Cybersecurity as a joint task for private sectors and state

Daniel Caduff

Daniel Caduff is Deputy Head of the Information and Communication Technology (ICT) Business Office at the Federal Office for National Economic Supply (FONES) in Switzerland. In the following interview, he classifies cybersecurity as a joint task for private sectors and the state. In this context, he not only talks about his (key) tasks, but also about challenges, developments, minimum standards and strategies for protection from cyber risks.

Daniel, at the Federal Office for National Economic Supply (FONES), you deal with securing Switzerland’s critical infrastructure against cyber risk. What are your key tasks, and how do you support public/private enterprises?

Let me preface my answer with the following: In Switzerland, the private sector is responsible for supplying the country with goods and services. It’s only when the economy can no longer perform this function itself (where severe shortages occur) that the state intervenes in market activity with targeted measures to, for example, close up supply gaps in vital goods and services.

The national economic supply system is based on cooperation between the private sector and the state, and this is reflected in its organization: National economic supply is actually a public-private partnership consisting of a staff organ, the federal office, and experts from the business community. These assume management responsibility in the system and contribute experience. In a crisis, professional knowledge and insights, as well as existing structures from the private sector are used to fulfill government tasks.

In a globalized business world, this kind of networked know-how is an important prerequisite for professionally fulfilling supply obligations. Our proximity to public- and private-sector organizations makes hands-on support possible.

Information and Communications Technology (ICT) is one of six departments (including Emergency Supplies, Alimentation, Energy, Logistics, Therapeutics, and Stockpiling) within FONES. It has three primary task areas:

  1. Assuring the availability of critical ICT infrastructure in Switzerland, such as lines, data centers, and mobile radio transmitters, as well as associated critical services tied to it (access to emergency telephone numbers, information on the population, and voice and data communications)
  2. Ensuring the availability of ICT as a critical resource for the other supply areas, such as ICT services needed for managing the supply of electricity in Switzerland
  3. Developing ICT minimum standards for operators of critical infrastructure as part of the national strategy on protection from cyber risks (regarding, for example, the energy supply, healthcare, and the food supply).

In order to achieve its aims, the ICT department develops preventive and reactive measures and potential scenarios, and it creates risk analyses. In this context, the ICT works closely with other federal offices, such as the Federal Office for Communications, the National Center for Cybersecurity, and the Federal Intelligence Agency.

What are some of the key topic areas that you have worked on over the past few months? Are these limited to ransomware, or do they go beyond this?

Ransomware is a common topic right now, and many operators of critical infrastructure classify the risk level as high. However, FONES’s scope of responsibility is aligned more around a long-term perspective. Accordingly, we focus less on individual dangers or attack vectors, and more on the development of new ICT minimum standards. We are currently working on district heating; waste disposal; health care; and with regard to awareness, on training courses for users of the standards (e.g., IT managers at operators of critical infrastructure).

From your perspective, with regard to types of attacks, regional spread, company size, and industries, in what direction are cyber risks heading?

Cyber threats are global. The concept of regional spread no longer corresponds with the current threat situation. As seen during the SolarWinds and Kaseya ransomware attacks, an operator can do everything “right” and still be the victim of an attack if one’s service provider is attacked. These days, any company or industry can be affected. Ransomware attacks in particular can also affect typical SMEs. In parallel, there are new developments through which the risks are changing:

  1. Cryptocurrencies constitute a basis for new criminality at the global level: from pedophilia, to money laundering, to blackmail and ransomware
  2. An attack on a large service provider could potentially have disastrous effects on customers. The SolarWinds and Kaseya attacks represent only a taste of what is potentially to come. If a leading cloud provider like Azure or AWS were hit, the results could be catastrophic
  3. Embedded systems: There is no more IT. IT is now simply a component of a countless number of devices. Security is often not a component, however. It is difficult to make the importance of IT security understandable for users, and people are far less interested in security for smartphones than for desktop computers. When it comes to networked devices at home, hardly anyone cares
  4. Industrial control system (ICS) attacks: ICS, SCADA, and OT attacks have enormous threat potential. The reason for this is that when industrial control systems are attacked, it is no longer just the IT that fails, but also the services that IT monitors. And it isn’t just a computer that stops working, but rather the supply of electricity or water, for example. The question is not whether something like this will happen, but rather when and where it will occur.

