National strategy for the protection of Switzerland against cyber-risks (NCS)

The “National strategy for the protection of Switzerland against cyber risks” (NCS) was passed on June 27, 2012, and is in 2017 in its final year of implementation.
The government defined the following three overriding goals for the NCS:
1) Cyber risks are to be recognized and evaluated at an early stage in order for risk reducing and preventive measures to be taken in cooperation with all those involved in the private sector, political circles and society.
2) The resilience of critical infrastructure to cyber attacks—in other words, the ability to resume normal operations as quickly as possible—is to be increased in cooperation with their operators, ICT service providers, system suppliers and the Confederation’s program to protect critical infrastructure (CIP program).
3) Prerequisites are to be ensured for an effective reduction of cyber risks, particularly, cyber crime, cyber espionage and cyber sabotage, and where necessary created anew (NCS 2012: 28).
In the first part of the NCS, there is an overview of the overall ability of the Swiss system to deal with cyber-attacks in 2012. The overall picture looked rather bleak. The strategy then defines an implementation plan with seven spheres of actions as well as sixteen corresponding measures along the four areas of prevention, response, continuity and crisis management and supporting processes.
The sixteen measures should be implemented by the end of the year 2017. By the end of 2016, 15 of the 16 NCS measures were completed, with the final one expected to be completed by the end of 2017.
Overall, a preliminary evaluation from 2016 states that the implementation of the measures generally has progressed well and that Switzerland is now better prepared for cyber risks than in 2012. The intended structures and processes have largely been implemented and various products (reports and concepts) were delivered in a timely manner. The output also triggered considerable outcome by demonstrably expanding capacities, increasing the level of knowledge and improving the overall coordination across agencies.
In view of the ongoing threat due to cyber risks, the Swiss Federal Council decided to commission a follow-up strategy. The Swiss Federal IT Steering Unit has been mandated to draw up a follow-up strategy for the period from 2018 to 2023 in collaboration with the agencies concerned and to submit this to the Federal Council by the end of 2017.

Generally speaking, the government wants to use the strategy in cooperation with public authorities, the private sector and operators of critical infrastructure to minimize the cyber risks with which they are confronted on a daily basis and to bolster cyber resilience.
More specifically, the government defined the following three overriding goals for the NCS:
1) Cyber risks are to be recognized and evaluated at an early stage in order for risk reducing and preventive measures to be taken in cooperation with all those involved in the private sector, political circles and society.
2) The resilience of critical infrastructure to cyber attacks—in other words, the ability to resume normal operations as quickly as possible—is to be increased in cooperation with their operators, ICT service providers, system suppliers and the Confederation’s program to protect critical infrastructure (CIP program).
3) Prerequisites are to be ensured for an effective reduction of cyber risks, particularly, cyber crime, cyber espionage and cyber sabotage, and where necessary created anew (NCS 2012: 28).

The NCS created coordination mechanisms and structures that will continue to be in place after 2017. Moreover, a variety of threat analyses and policy guidelines were published. Since a follow-up strategy (for 2018-2023) is being drafted, and the 30 new positions created for the NCS were permanently extended, the sustainability of the NCS should be secured.

This national strategy is only transferable if the implementing country takes into consideration that this strategy has been tailored to the needs and (federalist) nature of Switzerland specifically. Any country interested in applying this strategy would need to first conduct an in depth-assessment regarding a) its specific cyber threat environment; b) its various agencies’, institutions’ and organizations’ capabilities; and c) the potential for cooperation with private actors and sub-national levels (state level, municipal level).

