This article was first published at inside-it.ch (in German only) as part of Switch's #Security column. The column appears six times a year. Experts from Switch independently express their opinions on topics relating to politics, technology and awareness of IT security.
NCSC: decision with potential for collateral damage
On Friday, 9 December 2022, the Federal Council decided to move the Federal Office for Cyber Security – which has its roots in the NCSC – to the Federal Department of Defence, Civil Protection and Sport (DDPS), as Federal Councillor Amherd explained at the subsequent media conference. The main reason given was the potential for synergies. Not a word was said about the conflicts of interest that might result. The decision leaves the DDPS with a few headaches, since the successful further development of cybersecurity requires continuous, trusting cooperation between competence centres and between the federal government, businesses and society. Trust can be lost very quickly and is much harder to rebuild. The DDPS must now deliver evidence without delay.
Switzerland has made considerable progress in reducing cyber risks and combating cybercrime. This includes the establishment of MELANI, the first national cybersecurity strategy (NCS) in 2012, and particularly NCS 2018-22, which is now coming to an end. Key success factors include the creation of a dedicated Federal Council committee, the appointment of a Federal Council delegate for cybersecurity and the establishment of the NCSC as a competence centre. This strong basis could accelerate cooperation within the federal government, trusting cooperation with the private sector and systematic awareness-raising among the population over the next few years. This is also absolutely necessary in view of the rapidly developing threat situation and the digitalisation of society, businesses and administration.
![Martin Leuthold](https://static.www.switch.ch/sites/default/files/styles/image_small_16_9/public/2023-10/martin-leuthold_256461258.jpg?itok=muzmvUxL)
Switch welcomes the NCSC’s expansion into a Federal Office for Cybersecurity (FOCyber), because it means that the federal government is attaching greater importance to the topic of cybersecurity. However, we also share the opinion of Reto Vogt which was expressed in his commentary about the Federal Council’s decision: the decision to transfer the NCSC into the military department is wrong. If we are to avoid negative consequences for the further development of cybersecurity in Switzerland, the DDPS must now act in a credible manner in different subject areas, independently of other interests within the department.
Previously successful separation of responsibilities ignored?
The federal government previously classified cyber risks into three areas of responsibility: ‘cybersecurity’, ‘cyber defence’ and ‘cyber law enforcement’. This allowed it to take the broad understanding of the complex subject area as a social, economic and security policy task into account. The separation of powers into three different departments has proven to be a success. It fits in with the basic understanding of democracy in Switzerland and takes the basic principle of the segregation of duties in cybersecurity into account, i.e. the avoidance of conflicts of interest. As a result, there has been a significant improvement in the operational cooperation within the federal government and with competence centres in the private sector.
Synergies emphasised, conflicts of interest dismissed
At the media conference, Federal Councillor Amherd emphasised the dismantling of interfaces and the synergies with organisations and tasks in the DDPS. Looking at the key tasks of the NCSC, the reasoning is easiest to follow in the case of the Federal Intelligence Service (FIS), which produces situation reports. There are certainly points of contact with the Federal Office for Civil Protection (FOCP, sector risk analysis), armasuisse (procurement, CYD campus) and the specialist cryptology unit, but these are of secondary importance as far as the NCSC is concerned.
At the same time, not a word was said about conflicts of interest in the area of cybersecurity, and the importance of the relative independence of the NCSC in such conflicts of interest. And conflicts of interest such as these are present in critical subject areas. In addition to the handling of new, as yet unknown vulnerabilities in software and platforms which was mentioned in Reto Vogt’s commentary (elimination and responsible disclosure versus use in reconnaissance or information gathering), a hard-fought battle for access to chat information is taking place not just in Switzerland, but throughout Europe when it comes to law enforcement and intelligence services gaining access to encrypted messaging information. With regard to combating child pornography, there is even a call for comprehensive surveillance of images on all mobile devices.
These issues involve serious interference with the basic rights of the population, and they raise fundamental questions about IT security and data protection issues for internet users. This is a concern which makes transparent balancing of interests and balanced decisions vital. And this relates to subject areas in which the FOCyber can take a fundamentally different stance than the FIS and law enforcement. Will this still be possible in the future?
