Cybercrime

Source: TippaPatt -- stock.adobe.com

The term "cybercrime" may be misleading. More appropriate terms are "attacks on control systems", "criminal offences committed over the Internet" or "criminal offences committed with use of a computer". These offences have the purpose of stealing information, identity theft, sabotage, espionage, blackmail, theft of cryptocurrencies, destruction of physical systems, disinformation or acts of terrorism.

This includes, for example:

  • Attacks on remote controls, for example over a narrowband radio channel, WLAN or optical connection
  • Attacks on control systems or computer systems, e.g. by means of malware (such as ransomware), DDoS attacks (malicious overloading of the IT infrastructure), or spam and phishing (falsified and malicious emails)
  • Acts that violate personality rights, copyright or trademark law, e.g. by data leaks and doxing (collection of personal data)
  • Theft of digital assets (non-fungible tokens or tokens in a cryptocurrency)
  • Development of programs that could be used to spy on computer systems
  • Installation of backdoors that allow unauthorized access to systems, e.g. hardware trojans
  • Denial, concealment or maintenance of security vulnerabilities
  • Spreading of lies or untruths
  • Unauthorized creation of movement profiles

  • What is accelerating this development, and what is slowing it down?

    Cybercrime is one of the fastest-growing criminal phenomena with high damage potential: in 2021, 146,363 cybercrimes were recorded in Germany - over 12% more than in 2020, and a new record high. The financial damage amounted to 223.5 billion euros [1]. The new opportunities for crime arising from the surge in digitalization triggered by the coronavirus fell again slightly in 2022 owing to the lifting of the protective measures. However, the number of crimes committed abroad (i.e. the criminals were located outside the country) rose sharply compared to the previous year, making them more difficult to investigate and prosecute [2].

    Numerous factors encourage online crime. The perpetrators respond flexibly to technical and social developments, and their actions are increasingly professional and global. Criminals are also able to operate from almost anywhere in the world and can easily cover their tracks.

    Networking in society is growing dynamically in scale, and provides criminals with a steady stream of new opportunities. Growth of the Internet of Things (IoT) and Industry 4.0, in particular, provides cybercriminals with new gateways for attack [3]. Other drivers include the growing use of GPS technologies, central databases, wireless and mobile devices, networks and open-source software.

    Artificial intelligence (AI) enables hackers to carry out their attacks more effectively and efficiently, and to detect vulnerabilities in program code. The AI-based ChatGPT chatbot, for example, is able to improve the quality of phishing attacks significantly [4]. Collection, storage and processing of vast quantities of information (big data) also presents criminals with attractive targets and makes such systems susceptible to attack [5]. By the same token, however, AI and big data can be used to enhance cybersecurity. For example, AI can be useful in detecting images and text that were themselves generated by AI. Big data can be used to identify suspicious network activity in real time [6].

    The "hacker clause" adopted in Germany in 2007 in the form of StGB 202c, which criminalizes persons merely for searching for security vulnerabilities or programming or using tools suitable for this purpose, has had an adverse effect on IT security [7].

    Careless handling of data exacerbates the security situation. Facilities for encrypting and signing emails, for example, are not used sufficiently often. Emails containing HTML code are easily forged and hidden content is easily added to them.

    The likelihood of hacking attacks rises when personal data is disclosed too readily, or when apps are used that do not assure technical confidentiality. Criminals often encourage such behaviour by offering the prospect of rewards. Conversely, a positive development is that children and young people are becoming familiar with digital technologies and acquiring technical skills at an early age.

    Companies that replace their in-house specialists with external service providers sacrifice the in-house expertise of their own staff and their familiarity with the company’s own IT systems. Options for better protection, such as the "principle of least privilege (PoLP)", are also often ignored.

  • Who is affected?

    According to Germany’s Federal Criminal Police Office, the BKA, cybercrime now affects every single company in Germany. Generally speaking, any company is a potential target for cybercriminals, irrespective of its sector or size. However, the prime targets are banks, private-sector insurance companies, fintech companies, the manufacturing sector, media, hospitals and clinics, data centres and public administrations [8].

    The spectrum of hacking attacks ranges from vulnerable pacemakers which remain open to cyberattacks for longer periods [9; 10], to attacks on crane control systems and industrial plants, and even simple IT components. Ripple20 and similar security vulnerabilities require a target merely to be accessible in the network in order to attack it successfully [11]. Some routers can be compromised remotely even when remote maintenance is switched off [12].

  • Examples (only in german)

    The spectrum of online crime is broad, and is changing rapidly and constantly employing new technologies. It follows that the battle against online crime must also make use of new technologies, such as AI, to counter the increasingly sophisticated attacks by criminals who are using such innovative methods.

  • What do these developments mean for workers’ safety and health?

