In order to strengthen Switzerland's ability to protect itself against cyberthreats, measures will be taken in the areas of education, research and innovation, in awareness raising, in assessing the threat situation and in expanding capabilities for analysing dependencies and risks.
Objective: Empowerment
Switzerland strengthens its position as one of the world's leading centres of knowledge, education and innovation, including in the realm of cybersecurity. It uses these capabilities to independently assess cyber-risks across supply chains, anticipate technological developments and respond to them in an agile manner. The population is informed about cyber-risks and thereby empowered to use digital services.
Measures
Description
To protect itself from cyberthreats, Switzerland needs sufficient specialised personnel. At the same time, steps must be taken to ensure that the population has the basic skills needed to use digital technologies and services. The corresponding capabilities are to be built up, imparted and further developed on an interdisciplinary basis through the existing educational and research institutions.
However, education, research and innovation are not only needed to strengthen protection against cyberthreats; they will also contribute directly to Switzerland's success as a business location. Switzerland wants to use its solid position as a neutral country with a high standard of education and a strong innovation system to become one of the world's leading locations for cybersecurity services and products.
Background and need for action
Switzerland is home to a high-performance network of educational and research institutions. Various training opportunities related to cyber-risks have been developed in recent years. However, the economy's high demand for cybersecurity professionals cannot yet be adequately met, and cybersecurity skills are not yet taught systematically across all levels of education (compulsory schooling, upper-secondary and tertiary levels, and continuing education and training).
A sizeable cybersecurity start-up scene has developed in Switzerland in recent years and a number of major players have opened branches in the country. However, a comparison with internationally leading regions and with Switzerland's innovation capacity in other areas makes it clear that the conditions for cybersecurity innovation need to be further enhanced.
Priorities
- Education:
Education and training on cybersecurity will be promoted at all levels. While compulsory schooling will primarily teach basic skills, upper-secondary level vocational education and training and tertiary-level professional education, higher education, and continuing education and training need targeted offers tailored to the requirements of the labour market. The tried and tested instruments of Swiss education policy will be used to promote education and training on cybersecurity. In teaching cybersecurity skills, teachers will be supported with suitable teaching materials and by subject specialists, and coordination between educational institutions will be fostered. Specific training and courses for specialists (e.g. in critical infrastructures) will be offered more widely in Switzerland.
- Research:
Research into cybersecurity will be promoted through existing research policy funds. The impact of Switzerland's outstanding political, economic and social research must be expanded. This will require enhanced coordination between researchers in the various cybersecurity disciplines so that joint recommendations can be developed and communicated.
- Innovation:
Networking between actors will be promoted to create an ideal environment for innovation. Exchanges between universities, companies and public authorities are to be further expanded. Within the scope of the law, the responsible federal units will encourage expert involvement in cybersecurity through the existing Innovation Fellowships and similar programmes.
Key actors
- Federal Administration:
CYD Campus, NCSC, SERI
- Cantons:
CCJPD, SPI, EDK, SHK
- Universities:
all Swiss universities, SSCC, swissuniversities, ETH Board
- Business community/society:
Swiss vocational education and training sector, ICT associations, Innosuisse, SATW
Description
Awareness-raising measures are needed to ensure that the Swiss population can use electronic and digital products and services in a risk-conscious way. The aim is to create a high level of cybersecurity awareness across society and to provide tools that promote the responsible use of digital technologies and services. This also takes into account the goal under data protection law of ensuring that individuals retain control over their personal data and that companies and organisations make their data processing methods transparent.
Overall, awareness raising is intended to strengthen society's resilience to cyber-risks.
Background and need for action
Cybersecurity awareness is on the agenda of many Swiss institutions, companies and organisations, with the systematic aim of making businesses and individuals resilient to cyber-risks. However, there is a need for greater coordination and pooling of current and planned efforts, because it is important that awareness-raising efforts are tailored as much as possible to the relevant target groups and how they are affected. For this reason, the target groups must be defined and the need for measures identified as close as possible to the target groups. Communicators must coordinate their messages to ensure consistent communication that facilitates recipients' understanding of the sometimes complex subject matter.
There is already plenty of expertise in addressing specific target groups. Accordingly, existing bodies and organisations and their channels for communicating the measures will continue to be used as before (e.g. events and specialist journals/magazines run by associations, interest groups and umbrella organisations).
Priorities
- Needs assessment:
The need for awareness raising and prevention in the different sectors will be continuously assessed based on the latest incidents, the development of the threat situation and the assessments of public authorities, companies and business associations on the need for awareness raising in their sectors.
- Overview and coordination:
The actors involved in awareness raising will be known and interaction between them promoted in a targeted way.
- Measurement:
The costs and impacts of awareness-raising measures will be recorded in order to determine their success and enable them to be optimised.
Key actors
- Federal Administration:
NCSC, FDPIC, FIS, FOCA, FOCP, FONES, FOT, FSIO, OFCOM, SFOE
- Cantons:
communes and cities, cantonal cybersecurity competence centres, cantonal police corps, CCJPD, SCP
- Business community/society:
All interested industry and business associations, other associations, NGOs and individual companies are included in the campaigns where this makes sense.
