Dr. Waldemar Grudzien, Director, Department Retail Banking and Banking Technology, Association of German Banks
April 18, 2012 9:00
Well, let's move on now to our second presentation, if our second presenter is here.
Yes, indeed. Our second presenter is Dr. Waldemar Grudzien from the Association of German Banks, who will be addressing securing banking infrastructures in the age of cyber warfare. Thank you very much. I think I need my microphone.
Ah, well, I'll give you one of these, okay? Okay. Thank you. Good morning.
Yeah, you can hear me. Okay.
Our talk will talk a little bit about the politics of security. The title is how it is, and the real one is that security is no longer a business issue, or not only a business issue, but much more politics, in Europe from the EU Commission and in Germany from Berlin.
Firstly, who I am. Okay, I studied, it's a long time ago, and I joined the Association of German Banks 11 years ago, where I'm responsible for security, above all in online banking and ATMs, and for cryptography, the PIN things, biometrics, security strategies. And, it's important for today, I am the head of the national CIP strategy. It's a program driven by the German Ministry of the Interior and I am one of the two heads. Now two very simple and boring slides, but they are vital for understanding the politics above, in Berlin and Brussels.
So in the first time, I mean in 2004, as in August, we all were faced with phishing. So in August 2005, sorry, 2005, we were firstly attacked.
We, I mean the banks, the banking community in Germany, were attacked by phishing, badly done phishing, but it worked because we were not prepared for it, it was new to us. And we were simply the first sector because we have your money. We have some money of your bank accounts, we still have this money in our bank accounts. And from the perpetrator's point of view it was very easy to get the money and not to steal cars and whatever. So this is very simple, but you have to have it in your head for the understanding of what will come later.
Today ID theft is a threat to all of us. I think that the banking community and the financial sector, that means the insurances too, are well prepared for bigger attacks. I'm not talking about Trojan horses, it's daily business, it's okay. On average we have 150,000 new Trojan horses in Germany, 150,000 new Trojan horses per month. We can cope with it.
It's a huge number, but the losses are rather small and we can cope with it. Let me say, attacking business: the real threat is the big attacks, think about Estonia 2007, and the real threat from my point of view is also the over-regulation from Brussels. And as you can imagine, even state infrastructures like the new electronic identity card in Germany are not immune to identity theft. So ID theft drives the policy, it's not vice versa. The trend I just outlined shows that security has long been more than a technical concern, and not only banks are threatened by ID theft.
For us it's normal business, but also companies, industries and even countries are threatened. And I think that's one of the, yeah, pressure points for the governments above.
Yeah, the main countries, let me say the Netherlands, the UK, Germany, France, and Brussels, the EU Commission, will increase the pressure in Europe on the industry to protect yourself, to protect your customers. So security has become an economic and political issue too. Our chancellor Angela Merkel said during CeBIT this year, so two months ago, she said: the more automatic and the more natural using the internet becomes, the more trust one has to be able to place in security. You can also read it in German, it sounds nice in German. Policy makers want trust, and they want to be able to trust you.
Otherwise various steps will be taken. And I have just put two examples here. Japan, it's an old example: the Japanese government forced the Japanese banks to introduce chip technology as mandatory in bank cards since 2004. That was directly a result of the increasing losses the Japanese banks were faced with in 2002 and 2003. And then in 2004 they were forced by law, by a law, to introduce chip technology. That's what they've done.
And in the EU you have various regulatory projects in areas previously considered purely technical banking issues, such as cloud computing, critical infrastructures and so on. And you will see in the following slides that there are various EU-driven programs which you will be faced with in the next two to three years, but they are coming now, they are being prepared. And of course we have various national cybersecurity strategies, driven by now even by ministers of the interior, since 2006.
So banks are no longer the main focus. From my point of view we are no longer the main focus of planned policy measures, but of course we would be strongly affected by more far-reaching anti-ID-theft legislation. So if, for example, in other critical sectors, and there are eight critical sectors, I will present them afterwards, a big, big ID theft issue like, let me say, the one mentioned for Sony or other famous examples will happen in Germany, I think that also the banks and the insurance companies would be threatened by the political security measures.
One of the national security or CIP strategies, security politics, is the so-called CIP strategy, for the German audience the plan for critical IT infrastructures, KRITIS, the German abbreviation for it, maybe you have heard about it. And it's a joint work by all federal ministries, so the German Ministry of the Interior, the Federal Office of Civil Protection and Disaster Assistance, the BBK, and so on. It was adopted already in 2009.
