Meet GI's Cybersecurity Champion: Carsten Meywirth, Director Cyberdivision, Federal Criminal Police Office (Bundeskriminalamt), Germany

By Si Ying Thian

Carsten Meywirth shares his journey as a public sector cybersecurity champion at the German Federal Criminal Police Office.

Meet public sector Cybersecurity Champion, Carsten Meywirth. Image: Carsten Meywirth.

This interview is part of GovInsider's inaugural Cybersecurity Champions report featuring public sector cybersecurity officials around the world.

Please give a brief description of your job function as a cybersecurity professional, as well as what your organisation does.

I’m the Head of the Cybercrime department with the rank of a Director at the German Federal Criminal Police Office.

We conduct our own investigations, work closely with the police authorities of the German federal states and coordinate the national and international cooperation of the German criminal investigation offices.

What kind of cyber threats does your organisation face on a regular basis?

We focus on the prosecution of serious cybercrimes directed against information technology systems, but also target the administrators of criminal trading platforms on the internet and the darknet.

Our aim is to identify and arrest the criminals. Along the way, we deprive them of their digital infrastructures and assets, secure evidence and help to prevent further crimes from succeeding.

In your view, what are the biggest threats and challenges (be it in the network layer, and/or in areas such as scams, phishing and identity theft) in the public sector cybersecurity scene globally?

Within the scope of our responsibilities, ransomware attacks regularly cause the greatest damage to victims.

Ransoms are calculated on the basis of the presumed or scouted ability to pay and initially appear to be a more attractive option in view of the sometimes massive loss of business and revenue.

Unfortunately, however, this is sometimes followed by further extortion, sometimes under threat of the publication of previously leaked confidential data. Phishing remains one of the main attack vectors for more serious crimes.

 


Many say that we are entering an age of AI-driven cyberwarfare where both hackers and cybersecurity professionals use AI tools for attack and defence. What is your view?

AI tools also enable attackers to create more convincing spam emails or to carry out much more far-reaching fraudulent activities.

Everyone needs to be aware of these risks, which is why broad awareness campaigns at all levels seem sensible.

At the same time, AI also offers great potential for both law enforcement and the detection of anomalies in IT systems, which should be leveraged.

Cybersecurity is often described as a team sport whereby a network's vulnerability is often defined by its weakest link. In this context, how important is having a whole-of-government or whole-of-country cybersecurity posture?

Cybersecurity is definitely a task for society as a whole. The private and public sectors must work together as closely as possible and make their contributions. This was critical to the success of many of our operations.

Comprehensive, self-responsible prevention should also be part of any cyber security strategy. And above all, cybercrime is almost always international. Perpetrators, victims and the infrastructures that connect them are often spread across continents.

That's why we rely on close cooperation with our partners around the world.

An often-repeated point in the cybersecurity sector is what your Plan B is after your network is breached. Can you share your point of view on this aspect?

Preparation is mandatory.

Every organisation should have clearly structured, carefully reviewed and continuously updated crisis plans. This starts with simple questions about who can be contacted and who is responsible in the event of possible cyber incidents.

In Germany, we have set up specialised central cybercrime contact points of the German police for companies, which we believe is a success story.

And, of course, everyone should make regular backups of their important data.

If your organisation gave you an unlimited budget for cyber defence, what would you spend it on?

We are not dreaming the dream of unlimited resources, because every nation must use taxpayers' money responsibly.

Of course, human resources are a bottleneck as we would like to be able to run more investigations in parallel.

On the other hand, non-monetary resources such as legal options can also be very valuable for law enforcement authorities.

What brought you to this profession and what do you love the most in your job and what would you like to improve?

I became a police officer out of deep conviction and passion, because I want to make a contribution to our constitutional state. This is still enormously fulfilling for me. I can't imagine a better job.

The lack of qualified cybersecurity professionals is a global problem. How do you think this can be overcome?

We rely heavily on our own training and knowledge management in order to multiply the outstanding skills that can be found in our ranks as comprehensively as possible.

Our team is made up of people who are passionate about what they do and this intrinsic motivation can move mountains.

If you had a chance to restart your career from scratch, would you still want to be a cybersecurity professional and why?

Yes, as I can't imagine a more exciting and dynamic sector.