Facing an inconvenient truth

INTERVIEW WITH PROF. DR. JEAN-PIERRE SEIFERT ON CYBER SECURITY AND WHY EVERY IT SYSTEM CAN BE HACKED WITH SUFFICIENT MANPOWER AND FINANCES

Jean-Pierre Seifert is professor of security in telecommunications at TU Berlin as well as a researcher at the Berlin Institute for the Foundations of Learning and Data. His research focuses on topics such as hardware security, cryptography technology, and quantum computers. He is also an established specialist for computer and communication security. Along with other experts he has been warning for some time now of the dangers of cyberattacks for private businesses and critical state infrastructures. Even before the start of the war in Ukraine his research demonstrated that almost all hardware solutions used in the commercial sector and even those intended to protect state high security areas do not function adequately. Functioning information and communication systems are of key importance for economies and societies. Professor Seifert heads a team of researchers in the areas of access control, encryption, online transaction security, privacy, anonymity and identity management, and system security for solutions to design secure communication and network infrastructures.

The war in Ukraine has made your warnings even more explosive. How would you rate the current risk level?

“The current risk level for normal IT systems is very high, though somewhat lower for state infrastructures as the protection here is in principle somewhat better. The challenge is to constantly re-evaluate what security is actually possible in theory and practice under the conditions of ever-changing attack scenarios.”

Is it even possible to monitor the number of cyberattacks on relevant systems now and in the past, and if so, can we detect an increase?

“In principle, yes, this is possible. Unfortunately, it is seldom actually the case. These data would be particularly important for the research on Big Data and machine learning conducted at BIFOLD and TU Berlin. In the few areas where we do actually have data, we can clearly see that the number of attacks has increased. However, this information is rarely made available to the public, other than in cases of attacks on public institutions such as TU Berlin in 2021 or most recently the attack on the Fraunhofer Institute in Halle.”

Are Germany and German businesses in general sufficiently equipped to deal with potential attacks?

“No. In general, too little importance and attention is given to IT security. That is the problem. A lot of damage is preventable by taking even a little action. Currently, there are a number of good recommendations provided by the BSI and consulting firms to help medium-sized businesses. The main difficulty here as well as in the private sphere is the human factor. A good example of this is the well-documented Stuxnet case. In this instance a computer virus launched a sustained attack on uranium enrichment facilities in Iran in 2010 and remained unnoticed for a long time. Hackers left prepared USB sticks lying around, which were then simply inserted into the computer by careless IT employees, enabling the virus to penetrate the systems.”

Would you support the thesis that every IT system can be hacked with sufficient manpower and finances? In other words, are the hackers always one step ahead?

“That is absolutely true and this is precisely the main focus of my research: identifying the weaknesses of the most secure systems, without regard to financial commitment or manpower of the attack. The hackers’ approach can only be countered by comprehensive system knowledge. It is precisely this competence that is generated by excellent basic research, which at best completely ignores practical applications. In the case of my team, we also have over 20 years of experience with industrial projects. The basic research we conduct is also highly relevant to government organizations. We always notice this when US state organizations with very high security requirements take an interest in our research.”

What aspects of security research are you working on at the moment? Can you provide some specific examples?

“Quantum computers are inevitable – one way or another, even if initially only with a few hundred qubits. In light of recent massive data thefts, it will be an enormous challenge to design effective or provably secure solutions that are still secure in the dawning age of quantum computing. Our classical Internet cryptography (public key cryptography or asymmetric cryptography) cannot stand up to quantum computing. This is why post-quantum encryption systems are a key area for us. Recently, we discovered that even the entire encryption of mobile communications can be broken by quantum computers, because only the so-called secret key cryptography (symmetric cryptography) is used in mobile communications. This is possible even with very small quantum computers with around 300 qubits. The European Telecommunications Standards Institute (ETSI) and other organizations are now considering what this means for the future of 6G.

In another research strand, which we are pursuing primarily within BIFOLD, we are testing the increased use of machine learning (ML) techniques in the area of hardware security. The goal is to automate time-consuming and tedious preliminary work, so-called reverse engineering, using ML. An innovative approach that is constantly improving and is also already being pursued by companies such as Google, Intel, and even AMD.”