In order to increase trust in the Internet, the topic of security is of the utmost importance to eco. In addition to a broad range of initiatives and services, a dedicated Competence Group deals with current issues of security with regard to the industry. A further Competence Group called the Anti-Abuse CG serves as a forum for member-internal exchange on current abuse topics.

Once a year, eco surveys experts for its “IT security” study on their assessment of the threat situation, on the evaluation of current security topics and on trends. The topics range from personnel and organisational security to the protection of IT systems, right through to the issues of security management and raising awareness among employees.

Security Competence Group

Statement on the coalition agreement

In spring 2022, together with members of the Anti-Abuse Competence Group, the Security Competence Group prepared a statement concerning specific positions of the German coalition agreement. The focus was on the IT topics addressed in the coalition agreement, such as encryption, data retention, handling security vulnerabilities, and the role of the German Federal Office for Information Security (BSI). The outcomes of this workshop were incorporated directly into the work of the Berlin colleagues.

Security Expert Talks and webinars

On 16 March 2022, a webinar on “Security in the IoT” was made available in cooperation with the Internet of Things Competence Group. The recording of the German-language webinar is available in the eco members’ area.

Focusing on current developments, on 22 March 2022 we held an eco Security Expert Talk Special, entitled “Cyberwar”. At this talk, we spoke with experts about how the Russian war of aggression against Ukraine was affecting cybersecurity and digital infrastructures, and how companies can best prepare themselves. eco members can access the German-language recording of the Security Expert Talk Special “Cyberwar” in the members’ area.

As a central component of the Internet, the DNS is at the head of the value chain and is exposed to particular threats. For this reason, leading minds met on 22 June 2022 at the Security Expert Talk to discuss ways to protect the DNS.

After Sven-Holger Wabnitz, Senior Advisor at DomiNIC, had presented the basic building blocks of the DNS and explained how they work, he then raised the question of security mechanisms or their absence in the DNS. Patrick Ben Kötter from Sys4 AG also picked up on this idea and called for a fundamental modernisation of the DNS. All companies and people operating online need an Internet in which they can reliably and confidently move about.

Prof. Haya Shulman concluded the Security Expert Talk with her presentation on possible attacks on the DNS, which is available as a German-language video recording in the members’ area.

Podcasts and insights – the IT security situation in Germany

As early as January, in the eco German-language podcast “The IT Security Situation in Germany”, we spoke about the security situation for German companies with Dr. Haya Shulman, Director of the Cybersecurity Analytics and Defences (CAD) department at the Fraunhofer Institute for Secure Information Technology SIT in Darmstadt.

The CG also took up this topic in the first part of the German-language eco Insights IT Security on 11 May 2022. At this event, Markus Schaffrin’s guests Thorsten Urbanski, ESET DACH, and Stefan Becker from the German Federal Office for Information Security (BSI), spoke about the current IT security situation in Germany, and also addressed the topic of “What impact does Russia’s war against Ukraine have on cybersecurity?”

The second part of the German-language eco Insights IT Security focused on the topic of “ransomware attacks”. Here, the experts explained how attacks can take place, what effects malware actually has on companies, and what measures should be taken if an attack has already taken place. The participants also discussed prevention and what it means for companies to focus more on the topic of IT security.

In the third and final part of the German-language eco Insights IT Security, experts Thorsten Urbanski, ESET DACH, and Stefan Becker from the German Federal Office for Information Security (BSI) spoke about the topic of cyber resilience. They provided valuable insights into the protection of company data and what is important when raising awareness among employees.

Secure digital identities

In spring 2022, on behalf of eco, the analyst firm techconsult surveyed approximately 300 citizens, 170 companies and 40 public authorities in preparation for the study “Security & Digital Identities in a Digitalised World”, which was published at the start of June.