There are annual reports (2013-2016) giving an overview of the threat situation and the status of the 16 measures.
In 2016, an impact analysis was published that looked at the implementation of the 16 measures and examines the state of the findings on the financial and personnel implications of the NCS. It evaluates the NCS at the following three levels:
1) the implementation success of the 16 measures was analyzed
2) the aspects cutting across measures (resource planning, contents, organizational structure, and communication)
3) and interfaces with the work of the cantons and the Armed Forces.

a) National level
On the national level, the NCS had the goal of strengthening the cooperation between the actors on the national level, the cantons and critical infrastructure operators as well as private actors.
Regarding the cooperation between the Confederacy and the cantons, the Swiss Security Network (SSN) coordinated an institutionalization of the exchange in the form of a cyber People’s Assembly. Moreover, in 2013, the SSN established an expert cyber group to coordinate the interface between the NCS implementation and the activities of the cantons. The group meets twice a year to ensure the coordination within the ongoing work. For the operational issues, this expert group also established four working groups (on 1) risk analysis and prevention measures; 2) incident-management; 3) crisis management confederacy-cantons; and 4) Overview of criminal cases and coordination on intercantonal case complexes). These frameworks helped enhancing the cooperation and networking between the Confederacy and the cantons.
In order to reach out to private actors and research institutions, there are annual NCS conferences and the so-called Swiss Cyber Research Conferences. Additionally, in 2016, the crisis management exercise “Popula” was carried out, simulating a cyberattack against Switzerland's pension system. It was coordinated by the SSN in collaboration with the federal government, the cantons, and critical infrastructures, with the goal of rehearsing willingness and crisis management at the federal and cantonal levels.
Generally, the cooperation seemed to be successful, at least among agencies on the federal level. It is assumed that the NCS has greatly improved the communication of the actors with a role in the area of cyber risks. Communication is facilitated by the fact that many of the responsible agencies involved actively participate in the implementation of other measures as well and thus a very good mutual understanding could be built up.
However, there is need for action with regard to external communication. Due to the decentralized structure, outsiders stated that it is often unclear who is the main responsible for the implementation of the NCS. The existing communication channels are not sufficient. Feedback from the business community and the general public, as well as the reception in the media after major cyber incidents, have shown that the expectations placed on the NCS were sometimes unrealistic. It was not sufficiently understood that the responsibility for corporate security is not carried by the NCS, but remains the responsibility of the companies themselves.
b) International level
For the international coordination, Switzerland established a working group called „cyber international“, which consists of different agencies on the federal level that deal with cyber security and internet governance. They usually meet twice a year.
On the international level, existing bilateral contacts were intensified and other new ones established. At the multilateral level, work on the confidence-building measures drawn up by the OSCE was developed, and Switzerland was elected as a member of the UN Group of Governmental Experts (UN GGE) on Cyber Issues for one year in 2016.
A number of technical experts from the relevant companies, sector associations, and the competent specialist, supervisory, and regulatory authorities in the federal government and cantons were involved here. In the framework of the UN, the work within the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE) has to be mentioned for its development of global codes of conduct, applicability of international law, confidence-building, and capacity-building in cyberspace.
Switzerland also participates actively in the OSCE's process on confidence-building measures to enhance cybersecurity. For the further development of its own capacities, Switzerland collaborates with the Cooperative Cyber Defence Centre of Excellence (CCDCoE) in Tallinn, Estonia, and is actively participating in the dialogue between European countries and China.
The election of Thomas Schneider (Federal Office of Communications, OFCOM) as Chair of the Governmental Advisory Committee (GAC) of the Internet Corporation for Assigned Names and Numbers (ICANN) in October 2014 further has given Switzerland direct influence on the management of a central internet resource. Finally, Switzerland is part of ENISA's (European Union Agency for Network and Information Security) cyber expert working group, which is tasked with comparing national cyber strategies and identifying best practices and guidance.
? Federal Office for Civil Protection
? Federal Office for National Economic Supply
? Federal IT Steering Unit
? Federal Office of Information Technology, Systems and Telecommunication
? Reporting and Analysis Centre for Information Assurance
? Federal Intelligence Service
? Federal Social Insurance Office
? Cybercrime Coordination Unit Switzerland
? Federal Chancellery
? Federal Office of Communications
? Federal Department of Foreign Affairs – Directorate of Political Affairs
? State Secretariat for Education, Research and Innovation
? NCS Coordination Unit
? NCS Steering Committee
? Swiss Security Network
? Federal Department of Defence, Civil Protection and Sport – Security Policy
? Armed Forces Command Support Organisation
? Military Intelligence Service
? Specialist, supervisory, and regulatory authorities

The resources required for implementing the strategy were presented by the responsible federal units in the Spring of 2013. On this basis, the Federal Council approved the creation of 30 new cyber specialist positions in the competent departments when adopting the implementation plan.