    Cyberattacks can have devastating consequences for employees in companies, for example when outside parties take control of safety-critical systems (e.g. cooling systems for chemical substances) [13] or installations and machinery (e.g. collaborative robots) [14].

    Protecting critical infrastructure (power and water supply, transport and traffic, information technology, telecommunications) against cyberattacks is particularly important. The pressure on companies and employees is high, as the potential scale of damage and its consequences for the companies and facilities affected and, in extreme cases, for society and public safety, can be immense.

    Cyberattacks can pose an acute threat to employee safety, for example when control over collaborative robots is lost, or the loss of temperature control in large plants results in runaway chemical reactions. Situations such as these may place employees at risk of serious or even fatal injuries. At the same time, cyberattacks and their unforeseeable consequences may present a psychological burden for the employees tasked with managing the relevant networks. This is not limited to acute stress situations during attacks, but also includes serious, long-term psychological problems. Some affected individuals even suffer from severe trauma symptoms and require psychological support [15]. If confidential or sensitive information concerning companies or their employees is affected, attacks can even impact upon the entire workforce. Companies face the risk of damage to their image, and even of becoming completely uncompetitive.

    The growth in working from home, inadequate security of home networks, the use of private ICT devices, including in companies, and the widespread use of social media for private or business purposes may make protection against cyberattacks more difficult. Fear of cyberattacks may, for example, prompt companies to restrict mobile working, possibly with disadvantages for the company and its employees (loss of flexibility, motivation, commitment) [13].

    Arming themselves against cyber threats and attacks ("cyber resilience") is crucial for companies, usually involves considerable financial and personnel overhead and is made significantly more difficult by the widespread shortage of IT personnel.

  • What observations have been made for occupational safety and health, and what is the outlook?
    • Cybercrime constitutes a huge - and growing - problem for all companies. Raising awareness of the issue at an early stage and at regular intervals and providing training in conscious handling of potential security risks must be addressed in the context of occupational safety and health.
    • To prevent cyberattacks, each individual access to data must be verified, regardless of its origin. This philosophy of zero trust must be implemented by companies, public authorities and research establishments. Comprehensive security within a company’s own system is essential, as cyber attackers almost always succeed in penetrating the core of a system [16].
    • Industrial security: important measures against cybercrime include technical security measures (securing gateways between networks, encrypting email communication, two-factor authentication, etc.), and also raising awareness among the entire workforce of the ubiquitous danger of cyberattack.
    • A core problem in the area of IT security is communication, which in the past has been poor. Where critical security vulnerabilities are detected, manufacturers and operators must be reachable and given the necessary information swiftly. Websites can provide this information through a security.txt file (technical specification RFC 9116) [17]. A supplementary software bill of materials (SBOM) is a central record of the software used in a given project. It enables affected projects to be identified quickly should security vulnerabilities become known [18].
    • In view of the severe shortage of IT specialists, in particular, companies should invest in regular initial and further training of their employees. All parties involved must be aware that the shortage of skilled workers and security researchers will be exacerbated if the mere search for security vulnerabilities continues to be criminalized.
    • Should a cyberattack occur, crisis management according to emergency plans must be ensured. Such plans implement technical measures purposefully to minimize the risks to employees, particularly in the event of accidents or attacks on critical infrastructure, industrial plants, etc. Ideally, a digital rescue chain with a "digital first responder" should also be put in place [19]. An emergency contact for security management ensures that should a critical security problem arise, the relevant information reaches the responsible parties as quickly as possible [20].
    • Germany’s Federal Criminal Police Office (BKA) has a coordinating role in the battle against cybercrime. A number of initiatives have also been launched with stakeholders from the German federal administrations, industry and wider society who are committed to cybersecurity [6]. Networking with these institutions presents an opportunity for the German Social Accident Insurance to optimize and further develop its preventive activity. The German Federal Office for Information Security (BSI) provides basic quantitative information on the cyber security situation, preventive measures and support in the event of a cyber attack.
    • The EU’s planned Cyber Resilience Act (CRA) is intended to establish digital security by setting out common standards for networked devices and services. "Secure by design" is intended to ensure a security architecture in devices’ digital core that addresses all relevant threat scenarios and vulnerabilities from the outset [21]. The DGUV sees further potential for improvement in the draft of the CRA, and is involved in its ongoing development [22].
    • The Institute for Occupational Safety and Health of the German Social Accident Insurance (IFA) provides information on industrial security and conducts research into the topic. The GS-IFA-M24 test principles were developed for testing and certification and are used in the test laboratory for industrial security [23].
  • Sources (in German only)

    [1] Bundeslagebild Cybercrime 2021 (non-accessible). Hrsg.: Bundeskriminalamt (BKA) 2021 (abgerufen am 15.9.2023)

    [2] Bundeslagebild Cybercrime 2022 (non-accessible). Hrsg.: Bundeskriminalamt, Wiesbaden 2023 (abgerufen am 16.10.2023)

