NSA Aftermath: German Firms Scramble to Boost Data Protection

German companies have long suspected China and Russia of trying to steal their secrets. But the NSA scandal has turned their attention west, forcing them to worry about prying American eyes and to rapidly bolster security measures.
By SPIEGEL Staff

Building No. 14 of SAP's service center in St. Leon-Rot seems as secure as Fort Knox. But, in the end, it isn't the exterior walls of meter-thick reinforced concrete that give off this impression. Nor is it the security cameras or the high-tech steel gate. In fact, the latter wasn't even working a few weeks ago, as can be seen from the handwritten note taped to it, saying: "Gate broken. Please open manually."

What really makes this building in southwestern Germany secure is a state-of-the-art fingerprint verification system. The computer center is filled with servers containing data on this German software giant and thousands of other companies, together making up a giant library of secret company information spanning much of Europe. To get into it, visitors must pass through five security control points, each equipped with its own fingerprint scanner. Only authorized fingers are given access, and only when they are still attached to living individuals. No one gets into the building with severed fingers.

In other words, it would be wrong to say that efforts aren't made to protect business secrets in Germany. On the contrary, the precautionary measures taken by German companies sometimes read like a chapter from a John Grisham novel -- or, in some cases, like pages from a medical textbook on paranoia.

When BMW managers fly to other countries, they leave their company-issued mobile phones at home in Munich. In their place, they are given disposable phones to be discarded upon return.

At the specialty chemicals giant Evonik, managers are required to store their mobile phones in cookie tins during meetings, the idea being that the tins will serve as Faraday cages that prevent anyone from listening in on the conversations.

Ferdinand Piëch, the chairman of Volkswagen's supervisory board, has conference rooms regularly swept for bugs, and the company even has its own airline, Volkswagen Air Services. The planes are registered in the Cayman Islands, but not in order to avoid paying taxes. Instead, the point is to make the aircraft less recognizable as VW planes so that passenger lists are not readily accessible.

At the aerospace group EADS, employees are not permitted to use iPads or iPhones at work. Only Blackberrys are allowed. Employees working in high-security areas are also not allowed to read work-related emails outside their sealed-off offices.

Heightened Worries about Data Abuse

After the revelations of large-scale data mining by the United States, German managers have become even more nervous about data security. EADS CEO Tom Enders and other senior executives have ratcheted up their defensive measures even further. "Many documents that used to be sent by email are now hand-delivered to the recipient," says an EADS official. He notes that the only documents that are now sent electronically are those that the company would have no objections to posting publicly or displaying "on the church door."

Enders and his fellow managers are not alone. Many German business executives are worried about what the NSA does with all the data it presumably collects on German companies, says Ulrich Brehmer, a member of the executive board of the German Association for Security in Industry and Commerce (ASW).

Brehmer is far from a conspiracy theorist, and he isn't trying to suggest that US intelligence services are deliberately poaching industrial know-how from Germany and channeling it to American companies. Instead, what worries him is that US intelligence agencies are working hand-in-hand with consultants from the private sector. "Who knows whether they might be selling information to interested parties here and there," says Brehmer, who assesses the risk of such data abuse as "high."

SAP founder Hasso Plattner also feels uneasy about the surveillance operations of American intelligence agencies. "It certainly is strange that much of the surveillance is centered on southern Germany," he says, "precisely where all the large and small technology companies are located."

This sense of anxiety has become widespread in Germany. "We are noticing that companies have become more sensitive in recent weeks," says Michael George, the head of the Cyber Alliance Center at the Bavarian State Office for the Protection of the Constitution, the state branch of Germany's domestic intelligence agency. "When it comes to industrial espionage, they had focused almost exclusively on the East. And now they're wondering whether the threat might not also be coming from the West."

Small and medium-sized businesses (SMEs), in particular, are contacting the experts at the state agency and asking some very basic questions: What about products made by US software companies, such as Microsoft, that are commonly used by German companies? Should managers still use Skype for meetings? In addition to hacker attacks from China, do SMEs now have to worry about industrial espionage originating in the United States?

