Expert interview: Thwarting cyber attacks
The Swiss Confederation is arming itself, investing heavily in individual departments. But how can Switzerland's many small and medium-sized enterprises defend themselves against cyber attacks? Peter Regli, once the top officer in the Swiss Intelligence Service, a retired divisional officer and now a security expert, outlines the few options available.
Industry reports on the development of cyber black markets make it clear year after year that cyberspace has long since ceased to be a playground for individual players and is now fuelling hierarchies of meticulously organized groups. Serge Droz, head of the security department at "Switch", which allocates Internet addresses on behalf of the Swiss government, speaks of 40,000 to 50,000 new computer viruses attacking the Swiss economy every day. Most of the attacks are harmless, says Droz. At times, however, highly dangerous viruses penetrate networks and data centers. These financially controlled intruders cause damage and economic consequences. So how would Peter Regli, once the head of the Swiss intelligence service with the rank of a division officer on the general staff and now a much respected security expert, protect himself against new forms of cyber attacks - perhaps from the point of view of an SME?
How do you assess the cooperation between authorities and industry, between government "cyber defense" files and businesses, which adapt differently to cyber attacks?
In 2012, the Federal Council adopted a "Strategy to Protect Switzerland from Cyber Risks" defined by all departments together with the business community. However, each department then went its own way in planning implementation. At the federal administration level, the activities of the cyber security actors are coordinated, but real leadership and clearly defined security policy goals are largely lacking. Thus, the FDF and the FDFA primarily take care of themselves. The armed forces remain largely excluded. They are repeatedly painted into a corner with the generic term "subsidiarity" - that they should deal with crisis and conflict scenarios. So the need for an alliance between national security and defense in cyberspace does not seem to be an issue. For the most part, the private sector is working alone against cyberattacks. This situation is very worrying.
The NSA affair and the revelations associated with it have shaken transatlantic relations. They have also highlighted the politically important role attached to the Internet and how differently data storage is handled on both sides of the Atlantic. Would you say the NSA affair brought more transparency to the security industry?
The media tsunami triggered by Edward Snowden undoubtedly contributes to the fact that even in the furthest corner of our country the importance of information technology, the Internet, mobile devices and social media is being discussed. The daily use of state-of-the-art technology, including activities in a wide variety of social networks, drastically demonstrates the current situation of the transparent citizen. It is therefore incumbent on each individual user to assume his or her own responsibility in this rapidly developing information sphere. Users of new technologies should also be able to judge the dangers of their actions for themselves. They should pass on their information in a considered manner or put it "in the cloud".
The army has written "cyber defense" on its banners analogously to the "air" and "ground" sectors. Training courses in cyber defense have been available since last fall. Here, the focus is on synergies in terms of knowledge and networks outside the armed forces. How do you assess this development?
After it proved impossible to reach agreement on the joint implementation of the cyber strategy at federal level in 2012, the DDPS took action. It appointed a delegate for the "Defense/Army" sector. This delegate can also draw on the skills and knowledge of militia members in implementing the strategy. The knowledge available in the economy and in research - see our universities - will thus flow into the project "Cyber Defense Army" via highly qualified members of the militia. There will certainly also be positive effects for the economy. A win-win situation should arise for all players. However, strategic implementation, analysis and synthesis will take years. It would be illusory to expect visible results in the short term.
Kurt Nydegger, head of the Electronic Warfare Division and chief of the Swiss Command Support Base, repeatedly points out that there is a lack of understanding of cyber attacks at federal decision-making levels. Can you imagine why Kurt Nydegger misses political support in Switzerland?
Retired Division Commander Nydegger is an expert in command support of our Armed Forces and as a senior staff officer he knows the tasks and the processes in our state and in the departments. He knows the lack of awareness among those in positions of responsibility regarding cyber threats. He knows the lower motivation to take measures against cyberattacks - to create the necessary investments including legal foundations. Kurt Nydegger would have to slowly conclude from this that a major loss is needed first in Switzerland in order to make progress in a natural risk area.
Cyber defense does not simply mean spying on and disclosing private e-mails by government or private specialists; it is more about public critical objects. In your opinion, which Swiss infrastructures should really be monitored and why?
Since 1994, the term "national critical infrastructure" has been used. The areas that could be permanently affected by a cyber war (and have already been attacked several times) are defined (per se for all levels of responsibility). The most important service providers of our country fall under it. Sometimes it is all those that are operated, controlled and networked by information technology: Energy, electricity, water, transport, blue light organizations, financial and banking center, administration, air transport, etc. In November 2014, a combined exercise will be carried out over several weeks as part of the "Swiss Security Network". This scenario envisages a power blackout lasting several days for large parts of the country, a nationwide "blackout" and, at the same time, a flu pandemic. You will be surprised what observations and lessons will be published to the public by the federal government and the cantons after the exercise. The exercise will certainly bring many people and especially those in positions of responsibility down to earth. I hope that by then at the latest, the motivation to work together and coordinate the cyber threat between the state and the economy more efficiently will be greater.
Is there even such a thing as a panacea against hacker attacks?
In order to be able to really counter fake and real cyber attacks, a new intelligence service law (NDG) will certainly be absolutely necessary. The "do-gooders" among our parliamentarians, who believe in eternal peace and the "good man", see privacy threatened by this law. Nevertheless, privacy protections are needed. It is to be hoped that after the exercise in November 2014, the seven departments, the cantons and the business community will come to the conclusion that only joint action against cyber attacks can lead to success. The world is a powder keg. The fuse in the "cyber war" has been burning for a long time - and worldwide! The political leaders in our country should become aware of this, and do so before a cyber attack assumes the proportions of a war.
Do you think the civilian sector and the army should be considered as separately as possible, or where do you see areas of responsibility that SMEs and government agencies could share - in terms of new cyber threats?
As mentioned, in the field of cyber defense, cooperation and coordination are an indispensable prerequisite for success. The federal government supports the public with its own "Reporting and Analysis Center for Information Assurance", called MELANI. This records current risks and threats in the IT sector, assesses them and disseminates their significance. This serves in particular for early warning and alerting. Unfortunately, MELANI only reaches part of the critical infrastructures of the economy and the cantons.
Mr. Regli, thank you very much for the interview.
Info: Investments against risks
By 2017, the federal administration is to receive 38 new positions for the defense against cyber attacks. In addition, 21 new positions are planned for the armed forces. The "National Strategy for Protection against Cyber Risks 2012" showed a need to catch up in terms of personnel and technology in order to take more consistent action against hackers, who are constantly arming themselves, or even against cyber assassins. According to the above planning document, implementing the national strategy to protect Switzerland against cyber risks will cost at least eight million francs each year.