Let’s imagine a letter written in a language of ones and zeros.

For those with the skills and means to bypass even cryptographic encryption, even such binary sequences reveal more than is intended.

Even if data transmission is encrypted, this cryptography must meet current security and IT standards. Only then is information sufficiently protected and secure.

But even encrypted communication can regularly be compromised in some way.

How is that possible?

In certain cases, such as implementation errors or security gaps in the software we use, our information security is currently at risk.

How basic principles of IT security are reigniting our security debate

The recent Taurus incident is a vivid example of IT security awareness and the importance of handling sensitive information carefully. This goes hand in hand with the use of secure communication, which is of course encrypted end-to-end and complies with strict security standards.

What are the facts?

What facts can we accept as largely certain in the current wiretapping scandal in the German Bundeswehr concerning the Taurus cruise missile?

  • The eavesdropping attack took place during a discussion among Bundeswehr officers via WebEx.
  • The recordings were published by Margarita Simonjan, head of Russia Today, a state news channel financed by the Russian government.
  • The authenticity of the recording is considered to be confirmed; the extent to which the content is genuine or complete is still being checked.
  • Potential security vulnerabilities in the use of WebEx are being investigated as a possible cause.
  • The content of the explosive discussion relates to purely theoretical deployment options for the Taurus in Ukraine.

Fundamental concerns about the security of information and communication:

There are undoubtedly fundamental concerns about the security of information and communication within the Bundeswehr.

  • Security risks in the Bundeswehr: There is general concern about the security of information and communication within the Bundeswehr. This includes not only digital communication, but also the technical equipment and its integration into existing systems.
  • Problems with digital radios: It sounds like an expensive prank: the Bundeswehr has ordered digital radios from a German manufacturer for 1.3 billion euros, but there are apparently problems with installing them in tanks, combat vehicles and trucks. The ARD Tagesschau already reported on this on Sept. 26, 2023.

These incidents not only raise legitimate questions about the efficiency of such investments, but also shed light on a deeper problem: the compatibility and integration of new technologies into existing infrastructures. The challenge lies not only in acquiring advanced equipment, but also in ensuring that these technologies work seamlessly with existing systems while meeting the highest safety standards. This incident illustrates how essential it is to consider both technical and security-related aspects when implementing new IT solutions in order to strengthen information and communication security within the armed forces.

Although at first glance physical dimensions seem to have little to do with IT security, the key actually lies in effective communication between the numerous parties and authorities involved and established standards…


The reaction of Defense Minister Boris Pistorius

Defense Minister Boris Pistorius’ response to the Taurus wiretapping scandal reflects, at first glance, a healthy culture of error and his protective behavior towards his officers is highly respectable. By advocating an objective and factual analysis of the facts, Pistorius underlines the importance of transparency and a sense of responsibility in critical security issues. His stance emphasizes that even in times of challenges and mistakes, the focus should be on constructive criticism and the search for solutions in order to sustainably improve the Bundeswehr’s security standards and effectively prevent future security breaches. Nevertheless, he is also interested in a complete clarification of the events.

The commitment to a thorough investigation and clarification of the incident, without premature apportioning of blame, is crucial for confidence in our security measures and the strengthening of the Bundeswehr’s digital defense capabilities.

Protection of digital identities

The protection of digital identities and the increased incidence of cybercrime is an issue that affects all of us. This makes it all the more important to provide the public with transparent and easy-to-understand information. This includes both dealing with information in a sensible way and reflecting constructively and critically on events.

The Taurus wiretapping scandal illustrates how such fundamental security concerns can have a direct impact on operational and strategic aspects of the Bundeswehr. The security gaps revealed by the problems with the implementation of modern communication technologies are not limited to hardware, but also extend to the level of digital communication:

  • Digital communication and encryption: The incident shows that critical information can be compromised even when communication tools that are considered secure, such as WebEx, are used, if adequate security precautions are missing, especially for authenticating participants.
  • Need for strict security protocols: The fact that sensitive conversations were intercepted underlines the urgent need to rethink and strengthen both the physical and digital security infrastructure of the Bundeswehr. This includes implementing multi-factor authentication and other security measures that go beyond traditional methods to protect communications.
  • Zero Trust principles: The scandal highlights the importance of the Zero Trust approach, where no internal or external network access is trusted without verification. This approach could help prevent similar security breaches in the future.

Despite the use of modern communication technologies and cryptographic procedures such as TLS at a Bundeswehr WebEx conference, an exchange of sensitive information was intercepted.

A security leak and the inevitable questions

This security leak inevitably raises questions:

  • Where exactly were the weak points?
  • How is it possible that information was disclosed despite the assumed encryption?
  • How is it ensured that all (digital) identities are trustworthy?

A critical gap in the digital security chain highlighted by the Taurus incident concerns the authentication of digital identities.

In the digital space, it is essential to verify the identity of each participant to ensure that only authorized persons have access to confidential conversations.

The question that now arises is:

  • How was the authenticity of the participants ensured during the WebEx conference at which the Taurus cruise missiles were discussed?

A central element of digital security is the encryption of data transmissions, with the Transport Layer Security protocol – TLS for short – playing a key role. The transition from standard TLS 1.2 to TLS 1.3 marks a significant improvement in the security of data transmission.

TLS 1.3 not only reduces the complexity of the handshake – the process by which two communicating systems agree on an encrypted connection – but also eliminates outdated and potentially insecure cryptographic methods that are still present in TLS 1.2. These innovations make TLS 1.3 more resistant to man-in-the-middle attacks by minimizing the amount of information an attacker could intercept while increasing the speed of authentication and encryption.

In the context of the Taurus eavesdropping scandal, the question of whether the WebEx conference used TLS 1.2 or the more secure TLS 1.3 variant is of crucial importance. The use of the older standard could represent one of the potential security vulnerabilities that could have made it easier for attackers to access the encrypted communication. This underscores the need for organizations – especially those working with sensitive information – to implement the latest security protocols to protect their digital communications.

Another relevant potential weak point in digital communication is a lack of verification of the identities of the conference participants or their end devices. The lack of robust authentication measures allows attackers to infiltrate the communication unnoticed – a tactic known as a “man-in-the-middle” attack.
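The two points above, protocol version and verification of the other side's identity, can be checked together on a client. The following is an added example, not part of the original article: it starts a handshake in memory with Python's `ssl` module, parses the ClientHello to see which TLS versions the client really offers, and accepts a configuration only if nothing below TLS 1.3 is offered and certificate and hostname verification are on. The helper names and the hostname `conference.example` are hypothetical.

```python
import contextlib
import ssl

NAMES = {b"\x03\x04": "TLS 1.3", b"\x03\x03": "TLS 1.2"}

def make_context(min_version, max_version, verify=True):
    """Client context with explicit protocol bounds (hypothetical helper)."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED plus hostname check
    ctx.minimum_version, ctx.maximum_version = min_version, max_version
    if not verify:                       # weak variant, for comparison only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def offered_versions(ctx, hostname="conference.example"):
    """Start a handshake in memory and list the versions in the ClientHello."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    with contextlib.suppress(ssl.SSLWantReadError):
        conn.do_handshake()              # stops after writing the ClientHello
    hello = outgoing.read()
    if hello[0] != 0x16 or hello[5] != 0x01:
        raise ValueError("not a ClientHello record")
    pos = 9 + 2 + 32                     # skip headers, version and random
    pos += 1 + hello[pos]                # session_id
    pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")  # cipher_suites
    pos += 1 + hello[pos]                # compression_methods
    end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:                # walk the extension list
        ext_type = int.from_bytes(hello[pos:pos + 2], "big")
        ext_len = int.from_bytes(hello[pos + 2:pos + 4], "big")
        body = hello[pos + 4:pos + 4 + ext_len]
        if ext_type == 43:               # supported_versions (TLS 1.3 clients)
            raw = [body[i:i + 2] for i in range(1, 1 + body[0], 2)]
            return [NAMES.get(v, v.hex()) for v in raw]
        pos += 4 + ext_len
    # No extension: fall back to the legacy_version field (TLS 1.2 or older)
    return [NAMES.get(hello[9:11], hello[9:11].hex())]

def meets_policy(ctx):
    """True only if the peer is authenticated and only TLS 1.3 is offered."""
    authenticated = ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return authenticated and offered_versions(ctx) == ["TLS 1.3"]

if __name__ == "__main__":
    V = ssl.TLSVersion
    print(meets_policy(make_context(V.TLSv1_3, V.TLSv1_3)))                # True
    print(meets_policy(make_context(V.TLSv1_2, V.TLSv1_2)))                # False
    print(meets_policy(make_context(V.TLSv1_3, V.TLSv1_3, verify=False)))  # False
```

The third case is the one that matters for the argument here: a TLS 1.3 connection that does not verify who is on the other end still fails the check.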

The need to standardize advanced authentication and encryption technologies

This emphasizes the need to implement advanced authentication technologies: at a minimum two-factor authentication (2FA) or, even better, multi-factor authentication (MFA), which provide an additional layer of security by going beyond the traditional password.

Integrating strong authentication protocols into our communication systems is therefore a crucial step in preventing future security breaches. Strict standards for effective end-to-end encryption must also be the norm.

In fact, the use of such technologies in highly sensitive areas is not a luxury, but simply an absolute necessity.

Without knowing any further details, the Taurus security breach also shows that we must always ensure that the digital identities involved in a communication are trustworthy. Otherwise, even the strongest encryption methods can be easily circumvented.

Auguste Kerckhoffs’ maxims and principles of IT security

The importance of Kerckhoffs’ principle is fully underlined by the Taurus wiretapping scandal. The maxim of Auguste Kerckhoffs, a pioneer of cryptography in the 19th century, states that the security of an encryption system should not be based on the secrecy of the algorithm, but rather on the secrecy of the key.


This principle is more relevant today than ever, especially in the context of highly sensitive military communications. It illustrates that the assumption that simply using a seemingly secure communication tool such as WebEx is sufficient to ensure security is a fallacy. Instead, robust security procedures are needed that still offer protection even if the methods of their use are publicly known.

The basic IT security principles – confidentiality, integrity, availability and non-repudiation – should be given top priority in all areas, but especially in sensitive contexts such as military communications. In the case of the Taurus wiretapping scandal, increased encryption measures and improved access controls should have been implemented to ensure confidentiality. At the same time, integrity protection should have ensured that the information was not manipulated during transmission. Kerckhoffs teaches us that in the era of digital communication, security strategies must be constantly questioned and adapted to keep pace with evolving threats.

The incident makes it clear that the security of communication cannot be guaranteed solely by choosing a supposedly secure communication tool such as WebEx. Rather, it requires robust security procedures that offer protection even if the methods of their application are publicly known.

Kerckhoffs’ principle reminds us that true security lies in the careful preservation of keys and the transparency of the algorithms used, a guiding principle that is essential in the digital age.

In light of the Taurus scandal, it is clear that a comprehensive security strategy that takes these principles into account and builds on a solid understanding of Kerckhoffs’ principle is essential to minimize the security risks in digital communication. The implementation of these security standards and protocols ensures that even if certain aspects of the security infrastructure are disclosed, the core components of the communication – the data itself – remain protected from unauthorized access.

How can the disclosed security gaps be effectively addressed?

In order to effectively address the security gaps revealed in the Taurus wiretapping scandal, it is essential to implement preventive measures and solutions that strengthen our digital security in the long term:

  1. Early update to current standards such as TLS 1.3: As the current security standard, TLS 1.3 offers considerable security advantages over its predecessor. Organizations should ensure that all their digital communication tools, including online conferencing tools, are updated early to the latest version of security standards such as the TLS protocol to maximize protection against potential attacks.
  2. Introduction of multi-factor authentication (MFA): To strengthen identity verification and prevent unauthorized access, the implementation of MFA is essential for all users accessing sensitive data. MFA provides an additional layer of security by asking users to provide two or more proofs (factors) of their identity.
  3. Regular security training: Raising awareness among all employees of cybersecurity threats and protective practices is critical. Regular training raises awareness of phishing attacks and secure password practices, and promotes the importance of prompt software updates.
  4. Zero Trust Architecture: Building a Zero Trust architecture, where inherently no device or user is trusted inside or outside the network, can help organizations avoid security breaches. This requires consistent verification and authentication of all requests to ensure that they are legitimate.
  5. Encryption of sensitive data: In addition to encrypting data transmission, the data itself should also be encrypted, both at rest and in transit, to ensure the protection of confidential information.

By implementing these measures, all organizations can build more robust protection against current cyber threats and effectively improve the security of their digital communications.

Be smart & up to date!

What this means for us is clear: we must constantly review and adapt our encryption practices. It is not enough to rely on yesterday’s security.

While the investigation is still in its infancy, the digital war has long since begun. Our sensitive data and proprietary information require our constant vigilance and willingness to strengthen security protocols, especially in areas of national security.

Zero Trust principles – coupled with the latest security standards – offer the best possible protection here. Auguste Kerckhoffs’ maxim will continue to apply in the future.

About the Author:

Sascha Block

I am Sascha Block – IT architect in Hamburg and the initiator of Rock the Prototype. I want to make prototyping learnable and experiential. With the motivation to prototype ideas and share knowledge around software prototyping, software architecture and programming, I created the format and the open source initiative Rock the Prototype.