'The Americans Are Pros'

German companies once had a lot of confidence in everything coming from the United States. But it's already clear that much of this has been lost.

Granted, to date, there are no known cases in which US agencies have tried to steal German know-how. But perhaps this is only because German authorities and companies haven't been looking hard enough. The victims of hacker attacks are usually kept in the dark, and it might be that American intelligence agencies are just better at covering their tracks.

In fact, they don't even have to gain direct access to German companies. What sometimes happens is that US intelligence agencies, while conducting their extensive searches on the Web, flush out packets of data from German companies "that don't belong there," says a senior official with the Federal Office for the Protection of the Constitution (BfV). Through data leaks, this information often reaches German authorities, who then notify the affected companies.

"The Americans are pros. They don't leave any tracks behind -- and if they do, they're the wrong ones," says Christopher Fischer of BFK, a consulting firm in the southwestern city of Karlsruhe. "It's always easy to act as if the attack were coming from China. And although they are very active at the moment, everything is now of course being blamed on the Chinese."

All companies know that they should protect themselves from the prying eyes of competitors. But, until now, it was commonly believed that threats of industrial espionage emanating from government entities primarily came from China and Russia, where it is common for intelligence services to spy on foreign economies.

Likewise, it has always been clear that Germany is a stomping ground for industrial spies. Dozens of cases have been publicized in recent years. The only real difference among them is that the spies were looking for different things. The Iranians wanted to know where in Germany they could secretly buy parts for their nuclear program. The Russians have an appetite for all things military. And China's product bootleggers are interested in everything from military technology to high-end record players.

The problem in fending off espionage is that many potential access points must be monitored at the same time. SAP alone sees about 3,000 attacks a month. Throughout Germany, the number of attacks is allegedly in the hundreds of thousands -- per day. "It isn't even necessary to have a great deal of expertise to attack small and mid-sized companies," says a senior BfV official.

Moreover, no one knows exactly where the attacks are coming from. Are they industrial spies? Intelligence agencies? Or just amateur hackers? It is clear, however, that there are entire armies of mercenaries roaming the web, ready to sell their services to the highest bidder. And they are good at what they do. "We have cases in which attackers played around in a company's computers for more than 100 days before being discovered," says Fischer, the BFK consultant. "When that happens, you can assume that nothing is secret anymore."

Paying Hackers to Hack

All companies should be terrified of Thorsten Schröder. He calls himself a hacker and likes to wear the trademark garb of the hacker community: T-shirts from hacker conferences and practical cargo pants, preferably all in black.

Schröder recently attacked a company in the medical field. Using his own computer, he was quickly able to pose as one of the company's external salespeople. This gave him all the access privileges of an employee, thereby allowing him to breach the firewall meant to protect the company from outside access.

"Once you're inside, it's just a matter of time and effort before you can access sensitive customer information or internal financial planning data," Schröder says. In this case, the outcome was even worse for the company. Schröder managed to install his own software on the company's servers, turning himself into an administrator and "super user."

This is one of the greatest triumphs for an outside hacker -- but a nightmare for the company. In this case, however, the company was actually paying Schröder for his services. Like many of his counterparts, the 36-year-old hacker has turned his hobby into a profession. Schröder owns Modzero, a company based in the Swiss town of Winterthur. With his four full-time employees, he advises companies on IT security issues and defending themselves against cyber-espionage.

The success rate for one of his operations, which usually last between five and 10 days, is close to 100 percent, Schröder says. "In fact, we always find something." This even applies to larger companies with their own corporate security departments, which sometimes have their own "red teams" that regularly attack and test the company's own systems. In many cases, says Schröder, the higher levels of the hierarchy pose the greatest security risks. "Top managers are usually attractive targets," he says, "because they have special status and often a particularly large number of access privileges."

Human Weakness Opens Doors

This brings us back to the fundamental problem of every counter-espionage operation: the many access points that need to be monitored. Even if it were possible to make company networks more secure, attackers would simply choose a different route -- one that passes through the bedroom, for example, as an employee of a German medical-technology firm learned only a few weeks ago.

