The Limited Times


In an interview: BSI President Plattner about cybersecurity in Germany

2024-02-20T14:20:52.750Z




As of: February 20, 2024, 3:04 p.m.

By: Sebastian Hölzle


Claudia Plattner has headed the IT authority BSI since July 2023.

Plattner was previously Director General of Information Systems at the European Central Bank (ECB).

The photo shows her in the National IT Situation Center in Bonn at the beginning of February.

© Oliver Berg / dpa

The BSI was in the headlines with unusual frequency last year due to serious allegations against former boss Schönbohm.

The authority, which is essential for cybersecurity, has therefore had a new boss since 2023.

Munich – The name is awkward: Federal Office for Information Security, or BSI for short.

The importance of the Bonn authority has grown enormously in recent years: The BSI is responsible for cybersecurity in Germany.

Arne Schönbohm headed the BSI for many years, and at the end of 2022 he was transferred by Federal Interior Minister Nancy Faeser (SPD).

Claudia Plattner has been BSI President since July 2023.

We talked to her about gaps in IT security – and how everyone can protect themselves.

As BSI President, you know the threat situation in Germany better than almost anyone else.

Since taking office, have you lived in constant fear that your private cell phone or computer could be hacked?

No, definitely not.

But of course I approach the topic of information security very consciously.

For example, I care about sensible passwords and almost exclusively use apps and services with two-factor authentication.

That means?

Many people are familiar with two-factor authentication from online banking: This is a two-stage verification of the user and can mean, for example, that the provider you want to log in with sends a confirmation code to another of your devices after you enter your password, for example your smartphone.

The second factor can also be your fingerprint on a corresponding sensor or the use of a chip card: You can only use the service if you also have this means of confirming your identity.

An attacker has to do a lot to undermine that.

How do you keep track of all the passwords?

We recommend password managers, they make life easier and more secure.

I've been using one for years; you quickly get used to it.

In the future, we will also see new methods - for example, well-secured biometric recognition, such as fingerprints or facial recognition.

What I also do regularly on my cell phone: I remove apps that I don't use.

Why?

When in doubt, apps notice what I'm doing on my phone.

The fewer apps are installed on the cell phone, the less data is lost.

In general, every app is always a potential gateway for attackers - especially if it doesn't receive regular updates.

In this respect, it makes sense to remove apps from your cell phone that you don't need.


What about backing up files, such as photos?

You do that?

Yes.

I back up my cell phone data at least once a year, and I also back up files on my computer.

What applies to private users?

Everyone should make regular backups.

The easiest way is to back up your data in the cloud; there are different providers here.

Of course, data can also be backed up on an external hard drive.

But if this is lost, the data is gone.

Do you recognize a fraudulent email or WhatsApp message immediately?

I wish I could say that about myself.

But unfortunately that's not the case.

These scams are getting better and better.

With the Nigerian prince, who supposedly wanted to transfer money to me if I transferred money to him beforehand, it was relatively easy to recognize the fraud behind it.

But I've also received emails that looked deceptively real and I really didn't know straight away whether they were real or fake.

How did you react?

I deleted the emails just to be on the safe side.

There is no shame in someone falling victim to a scam, it can happen to anyone.

It is important to me that everyone is aware that these scams exist.

I advise everyone to be vigilant.

What makes detecting scams so complicated?

Thanks to artificial intelligence, fraud schemes are becoming increasingly difficult to understand: In terms of language, fraudulent emails or short messages are now at a high level and, unlike before, free of spelling errors.

Fraudsters have also resorted to collecting information about their victims.

This allows you to create personalized emails, and suddenly what looked like a phone bill is actually not a phone bill.

What patterns do you observe in attacks on companies?

This usually involves getting someone from the company to transfer money.

The second scam is to lure employees to fake websites.

In this way, the perpetrators create a gateway to inject malware into the company network.

How can companies protect themselves?

We also advise companies to take measures such as two-factor authentication.

In addition, you should always work with the latest software versions.

And very important: Employees must be sensitized not to click on everything.