    [3] Pandemie bietet Nährboden für Cyberkriminalität: Steiler Anstieg der Delikte. Hrsg.: Polizei NRW, Düsseldorf 2022 (abgerufen am 15.9.2023)

    [4] Cyberkriminalität: Künstliche Intelligenz (KI) macht Unternehmen das Leben schwer. Hrsg.: baublatt.ch, Adliswil 2023 (abgerufen am 15.9.2023)

    [5] Big data and the rise of internet crimes. Hrsg.: iPleaders, Delhi 2022 (abgerufen am 15.9.2023)

    [6] Argumente für den Einsatz von KI und ML in der Cyber-Security - Sicherheit finden. Hrsg.: WEKA Fachmedien GmbH, Haar 2023 (abgerufen am 15.9.2023)

    [7] Strafgesetzbuch (StGB) - § 202c Vorbereiten des Ausspähens und Abfangens von Daten. Hrsg.: Bundesministerium der Justiz (BMJ), Berlin 2023 (abgerufen am 9.10.2023)

    [8] Was ist Cybercrime? Hrsg.: Myra Security GmbH, München 2023 (abgerufen am 15.9.2023)

    [9] Herzschrittmacher: IT-Sicherheitslücken in kardiologischen Implantaten. Hrsg.: Heise Medien GmbH & Co. KG, Hannover 2021 https://heise.de/-6314991 (abgerufen am 9.10.2023)

    [10] Sicherheitsloch im Herzschrittmacher. Hrsg.: Heise Medien GmbH & Co. KG, Hannover 2017 (abgerufen am 9.10.2023)

    [11] Ripple20 erschüttert das Internet der Dinge. Hrsg.: Heise Medien GmbH & Co. KG, Hannover 2020 (abgerufen am 9.10.2023)

    [12] Fritzbox-Sicherheitsleck analysiert: Risiko sogar bei deaktiviertem Fernzugriff. Hrsg.: Heise Medien GmbH & Co. KG, Hannover 2023 (abgerufen am 9.10.2023)

    [13] Foresight on new and emerging occupational safety and health risks associated with digitalisation by 2025. Hrsg.: European Agency for Safety and Health at Work, Bilbao 2018 (abgerufen am 15.9.2023)

    [14] Key trends and drivers of change in information and communication technologies and work location. Hrsg.: European Agency for Safety and Health at Work, Bilbao 2017 (abgerufen am 15.9.2023)

    [15] Psychische Folgen von Cyber-Angriffen: Ausnahmesituation fürs Security-Team. Hrsg.: heise online, Hannover 2022 (abgerufen am 15.9.2023)

    [16] Herr Prof. Michael Waidner, wie sind die kritischen Infrastrukturen in Forschung und Wirtschaft in Deutschland in Bezug auf Cybersicherheit aufgestellt? Hrsg.: Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. 2022 (abgerufen am 15.9.2023)

    [17] security.txt: Standardisierte Kontaktinfos für IT-Sicherheitsmeldungen. Hrsg.: Deutsche Gesetzliche Unfallversicherung e.V. (DGUV), Berlin 2023 (abgerufen am 9.10.2023)

    [18] BSI TR-03183 Cyber-Resilienz-Anforderungen (non-accessible). Hrsg.: Bundesamt für Sicherheit in der Informationstechnik (BSI), Bonn 2023 (abgerufen am 9.10.2023)

    [19] Die Bedrohung ist digital. Hrsg.: tagesschau.de, Hamburg 2023 (abgerufen am 15.9.2022)

    [20] Notfallkontakt für das Security-Management in Unternehmen (non-accessible). Hrsg.: Institut für Arbeitsschutz der Deutschen Gesetzlichen Unfallversicherung (IFA), Sankt Augustin 2023 (abgerufen am 15.9.2022)

    [21] Der Cyber Resilience Act bringt endlich "Security-by-Design". Hrsg.: Security Insider, Augsburg 2023 (abgerufen am 15.9.2023)

    [22] "Sicherheitslücken in Steuerungen sind ein ernstes Problem für den Arbeitsschutz". Interview mit Jonas Stein, Leiter des Arbeitskreises Security der DGUV. Hrsg.: Deutsche Gesetzliche Unfallversicherung e.V. (DGUV), Berlin 2023 (abgerufen am 15.9.2023)

    [23] IFA-Prüfgrundsätze zu Industrial Security. Hrsg.: Deutsche Gesetzliche Unfallversicherung e.V. (DGUV), Berlin 2023 (abgerufen am 9.10.2023)

Contact

Dipl.-Psych. Angelika Hauke

Interdisciplinary Services

Tel: +49 30 13001-3633


Dipl.-Übers. Ina Neitzner

Interdisciplinary Services

Tel: +49 30 13001-3630
Fax: +49 30 13001-38001