At first, he couldn't believe his good fortune when he launched into an intense flirtation with a Chinese woman. She was young and attractive, and she was apparently interested. Only when he was blackmailed with compromising photos of himself and the attractive Chinese woman did the manager figure out what had really happened. He had stumbled into a "honey trap," an age-old trick in espionage of all sorts.

The victim was supposed to provide information about a successful product made by his company. But the attack failed in this case when the employee told both his boss and his wife about the Chinese woman. Nevertheless, the example shows that even in the era of the PRISM surveillance program and Trojan horses, there is still one particularly weak point when it comes to drawing secrets out of a victim: the human being. Or, in this case, the male.

Attackers use simple but effective tricks. For instance, a man walks up to a convention booth, identifies himself as a manager with a competitor and, seemingly by accident, leaves his keychain behind with something very tempting attached to it: a USB flash drive.

The victim, thinking it's his lucky day, sticks the flash drive into his computer to see what the competition is up to -- and, in doing so, unwittingly downloads a spy program onto his own computer.

Attackers like to combine new technology with time-tested methods. To gain the trust of a potential victim, attackers search for information on social networks. Within a few days, social networks can yield the amount of information that it used to take several weeks to gather.

Preferences, contacts, friends and even hints about possible passwords for email accounts or company networks can often be found in Facebook or Xing profiles. This information can then be used for subsequent operations.

Efforts to Improve Coordinated Defenses

This form of spying by using someone's personal context is called social engineering. Next to hacking, it is one of the most important tools for intelligence services. But, according to a study by the consulting firm Corporate Trust, only one in four employees of German companies is prepared for this threat.

In fact, employees in many companies simply assume that the IT department will somehow figure out how to solve the security problem on its own. In most companies, it isn't even clear which data is considered especially sensitive -- what industry insiders call a company's "crown jewels." Only one in five companies has prepared the necessary analysis for itself.

One problem for German domestic intelligence agents is that they don't really know what is actually going on behind company doors. Indeed, companies are tight-lipped and only report 20 percent of industrial espionage cases to the BfV.

To address the issue, George, the cyber security expert in Bavaria, is constantly trying to gain the trust of SMEs. "The fatal aspect of the current situation is that every company is an island," he says, "and no one knows what is happening on the next island." This means that attackers can use the very same trick to gain access to several different companies, and no one even notices it's a trick. The Bavarian domestic intelligence agency only recently began passing on anonymous information about attacks from one company to another.

When it comes to espionage, the relationship between government agencies and companies, and between the political and business worlds, has been filled with suspicion for years -- and become a vicious circle. Companies feel that the interior ministry and the BfV pay too little attention to the issue. Meanwhile, the intelligence agencies are critical of industry, saying that companies provide them with too little information about hacker attacks and cases of possible industrial espionage.

Hartfrid Wolff, a domestic policy expert with the pro-business Free Democratic Party (FDP), believes that Germany is in a relatively poor position when it comes to defending itself against industrial espionage, and that SMEs, in particular, are in over their heads. "Universities and other research facilities also need substantially better protection," he says.

But ever since news leaked about the NSA's vast spying operations, the fronts seem to be softening. At the end of August, representatives of both sides intend to sign an agreement on protecting businesses. The plans include an Internet platform on which companies and government agencies can exchange information about possible attacks. "The goal is to warn each other so that security gaps can be plugged," says the head of IT for a major German company.

Privacy Agreements Ignored

The IT reporting law planned by Interior Minister Hans-Peter Friedrich, on the other hand, has gained little support. Under the proposed rule, companies that discover an attack on their computer systems would be required to report it immediately. But the business community feels that the current draft of the bill is poorly thought-out. What does Minister Friedrich intend to do with all of this wonderful data, asks the head of security for a defense contractor. He calls the proposed law "a joke," saying that it shows how helpless lawmakers actually are.

The so-called Safe Harbor Framework, an agreement that the United States and the European Union signed in 2000 to regulate data privacy for US companies operating in Europe, is especially sensitive.

