The idea in this article originally appeared in the ENISA Quarterly Review, 3rd Quarter 2008
www.enisa.europa.eu/eq

Over 40 million Germans are now online, and the number of users of IT and the Internet is growing constantly. Information and communications technology (ICT) is making inroads into ever more areas of our lives. The process is being speeded by miniaturisation: as mini-computers are incorporated into everyday objects, the pace of technical integration is increasing rapidly. However, the resulting advantages such as availability and mobility are also accompanied by certain disadvantages. With huge numbers of processes and tasks supported by IT nowadays, public sector authorities, as well as commercial enterprises and private individuals, are heavily dependent on fully functional information technology and secure information infrastructures.
Inspired by the potential opportunities to abuse this development, cyber-crime is itself becoming increasingly professional and international. Already there is a flourishing underground economy based on the principles of the division of labour and organised along global lines. This shadow economy allows criminals to use the Internet as an instrument of crime, without necessarily having any IT skills of their own.
Against this background it is likely that ITbased threats will continue to multiply in both quantity and quality. In view of the global scale of integration via the Internet and other networks, it is clear that IT security is an international issue. All over the world those responsible find themselves confronted with similar problems, while at the same time the origins of these problems frequently lie beyond their own national borders. Therefore, in future, in addition to continuing our efforts at a national level, we should pursue intensive international co-operation in the areas of prevention and prosecution, not least to exploit technical developments and platforms, in order to ensure that business, the public sector and private citizens are able to use the Internet and IT securely.
The Federal Office for Information Security (BSI) is the national authority responsible for IT security in Germany. One of the great challenges facing an authority such as BSI, which is tasked with prevention, is to provide security for the complex information infrastructures employed by the federal government authorities.
Other critical infrastructures, including energy supply networks, traffic and transport systems, banking and insurance, must also be protected, as well as the information and communication technology used in these fields and in the ICT sector itself. Supply shortages, impairments or failures in these fields resulting from IT security incidents have the capacity to inflict serious damage on both industry and society.
Looking at the tools employed by cybercriminals to mount their attacks, the greatest risk involved in using the Internet nowadays lies in manipulated websites and the malware secretly distributed via them. These Trojan horses, as they are called, find their way unnoticed onto the user�s PC where they operate in the background, spying out passwords etc., without the user even being aware. Internet criminals are now distributing these programmes with increased intensity by exploiting the programming weaknesses to be found in websites. To load such malicious code unnoticed onto your computer, all it takes is to �surf� an infected website. Frequently the process takes place via the use of active content in the browser window. Online criminals are also using reverse engineering to discover security backdoors in software programmes that can be exploited in order to mount attacks.
Anyone wishing to navigate securely through the virtual cyber-world, now and in the future, must actively and continually take steps to protect both IT systems and infrastructure. This applies to private citizens, businesses and public sector authorities. A key element for trustworthy and efficient eBusiness and eGovernment is the concept of a secure electronic identity (eID). Protection against identity theft is one of the great challenges of the Internet age. This topic and profiling, as well as assuring data minimisation and data security, are among the top priorities. Germany is making considerable efforts in order to protect digital identities. BSI sees the necessity for action on two fronts. The technical function of IT products and systems is not transparent for a large number of users.
Manufacturers and providers are therefore called upon to assign the topic of IT security a high priority and, for example, ensure transparency of the security features of IT products by means of standardised tests and certification. The integration of security mechanisms from the outset will improve the security level and lower the risk potential. For better acceptance, the mechanisms should be as automated as possible to restrict necessary user interaction to a minimum. However, the need for becoming active should not only be a concern for manufacturers, providers and the respective state institutions. They cannot offer 100 percent protection. The more perfidious and faster the attackers become, the greater the necessity for users to become active themselves.
The best protection for users in society, business and administration can be achieved by improving their IT security competence. This is an essential factor in improving the framework conditions for the secure use of information technology. Interest must be awakened in regular and up-to-date information on new risks, and users must be motivated to follow the recommendations for effective security measures. The behaviour of users must be marked by alertness and caution, and they must be made more aware of their own personal responsibility. In the future the installation of security updates and patches should be as much a matter of course as wearing a safety belt in the car.
Both awareness raising and technical innovation are integral parts of the German Government�s efforts to achieve secure electronic identities by means of two current projects: the electronic Identity Card and the Citizens� Portals Initiative. Both projects are being developed under the supervision of the Federal Ministry of the Interior and are substantially supported by BSI.
The electronic Identity Card � part of the eCard strategy of the German Government � will make it possible to prove one�s identity reliably online and at the same time offers new solutions for data protection and the right of informational self-determination (e.g., selective data transmission, pseudonym function). The card will be equipped with a contactless chip, including biometrics for official use by government authorities, in the same way as the German electronic passport, which was issued in its final version in November 2007. The card will also provide new technical features, in particular the eID function, which will support the user in secure communication and online transactions where mutual authentication is required (e.g., eGovernment, eBanking, eCommerce, secure email and data storage). The misuse of data associated with the eID is prevented by an access management based on a Public Key Infrastructure (PKI). In addition, the eID Card will enhance password protection and be optionally prepared for the use of qualified electronic signatures. By the end of July 2008 a Cabinet decision on a new ID card law had been taken with the aim of introducing the new card in November 2010.
In parallel, the Citizens� Portals Project aims at making Internet communication easier and more secure by establishing a new form of trusted email infrastructure. Through this new kind of infrastructure, electronic communication via the Internet will become at least as secure, authentic, confidential and binding as today�s paper mail.
To this end, a network of Government certified and, as a rule, privately operated Citizens� Portals is to be established, mainly providing a secure email service. Simple and easily interpretable email addresses, leading to a trustworthy registered identity (of a natural or legal person), will guarantee authentic communication, free of spam. All security features guaranteeing integrity, confidentiality and non-repudiation will run inside the network of the Citizens� Portal, without additional user interaction. By building on existing standards such as Secure Socket Layer (SSL) and secure Simple Mail Transfer Protocol (SMTP), with only a small number of the necessary profiles, the complexity to realise a Citizens' Portal is minimised.
Citizens' Portals will offer qualified, signed confirmations of consignment and receipt of emails. These confirmations will provide evidence that a message reached the recipient at a certain time. Based on existing applications including web browser and email clients, the services of Citizens' Portals will be easy for everyone (citizens, industry and government) to use. In addition to the email service, Citizens' Portals will provide an identification service and a document safe for the longterm deposit of documents.
The electronic Identity Card is expected to be the decisive instrument of authentication within the Citizens' Portals project. Both projects have the potential to contribute significantly to a culture of cyber-security in Germany.
Over the last few months, the German Government and its partners have been finalising preparations for pilot projects, which will be launched officially at the 3rd National IT summit in Darmstadt, Germany on 20 November 2008.
Regarding the allocation of tasks, the underlying idea on which both the eID and the Citizens' Portals projects rely is close co-operation between Government and the private sector (public private partnerships). While Government will confine itself to providing the legal infrastructure and central technical specifications, it will be the enterprises themselves which will develop business models and implementation processes around the new technologies. In this way, the new technologies will create the preconditions for innovative services, which in turn will help Germany to continue moving forward in information technology. At the same time, an attractive new field for producers of security technologies is emerging.