eastern German state of Saxony. Why there of all places?
Schönbohm: We want to be represented wherever innovative work is being done on new digital solutions. Information security also needs to be part of the "Made in Germany" quality label. In this respect, the greater Dresden area with its focus on microelectronics is a good additional location.
DER SPIEGEL: The government has created a budget for 350 new jobs at your agency this year, which will allow you to increase its size by a third to around 1,300 employees. Are you going to ask for more?
Schönbohm: Germany is facing huge challenges in digitalization. Here's a simple question: Do you want to get into self-driving car that isn't safe? We currently have a budget of around 120 million euros. The planned revision of Germany's IT Security Act will give us additional tasks. And we will, of course, need additional staffing for that.
DER SPIEGEL: As Germany's cyber-sheriff, do you have a nightmare scenario?
Schönbohm: An attack by Trojan ransomware on the federal administration with the encryption of all the federal government's data would be one case. But we and the other security authorities are well-positioned for most conceivable scenarios.