It's not the oldest program, there is an even older one some slides later, and it is the starting point for consolidation and new developments with the aim of how to protect the German population. I'm not kidding you now: the German population, how to protect it from a civil war. So that's the real thing, the German government is anxious about a civil war, which could be caused by a big ID theft, by a big attack on the German vital IT infrastructures. It's not a joke. Okay.
It consists, of course, of a shared responsibility between the state, you as the critical infrastructure operators and the suppliers, and of course the citizens too. This is the older program, the CIP implementation plan, which was launched in September 2007. Just for the overview: who are the sectors, what are the sectors? You can see it in the inner ring here, the eight critical sectors. I think it's common, it's also used in Brussels and the US and so on. So you have the food sector, energy, ICT, transport, media and culture.
Media and culture is not a bigger focus. Of course water, and then finance, financial services and insurance. The rest is in German. In the outer rings you can see the government department and, in the last ring, the supervisory authority. And in the German CIP program, UP KRITIS in German, we try to cover all the eight sectors. And honestly, honestly speaking, we tried to get them all, but we haven't succeeded completely until now, as you see. So we have a low degree of coverage in the transport sector, for example, which is a vital infrastructure for Germany.
We are in the middle of Europe, we are an export nation, and yeah. Who are the participants? So this is a big who's who, not of the suppliers, not of the German suppliers, but of the operators of critical infrastructures. In alphabetical order you can have all the names here: the big commercial banks, insurance companies and all the others. And firms that do not operate critical infrastructures are recommended to implement the guidelines. When the Minister of the Interior in Germany talks about a recommendation,
you know that it has the force of a law. So they always recommend you something, but they never say you should or you must.
But if Mr. Friedrich at the time recommends to the telecommunication companies, there are four in Germany, to do something,
then they will follow. Coverage is being systematically extended, as you have seen. Okay, we have four working groups. I'm the head of two of the four, it doesn't matter now, it's maybe for later discussions. One of the first things we implemented was a single point of contact culture, a SPOC culture. Let me say you have on the left side some companies, maybe some banks, in the middle our SPOC; our SPOC is run by the Bundesbank.
And the Bundesbank then is the link between the commercial banks, the participating commercial banks, not all commercial banks, and the BSI. The BSI is not the British Standards Institution, it's, oh God, what is the English translation? It's a state consultancy for IT, for the German government. Let me say the name is different.
Examples of cybersecurity strategies: I have quoted only the newest five. In the middle there is the German one, which was introduced last year in February, the cybersecurity strategy for Germany; of course much more famous is the US one. Yeah, so many things happened at that time. What is the motivation for the German government? Okay.
You know all the threats, cybersecurity is in the middle: you have crime, the underground economy, hackers, and the complexity of IT systems is also a big threat for the policy makers, and military intelligence services from different countries all over the world. So these are the pressure points for the politics. The German cybersecurity strategy consists of exactly 10 main components. The third one on the left, in the third line, critical infrastructures: these are the two programs, UP KRITIS and CIP in Germany. And there are some more, the one I'm searching for is, yeah,
in the middle: use of reliable and trustworthy information technology. So far as I know, and as I'm hearing from time to time, for the Europeans there is no technology available for the real internet backbone systems, routers, which are fast enough and all the other things, and the German government, I don't know how they want to do it, yeah,
but they plan to support the development of German and European technology companies who are able to deliver European-developed, European-built internet technology. So they want to get some independence from, who are they, from all the others. Let us see what they are able to do. European plans at the time: we have exactly five. I will just try to give a short overview. EPCIP, that's a complementary program to the German UP KRITIS, in Europe. It's a great strategy;
you will see it in the next slide. Proposal for a European strategy for internet security: it's a very new program, two months old. The third one is the directive against attacks on information systems, that is driven by Ms.
Monica EY, she should be known in Munich. Green paper towards an integrated European market for card, internet and mobile payments: simply speaking, it covers only the banking community, but you will see that even a banking community paper like this green paper will affect all the others, all the other sectors too, and the suppliers. And last but not least, a proposal to establish a European center to combat cyber crime. The first one is driven not by Ms. Malmström but by, who was this, EPCIP, it's not Neelie Kroes. The second one, I forgot, it doesn't matter.
Since 2009 two sectors are already covered by this EPCIP program, that means the energy sector and transport. As further sectors above all we, the financial services, and telecommunication should follow in 2012.
If they will succeed, if I will lose, we will be covered by this program in January next year. We were able to prevent it for the last three years. Okay, let us see.
What will happen this year in Germany: we commented extensively this year on the EPCIP program, because we have just seen from the transport and energy sector that security will not be enhanced, but we will just get much more paperwork. Okay. Security, if they will succeed, if EPCIP will succeed and also get telecommunication and the financial services sector:
so we, the banks, the Vodafones of the world, will have to, for example, prepare security programs. You know, you all have security, but you have to prove it to another body too, to the EU Commission too, that you are secure. I know that you are secure, because our banks are also secure, because nothing happens like in Estonia, but then you have to prove it to one more office in Brussels. That's a key point. That's expensive, to prove it. Okay.
