When it comes to cyber attacks, the federal government is largely groping in the dark. Now there should be an obligation to report attacks on critical infrastructures. The most important questions and answers.
Why is? In the future, critical infrastructures will have to report serious cyber attacks to the federal government. That’s what the Federal Council wants. This so-called obligation to report cyber attacks is now coming to Parliament. The National Council will discuss this on Thursday morning as the first council.
Why is it important? In Switzerland it is unclear how many nuclear power plants, hospitals and drinking water suppliers fall victim to cyber attacks every year. Because the official statistics are based on voluntary reports. According to experts, the number of unreported cases is huge. This is exactly where the reporting obligation for so-called critical infrastructures comes into play. It’s about getting a better overview of the number and type of attacks and thus better understanding the threat picture.
How common are cyber attacks? According to the National Center for Cyber āāSecurity, cyber attacks have tripled in the last two years, from a good 10,000 to over 30,000 known cyber attacks. But there are many more cyberattacks than those that have been reported voluntarily.
What information must companies report if they have been attacked? Data on the company, what kind of cyber attack it was and details on how to deal with the attack, i.e. what measures were taken and what defense attempts were successful and which were not. A kind of early warning system is to be set up in which the victims of cyber attacks can learn from each other.
Which companies will have to report cyber attacks in the future? The obligation to report only applies to critical infrastructures. These are companies that are central to the functioning of the economy or the security of the country – for example banks, the SBB or hospitals.
Legend:
The federal government does not know exactly how many cyber attacks there are in Switzerland each year. Therefore, a reporting obligation for attacked critical infrastructures is to be introduced.
Reuters
What do companies think of a reporting requirement? There is a tradeoff between corporate reputation and security. Sharing sensitive information keeps everyone safe. However, it can also be uncomfortable for individual companies to disclose detailed information about a cyber attack. This is why voluntary reporting of cyber attacks has only worked to a limited extent so far. Companies fear being publicly pilloried. They don’t want the impression that it’s their own fault.
Why does it take a lot of tact to implement the reporting obligation? Trust is the currency when it comes to cyber security. According to experts, the general public should only have access to anonymous data, for example on the number of cyber attacks in Switzerland and their effects. In addition, the obligation to report only applies to serious cyber attacks. Then when the security of the country or the functioning of the economy are at stake. For example, if a hospital can no longer function or if a large wave of attacks is suspected.