Digital Front Lines

When Claudia Plattner became president of Germany’s Federal Office for Information Security (BSI) in 2023, she stressed that partnerships and information sharing were critical to bolstering cybersecurity—within her country but also across governments and private companies around the globe. Without the real-time sharing when ransomware and other such attacks occur—as well as the dispensing of prevention and recovery resources to public and private sectors—the world will never get a foothold on combatting cybercrime, she said.

In a conversation with FP Analytics, Plattner expanded on these beliefs and shared recent trends in ransomware attacks—including how attackers have pivoted in light of enhanced security efforts and how artificial intelligence has made it easier for attackers but could also be key to fighting back. The following transcript has been edited for length and clarity.

FP Analytics (FPA): How has the frequency of ransomware attacks in Germany changed over time, and what has been the impact on critical infrastructure?

Claudia Plattner (CP): We’re facing ransomware attacks pretty much every day—but not only are we seeing a steady rise in these attacks, we’re also seeing a steady rise in the amount of the ransoms being demanded. Yes, critical infrastructures are part of ransomware attacks, but the ones that are merely for financial gain hit whatever targets attackers feel they can make money from. You’re just as likely to get a victim in the luxury sector as in critical infrastructure. It’s really all about money and where attackers can get the most out of their victims.

FPA: How have German policymakers and law enforcement responded to the evolving threat of ransomware?

CP: As the federal agency for information security in Germany, BSI is very much focused on the victim’s side and how we can help them through prevention and detection and the interruption of attacks. We’re looking at what we can do to protect potential victims and how we can make sure they are well prepared by having proper business continuity management, which very often helps in recovering from attacks. Our colleagues from the law enforcement side are looking into how we can identify attackers, destroy their infrastructures, and get them to face consequences in court. Together, we form a pretty powerful team in making sure we get this more and more under control.

FPA: How do the German authorities work with and prioritize victims in their response to ransomware, whether individuals, communities, or companies?

CP: We try to prepare them. That is, we talk to companies, we talk to public institutions, we try to make sure they are well protected—from providing information and certifications to making sure they have proper suppliers. When it comes to detecting what’s currently happening, we monitor a lot of infrastructure. For example, we have sensors in public institutions; we’re trying to detect attacks as they happen—and ideally before they happen, where we see indicators and share them. We want to make sure everyone is aware, so it’s very community- and network-driven.

And if an attack happens, especially against critical infrastructure, it depends on what kind of incident we’re talking about or how important the organization and their services are for society. Our help goes all the way from giving them a list of qualified suppliers to having our people jump into a car, drive there, and try to save as much of the situation as possible. It’s a huge portfolio we offer.

FPA: You said earlier that the amount being demanded by ransomware actors has increased over time. Could you elaborate?

CP: It’s actually a tribute to what we’ve already done. Indeed, we are seeing this rise in ransomware demands, and the reason is obvious: A lot of companies are better protected than they used to be. So, for them, it’s not automatically a given that they have to pay a ransom. If attackers encrypt the systems of companies that are prepared and have business continuity management and immutable backups, it may take two days or two weeks to recover, but they will eventually be back in business full scale. And what that means for attackers is they’re not making any money.

As a result, one strategy we are seeing more and more is that attackers are not so much encrypting and rendering the systems of a company useless, but instead it’s about exfiltration—stealing the data and demanding ransom on it. They are also demanding higher ransoms to make up for the losses in their revenue from companies that are better protected.

FPA: Are there other trends you have noticed in recent years, particularly as the international security environment has changed and cybersecurity has become a bigger part of countries’ security strategies?

CP: Over the course of the past few years, we have had a very high number of, and seen an increase in, small and medium-sized enterprises being attacked. And for obvious reasons, they’re the hardest to protect, because they usually do not have the resources to install proper security measures; they are usually the ones attackers choose, because they’re easiest. Big organizations have security departments and know what they’re doing in terms of security.

