The security situation in Europe
We live in a time when practically all generations have grown up without wars and in prosperity (a roof over their heads, food, heating, education - guaranteed by the state, i.e. the social community). The lectures of the Federal Office of Civil Protection on emergency preparedness are largely ignored; the state already regulates every danger and can certainly exceed the speed of light in the production and delivery of goods.
Some have perceived the war in Ukraine as a threat.
In this context, more and more people are becoming aware of
risks, real threats and attacks.
Concerns about cyber-attacks are growing, and rightly so.
How? Our gas doesn't grow in the pine trees in our backyard,
and the car we order needs real wires in the age of cloud
computing?
And someone is still waving bombs and guns around in Europe?
Then we got Trump as a "gift". We'll see if NATO is any good in the future.
I have the feeling, however, that the attacks and interventions that take place in practice (even in our election campaign, for example) and the resulting risk to everyday life - apart from the risk of war - are often ignored. Because the attacks are not noticed and there is no understanding of the risks involved.
Example of cyber attacks
Cyber attacks are commonly associated with data theft,
disruption (e.g. DoS) or extortion (e.g. via data
encryption/ransomware) of companies and organisations. This
means that the damage is limited to these organisations. Of
course, it still exists.
However, in 2010 we already saw attacks being prepared (and in some cases carried out) against general infrastructure (Siemens PLC controllers for frequency converters used to control motors in industry, but also in power stations, for example). (1) This was a dimension that can now affect entire industries and put them de facto out of action. And infrastructure that we all need, e.g. power generation and others.
The Stuxnet malware (or, from another perspective, the development of technologies and methods for cyber warfare) was most likely developed in/on behalf of Israel, which seems plausible given the extensive and little-regulated arms industry there.
Previous themes have tended to revolve around attacks on assets, private and corporate data, blackmail (whether through data expropriation or publication), or operational interventions in technical systems.
Today we see most of the attacks coming from China & Russia and they are of a completely different nature. It's about disinformation, rumours, discrediting people, companies & parties and destabilising whole countries. Interestingly, in the age of artificial intelligence and with experience, the quality of "fake content" has improved, but it is still easy to identify with care and life experience. Rather, it is the psychology that makes some people personally susceptible and spreads and amplifies the effect by passing it on - from which point it is often impossible to identify the fake content. Social media combined with low media literacy is not helpful here.
A well known example is the fake news that has been used against the Greens or the AfD, recently even combined with real physical actions like damaged cars. (2)
Dangers that are often overlooked
Many private users now think that they themselves are not an
interesting target and are hardly vulnerable to attack.
- I don't have any important or confidential information on my
devices
- the failure of any Internet devices is not that
important
- my router has a firewall
- ...
Often overlooked:
- Many people have mobile phones. Often without a PIN, with
eSIM etc. and the number stored in other places for
identification (bank for TAN, Amazon, ...)
- Many use home banking (there are an extremely large number of
attack vectors)
- Email (and other accounts)
- The firmware of the router, smart home plug, vacuum cleaner
robot, SmartTV in the WLAN is not up to date and therefore
often allows access to all data flowing in the WLAN, if not
encrypted.
- Operating systems (especially Windows laptops and Android
phones) are often old and no longer maintained, or are not
updated.
- Contrary to popular belief, blackmail via nude photos or
tapping into a contact's bank details or credit card PIN is not
that popular.
- Most people find identity theft (which usually starts with
poorly secured smartphones) silly, when other people order
mobile phone cards, make mail-order purchases, request official
documents and you end up without access to your email, bank
account and mobile phone contract.
In short: the carelessness of the 90s/2000s is no longer advisable and the courts now demand more cooperation to limit damage before, for example, money can be recovered from a bank.
Telecommunications & Energy Infrastructure Example
The attacks on underwater Internet cables at the end of 2024
are well known. These were not cyber attacks; the cables
were simply torn apart with anchors. There is no protection
against this today, except constant surveillance. This (see
Nordstream) does not yet protect against explosives placed by
divers (e.g. from a boat, standard procedure also used by the
German Navy).
Most people are no longer aware of what happens when the
Internet goes down.
Not all services in continental Europe have an independently
functioning presence. And even then, such a failure leads to
considerable slowdowns due to infrastructure reasons.
A few examples
- The fact that there is no more weather (X, to be precise) is
perhaps no great loss. Eye X's not.
