Objective: Effective cyberattack detection, prevention, management and defence

Description

Since there is no complete protection against cyberincidents, setting up and operating an incident management organisation is one of the core tasks of cybersecurity. Incident management involves detecting incidents as early as possible, identifying and implementing the appropriate countermeasures, and analysing the incidents in order to derive findings for improving prevention.

This task requires specialised skills, analytical tools, a smoothly functioning organisation with clearly defined decision-making powers, and close cooperation between all the relevant federal units. Sharing information among trustworthy partners about incidents and possible countermeasures is crucial, given that incidents often affect different units simultaneously and can therefore be dealt with more quickly and effectively if all the affected units share relevant information.

Background and need for action

Many organisations – but by no means all critical infrastructures – in Switzerland have set up or mandated specialised teams to deal with cyberincidents. These teams have different names (e.g. Security Operations Centres, Computer Emergency Response Teams, Computer Security Incident Response Teams) and competencies defined in accordance with their respective areas of responsibility. Many cantons and the Confederation also have such teams at their disposal. Incident management is carried out primarily via these units. Through the NCSC, the Confederation provides subsidiary assistance to the teams of the cantons, communes and cities and those of critical infrastructure operators and their security service providers with the technical analysis of incidents, and supports the sharing of information between them.

The general public can also report cyberincidents and cyberthreats to the NCSC and, if required, will receive initial expert assessments and recommendations for further action. These reports are important for assessing cyberthreats. So far, these federal services have not been underpinned by a legal foundation. The legal framework for information sharing also needs to be regulated. Proposals for the necessary legal adjustments have been drafted, but have not yet been enacted.

One challenge with incident management is scaling. If several major incidents occur simultaneously, the existing resources are rapidly exhausted. A check must be carried out of how capacities can be ramped up quickly where necessary by drafting in experts. 

Priorities

• Enhancing the capabilities of critical infrastructures to detect and manage cyberincidents by developing, creating and making shared use of SOCs.
• Expanding cyberincident reporting:
  As many cyberincidents as possible should be reported in order to build up a good picture of the current threat situation.
• Information sharing:
  The NCSC's existing platform for sharing information between critical infrastructure operators will be overhauled and expanded with the aim of simplifying it and gradually making it accessible to wider groups of users.
• Capacity expansion through cooperation:
  Further intensification of operational cooperation and improvement of coordination between GovCERT, SWITCH-CERT and other security teams. How and when volunteer expert pools can support incident management will also be examined, taking into account existing organisations.
• Strengthening cooperation with specialist authorities:
  The relevant specialist authorities will be informed by the NCSC about incidents in their sector, so that they can assess the threats in their sector. This excludes information that allows the parties concerned to be identified, unless the latter agree to this information being provided to the specialist authorities.

Key actors

• Confederation:
  NCSC, FOCA, FOITT, FOT, MilCERT, OFCOM, SFOE
• Cantons:
  cantonal CERTs, CSIRTs, SOCs (or similar organisations), cantonal police reporting points
• Business community/society:
  CERTs, CSIRTs, SOCs (or similar organisations) of companies and organisations, SWITCH

Description

Attribution means identifying the perpetrators of attacks as precisely as possible. It plays an important role in determining what further action is taken. The Swiss authorities must be able to attribute cyberattacks directed against Switzerland with security policy implications (whether cyberattacks on Swiss targets or the misuse of Swiss infrastructure for attacks abroad). Attribution is the basis for the formulation of political and legal options for action.

Background and need for action

To be able to hold the perpetrators of a cyberattack accountable, they must first be identified. This is a major challenge in cyberspace as the perpetrators are not physically present at the site of the attack. Identification is only successful if attacks are detected in time and their technical, operational and strategic context can be analysed. 

The attribution of cyberattacks is a task of the Federal Intelligence Service (FIS). To fulfil this task, it needs information from its own investigations, but is also reliant on cooperation with other federal units and intelligence sharing with partner services. This has to be regulated.

The attribution of cyberattacks is important for political leaders to be able to assess the threat situation. This includes assessing whether an action can be attributed under international law and what possible responses are permitted under international law. It is also the prerequisite for decisions on technical, political or penal measures. 

Priorities

• Examining and supplementing the legal foundations for the analysis of cyberattacks on Switzerland.
• Cooperation between the FIS and other federal units.
• Expanding the FIS's capabilities for analysing cyberattacks with security policy implications.
• Definition of strategic priorities: It must be determined which attacks are to be analysed in depth.

