Date: 2023-11-12

With the new Federal Office for Cybersecurity, the Federal Council wanted to strengthen IT security in Switzerland. However, the competence center is no longer responsible for protecting the federal administration.

Security in the federal administration is more than IT: A new specialist office is intended to ensure a comprehensive approach.

The promise a year ago was clear: the federal government wanted to use synergies and pool forces in the area of cybersecurity. At the beginning of December, Federal Councilor Viola Amherd explained why the new Federal Office for Cybersecurity (BACS) was coming to the Defense Department.

The BACS is now about to start. On January 1st, the new Federal Office will emerge from what is now the National Center for Cybersecurity (NCSC). The current delegate for cybersecurity, Florian Schütz, is in charge. However, there is now not much left of the promised pooling of forces. The competencies in the area of cybersecurity are additionally divided.

The Federal Council decided this week to transfer the protection of the federal administration against cyber attacks to a new body. This specialist office for information security will be part of the new State Secretariat for Security Policy (Sepos), which will also be created in the DDPS at the beginning of the year – but is currently without a manager.

The federal government has not yet sufficiently monitored IT security

For example, the specialist office is now responsible for issuing the minimum technical requirements for IT security for the entire federal administration. It must also approve exceptions or organize controls. Today, a department in the NCSC takes care of these tasks.

The reason for the renewed reorganization of IT security is a holistic approach. The specialist departments for personal security checks and operational security will also be located in the State Secretariat. They check people who are allowed to access classified information or companies that take on sensitive orders for the federal government.

There is a gap in this area today, as the case of the IT company Xplain in June showed. Criminals stole data from Xplain and published it on the dark web. This also included sensitive information from the federal administration, which is a customer of Xplain. According to reports, there were security deficiencies in Xplain’s IT systems. The federal government never checked.

The specialist office for information security will deal with the security of supplier companies in the future. However, it is not just about technical issues of IT security, but also about organizational precautions, for example.

The reorganization will significantly restrict the scope of the Federal Office for Cybersecurity. It is only responsible for protecting the economy and especially critical infrastructure. The laborious development of internal specifications and administrative tasks are eliminated, which can also bring advantages for the Federal Office.

At the same time, there is no longer a clear competence center for cybersecurity in the federal administration. The big question, for example, is who will come forward to the media in the event of a cyber attack on the federal government or a supplier. At Xplain it was Schütz. In the future, it could perhaps be the State Secretary for Security Policy – although operational IT security is not the core area of a diplomat like Thomas Greminger, who is considered a candidate for the office.

Departments resist requirements

This constellation raises further concerns. The IT security requirements are repeatedly met with resistance in the departments and offices. Then you need someone to work on the dry and technical topic within the administration. A diplomat with the rank of state secretary doesn’t seem particularly suitable here either. There are therefore fears that the new constellation will not increase the federal administration’s IT security.

The Defense Department is aware that setting up the new specialist unit takes time. For the next year and a half, responsibility for protecting the federal administration will therefore remain with the Federal Cybersecurity Office. However, this also means that the responsible authorities have to continue to focus heavily on organizational issues – instead of finally being able to calmly concentrate on improving IT security.

For the new State Secretariat, the new specialist office for information security means a further deviation from the actual task. Officially, the new State Secretary is still responsible for security policy. But the majority of employees will deal with operational security issues.

The DDPS is already talking about a “State Secretariat for Security”. This should be the competence center for security policy and ensure comprehensive information security for the federal government.

