Objective: Secure and available digital services and infrastructure

Switzerland implements measures nationwide to strengthen cyber-resilience. The Confederation and cantons create the necessary conditions to ensure that a high level of protection is guaranteed, that secure digital infrastructures, products and services are used, and that risk appetite is consciously managed.

Measures are needed at various levels to ensure the security of digital services and infrastructures. It is important that vulnerabilities in services and infrastructures are detected and fixed at an early stage and that new services and infrastructures are developed in such a way that they have as few vulnerabilities as possible from the outset. In addition to vulnerability detection and remediation, resilience management is critical. Based on risk and vulnerability analyses, it must be determined which technical and organisational measures will be implemented to increase the resilience of services and infrastructures. This also includes examining the areas in which standards or regulations are needed. Finally, it is important for public authorities to protect their own services against cyberthreats.

Measures

M5: Vulnerability detection and prevention

Description

The use of digital technologies leads to process automation and networking. This results in complex systems that potentially have a large attack surface. This complexity, combined with the often high cost and time pressure involved in the development and application of such technologies, increases the risk of vulnerabilities in the systems. For cybersecurity, it is essential that the existence of such vulnerabilities is prevented wherever possible and that existing vulnerabilities are detected in good time and resolved quickly. It is important that vulnerabilities are only made public once countermeasures have been identified and implemented ("coordinated vulnerability disclosure"), otherwise disclosure puts the attackers in a stronger position.

Background and need for action

Within Switzerland, there is plenty of expertise in identifying vulnerabilities and analysing their causes. However, the potential is still underexploited. There are too few incentives for security researchers to look for and report vulnerabilities, and there is a lack of national coordination in vulnerability analysis. Close cooperation with specialist authorities in other countries and international organisations is also important. A prerequisite for more effective vulnerability management is the creation of a legal basis for the investigation, reporting and disclosure of vulnerabilities.

Finally, efforts must be made to ensure that security holes are communicated and closed quickly. Too many companies and organisations remain vulnerable because they do not resolve vulnerabilities, even though solutions (patches) have been available for a long time.

Priorities

Institutionalising ethical hacking:
Bug bounty and public trust programmes will be implemented. Ethical hacking will be encouraged by improving legal certainty for ethical hackers.
Coordinated vulnerability disclosure:
A coordinated approach to vulnerability disclosure will be promoted, in order to build security and trust through transparency. To this end, guidelines will be drawn up and disseminated, and incentives to report vulnerabilities will be created.
Centralising vulnerability communication:
The NCSC will be positioned as the central hub for the coordination and publication of vulnerability reports. It will disseminate information and alerts on new vulnerabilities as well as on technical and organisational solutions to address them.
Automated vulnerability detection:
Solutions for automated vulnerability detection and remediation will be developed and deployed.
Software ecosystem:
Secure software development (particularly open-source software) will be supported through collaboration with organisations and initiatives in this area. The aim is to create incentives to ensure that security is considered at an early stage in software development. Formally verifiable security properties will be defined for the development of ICT components.
Cybersecurity in wireless internet-connected devices:
The requirements of the revised Telecommunications Installations Ordinance must be enforced through effective market surveillance.

Key actors

Confederation:
CYD Campus, NCSC, OFCOM
Cantons:
IT offices, cantonal cybersecurity competence centres
Universities:
ICT security research institutes
Business community/society:
Alliance Digital Security Switzerland, NTC, security companies

M6: Resilience, standardisation and regulation

Description

A variety of technical and organisational measures exist to protect against cyberthreats. It remains the case that the majority of cyberincidents could be prevented by consistent implementation of basic protection measures. Decisions on the appropriate measures are based on sound analyses of the risk exposure to cyberthreats. By understanding how these risks manifest themselves in individual sectors, measures to improve resilience can be identified.

The measures are based on international standards. These are an important tool for implementing protective measures. Compliance with standards can be promoted in a number of ways. Aside from the possibility of making standards binding through regulatory measures, the main approach will be to create incentives for their implementation. Transparency can create a strong incentive by using labels to establish who is complying with which standards. Such transparency means that investments in cybersecurity lead to increased customer trust.

Background and need for action

Risk and vulnerability analyses of critical sectors were already part of the first two cyberstrategies. The existing assessments and identified resilience measures must be regularly reviewed and adapted for all critical sectors.