Under the framework, US companies can more or less voluntarily agree to comply with certain data privacy rules when they wish to store and process information about European citizens. The Safe Harbor Framework is then essentially considered a seal of quality for which US authorities are supposed to handle certification and compliance monitoring.

More than 3,000 companies in the United States -- including giants like Google, Facebook and Microsoft -- have already agreed to observe the rules. This has enabled them, with the EU's approval, to store, process and swap billions of data sets on EU residents.

However, in 2004, a study commissioned by the European Commission revealed that there was no monitoring of compliance with the data privacy guidelines, especially in the United States. At the time, the Americans promised to improve the still somewhat obscure guidelines.

A second study appeared only four years later. Commissioned by the EU, it was prepared by a Belgian university in collaboration with Norwegian and American researchers. But, unlike the 2004 study, the 192-page study was only made available to a small group of experts.

Today, the EU says that it incorporated the study into its overall assessment of Safe Harbor. But the managers of major German corporations suspect that other motives are behind the reluctance to talk about the study. Indeed, they believe that the study's results were so devastating that the agreement should have been terminated long ago.

The study's authors frankly conclude that the US officials complied with the data privacy provisions "even worse" in 2008 than in 2004. For instance, the report states, the relevant US authorities' verification of certification and compliance with the data privacy rules was "completely inadequate." In such cases, there were hardly any sanctions against the US authorities.

But now European Justice Commissioner Viviane Reding has apparently had enough. The agreement, she says, is apparently more of a "loophole than a safeguard for our citizens." Reding is now no longer ruling out the possibility of a unilateral termination of the agreement.

Surge in Demand for Tap-Proof Phones

Under the USA Patriot Act of 2001, US authorities are granted access to all domestic data, both private and commercial. What's more, software developers can be compelled to build backdoors -- or "interfaces" -- into programs through which intelligence agencies can later gain access. The developers are also required to sign non-disclosure agreements and forbidden from even talking to their superiors about the work.

Still, software giant SAP is not worried that the US software it buys might contain interfaces for US intelligence services. Whenever SAP doesn't have access to a software product's source code, it hires outside specialty companies to search for such loopholes before buying it. After that, an in-house department at SAP checks the source code. "You have to be pretty cunning to get around such scans," says Gordon Mühl, SAP's head of security.

But dangerous leaks can arise at the interfaces as soon as different programs have to be coordinated with each other or when antivirus software is not constantly updated. "Thousands of SAP systems with Internet access are not up to date," says Alexander Polyakov of the security company ERPScan. "They are gateways for data thieves."

Some are also profiting from the new security boom, such as the Düsseldorf-based company Secusmart, which specializes in tap-proof mobile phones and includes German Chancellor Angela Merkel among its customers.

In a few weeks, Secusmart will provide the German government with ordinary Blackberrys that operate with a special card about the size of a fingernail. As soon as the caller speaks into the phone's microphone, the words are encrypted. At the same time, the device can still be used like a smartphone.

Since the NSA's surveillance methods were revealed, Secusmart has seen a growing interest in tap-proof mobile phones from companies. "In the past, companies often didn't believe us when we said that it isn't just very easy to tap phone calls, but that it also happens," says Jörg Goronzy, chief sales officer at Secusmart. "The surveillance scandal has opened the eyes of many."

But, Goronzy adds, that's not even the best part: To effectively protect itself, a company would have to provide tap-proof mobile phones not only to executives and managers, but also to secretaries and assistants. The encryption only works when both the caller and the receiver have a tap-proof phone. For that reason, Secusmart says, it makes sense for a major corporation to buy the phones for 500 to 1,000 employees -- at a cool €2,500 ($3,300) a pop.

WRITTEN BY MARKUS BRAUCK, DINAH DECKSTEIN, FRANK DOHMEN, ANN-KATRIN NEZIK, MARCEL ROSENBACH, MICHAELA SCHIESSL and JÖRG SCHMITT

Translated from the German by Christopher Sultan