- The fact that all social networks are still "limping" at
best, and that information is becoming more and more
asynchronous, should often have an impact on data acquisition
and the exchange of opinions.
- The fact that some applications on mobile phones no longer
make a sound is something that everyone has to judge for
themselves.
- The fact that payments and emails abroad are suddenly blocked
can quickly cause major problems in the global world.
- International travel becomes more difficult every day due to
lack of visas, APIS and the need to verify data with the
authorities.
- International trade is restricted, which leads to rising
prices and deteriorating supplies after a few days.
- to be continued...
A national internet blackout, with no smart home, no streaming (TV; radio), no telephone connections, no access to public authorities, no card payments, no cash withdrawals, etc., is of course another dimension.
However, submarine cables are not just about internet/telecom connections. The electricity grid is also becoming increasingly interconnected. Interference threatens the stability of the power supply, but also has a very rapid effect on prices. There are 3 lines between Norway and Germany alone. (4) The uncertainty it creates and its impact on pricing make it an attractive target for destabilising states.
By the way, it is easy and effective to use explosives on high voltage pylons to attack the 2-3 parallel lines.
Professionals
It is clear that in many countries, neither cyber nor physical
attacks are any longer a sideline for criminals and junior
militias. In Russia, for example, Unit 29155 has existed for
more than 20 years. (5) In the early years it was a hobby club,
but the methods of destabilisation have improved considerably.
There are also purely specialised cyber-attack units.
Classic cyber-attacks such as data, asset (account) and identity theft, as well as blackmail by preventing access to data, are now complemented by methods of attacking infrastructure that can disable telecommunications, electricity, water and gas supplies, as well as de facto petrol stations and retail outlets.
Entertaining page
Such scenarios were described in the book "Blackout - Tomorrow
is too late", written in parallel and published in 2012. Anyone
who happens to combine knowledge of IT security, industry
infrastructure and emergency management will confirm that the
scenarios are extremely realistic. Readable, instructive and
entertaining.
What is the state(s) doing?
In addition to many manufacturers, who have of course been
dealing with the topic for decades, there is attention and also
more and more demands & rules for prevention on the part of
(in our case) the EU and the responsible federal authority BSI
(Federal Office for Information Security).
Already 10+ years ago, recommendations and standards began to be developed (usually based on international security and data protection standards such as ISO 27001; in some cases Germany was a pioneer, e.g. with the BDSG for the GDPR). A start was also made on anticipating possible lines of attack and damage and creating special rules for this. This ended provisionally in the BSI Act, as the result of a “Kritis Regulation”. Kritis is the magic word in this context: critical infrastructures. The supply of goods, water and electricity to citizens. The authorities' ability to communicate. Hospitals and air traffic. In short: the modern world has an extremely large number of attack options.
The latest EU initiative in this area - NIS-2 - is currently being transposed into German law.
Now everyone is talking about NIS-2 being about cybersecurity.(6) This view does not go far enough. NIS-2 requires comprehensive protection. For example, a hospital must also physically protect its infrastructure against unauthorised access and provide emergency power in such a way that an attack by students is unlikely. The sum of all participants and standards therefore also improves purely physical protection and risk and emergency management in general.
Unfortunately, implementation into national law has been delayed by the collapse of the coalition.
The Federal Intelligence Service, which is logically well informed, occasionally draws attention to external dangers. (7) The Office for the Protection of the Constitution, for example, regularly deals with the various attackers. (8)
Conclusion
By the way, this is not a call for panic. The Cologne Basic Law
applies per se.(10) But a realistic view of what risks exist
and what is more vulnerable would be a first step. On the
"cyber side", this means more focus on IT security. (9) And
perhaps some consideration of emergency preparedness. Once set
up, little effort (practical and financial). https://www.bbk.bund.de/EN/Home/home_node.html
PS:
In the global situation it seems advisable for Europe not to
rely on a US-led NATO for its security. And to arm itself for
real imminent attacks. States, Organisations & Citizens.
Including the development and use of European Internet
services.
Sources:
(1) https://de.wikipedia.org/wiki/Stuxnet
(2) https://www.tagesschau.de/inland/bundestagswahl/sabotageserie-autos-russland-100.html
(4) https://de.wikipedia.org/wiki/NordLink
(5) https://de.wikipedia.org/wiki/Einheit_29155
(6) https://de.wikipedia.org/wiki/NIS-2-Richtlinie
(10) https://www.koelsch-woerterbuch.de/das-koelsche-grundgesetz