Information security at the Confederation: no serious incidents in 2024
The Federal Council has taken note of the "Federal Information Security 2024" report. The report sheds light on the state of information security in the Federal Administration. In 2024, there were no serious incidents that posed a serious threat to the information or IT resources of the Federal Administration. The report also outlines how the Federal Council's measures to prevent future data leaks have been implemented.
The "Federal Information Security 2024" report states that the number of cyberattacks on the Federal Administration remains at a high level and that Switzerland is internationally exposed. The numerous DDoS attacks in connection with the visit of Ukrainian President Volodymyr Zelenskyy to the World Economic Forum (WEF) in Davos and during the high-level conference on peace in Ukraine on the Bürgenstock were significant examples of this. Overall, there were no serious incidents in 2024 that posed a serious threat to the Federal Administration's information or IT resources. Such incidents were averted thanks to timely detection of attacks and a consistent response to them.
Processes of the new SEPOS information security department established
In addition, two important milestones for information security fell in the 2024 reporting period: the new Information Security Act (ISA) came into force and the Federal Information Security Unit (FSIS) began its work. The specialist unit is responsible for advising and supporting the authorities in implementing this law. For their part, the departments are responsible for implementing information security. The specialist unit set up and established the relevant processes in 2024.
Preventing data leaks and strengthening information security
At the same time, the Federal Administration implemented the Federal Council's measures to prevent future data leaks and strengthen information security in response to the cyberattack on the company Xplain. Targeted investments in technical, organizational and personnel resources have increased the general level of security.
Following the Xplain case in 2023, there has been a strong focus on auditing activities at federal suppliers. In this report, the security-sensitive orders of the entire Federal Administration were surveyed for the first time and information on testing activities at federal suppliers was recorded.
The administrative units were instructed to add the participating federal suppliers to their inventory of protected objects by the end of 2024. Most administrative units fulfilled this measure. In the other administrative units, the measure was still being implemented.
The Federal Office for Information Security
Based on the new Information Security Act, the Federal Office for Information Security reports to the Federal Council on the status of information security at the Confederation. This task was transferred from the Federal Office for Cybersecurity (BACS) to the State Secretariat for Security Policy (SEPOS) and the FS BIS in 2024. The report, which has been produced regularly since 2018, was therefore compiled by the FS BIS for the first time this year. It was based on a structured survey of the departments and the Federal Chancellery on the status of their information security, as well as the security notifications and reports from internal federal service providers.