AWK. Bericht Wirksamkeitsüberprüfung NCS. 2016. Berne. https://www.newsd.admin.ch/newsd/message/attachments/48045.pdf [last accessed: October 12 2017]
Dunn Cavelty, Myriam. Cybersecurity in Switzerland. 2014. Berlin: Springer.
Federal Department of Defence, Civil Protection and Sport DDPS. National strategy for the protection of Switzerland against cyber risks. 2012. Berne. https://www.isb.admin.ch/dam/isb/en/dokumente/ikt-vorgaben/strategien/ncs/Strategie%20zum%20Schutz%20der%20Schweiz%20vor%20Cyber-Risiken.pdf.download.pdf/Strategie_zum_Schutz_der_Schweiz_vor_Cyber-Risiken_k-ENGL.pdf [last accessed: October 12 2017]
Federal Department of Finance FDF and Federal IT Steering Unit FITSU. NCS implementation plan. 2013. Berne. https://www.isb.admin.ch/dam/isb/en/dokumente/themen/NCS/Umsetzungsplan%20NCS.pdf.download.pdf/Umsetzungsplan_NCS-engl.pdf [last accessed: October 12 2017]
Federal Department of Finance FDF, Federal IT Steering Unit FITSU and Reporting and Analysis Centre for Information Assurance MELANI. 2013 annual report of the NCS steering committee. 2014. Berne. https://www.isb.admin.ch/dam/isb/en/dokumente/themen/NCS/Jahresbericht%20NCS%202013.pdf.download.pdf/Jahresbericht_NCS_2013-engl.pdf [last accessed: October 12 2017]
Federal Department of Finance FDF, Federal IT Steering Unit FITSU and Reporting and Analysis Centre for Information Assurance MELANI. 2016 annual report on the implementation of the national strategy for the protection of Switzerland against cyber risks (NCS). 2017. Berne. https://www.isb.admin.ch/dam/isb/en/dokumente/themen/NCS/NCS-Jahresbericht-2016-en.pdf.download.pdf/NCS-Jahresbericht-2016-en.pdf [last accessed: October 12 2017]

https://www.isb.admin.ch/isb/en/home/themen/cyber_risiken_ncs.html
https://www.isb.admin.ch/isb/en/home/themen/cyber_risiken_ncs/ergebnisse.html

The general strategic objectives of the NCS are still valid. These include, as mentioned, the early detection of cyber dangers and threats; the strengthening of resilience in critical infrastructure and the reduction of cyber risks.
The specific measures derived from the objectives cover the wide range of activities required to tackle cyber risks, and can therefore be seen as consistent with the overall objectives. There is, however, some room for improvement insofar as that the measures could be combined in a stronger fashion (e.g. to merge two measures into one). A consolidation of the measures would be useful for a better overview and clarity of measures in the future. Moreover, it could be argued that although the objectives have been defined well, there is a lack of specific indicators with which the success of implementation can be measured. Some would argue, however, that reason for that was that first the required structures and knowledge had to be built and that exact (quantitative) objectives to be reached would not make much sense. The structures and the knowledge that was built can and must be used for next steps in the Swiss cyber security architecture.

The implementation of the 16 measures was successful overall and the defined goals were largely achieved. This has led to stronger capacities, expanded specialized knowledge, and better communication. The decentralized organizational structure helped achieve the goals, and so did the close cooperation among agencies and the efficient internal communication. The cooperation between the cantons and the federal level worked well and a certain sensitization on cyber issues took place in the cantons.
However, there are some remaining issues. Firstly, important questions remain open regarding the interface with the work of the Armed Forces. The delineation between the civilian responsibilities of the NCS and the competence of the Armed Forces in the event of a crisis has not been clarified conclusively, and the expectations of the Armed Forces as well as their possibilities relating to subsidiary support have to be specified in more detail. Secondly, external communication at the national level was criticized. Public awareness of the NCS is too low, and it is not sufficiently known what the federal government is doing in regard to cyber risks and where it sees the limits of its competence.
Still, it can be said that Switzerland is better prepared today for cyber threats than it was in 2012, when the NCS was started. At the same time, it has become clear that the NCS can be considered merely a foundation, and that protection from cyber risks must be further expanded.