Why haven't these issues been explicitly put on the table? And why were these issues not addressed when the Federal Council decided to put the FOCyber in the same department as the FIS? It is not about whether it is a civil or military federal office. It is more of a question of governance being controlled by the same General Secretary and the same people who previously exclusively worked in the interests of the FIS and the army, for understandable reasons.
The classification of critical cybersecurity issues under the Federal Council’s Security Committee (SeC), a decision which was also made on that Friday, is basically understandable with regard to content. However, this committee is chaired by the head of the DDPS and names the director of the FIS as a permanent participant (situation report). The directors of fedpol and the FIS are part of the core security group (security policy situation) which is relevant for the SeC. The NCSC and the future FOCyber will only be consulted selectively. This means that the interests of the FIS and law enforcement will dominate cybersecurity issues in a very one-sided way in the future. In conjunction with the allocation of FOCyber to the DDPS, this further exacerbates the above-mentioned conflicts of interest.
Trusting cooperation as the key to cybersecurity
From a technical point of view, the combination of decisions made by the Federal Council on Friday is questionable for the reasons given above, because positioning that is independent of the FIS and law enforcement, together with objectivity, is key to the credibility of FOCyber. What is at stake is nothing less than the trust that MELANI and the NCSC have built up over more than ten years with businesses and the population, and the strong cooperation that rests upon it. A loss of trust would also have an adverse effect on the very well-established operational cooperation with national and international competence centres that is indispensable for cybersecurity in Switzerland.
Without this trust, the added value of implementing the obligation for organisations in critical infrastructures to report cyber incidents, which was the third decision made by the Federal Council on that Friday, would be called into question. This is a model which was developed with the exemplary involvement of the companies and organisations that were affected. In the event of a loss of trust in the handling of the reported information, the organisations concerned will restrict their cooperation to the minimum level required by law.
There is also a high risk that many employees won’t go along with this change of department because of their own values, precisely because of the above-mentioned issues regarding conflicts of interest, governance and the foreseeable impact on credibility and trust. However, they made the NCSC the widely accepted centre of excellence that it is today with a great deal of commitment to the cause. In the current situation on the job market, it will be difficult or even impossible to replace these employees. If this scenario occurs, the topic of cybersecurity will be set back a matter of years, to the detriment of the population and the economy.
Evidence is required now!
The DDPS must now do everything in its power to create transparency as to how to deal with the above-mentioned risks. It must show how an FOCyber can be independently and credibly established in the DDPS, and how the work can continue on the existing basis of trust for the benefit of better cybersecurity in Switzerland. The key questions and requirements are:
- Which measures are going to be taken by the Federal Council’s Security Committee in order to ensure that decisions regarding cybersecurity are not primarily governed in the future by the interests of the FIS, law enforcement and security policy?
- How will the DDPS resolve the conflicts of interest which arise at General Secretariat and management level, and how can it guarantee that the FOCyber will represent important concerns and positions from businesses and society in an independent and appropriate manner, independently of the interests of the FIS and the army?
- The key positions in the new FOCyber must be occupied by people from the NCSC who have won the trust of business and national and international competence centres in recent years by means of good work, inclusion and transparent communication. Continuity must be a key criterion. Wrong decisions which are made at the management level are likely to have serious consequences in terms of employee loyalty and trust in the organisation.
- How is the DDPS going to convince NCSC employees that it will also be possible to credibly develop and expand tasks in the DDPS, and how is it going to keep them on board? It must provide appropriate perspectives very quickly, closely linked to answers to the questions which have been raised here.
- The further development of the National Cybersecurity Strategy is almost complete and has been a success, with the exemplary involvement of the stakeholders. Prompt adoption of this strategy by the Federal Council is important, because the current strategy expires at the end of 2022. It will be important to make management more independent of administration as planned, taking the opinions of business and science experts into consideration.
- Prompt, transparent and open communication with all of the stakeholders involved concerning the questions which have been raised here is critical.
Expert committees and representatives from the ICT economy, science and civil society will be taking a very close look at what decisions are now being made in the DDPS so as not to jeopardise the necessary further development of cybersecurity and in order to minimise the negative impact of the decisions which have been made.