Federal Council not deciding again – Switzerland falling behind on Cybersecurity

To be clear upfront: I think that our political system is amongst the best across the Globe. It is one of the purest systems to reflect a democratic process in a direct democracy. This is shown in special initiatives like the “Hornkuh Initiative”, where on farmer from the Swiss mountains found enough support for his idea to bring it in front of the Swiss citizens and the politics had to discuss it (it was about supporting farms who still work with cows with horns).

The downside however is speed: Our political processes are sound but slow, sometimes very slow and you can see that when it comes to Cybersecurity – especially in the conflict between the shiny initiatives like e-voting and the hard work around security.

Our government tries to enable the digitalization and to provide a framework and an environment where companies can grow – and they do a not too bad job there.

But then on the political pane they are driving initiatives like e-voting, which – to me – is mainly a political PR initiative with almost no real value-add but high risks. We are voting about very six weeks and it is a fundamental part of our society. Additionally, we can use different channels today already like early voting, voting by postal service or in person on the day of the vote. I highly doubt that it will increase the number of people going to vote nor do I think that the quality of the vote will increase if you can “swipe left or right” to vote yes or no. Voting requires upfront thinking and an upfront debate on the subject. I do not see a lot of upsides on e-voting except for a few politicians who can claim that they are the ones driving.

The “only” value add is for Swiss citizens living abroad (which is important, and I can understand this) but the risks connected to bring one of our most fundamental processes in our society to the internet are simply not acceptable. This was shown in a discovery by the Chaos Computer Club: Flaw reported in Switzerland’s biggest e-voting system. Not really a surprise. And this caused me to write this blog: On the one hand, our government and mainly our Federal Council wants to show their drive towards digital Switzerland with high-risk initiatives like e-voting but they miss the fundamental work on Cybersecurity: Schweiz: Regierung gibt grünes Licht für E-Voting – die Gegner sind zahlreich. They key point which some people make is that we did a certain number of votes online already in some states in Switzerland and “nothing happened”. A laughable point if you are a security pro.

This is the shiny side, lets look at the basics, let’s have a look at security…

Since quite a time, the Swiss Federal Government is driving a National Cybersecurity Strategy and the people behind this strategy are very good and motivated but the responsible people on the political level do not take their accountability to drive this process. Instead the ministries are fighting each other on competencies and budgets. In July, the Federal Council took a no-decision on Mr./Mrs. Cyber, which caused an uproar within the security community. Different organizations published open letters, something which is not too common in Switzerland. It drove some press coverage as well:

The Federal Council did not take a position on this coverage (which is perfectly ok) but we all at least expect some action.

Well, the worst happened and the Federal Council – once again – did take a non-decision just before Christmas: Rückschlag für Cybersicherheit beim Bund – Bundesrat vertagt Entscheid über Kompetenzzentrum

Dear Federal Council, I know that you will not read that but if you do, please consider:

  • There are a lot of high-skilled experts in commissions to support the government and the industry with their experience. To be clear, we all do that in our spare time. It might make sense if you at least consider their opinion and listen to them. Else, we all rather spend our time with our families and go skiing than spending our time in meeting rooms if you know better anyway.
  • The bad guys are moving fast. You are talking about years (to have the budget, the headcount – and then think about how you will find the right people). The bad guys are talking about hours and days.
  • The speed you show and the unwillingness to decide is shocking and simply unacceptable – sorry to be so harsh. You are putting Switzerland at risk. As simple as that.
  • Instead of investing your energy into an initiative where you feel that you get press coverage and can shine like e-voting, rather do your job and fix the basics and spend what is needed on security. This is the core job of the government and of you as a civil servant.
  • If we will ever have a Mr./Mrs. Cyber – I hope, we find somebody with the right profile who is actually willing to do the job with the history we have here – listen to her/him! Do not do what you do to the experts in the field. Do not ignore this person!

It would be nice if we get a smart and forward-looking decision beginning of next year! And then move fast!!

*** This is a Security Bloggers Network syndicated blog from Roger Halbheer on Security authored by Roger Halbheer. Read the original post at: https://www.halbheer.ch/security/2018/12/22/federal-council-not-deciding-again-switzerland-falling-behind-on-cybersecurity/