Date: 2022-01

Data released by experts from Check Point Research are alarming: in 2021, attacks increased by 65% compared to the previous year. So what are the reasons? And, above all, what is the federal government doing to deal with this faceless enemy? We put this question to Florian Schütz, federal delegate for cybersecurity and director of the National Cyber Security Center (NCSC). «Yes, our center has seen a disproportionate number of reports in recent months,» confirms Schütz.

«Two reasons. Firstly, attacks have actually increased, particularly those using ransomware, a form of cyber blackmail. Secondly, with the advance of digitization, the sensitivity towards IT security on the part of private individuals and companies has grown: although there are no obligations, events are increasingly reported and there is a greater propensity to make them public. Therefore, as a consequence, the number of reports is also increasing. The business of cybercrime, unfortunately, is convenient: those who attack know that there are victims willing to pay to have their data returned. And they also know that the probabilities of success are good, because the obstacles are few».

Some deny the risks

Few obstacles, yes. Does this mean that Swiss companies and institutions are vulnerable? «Switzerland’s level of cybersecurity is quite comparable to other European countries,» the delegate explains. «Nevertheless, among companies, there are big differences in terms of cybersecurity. Many companies still have insufficient protection measures. The key is the leaders of the companies themselves, who ought to take the issue of cybersecurity seriously and include specialist IT profiles in management.» So we see a potentially very damaging underestimation of risk. «We notice two trends,» notes Schütz. «The first: Some companies underestimate or even deny the risks, and therefore have to accept a high possibility of suffering an attack. The second: Many companies acknowledge the danger but don’t know how to deal with it. They are often overwhelmed by complexity. A further sensitive point is that cybersecurity is a “very noisy market” in which professional arguments are not always to be found. This further complicates companies’ risk assessments and solutions. This is precisely one of the areas for improvement: most cyber attacks can be prevented with reasonable effort.»

Regulatory tools

But who lies behind these attacks? «Beyond individual criminals, it’s often real organizations that strike, each with their own business model. Some are organized on a regional level, others have members scattered around the world.» These are difficult enemies to counter and pursue. Yet, as we’ve seen, there are readily available tools useful for prevention. So what is needed to increase cyber security in Switzerland? Schütz continues: «It is essential to create the right framework conditions so that companies - even those with little digital know-how - can make targeted investments in IT security. This would provide strong basic protection for the infrastructure. But going forward, regulatory measures must also be put in place to reduce the risk of a systemic cyber crisis.»

A first step was taken on January 12, when the Federal Council put the draft law introducing the legal basis for the reporting obligation out for consultation until April 14. If attacked, operators of critical infrastructure will have to inform the National Center for Cybersecurity.

Teamwork

Yes, when it boils down to cyber, one of the key concepts is «teaming up.» No one can claim to be protected from this type of event, yet if everyone took appropriate measures cyber criminals would encounter far more obstacles. «It is important for companies to be aware of the risks, but it is equally vital to realize that individual behavior can affect the security of everyone else. In this sense, I think it is worth investing in educating and sensitizing the population on security issues. In an increasingly digitized world, citizens should have a basic understanding of cybersecurity. Not everyone has to become a computer scientist, but education helps reduce risk and promotes policy discussion on these important issues. In general, we should move away from the concept of attack-defense. The emphasis should be on technology, developing and using safe protection systems. The “pure risk” approach is not paying off.»

The NCSC itself, currently employing some 40 staff, will also need to be strengthened. «We’re doing some evaluations on that,» Schütz comments. «In my opinion, I can already see the need for expansion. But how and to what extent will be determined by politics.»

«Switzerland has grasped the need to change its approach.»

For Alessandro Trivilini, head of SUPSI’s Computer Forensics Service, the federal government has grasped the need to change its cultural approach to cybersecurity. Yet, «the view that is generally held of these threats is obsolete,» he explains. «Securing critical infrastructures, updating them, developing a response plan in case of attack and training employees are unfortunately still seen as a cost that only large companies can afford. This is wrong: in ten years of activity we have followed more than three hundred cases, and we have come to the conclusion that repairing the damage of an attack costs two and a half times more than the cost of prevention». Even in Ticino the figures are alarming: since October, notes Trivilini, the cases have multiplied and involve both small and medium-sized enterprises and public institutions. «Some people contact us because they are afraid of being targeted by cybercriminals but cannot identify the attack, while others turn to us because they are affected by ransomware, a computer blackmail that blocks sensitive data.»

The extent of this phenomenon? Trivilini compares it to a wind that strikes every corner of the canton, without distinction. There is still a lot to do in Switzerland to reach the level of awareness necessary to face these dangers. Something is moving, though: the federal government has grasped the strategic importance of the cybersecurity issue by passing the new Data Protection Act. «In fact, the new legal framework will change the rules of the game for the next decade,» the expert explains. «Companies and institutions will have to pay more and more attention to the cybersecurity sector, because for the first time the notion of responsibility comes into play. In other words: if a company’s data is rendered inaccessible as a result of a cyber attack, someone will have to answer to their customers. A mayor of a targeted municipality will have to answer to his citizens.» It is somewhat like what happens in the case of a fire: you have to figure out what started it, the degree of responsibility, and whether there was negligence. «When it goes into effect, the new legislation will have a disruptive effect,» Trivilini continues. «No one will ever be able to say “I didn’t know, I couldn’t predict.”» As a result, the degree of awareness and responsibility of companies or institutions towards customer data will rise. «In the event of a complaint, with the introduction of the new law, the responsible parties could be prosecuted in a civil court for not having done everything in their power to protect the data and secure the company,» Trivilini explains. «It is not only an economic issue, but also a matter of reputation. The paradigm will shift, and there will be no turning back. Therefore, the time has come to work as a team: whoever decides to run alone takes a risk, and scientific research has a decisive role to play». The new law will come into effect in January 2023, «to give everyone time to prepare.»

Yes, the cybersecurity sector represents the present and the future: but in addition to legal instruments, human resources are necessary, and these are rather scarce at the moment. What should Switzerland do? Trivilini again: «We are only at the beginning of a journey, the road to achieving a nimble and up-to-date level of protection is long. But there are also opportunities: the Confederation is considered a safe country. It would be smart to invest resources to be a leader in the IT security sector. Ticino, through the formation of the Cybersecure group, has made major progress and today is a reference. But Bern, too, made moves in creating the National Cyber Centre last year. Now it’s a matter of making this national and regional network proactive. And to train experts capable of working in a sector that is evolving very rapidly».