What is the worst-case scenario?

The attack on Südwestfalen IT, a municipal IT service provider in North Rhine-Westphalia, is very striking.

There, at the very bottom of the food chain, the IT networks were paralyzed.

At the front of the chain, it was no longer possible to get married in the registry offices; in the registration offices, applications for vehicle registration were carried around in laundry baskets.

Now you can imagine that there could be more threatening scenarios.

Which would those be?

An attack on critical infrastructure, for example - be it power grids or large telecommunications networks.

Such cyber attacks on infrastructure have already occurred in Ukraine as part of Russian warfare.

In Germany so far we have mainly seen crime and propaganda on the Internet.

Fortunately, we have so far been spared from a major attack.

Actually, that's almost surprising.

With its confusion of responsibilities between the federal government, the states and numerous authorities, Germany often seems somewhat overwhelmed when it comes to IT security issues.

It is clear that we definitely have to position ourselves much better.

The discussion about the competences between the federal and state governments has been going on for a long time.

But what is the solution?

In the event of a crisis, three things are important: having all information available immediately, taking action quickly and coordinating this action.

If the lights go out in Munich and Hamburg at the same time due to a cyber attack, we must be able to act together immediately.

However, this is currently not possible in important aspects: regular, permanent or even institutionalized support for the federal states from the BSI is not constitutionally possible.

We are currently only allowed to work together in exceptional and selective ways, and only when someone is already down.

We have to change that, with the BSI in the role of central office for cybersecurity in the federal-state relationship.

How do you deal with the balancing act of closing security gaps on the one hand, while investigative authorities like to use gaps for their own purposes?

As the name suggests, we as BSI come from the security corner.

Our position is therefore very clear and unequivocal: we must close vulnerabilities, and as quickly as possible.

Any vulnerability that exists can and will always be used against us.

Has this message already reached the security authorities?

You have to ask the security authorities.

But seriously: Of course we are not naive, as BSI we also live in reality.

In the end, it is up to politicians to find a good balance.

You are a mathematician and during your studies you also took courses in computer science.

How did you get into programming?

I started programming at the age of 13.

My father brought me a computer in the 80s: a huge block, green screen, keyboard and calculator in one.

The part weighed 30 to 40 kilos.

And it was my father who taught me the first steps in programming – in Basic.

Although there were the first simple computer games back then, I enjoyed programming more - that still applies today.

Are you still programming?

Yes.

For me, there is hardly anything more relaxing than just having a few hours on the weekend to try something new on the computer.

What did you program last?

Of course, we as BSI act according to law and order.

The tasks and roles of the BSI are regulated by a relatively large number of laws.

Some time ago I wrote a small application that can provide me with all BSI-related laws within seconds.

Then I thought that I would like to have an AI for this application.

This would allow me to ask the AI where I can find which law on this or that topic.

So one weekend recently I filled my program with all the German legal texts.

Now all the laws are on a hard drive and my AI answers my questions about them.

Then you can only hope that your AI is intelligent enough and always provides you with the correct legal texts - not that the BSI suddenly no longer works in accordance with the law.

(laughs) That's why it's so important that in the end the human always retains sovereignty and that you don't just let the AI do it.

Artificial intelligence does not release us from the obligation to use our natural intelligence.

You have to remain vigilant and critical; in the end, the decision is still made by people.

Your predecessor as BSI President was a business economist and had pursued a classic administrative career.

Does being an expert help you in your position?

No question, of course it helps me.

But that doesn't mean that this is a necessary prerequisite for running such an authority.

Arne Schönbohm was a civil servant, you are employed on the basis of a non-tariff contract.

Doesn't that weaken your design options if you're in a sort of ejector seat?

No, not at all.

And if someone no longer thinks I'm the right person for this position, I'll just do something else.

Regardless of whether I am a civil servant, a political official or employed outside the collective bargaining agreement: I am at the BSI because I want to make a difference.

The issue is close to my heart – there is no other reason why I do this job.

Source: merkur
