Reporting from the Convention “Cyber Risks Switzerland 2014”

This is a brief report from the convention Cyber Risks Switzerland 2014 (Tagung Cyber Risiken Schweiz), held in Berne on November 20, 2014. The conference, organised by ISB/MELANI, was meant to give some insight into the implementation of the various tasks formulated in the National Cyber Strategy (NCS). Meeting and networking between all sorts of players in the field (administration, research, NGOs and surprisingly few businesses) was a major goal too, of course.

Federal Councillor Eveline Widmer-Schlumpf opened the presentations with a talk giving an overview of threats and risks. She named decentralization and individual responsibility as core features of the NCS. She also admitted that the growing complexity of the IT infrastructure makes it difficult to perform risk analysis, and that without solid risk analysis it is hard to make the right decisions.

Partnerships are important. On the national level, they have to include the private sector; they also matter on an international level, where Switzerland can obtain expert-level knowledge. The intermediary for this exchange is meant to be MELANI, an example of a Swiss success model.

The federal councillor also presented a simple example of the security problems coming with the internet of things: It is now possible that your fridge orders milk for you. That’s OK. The problem starts when your milk orders a new fridge for you. This gave her a few good laughs and the joke sort of became the running gag of the day with many speakers taking up the example.

When asked about the security level Switzerland is aiming for, Eveline Widmer-Schlumpf said the government aims to achieve the same level of security as similar countries. But we also want to apply a “Swiss Finish”, so to speak, and thus get a bit above the crowd.

The following presentation, by Marc Henauer, head of NDB / OIC MELANI, covered cyber attacks and the impossibility of obtaining security. Since we cannot be 100% secure, we must strive for risk minimisation and risk optimisation. And once we are talking about risk, we leave the field of IT, as cyber risks are not much different from other risks in organisations from a method perspective.

Risk is a governance issue and thus a board-level duty. In the end, what matters is not whether a server works or not. It’s the data, the process and the service that matter.

Pascal Lamia, head of ISB MELANI, gave an overview of the NCS tasks. He named the core principles as (1) decentralisation (empowering existing structures), (2) risk management, (3) flexibility and (4) cooperation. In the field of cooperation he mentioned the public partnership Swiss Cyber Experts, a new organisation that was named again and again throughout the day.

A panel discussion closed the morning. There was a lot of Swiss consensus here, and relatively few takeaways. One interesting point was the repeated call by Andy Mühlheim, Swissgrid, for regulations and minimal standards in IT security. Roger Halbheer, Swisscom, made the point that Switzerland gains resilience from being a small country where people know each other and are used to working together. Subsidiarity again.

The afternoon saw talks by Stefan Brem, BABS; Ruedi Ryth, BWL; André Duvillard, SVS; André Bourget, Canton Vaud; and Benno Laggner, EDA. I got the impression that the implementation of the NCS is in full motion. There is still a mountain of work ahead, but there are also various remarkable initiatives in all sorts of areas.

Ambassador Laggner laid out the activities of Switzerland within the OSCE, where we are active in the process of confidence-building. How does the law of nations apply to cyberspace, and what standards can be defined for state players? A bold proposal by Germany and Switzerland is now actively discussed: All OSCE countries commit themselves to refrain from using their IT infrastructure to attack other OSCE countries. That sounds like daydreaming of course, but during the discussion, the ambassador pointed to the important role of the OSCE in the peaceful fall of the former Soviet Union: All we can do is talk and build confidence among the players. Fatalism won’t take us anywhere.

All in all, an interesting day. Lots of empowerment for the Swiss principles of federalism and subsidiarity, a boost for Swiss Cyber Experts and the impression that there are a lot of interesting projects going on.

Christian Folini