Political institutions are also becoming more and more the focus of attackers, which is caused by the geopolitical situation we’re facing and tensions around the world. Espionage—which at least for Germany used to be more in the realm of technology like high-tech and industry espionage—has now shifted more toward a political dimension. So, we are seeing attackers increasingly focused on political affiliations like parties, public institutions, and NGOs.

On the technical side, we are seeing a shift toward attacks using zero-day exploits and web applications as opposed to credentials phishing, weak passwords, or brute force attacks.

And we’re seeing a lot of automation and AI. Attacks are becoming a lot faster—we’re down to sometimes just minutes between having a vulnerability detected and it being exploited. That’s one of the downsides of AI; it’s making it a lot easier for attackers. That means for us as defenders, we have to use AI in order to fight back, because if you can write an exploit using AI, you can also write a patch with AI and be as fast as—or, ideally, faster than—the attacker.

FPA: Based on those trends, how are the ways in which you are working with partners—whether in other parts of government or in the private sector—evolving?

CP: We as public institutions understand that we need to work with the private sector more to be able to introduce the right kind of automation, the right use of AI, the right kind of “industrialization of cybersecurity” needed to effectively protect against attackers. We are seeing an increase in those public-private partnerships, and we ourselves want to engage more.

There are various ways in which this can happen. On our end, we can provide victims of cyberattacks with contacts from our list of qualified security service suppliers, which could save them time in the event of an emergency.

And we look to the private sector to help build up our automation. We as state protectors need the right technology to be able to protect and defend against certain kinds of attacks, and we need private support because public institutions are usually not the best at building and running IT infrastructure.

The most important part is about the exchange, about the community, about the network. The basic idea is if one of us—a public institution, a company, a supplier—has been hit, then immediately the information about it should be shared. How did that attack happen? What are the indicators of compromise? What can we learn from it? It’s important to share that information immediately to protect everyone as a community, as a network—if you hit one of us, you hit all of us. Insights from the private sector, from IT and cybersecurity companies, will be crucial in making sure we distribute all of the information accordingly so we’re all well protected.

FPA: With the Digital Front Lines report and the crisis simulation, we’re interested in how to build international consensus and create norms around ransomware and cybercrimes. How would you assess the strengths and weaknesses of existing international norms and frameworks on ransomware?

CP: I’d say we have quite a few things in place. When it comes to speaking the same language, there are some frameworks that everyone’s using. What we’re still lacking is proper information sharing. And I don’t mean where you pick up a telephone, although that’s important. I’m talking about making sure we share information instantaneously. The moment it happens, everyone needs to be in the know, and we need to be connected, particularly the ones who try to defend and protect against cyberattacks.

In the situation we’re finding ourselves, with the challenges we’re facing, there’s really no room for political discussions. There’s not even room for commercial discussions. There must only be room for how we share information in order to protect ourselves and build that community. So, here, there’s potential to improve.

We also need to make sure we dry up the financial resources that are behind cybercrime. We have to look into international money streams, how money gets from A to B. And, of course, these days, this is also very much about cryptocurrencies.

FPA: Do you see any other critical gaps that need to be addressed with respect to ransomware and cybersecurity?

CP: All sectors have undergone digitalization over the past 20 years. But I still see cybersecurity being understood as merely an expert’s business. We need standards for data exchanges, data models. No one worries, for example, about finding a good data model for enterprise resource planning systems. Everyone knows you can download that on the internet, whereas if you wanted to find a good data model for, let’s say, advanced persistent threats or business continuity impacts, you would not find a standardized way of looking at them. So, there are some basics missing when it comes to having proper digitalization automation, which is crucial for defense.

I think there have been attempts—for example, the NIST (National Institute of Standards and Technology) frameworks are really helpful—but when it comes to data exchanges and having a proper standardization, I think there are some gaps that still need to be closed over the next few years.


Claudia Plattner has been the President of the German Federal Office for Information Security (BSI) since July 2023. She has more than 20 years of experience in IT functions for companies and institutions. Most recently, she served as the Director General for Information Systems at the European Central Bank and previously held a senior position as Chief Information Officer of DB Systel GmbH, the internal IT service provider of Deutsche Bahn.