Warning call in Linz – “A catastrophe”: that’s how vulnerable we are on the Internet

The company Dreamlab Technologies developed ‘CyObs’ on behalf of Switzerland, a system that can analyze millions of connected devices in the country, Peter explains. “Our software indexes everything connected to the public internet.” For Austria, CyObs was used to scan nearly two million online assets and 1. such as IP addresses, each of which can host 300 to 1,000 domains, and .at domains. 2 million documented and known vulnerabilities identified.

“This is actually a catastrophe,” says the expert, because it is well known that these vulnerabilities exist. And in many cases the hacking tool can be downloaded for free on the internet. This is where IT managers should take action. “We have 50,000 years of evolution and then we have another ten to fifteen years of digital transformation. We as humanity have simply not yet arrived at this new reality,” Peter is clear, but discussions are needed in politics and institutions that take responsibility. It is important to invest a lot, especially in education.

“Everyone must participate”
The expert wants cybersecurity to be a high priority in politics, business and society. “Because ultimately everyone has to participate. This also includes, for example, the data hygiene of each individual on social media. What do I share? What information do I provide to whom? Are they also protected by this institution?” Peter explains. In politics the leverage effect would be greater. Naturally, the balance between safety and supervision of citizens and companies always plays a role.

With their lecture “The current Austrian cyberspace – an update”, Peter and company founder and director Nicolas Mayencourt hope to “make an impact” at the ICT conference because important people from politics and business from all parts of Austria will be present. “We look at what a cybercriminal organization or foreign state sees when he or she prepares an attack on Austria and present a large collection of vulnerability types.”

The infrastructure is largely located abroad
Of course, the experts from Switzerland were not allowed to paralyze a city’s railway infrastructure or traffic light system during their tests, although that would be possible. They found that only five percent of DNS servers, the control infrastructure for domain resolution, are located in Austria. Only 20 percent of mail servers are located in Austria. 80 percent of mail servers are located abroad, including those of governments and municipalities.

E-mails from citizens to municipalities or telecommunications companies could be read abroad or by foreign services “because we do not encrypt the e-mails.” According to the experts, the vulnerabilities also include exposed infrastructure control systems, for example heating systems that can be accessed unprotected via the Internet, and web cameras that monitor hydroelectric power stations, dams and water supplies. The government domains “.gv.at” were also analyzed and more than 1,000 critical vulnerabilities were identified.

Hacker methods for a good cause
Basically, cybersecurity experts try to penetrate the IT infrastructure that needs to be protected like a hacker, but without causing damage. The individual companies bear a correspondingly great responsibility. When accepting an assignment, it is important to ‘establish ethical, internal protocols’, that is to say to ask whether you want to share the knowledge with the client – ​​a state, an organization. This is already partly essential knowledge today. In Western Europe, there is now a growing awareness that it is important to have such technological knowledge in one’s own country, that is, to be able to defend cyber-national borders. “Austria, like Switzerland and many other medium-sized European countries, is in the middle to lower midfield. This means that we are simply not doing our job,” says Peter, who also heads the Digital Transformation Competence Center at the FHNW School of Business in Olten.

Scandinavia as a pioneer
Peter mentioned Scandinavia as a role model. There, banks and critical infrastructures are required to share information about attacks with other organizations, which is called ‘shared threat intelligence’. The anonymized metadata of the attack is shared. For the past three years, Dreamlab has been working with the EU on a project “that envisions every consumer product that may ever be approved in the EU having such a shared threat sensor, i.e. every refrigerator, every coffee, a machine that connects to the internet is connected, will alert anyone if he senses he is being attacked.” This raises questions such as: ‘Do we trust the state? Does the state need control bodies? These are new topics that we haven’t even started discussing yet,” says Peter, who still sees a lot of work ahead of him.

A uniform EU solution would make sense. There are initial discussions and ideas. “In fact, these sensors should be present at the EU borders where the submarine cables enter EU territory to intercept the worst attacks,” where the trade-off between security and surveillance again comes into play. Isn’t there such a thing as cyber neutrality? “We have been asking ourselves for years why no country in Europe or around the world has positioned itself to guarantee cyber peace and cyber neutrality, not only to protect its citizens, but also to be attractive as a business location.” are,” says Peter. Because if ‘Austria, for example, offers this cybersecurity and with an attractive tax rate, then yes, the rules of the game have changed’, Peter thought the term ‘cyber fortress’ was appropriate, but we are still a long way from it.