As mentioned, the decentralized approach has proven to be efficient overall and by the end of 2016, 15 of the 16 NCS measures were completed, and the time schedule defined in the implementation plan was met.
From a holistic perspective, it can be said that the need for resources was estimated realistically. There were just enough resources for most measures. It helped that most of the involved organizational units had already been working on similar topics, due to which it has been possible to benefit from existing know-how. This also allowed the NCS to be implemented with little additional staff (30 overall, 28 thereof directly for the NCS). In some cases it was difficult for the respective agency to fill the vacancies, as only temporary employment contracts could be offered. Moreover, the NCS does not have its own budget, which limits the decision margin of the coordinating unit and makes it difficult to launch own projects.
Overall, it can be said that the resources planned for the implementation of the NCS were just enough, which is good insofar as that there was no need to increase the budget. Additionally, the mandating of assignments to agencies that previously had already been working on similar topics seems reasonable and (cost-)efficient. It is not entirely clear, however, how to exactly measure the cost-efficiency of the programmed, as - as mentioned above - no clear indicators have been given regarding the measurement of the NCS’ successful implementation.

Impact
It is generally difficult to assess the direct impact of the measures on the strategic objectives, especially in the complex and dynamic context of cyber risks. Moreover, the NCS is running until the end of the year 2017, and boosted cyber resilience capabilities might only be observable after a certain period of time. Nevertheless, one can look at the specific outputs respectively outcomes of the implementation plan.
In terms of prevention, the Federal Office for Civil Protection and the Federal Office for National Economic Supply conducted risk and vulnerability analyses in the critical sub-sectors identified in the strategy for critical infrastructure protection and published their reports. The Federal Intelligence Service created a presentation called "Threat Situation Radar", which visualizes the various cyber threats to Switzerland's infrastructures and shows the relevance of the threats.
Concerning response, the specialist competence centers for analyzing malware at the federal level were further expanded and a number of additional products were developed to improve the capacity for detection and response. Additionally, the specialist cyber division of the Federal Intelligence Service built up specialist knowledge and skills in this area which allows it to analyze the targets, methods and players in an attack and thereby to identify potential perpetrators. However, there is currently a lack of additional technical and operational analysts in particular as well as language specialists for more systematic and sustainable processing of cyberattacks at the intelligence service.
In the area of continuity, federal agencies together with the operators of critical infrastructures and the competent specialist, supervisory, and regulatory authorities continue to develop measures to improve ICT resilience in the critical sub-sectors. This work builds on the results of the risk and vulnerability analyses carried out. It should be taken into account in this regard that for many sectors, it is increasingly important to introduce guidelines and minimum standards and to reconcile measures with existing specifications.
Regarding support processes, the State Secretariat for Education, Research and Innovation initiated important bodies which, in collaboration with the private and public sectors, have compiled an overview of the competence-building offerings as well as proposals for how to use them and how to close existing gaps. In cooperation with the association ICT Vocational Training Switzerland and with the support of numerous companies, a new qualification for an ICT security expert with a federal diploma was created.
At the same time, an expert report was compiled, identifying the most important research topics on cyber risks in Switzerland. Within the public sector, the relevant specialist units involved in research (cyber risks) are now being coordinated in a committee across federal offices and departments.

As mentioned, the Swiss Federal IT Steering Unit has been mandated to draw up a follow-up strategy for the period from 2018 to 2023 in collaboration with the offices concerned and to submit this to the Federal Council by the end of 2017. This follow-up strategy is supposed to use the structures and processes built by the NCS to continue to sustainably strengthen Switzerland’s cyber resilience. The Federal Council decided therefore to permanently extend the funding of the 30 positions created for the NCS.

The NCS not only involves a high number of federal agencies (see above), but also successfully incorporated the cantons, the municipal level, operators of critical infrastructure, private companies and research institutions. It thereby takes a holistic approach to the involvement of practically all relevant stakeholders.