In addition, there are already well-established international standards on cybersecurity that are also applied in Switzerland. In cooperation with the business community and the specialist authorities, the FONES developed an ICT minimum standard and used this as the basis for sector-specific standards. Compliance with these standards is usually not mandatory. However, the new Data Protection Act, which will come into force in September 2023, introduces minimum requirements for data security when processing personal data. In addition, various sectors are examining which standards should be introduced as binding for which organisations.

Alongside sector-specific standards, technology-specific standards are also important. Security standards for cloud computing applications or IoT play an important role in ensuring security in new technological applications. Switzerland has already issued directives on the security of wireless internet-connected devices in the OFCOM Ordinance on Telecommunications Installations. It is now examining what regulations are needed in the area of cloud computing.

However, the need to examine and develop legal foundations is not limited to the question of whether binding standards should be introduced. One example of this is the bill already passed to introduce mandatory reporting of cyberattacks. Where further legal foundations may be required is a question that must be examined on an ongoing basis.

Priorities

The existing risk and vulnerability analyses in critical sub-sectors will be updated as required by the FOCP and the relevant specialist authorities. The identified risks will be addressed as part of resilience management with suitable spheres of action and measures to improve resilience. Implementation of the measures will be regularly reviewed and the sharing of information on risks, vulnerabilities and resilience measures between the Confederation and the cantons will be promoted.
Efforts will be made to promote wider compliance with standards. In particular, the application of standards by SMEs and communes is to be strengthened by making simple tools available. Compliance with ICT security standards must also be made a requirement of public procurement contracts, and verified.
Promoting the wider use of existing labels:
Cybersecurity labels have been successfully introduced in Switzerland. It is important that these labels are coordinated, both nationally and internationally. The use of existing labels will therefore be supported by the sharing of experience between labels.
It will be examined whether and how companies' responsibility for protecting themselves against cyberincidents can be strengthened through legal requirements. The aim here should be to have effective regulations rather than detailed operational requirements. Regulations must also be harmonised across sectors in order to minimise disparities between any requirements.
The need for sector-specific regulations will be examined and, where necessary, draft texts prepared.
Mandatory reporting of cyberattacks on critical infrastructures is already being examined. If a decision is made to proceed with this, implementation will be undertaken in close cooperation with those affected.

Key actors

Confederation:
FOCA, FOCP, FOT, NCSC, OFCOM, SFOE, FDPIC, FONES
Cantons:
cantonal cybersecurity competence centres
Universities: SSCC
Business community/society:
cyber-safe.ch, ITSec4KMU, standardisation organisations, NTC, security service providers, associations of the economic sectors concerned, insurance companies

M7: Expansion of cooperation between public authorities

Description

Cybersecurity has become a key challenge for public authorities at all levels of government. eGovernment services must have a high level of security. While attacks for the purpose of espionage have been relevant cyberthreats for years, attacks by criminals on public authorities have also increased in recent times, e.g. blackmailing authorities by encrypting and threatening to publish official data. This challenge must be tackled at all levels of government.

Background and need for action

Every public authority is responsible for its own cybersecurity. The Information Security Act (ISA) sets out the framework and procedures for security measures in the Confederation and applies to the cantons when they access federal IT resources or process classified federal information.

Ensuring cybersecurity in all federal structures is a major challenge. Given the lack of specialist staff and often also of financial resources, cooperation between authorities at all levels is important. The necessary vehicles for cooperation exist, but there is still plenty of potential for enhanced operational collaboration. The extent to which the Confederation can support the cantons, cities and communes, and in which cases, needs to be clarified.

Priorities

Implementation of the Information Security Act within the Federal Administration.
Promotion of information sharing on cybersecurity within the Federal Administration, in particular between the NCSC and the specialist authorities.
Strengthening of cooperation between the Confederation and cantons.
Clarification of Confederation support for the cantons, cities and communes.
Clarification of cantons' support for their communes.
Promotion of exchanges with international authorities.

Key actors

Confederation and cantons:
SSN, Armed Forces, cantonal cybersecurity competence centres, communal organisations (e.g. Association of Swiss Communes, Union of Swiss Cities), DPSS, DTI, NCSC.