"Safety is difficult to measure"

Mr. Schütz, what are the biggest challenges on your agenda at the moment?  

Operational challenges focus on the proliferation of cyber risks. The example of the Exchange server vulnerabilities shows that security incidents involving widely used products can quickly affect hundreds or thousands of users. Furthermore, it remains our top priority to protect critical infrastructures and the Confederation itself from targeted attacks. Here, in particular, the increasingly sophisticated strategies of attackers and especially attacks via the supply chain are making defense ever more challenging.

Politically, we are faced with the difficulty that, on the one hand, democratic procedures take a lot of time and, on the other, digitization is advancing rapidly internationally. We must plausibly and efficiently incorporate cybersecurity into digitization efforts from the outset in order to promote trust in these technologies among politicians and the general public and keep political decision-making processes correspondingly lean.

Melani registered an increase in ransomware attacks on industrial control systems last year (keyword "Ekans"). To what extent should "Snake"/"Ekans" be understood as a warning that the convergence of IT and ICS or OT has created serious security risks?

The convergence of IT and OT cannot be stopped. This makes it all the more important, for example, to establish correspondingly clear interfaces and security zones. Security must be incorporated into the planning of the infrastructure from the very beginning and implemented throughout the entire development process right up to operation. I recommend the approach of domain-driven design, for example, which allows IT to be optimally aligned with the requirements, including security requirements.

Have you already made Switzerland more secure and what are your most important goals that you want to achieve this year as the Confederation's cyber chief?

Security is difficult to measure, and ultimately others must decide whether my activities have already made a meaningful contribution to Switzerland's cybersecurity. However, I am convinced that we have already achieved quite a bit. We have sharpened and strengthened the organization in the Confederation. Specifically, for example, we have created a national contact point where companies, authorities and citizens can report cyber incidents centrally. This office forwards the inquiries to the responsible office, also outside the federal government. We have also made information on preventive protection more easily available on our new homepage. When it came to the security of the Swiss Covid app, we coordinated the testing of security and not only tested it ourselves, but also involved the public. This, to name just a few examples.

In my view, however, both industry and the authorities still have some catching up to do in various areas of basic protection. Most successful attacks exploit vulnerabilities that have been known for a long time and could have been eliminated. Our long-term goal is for the NCSC to create the necessary framework to enable government agencies and SMEs to take ownership of cyber protection and take advantage of digitalization opportunities at a reasonable cost. By the end of this year, we would like to take several steps to achieve this goal. We will submit a bill to the Federal Council to introduce a reporting obligation for cyber attacks, we will conduct an awareness campaign with partner organizations in May, and we are working with critical infrastructures to expand the exchange of information on cyber risks.

You want to hire more specialists for the National Center for Cybersecurity this year. Will you be able to find them at all? 

The NCSC has so far had no problems in finding suitable specialists. We have a broad network to specialists and are always pleased to note that many of these specialists are motivated to use their expert knowledge for the security of Switzerland.

You can read the full interview in the printed issue of SicherheitsForum 2-2021.
You want to read the articles of this issue? Then close right now here a subscription.