Switzerland

Details

  • Date: 8/26/2014

“The greatest danger lies in not knowing the threat” 

Interview with Marc Henauer, Head of OIC MELANI

Could you explain briefly what MELANI is?

The MELANI Reporting and Analysis Centre for Information Assurance is a cooperative venture between the Federal IT Steering Unit within the Federal Department of Finance and the Federal Intelligence Service within the Federal Department of Defence, Civil Protection and Sport. It was called into life by the Federal Council in 2004 with the aim of collecting and evaluating technical and non-technical information about incidents and threats to critical infrastructures and making the findings available to the operators of those critical infrastructures. As such, MELANI supports the information assurance process of critical infrastructures in Switzerland.

Where do you see the biggest threat to Switzerland in terms of digital security?

In this sense, “Switzerland” is made up of a wide variety of different players and service providers. They implement information and communications technologies (ICT) for vastly different processes. The dangers each of these individual areas faces are correspondingly heterogeneous. Ongoing global developments regarding attacks on e-banking clients can sometimes have a mitigating impact on the threat faced by Switzerland’s financial sector, and sometimes they can exacerbate the situation. Yet that has few or no implications for the operators of waterworks.

 

The greatest danger lies in not being aware of what the threat actually is to your area or what processes and information are indeed critical and thus particularly worth protecting. Without that knowledge, this can quickly lead to an approach that calls for across-the-board technical upgrades of all systems which could be expensive yet which simply is not effective for certain processes. Not every new Trojan means an increased threat level for certain areas.

Has there really been an increase in attacks from abroad or just in the media’s reporting?

A purely qualitative estimate on this subject is probably impossible. Processes are today more heavily ICT-based and as such more susceptible to ICT attacks. Another reason for the increase in targeted attacks is that there are better tools available nowadays to identify attacks of this nature than there were a few years ago.

Is Switzerland in any special danger due to its economic and political situation, the keywords here being taxes, financial hub and neutrality?

Companies and organizations domiciled in Switzerland as well as the general public certainly could be lucrative targets. In the area of industrial espionage, Switzerland has quite a bit of know-how to offer that could potentially be stolen at a relatively low cost through attacks on ICT systems. However, as a general rule it can be argued that the focus of these criminals only shifts to information once it has a price tag. A few years ago, groups targeting e-banking systems were not really interested in the nationality of bank account holders. Since it has become possible to cash in on this information, certain groups have been collecting it wherever possible.

 

We need to add to this a political element, namely governments. Depending on what options a state has at its disposal and the level of political interest and motivation, it will take advantage of these capabilities. Regardless of whether the objectives and information gleaned still reflect the original reason for establishing these capacities or not. In this case the concrete assessment of the threat plays a major role. The focus could suddenly shift to information that had originally been uninteresting, thereby making it a target.

How can companies protect themselves against attacks?

Probably the first and most important step is to accept the reality that not everything can be protected. Like in the offline world, the online world has risks that simply cannot be reduced to zero no matter how much technology and good judgment you use. One approach would be to primarily focus on how critical information and processes are and what level of protection they actually require. Not everything is equally worth protecting. A virus scanner and cloud solutions might be sufficient for most things. Yet every player’s critical processes and information crown jewels most likely need protective measures that go beyond that. One decisive critical factor is that these safeguards cannot just be technical in nature. Personnel, physical and organizational measures need to be combined with technical measures and applied to the relevant processes. Particularly when performing due diligence checks for third-party providers, when it comes to ICT, the main focus will probably shift to issues other than simply the availability of services.

What can private individuals do?

In essence, the same rules apply as for companies. In the end it is up to every individual person to decide which information is considered valuable. The decision to store or distribute information should be made bearing this in mind.

Is the digital natives generation more aware of potential threats or is the reverse more likely to be true?

In all likelihood, it will take a few more years before this becomes apparent. In principle, we can probably presume that this natural relationship with new technologies will also lead to a greater and constant awareness as well as understanding of the risks involved. I think our grandparents had a much more intuitive, natural attitude toward driving cars than our great grandparents did.

To what extent does MELANI help protect against cybercrime?

MELANI is not responsible for prosecuting cybercrime. In Switzerland, this falls within the jurisdiction of the cantonal prosecuting authorities and the Cybercrime Coordination Unit Switzerland (CYCO). MELANI assists these agencies by performing assessments or providing information for the purpose of contextualization wherever desired. Otherwise, MELANI exchanges information with its main client, namely the operators of critical infrastructures.

Is this kind of information also exchanged at an international level?

MELANI would not be in a position to carry out its mandate without an international exchange, both in technical and non-technical subject areas. Generally, problems do not manifest themselves in Switzerland first, but somewhere in the World Wide Web. Therefore, good contacts with players in the cyberworld are vitally important to our ability to assess developments and incidents as quickly as possible in terms of their repercussions on critical infrastructures.

 

What do you think the priorities and challenges will be in the years to come?

 

One of the greatest challenges will be the increasing necessity to integrate IT security into other areas of security. Over time, it will become increasingly more difficult to protect ICT-based processes and data primarily through ICT measures.

 

Another challenge will be to more clearly regulate how data is handled when exchanged across international borders. At the moment there’s still quite a bit of conflict potential in terms of inter-state transmissions plus a large number of legal ambiguities and in some cases even inconsistencies for companies with international operations.

 

Last but not least, a further challenge at the international level will be increased consolidation and the incorporation of Switzerland’s specific concerns with regard to cyber related aspects of companies and public administrations in terms of security policy and economic initiatives and associated standardization efforts. Being actively involved in these matters at the international level is important, especially for a country that relies heavily on ICT tools.

 

Generally speaking: Is Switzerland ready for the digital future?

 

Just how ready Switzerland is as a whole remains to be seen. Many countries have published a cyber security strategy over the past two or three years. One interesting aspect of this is that most of these strategies call for the creation of so-called National Cyber Security Centres (NCSCs). The approach adopted by these NCSCs is primarily to link technical capabilities with existing non-technical and strategic elements. Their goal is to take any relevant information on incidents and threats gained through this cooperation and make it available to the various companies and institutions. Germany, for instance, called into life a Cyber Defense Center in 2012, which is modeled on this concept. Switzerland had already adopted this approach in 2004 with the creation of MELANI.

 

Marc Henauer

Head of OIC MELANI

 

© Mark Schröder / Computerworld