Description
In order to assess the threat situation, it is necessary to determine which actors exploit or could exploit which attack vectors and vulnerabilities. As part of this process, the threats should also be weighted. The result is an assessment of the threat situation, on the basis of which the business community, society and administration can identify and implement their risk-minimising measures in the most cost-effective and targeted way possible. The threat situation is thus intended to reveal not only fundamental and broad-impact threats, but also those that are business- and process-specific.
Background and need for action
Switzerland already has periodically updated tactical, operational and strategic representations of the threat situation in the cyberdomain. These are informed by observation of threat actors and their actual and potential capabilities, as well as information about the damage or failures caused by cyberincidents.
Due to the increasing digitalisation of processes in various sectors of the economy, there is a growing need for threat assessments specific to these sectors. This need will be met by processing threat-related information in a way that is appropriate for the target group. Threat-related information will be communicated to companies and other organisations according to their needs.
Priorities
- Further development of situation monitoring with a focus on those actors who pose a threat to Switzerland at a tactical, operational and strategic level.
- Further development of the assessment and processing of situation-relevant information. Level-appropriate provision for the business community, society and administration.
- Support for setting up sector-specific information sharing and analysis centres (ISACs) and establishment of close cooperation to assess specific threat situations.
Key actors
- Confederation:
FIS, NCSC
- Cantons:
cantonal police corps, cantonal cybersecurity competence centres, IT offices, NEDIK
- Business community/society:
private-sector CERTs/SOCs, ISACs, security service providers, SWITCH
Description
It is very important for Switzerland to understand how dependent it is on digital technologies, how this dependency is developing and what risks this entails. Given that digital technologies are developing dynamically, it is important in this context to identify new developments at an early stage and to understand their impact on security. This will help to strengthen Switzerland as a business location, a location where secure digital technologies and services are applied and locally developed.
Another need for analysis arises from the fact that the majority of key digital technologies are now manufactured abroad. It is important for Switzerland to understand what dependencies it has on these manufacturers and what risks are associated with this. Switzerland must be able to make decisions about the use of digital technologies and services based on autonomous, independent analyses and assessments.
Background and need for action
Technology monitoring with regard to cybersecurity is carried out by the Cyber-Defence Campus in close cooperation with universities and the business community. The Swiss Academies of Arts and Sciences are tasked with assessing the opportunities and risks associated with new technologies.
Switzerland is significantly less advanced when it comes to the systematic analysis of dependencies and risks related to ICT products. The National Test Institute for Cybersecurity (NTC), which is currently being set up, will have the capacity to examine ICT products in depth for their attack surface. This centre will complement and strengthen the capabilities available today at the CYD Campus and those increasingly being built up by private security service providers. These capabilities are a prerequisite for independently assessing the security of products used, for example, in critical infrastructures.
There is also further potential in the systematic evaluation of incidents. This can help to better understand who is affected by which attacks and how such attacks could be prevented in the future.
This requires an established exchange of information between public authorities, security service providers and universities, and a willingness on the part of affected companies to transparently disclose incidents and their impacts.
Priorities
- Monitoring of new technologies:
The CYD Campus, together with universities, will anticipate technological cyberdevelopments and make the findings of this monitoring available to the relevant actors.
Cyber-Defence Campus:
Cyber trend monitoring gains importance at armasuisse
- Expansion of competencies for the investigation of cyberincidents:
Cyberincident causes and mechanisms are to be examined in greater depth and findings from these investigations are to be systematically processed and characterised. To this end, the exchange of data between public authorities, insurers and security service providers will be promoted, as far as the law allows. Investigations will be voluntary for those affected and are intended to help ensure that lessons are learned from cyberincidents.
- The testing of ICT products and digital networks will be referred to test centres in Switzerland such as the National Test Institute for Cybersecurity (NTC) or to providers of vulnerability analyses and penetration tests. With the expansion of the NTC for cybersecurity, capabilities and testing capacities in Switzerland for the independent risk analysis of ICT products will thus be strengthened, in cooperation with universities and the business community as well as international partners. The CYD Campus will also further strengthen its capabilities for such analyses in the context of procurement preparation and procurement of security-critical ICT products for the Confederation.
- The expansion of the National Test Institute for Cybersecurity will be taken forward. In cooperation with universities and the business community, this will create capabilities for the independent risk analysis of ICT products.
- Dependencies:
Analyses will be undertaken to ascertain what dependencies Switzerland has on which products and suppliers and what form these dependencies take. Companies, universities and public authorities will jointly determine how these analyses can be carried out and continuously updated.
- Monitoring of AI applications in critical infrastructures:
In order to better understand the capabilities of these applications and their impact on society, their use will be regularly reviewed at the request of the Confederation and cantons.
- Strengthening of exchanges between research centres:
The existing exchanges in the context of the CYD Campus, universities and the SATW will be further expanded and coordinated.
Key actors
- Federal Administration:
CYD Campus, NCSC, DTI, FIS
- Universities:
SSCC
- Business community/society:
NTC, SATW, security service providers
Last modification 05.03.2024