Key actors

• Confederation:
  FIS, FDFA, fedpol, NCSC GS DDPS
• Cantons:
  cantonal police corps, NEDIK

Description

Cyberincidents can have serious consequences and escalate to the point where crisis management becomes necessary at national level. An up-to-date, uniform and comprehensive picture of the situation is crucial for handling crises, as are the definition of efficient decision-making processes and a communication strategy. The associated capabilities and structures must be practised, reviewed and adapted on a regular basis.

Background and need for action

Interdisciplinary cooperation is crucial in the event of a crisis. When a crisis occurs, the NCSC must be able to establish cooperation quickly with all the partners. To this end, it has contacts with the relevant organisations within and outside the Federal Administration.

The NCSC has also been integrated into the federal crisis teams. In the event of any further developments or reorganisations of crisis management at federal level, it must also be ensured that cybersecurity is included directly in crisis management structures.

Cooperation between key actors from the Confederation, cantons and business community in managing a crisis under time pressure is challenging. For such cooperation to work, regular exercises are needed. Switzerland currently takes part in international exercises, and some sector-specific exercises have been carried out nationally. However, there is no overarching concept for planning and implementing crisis exercises related to cybersecurity. This plan must be drawn up and incorporated into the overall planning of crisis exercises. 

Priorities

• Design and implementation of sector-specific (e.g. energy supply, water supply, healthcare) and cross-sectoral cyberexercises. The plan and design must be coordinated with the overall planning of crisis exercises.
• Integration of cybersecurity aspects into all planned crisis exercises.
• Clarifying the basics in coordination with the overarching work on crisis management organisation: What criteria define a cybersecurity-related crisis? Which structures are responsible for political assessment and for initiating crisis management measures?
• Ensuring that cybersecurity is represented in the crisis management system (at federal and canton levels).
• Clarifying the (subsidiary) support for crisis management in the network, including the means of communication to be used.

Key actors

•  Confederation:
  FCh, FOCP, NCSC, Armed Forces, FDFA, FOCA, FONES, FOT, GS DDPS, OFCOM, SFOE, SSN
• Cantons: 
  cantonal management organisations, cantonal cybersecurity competence centres
• Business community/society:
  operators of critical infrastructures, manufacturers/providers of critical software, sector organisations (e.g. Swiss FS-CSC, SWITCH-CERT)

Description

The freedom of action and integrity of the state, business community and population must be protected in cyberspace and defended in the event of a conflict. Cyberdefence includes all intelligence and military measures serving the following purposes: protecting systems critical to national defence, defending against cyberattacks, ensuring the operational readiness of the Swiss Armed Forces in all situations, and building capacities and capabilities to provide subsidiary support to civilian authorities. This includes active measures to detect threats, to identify attackers and to disrupt and prevent attacks.

Background and need for action

The Federal Intelligence Service (FIS) and the Swiss Armed Forces have expanded their capabilities for their cyberdefence tasks. TheGesamtkonzeption Cyber (cyber global concept) describes the capabilities that the Swiss Armed Forces will need to develop by the mid-2030s to be able to counter threats in and from the cyber and electromagnetic environment (CEME). With the Intelligence Service Act (IntelSA) and the revised Armed Forces Act (ArmA), the Confederation has the necessary legal basis for active countermeasures as part of cyberdefence.

However, the development of cyberattacks in recent years and their growing complexity increasingly ties up resources over longer periods. Further action is therefore needed in terms of expanding capabilities and coordinating with the responsible federal units to ensure compliance with international law.

Priorities

• Expansion of centralised capabilities at Armed Forces level. These include CEME self-protection, anticipation and autonomy, as well as basic competency in data science.
• Development of decentralised capabilities. This includes, for example, robust and secure data processing within battalions and companies. Another focus is expanding the resilience of mission-relevant core infrastructure in CEME self-protection. The organisation of units will also be adjusted.
• Maturation of political case processing for cybercampaigns with security policy implications.
• Enhanced integration of Switzerland's capabilities to achieve a direct protective effect for Swiss stakeholders. 
• Extension of basic capabilities for operations in cyberspace at FIS and Armed Forces level.

Key actors

• Confederation:
  Armed Forces, CYD Campus, FIS, GS DDPS
• Cantons:
  cantonal management organisations