In the future, companies will have to report cyber attacks

The federal government wants to know when critical infrastructure in Switzerland is attacked via the Internet. The intelligence service would also like to benefit from this information.

A cyber attack on a nuclear power plant can have serious consequences, which is why electricity companies, as operators of critical infrastructure, are to be subject to the reporting requirement in future.

Adrian Baer / NZZ

The car dealer Emil Frey and the Perlen paper mill are the two most recent victims of cyberattacks to become known in Switzerland. Numerous companies report such attacks to the police and also to the National Cybersecurity Centre (NCSC). However, companies in Switzerland are not obliged to do so. That is now set to change.

Because there is no reporting requirement, the authorities do not have a complete overview of cyber attacks. Still, the federal government is not blind. Years ago, the Reporting and Analysis Centre for Information Assurance (Melani) set up a platform for exchanging information with the critical infrastructures, i.e. with those companies that are crucial for the functioning of the country.

The principle here is “sharing is caring” – or, to put it another way: it pays to participate. Anyone who undertakes to share their information about attacks is in turn warned in good time. In addition, the companies and authorities of the so-called “closed customer group” benefit from further support, for example through an on-call number for emergencies.

Information is treated confidentially

The federal government now wants to institutionalize the idea of exchanging information. In future, all operators of critical infrastructure – hospitals, water suppliers or airlines, for example – are to be obliged to report serious cyber attacks to the NCSC. The information will be treated confidentially and will not be published. On Wednesday, the Federal Council sent the corresponding amendment to the law out for consultation.

A reporting obligation for all companies, i.e. the entire economy, is currently not up for discussion. Even the critical infrastructures only have to report serious incidents. These include attacks that endanger the functioning of the critical infrastructure, as well as so-called ransomware attacks.

The law also provides for a report if a foreign state is behind the incident or if the attack went undetected for more than 30 days. These criteria indicate that a technically sophisticated actor is likely behind it, one that could also target other companies. The NCSC may pass on the information received to the intelligence service, which is responsible, among other things, for counter-espionage.

The federal government wants reporting to be as simple as possible, via an electronic form. This form should also make it possible to inform other authorities at the same time: in the finance and telecommunications sectors, for example, there are already rules requiring incidents to be reported to the regulators.

Companies receive “first aid” from the federal government

If operators of critical infrastructure do not comply with the reporting obligation, the NCSC can impose a fine of up to 100,000 francs. However, this is only intended “as a last resort”, as stated in the explanatory report on the draft: “Due to the long-standing cooperation with the critical infrastructures, the NCSC assumes that this provision is largely symbolic.”

Instead, the federal government prefers to rely on positive incentives. Anyone who reports a cyber incident receives technical support from the NCSC “in the form of first aid”. This is already the case today, as the delegate for cybersecurity, Florian Schütz, recently told the NZZ. Now the Federal Council wants to create an explicit legal basis for it. The NCSC experts are not meant to compete with the private offerings of IT security companies.

The NCSC is also to be officially tasked with raising public awareness of the dangers in cyberspace and with warning of specific threats. Judith Bellaiche, Green Liberal National Councillor and Managing Director of the digital industry association Swico, welcomes this new competence.

Overall, Bellaiche finds the thrust of the proposal good. However, she sees the definition of critical infrastructure as a critical point. “It is important that the regulation does not become excessive and that too many private companies do not fall under it.”

After the consultation, which runs until April, this definition could still be debated in Parliament. The reporting requirement is expected to come into force in one and a half to two years at the earliest.
