On Friday, 9 December 2022, the Federal Council decided to move the Federal Office for Cyber Security – which has its roots in the NCSC – to the Federal Department of Defence, Civil Protection and Sport (DDPS), as Federal Councillor Amherd explained at the subsequent media conference. The main reason given was the potential for synergies. Not a word was said about the conflicts of interest that might result from this. The decision gives the DDPS a few headaches, since the successful further development of cybersecurity requires continuous, trusting cooperation between competence centres and between the federal government, businesses and society. Trust can be lost very quickly and is far more difficult to rebuild. The DDPS must now provide evidence of that trustworthiness without delay.
Switzerland has made considerable progress in reducing cyber risks and combating cybercrime. This includes the establishment of MELANI, the first national cybersecurity strategy (NCS) in 2012, and particularly NCS 2018-22, which is now coming to an end. Key success factors include the creation of a specific Federal Council committee, the recruitment of a Federal Council delegate for cybersecurity and the establishment of the NCSC as a competence centre. This strong basis could accelerate cooperation within the federal government, trusting cooperation with the private sector and systematic awareness-raising among the population over the next few years. That would also be absolutely necessary in view of the rapidly developing threat situation and the digitalisation of society, businesses and administration.
SWITCH welcomes the NCSC’s expansion into a Federal Office for Cybersecurity (FOCyber), because it means that the federal government is attaching greater importance to the topic of cybersecurity. However, we also share the opinion of Reto Vogt which was expressed in his commentary about the Federal Council’s decision: the decision to transfer the NCSC into the military department is wrong. If we are to avoid negative consequences for the further development of cybersecurity in Switzerland, the DDPS must now act in a credible manner in different subject areas, independently of other interests within the department.
The federal government previously classified cyber risks into three areas of responsibility: ‘cybersecurity’, ‘cyber defence’ and ‘cyber law enforcement’. This allowed it to take the broad understanding of the complex subject area as a social, economic and security policy task into account. The separation of powers into three different departments has proven to be a success. It fits in with the basic understanding of democracy in Switzerland and takes the basic principle of the segregation of duties in cybersecurity into account, i.e. the avoidance of conflicts of interest. As a result, there has been a significant improvement in the operational cooperation within the federal government and with competence centres in the private sector.
At the media conference, Federal Councillor Amherd emphasised the dismantling of interfaces and the synergies with organisations and tasks in the DDPS. Looking at the key tasks of the NCSC, this reasoning is easiest to follow in the case of the Federal Intelligence Service (FIS), which produces situation reports. There are certainly points of contact with the Federal Office for Civil Protection (FOCP, sector risk analysis), armasuisse (procurement, CYD campus) and the specialist cryptology unit, but these are of secondary importance as far as the NCSC is concerned.
At the same time, not a word was said about conflicts of interest in the area of cybersecurity, and the importance of the relative independence of the NCSC in such conflicts of interest. And conflicts of interest such as these are present in critical subject areas. In addition to the handling of new, as yet unknown vulnerabilities in software and platforms which was mentioned in Reto Vogt’s commentary (elimination and responsible disclosure versus use in reconnaissance or information gathering), a hard-fought battle for access to chat information is taking place not just in Switzerland, but throughout Europe when it comes to law enforcement and intelligence services gaining access to encrypted messaging information. With regard to combating child pornography, there is even a call for comprehensive surveillance of images on all mobile devices.
These issues involve serious interference with the basic rights of the population, and they raise fundamental questions about IT security and data protection issues for internet users. This is a concern which makes transparent balancing of interests and balanced decisions vital. And this relates to subject areas in which the FOCyber can take a fundamentally different stance than the FIS and law enforcement. Will this still be possible in the future?
Why haven't these issues been explicitly put on the table? And why were these issues not addressed when the Federal Council decided to put the FOCyber in the same department as the FIS? It is not about whether it is a civil or military federal office. It is more of a question of governance being controlled by the same General Secretary and the same people who previously exclusively worked in the interests of the FIS and the army, for understandable reasons.
The classification of critical cybersecurity issues under the Federal Council’s Security Committee (SeC), a decision which was also made on that Friday, is basically understandable with regard to content. However, this committee is chaired by the head of the DDPS and names the director of the FIS as a permanent participant (situation report). The directors of fedpol and the FIS are part of the core security group (security policy situation) which is relevant for the SeC. The NCSC and the future FOCyber will only be consulted selectively. This means that the interests of the FIS and law enforcement will dominate cybersecurity issues in a very one-sided way in the future. In conjunction with the allocation of FOCyber to the DDPS, this further exacerbates the above-mentioned conflicts of interest.
From a technical point of view, the combination of decisions made by the Federal Council on Friday is questionable for the above-mentioned reasons, because positioning that is independent of the FIS and law enforcement, together with objectivity, is key to the credibility of FOCyber. What is at stake is nothing less than the trust that MELANI and the NCSC have built up over more than ten years between businesses and the population, and the strong cooperation that is based upon it. A loss of trust would also have an adverse effect on the very well-established operational cooperation with national and international competence centres, which is indispensable for cybersecurity in Switzerland.
Without this trust, the added value of implementing the obligation for organisations in critical infrastructures to report cyber incidents, which was the third decision made by the Federal Council on that Friday, would be called into question. This is a model which was developed with the exemplary involvement of the companies and organisations that were affected. In the event of a loss of trust in the handling of the reported information, the organisations concerned will restrict their cooperation to the minimum level required by law.
There is also a high risk that many employees will not go along with this change of department because of their own values, precisely because of the above-mentioned issues regarding conflicts of interest, governance and the foreseeable impact on credibility and trust. Yet it was these employees, with their great commitment to the cause, who made the NCSC the widely accepted centre of excellence that it is today. In the current situation on the job market, it will be difficult or even impossible to replace them. If this scenario occurs, cybersecurity in Switzerland will be set back by years, to the detriment of the population and the economy.
The DDPS must now do everything in its power to create transparency as to how to deal with the above-mentioned risks. It must show how an FOCyber can be independently and credibly established in the DDPS, and how the work can continue on the existing basis of trust for the benefit of better cybersecurity in Switzerland. The key questions and requirements are:
Expert committees and representatives from the ICT economy, science and civil society will be taking a very close look at what decisions are now being made in the DDPS so as not to jeopardise the necessary further development of cybersecurity and in order to minimise the negative impact of the decisions which have been made.