Unfortunately, the war in Ukraine has once again changed the risk assessment. We see intensification in cyberwar among state and non-state actors. This increases the risk of collateral damage in the cyber domain as well. Many of the tools used for cyberwarfare operations reappear later in a different form. We witnessed this with Stuxnet. Pieces of code from Stuxnet resurfaced in other forms of malware. And the same thing occurred with NotPetya. One can compare the tools of cyberwarfare with physical weapons: They don’t just disappear once the war is over; rather, they continue to be passed around and used for new attacks.

Together with the private sector, you have defined ICT minimum standards. Why is the federal government taking action here, and how did this come about?

In 2012, the Swiss parliament instructed the government to get more involved with cybersecurity. As a result, the “National Strategy for Protecting Switzerland Against Cyber Risk” (NCS) was developed. The NCS has two primary aims:

  1. Using opportunities from digitization
  2. Protecting against risks in digitization.

In terms of organization, the NCS is divided into three task areas, each with different responsibilities:

  1. Cyber defense, with responsibility falling on the armed forces and intelligence services
  2. Cyber-based law enforcement (cybercrime), with responsibility falling on the Federal Office of the Police
  3. Cybersecurity, with responsibility falling on FONES and diverse federal offices.

In addition, there is the new National Center for Cybersecurity, which has overall responsibility and coordinates the three mission areas. In order to achieve targets, a variety of measures were developed. One of these measures is the set of ICT minimum standards for the operators of critical infrastructure.

In the future, will the minimum standards be determined by the authorities or other market participants?

Various industry associations, such as the Association of Swiss Electricity Companies, have already declared the standards binding for their members. Also, in terms of legislation, members of parliament have been active in this regard, and related proposals are pending in parliament or waiting to be finalized. 

In addition, other articles of law require operators of critical infrastructures to ensure security as a matter of principle, and this includes protecting against cyber risk. There are companies and organizations that have already gone beyond the target security level set by the ICT minimum standards.

What challenges do companies face in terms of implementing cybersecurity?

We’ve found that there is often a lack of know-how, and that not enough importance is placed on the topic. This then means that there is not enough awareness regarding risk, or that IT-related risks are not seen as risks to the company. As a result, a company does not have the necessary resources in terms of time, personnel, and/or money. Old ways of thinking and resistance to change lead to a belief that security is a condition or state that can be achieved. In reality, security is a process that must be carried out on a daily basis.

How do you assess maturity levels in operational technology and in the security of physical products that are becoming increasingly networked in the context of the Internet of Things (IoT)?

Do you recognize any trends here in terms of content?

Regardless of whether we are talking about IT or IoT, technical analysis of security levels among devices is not part of FONES’s spectrum of tasks. In general, with regard to IoT, I would say that the importance of security has not yet been sufficiently taken into account.

However, we must differentiate between IoT in the consumer area and IoT in critical infrastructure. Problems with, for example, excessive latency due to full E2E encryption in IoT networks will be dealt with only gradually. Likewise, in IoT, and especially in ICS/SCADA, there is a problem in that two different speeds exist: From conception to end-of-life, complex ICS systems often have a service life of more than 10 years – and more than 20 years is also not uncommon.

During this service life, these systems are constantly modified. These networks were originally designed to be standalone systems, but in reality, these days, they almost always have interfaces with other networks. In the ICS sector, 10 or 20 years is quite a common operational lifespan. In IT security, however, 10 or 20 years are an eternity, and these networks need to be continuously updated. The truth is, this is usually not possible, or it can’t be done quickly enough.

What technical developments do you find particularly interesting?

Personally, I find technical developments in the areas of quantum computing (or, rather, the end of classic encryption techniques), passwordless authentication, zero-trust architectures, and cloud-based SCADA/ICS particularly interesting.

Imagine that you were giving advice to a CIO/CISO in a public/private company. What would you tell him or her?

Do more than you have done to date. Don’t believe that you are safe. Ensure that you have a complete inventory of assets – now. Create detailed BCM plans. Create an incident-management plan. Ensure that you have clean backups and restore processes. Test your processes! Train your employees continuously. Implement a cybersecurity standard that addresses the risks your company faces, and discuss cyber risk with your IT service providers. Allow your level of cyber risk to be evaluated externally.

In short: evaluate, document, implement, train, test, and practice. Over and over again.