And you have to name and notify security officers, and just them, as a point of contact with the Commission. You have to say that Mr. John Taylor, I think was the name, is the security officer.
It's an example of course, and you have to give this name to Brussels, to an office, we don't know to which office. I don't think that you are keen on doing it like this. We should have had the study; this study is being prepared now by Booz & Co and should be published in June this year. And the proposal for the directive for the next three years should come by the end of 2012.
And then I hope that at least we, as the financial services, I am the financial services guy, will not be on this table too for the next three years. Internet strategy: it's the newest program at the time. Maybe read such a proposal for a European strategy for internet security. This is driven by the DG.
So it sets only one main, it's okay, this program is okay for me.
It has only one main goal. Where is it? So, yeah, this is the official slide, the official slide, there are five key components, that is also very official here, but the unofficial slide is my slide. They want to force all the countries in Europe which are not, let me say, as prepared as the UK, the Netherlands, maybe also Germany; they want to force all 27 member countries to establish infrastructures in order to be able to respond to a big IT attack, to an Estonia scenario.
Of course the EU Commission knows that the UK, Netherlands, France, Germany situation is not established in all 27 member states. So this is the hidden agenda of the internet strategy, to try to establish similar structures like, for example, in Germany, where we have the Federal Office for Information Security, the BSI, the German FBI, the BKA, KRITIS with this SPOC and some other things. So this is the hidden agenda of the internet strategy. We can live with it because we already established it years ago.
Then you have a proposal for a directive of the European Parliament and of the Council on attacks against information systems. It's also a good program, I would say a neutral one here. The only goal is to harmonize the penalties for cyber attacks on IT systems, that's all, namely the attacks using botnets. So if the Russian guys, mostly the Russian guys, attack European systems using, as usual, their botnets, I don't know why, I don't know how, but then the Commission tries to harmonize the penalties in Russia. I don't know.
And, yeah, to get them at least two years in prison, or in heavy cases or for substantial damage even five years in prison. Let us see what will happen. And the second goal is that companies, that means the operators like banks, are to be literally required to take protective measures and to cooperate with the police.
We, as the banks, above all other banks, still have huge problems getting free cooperation with IT network operators. And I would say it's not China, it's not Russia where we have the biggest problems getting the real bad guys. It's Germany; here in Germany we have the biggest problems getting the data of our customers whose PINs and transaction numbers were stolen.
So the second-to-last one is the green paper towards an integrated European market for card, internet and mobile payments. At first look it's only a banking program, and this project primarily targets the banking sector, above all the three payment channels; the three payment channels are card payments, direct debits and credit transfers, so these are the so-called three payment channels. It also addresses key political issues of universal relevance, like, you can read some for yourself, security, access to databases, which the European Commission is keen on.
And at the end they will succeed, because it's the Commission; they are keen on opening your databases. They start with us, they start with the banks, but they will open our big databases. I'm speaking of the customer databases, not about the canteen plan or whatever. So they will force us to open, maybe not for free, but we will be forced to open our customer databases to the big internet community. And we are always the starting point, but this will be a problem for you, for you.
If they will succeed with banks and insurance companies, they will also try to get legal access to the settlement systems. The settlement systems, it's payment stuff. Transparency, of course, cross-border interoperability: the aim is to make it possible that if I cancel my Volksbank bank account and go to the Sparkasse, then it should be without any problem for me either. Okay, it's okay. But access to the database, that's the real point where this will change all the business, not only for banks. The last one is the proposal to establish a European center to combat cyber crime.
It's only a small one, a small thing. We will get, how to say, the FSA.
I mean the FSA, it's a Russian espionage service, so this is a European FSA which should start on the 1st of January next year. It's only a small further aspect of political security that the European Commission seems to feel it needs, to get such a European center combating cyber crime. Conclusion: security has for a longer time already been a political issue. It's not a business issue for me, it's a political issue. The business community can no longer choose whether or not to cooperate with the states and the EU Commission on security policy.
We can now only try to influence how and when, but not if, we will cooperate. The cooperation is voluntary, voluntary, but it's not really voluntary. But at the end I'm convinced that we should work with the state, because, and that's also not a joke, the cooperation offers commercial benefits from my point of view, and not only to banks, but also to you as suppliers and deliverers to the financial sector. So thank you for your attention. Are there any questions? I hope it was a shock. Thank you very much. Appreciate it. Thank you.