Based on this study, the Security Competence Group met on 15 November to discuss the topic of “Security & Digital Identities in a Digitalised World”. Pascal Lehan-Bergmeier from Bonn Police Headquarters emphasised the importance of preventing cybercrime, given that digitalisation is creating more and more lucrative opportunities for criminals to commit criminal offences. He highlighted that it is important that security technologies for identity protection are user-friendly and accepted by users. The fact that there is still room for improvement in this area was demonstrated by figures from the eco and techconsult study “Security & Digital Identities in a Digitalised World”. Carsten Stöcker, founder and CEO of Spherity GmbH, then spoke about identities, zero trust principles and trust models as the basis for cybersecurity. Using an example from the pharmaceutical industry, he showed how SSI (Self-Sovereign Identities) enables full control over personal data.

As part of the German-language it-sa 2022, the Security Competence Group, together with member company adesso SE, exchanged views on the requirements and challenges that arise not only in software development, but also in daily use. Both advancing digitalisation and the growing professionalism of perpetrators are reasons for the rise in registered cybercrime offences in Germany. As 80 per cent of all attacks take place at the application level, a focus on secure software (development) is imperative. In turn, Ediz Turcan from adesso presented the “Hacking for Security” approach. The primary goal here is to create a real awareness of security gaps and dangers among developers and to deepen knowledge and theory through practical exercises, such as live hacking.

IT Security Study

When compared to the year 2021, the IT security experts we surveyed in 2022 see an increasing threat potential. Whereas, in the previous year, 77.4 per cent assumed that the threat would grow at the very least, the 2022 figures show a further increase of 16.4 per cent. 93.8 per cent of the respondents assume that the threat situation will grow or grow strongly. This is shown by the IT Security Study 2022 of eco – Association of the Internet Industry, which has been conducted for more than ten years in the period from September to the end of each year.

The experts are much more positive regarding the threat situation in their own companies than in Germany as a whole. More than two-thirds (71 per cent) of the experts surveyed said that the German economy is not adequately equipped in terms of IT security. The respondents are more optimistic about their own companies, with only 12.4 per cent thinking that they are inadequately protected against cybercrime. 30 per cent consider themselves sufficiently protected, 39 per cent consider themselves well protected, and almost 15 per cent even consider themselves very well protected.

Anti-Abuse Competence Group

The eco Anti-Abuse Competence Group (Anti-Abuse CG) comprises representatives from the anti-abuse departments of German web hosting companies and Internet Service Providers, as well as selected experts from the anti-abuse field.

The Anti-Abuse CG has a particularly strong culture of confidentiality, and this allows a positive and open exchange between the specialist units of companies, many of whom are ordinarily each other’s competitors.

The fact that the Anti-Abuse CG handles confidential data, some of which requires special protection, means that it is a closed group; nonetheless, invitations are naturally issued to qualified participants. In addition to the exchange of experience at internal meetings, members benefit from intensive exchange with the Security Competence Group (Security CG) and strong contacts with the German Federal Office for Information Security (BSI).

At the beginning of 2022, the Anti-Abuse CG comprised 72 participants from 37 companies and institutions. As a member of the Anti-Abuse CG, eco’s Michael Weirich contributed a short statement on IT security and cyber risks to the “VDI-Nachrichten” (VDI News), which was published in the 14 January 2022 issue.

Together with members of the Security CG, in spring 2022, the Anti-Abuse CG prepared a statement on specific elements of the coalition agreement. The focus here was on the IT topics addressed in the coalition agreement, such as encryption, data retention, dealing with vulnerabilities, and the role of the German Federal Office for Information Security (BSI).

DNS forms the baseline for all communication, and as such it was the topic of the first Anti-Abuse CG meeting in 2022. Thomas Rickert and Lars Steffen presented the topDNS Initiative to the CG and recommended close collaboration between the CG and the initiative. In the course of the year, the CG drew up a catalogue of definitions and requirements for the initiative.

For instance, the CG defined abuse cases and elaborated on the differences between “DNS abuse” and “content abuse”. As Leader of the CG, Patrick Ben Koetter took part in meetings with the EU in Brussels in an advisory capacity.

In addition, at the Security Expert Talk “Security for the Domain Name System”, as Leader of the Anti-Abuse CG, Patrick Ben Koetter represented the CG as one of the expert speakers on the topic of DNS in Germany.