Intelligence service: illegally hunted down cyber spies for years

An investigative report shows how the intelligence service processed technical data for years without authorization. But it’s not the employees’ fault. The leadership has failed.

The intelligence service illegally hunted down cyber spies – and for years nobody noticed.


When security specialists hunt down cybercriminals or digital spies on the Internet, they need to exchange information. This includes IP addresses or domain names of the servers from which the attackers operate. These servers can then be monitored, for example, to obtain more information about the actions of the perpetrators or to identify the victims.

The Federal Intelligence Service (FIS; German abbreviation NDB) also needs such technical data for its work. The data can come from partner services abroad, from private IT security companies or from Internet providers. However, at least some of these indications of an attack, known in technical jargon as Indicators of Compromise (IOC), are subject to telecommunications secrecy in Switzerland. The FIS requires a special permit each time it processes such data. It had not obtained these permits in the past.

The FIS has thus violated the statutory provisions. This is the conclusion of former federal judge Niklaus Oberholzer in his investigation, the results of which he presented on Monday. According to the summary of the 90-page report, which was classified as secret and not published, the FIS cyber department had “illegally procured and processed data” for years.

Employees did not act intentionally

At the same time, Oberholzer puts the misconduct of the FIS into perspective. The information was not personal data that was particularly worthy of protection, but peripheral data of telecommunications traffic. The data was also analyzed purely technically and “not with regard to personal elements”. This is entirely consistent with the logic of technical indicators: they provide insight into the attackers’ actions, but provide little information about the people behind the attacks.

Oberholzer, who used to be a federal judge for the SP, does not see criminal behavior. The employees of the FIS misjudged the legal situation and did not act intentionally. Apparently they assumed that the FIS was entitled to “receive reports from anyone, as long as the information was provided voluntarily”.

Oberholzer, on the other hand, clearly criticizes the leadership of the FIS. The report unequivocally states that the internal control and supervisory measures have failed. The cyber department of the FIS has largely developed a life of its own. It seems incomprehensible that the management and in particular the head of the information department “did not recognize the unlawfulness of the practice that had been in use for years”.

It is also striking that the FIS obviously does not keep records of its work, or only keeps insufficient records. Oberholzer writes that the extent could not be reconstructed because the processes in the cyber department “were not systematically recorded and documented”. This gap can also provide ammunition for critics who suspect the FIS across the board of acting clandestinely and outside the legal framework, and of wanting to evade effective control.

FIS cyber defense is currently limited

The unlawful procedure has serious consequences for cyber defense. The activities of the Cyber Department in the affected area were already discontinued in spring 2021. In the future, simply obtaining a permit for each processing is not a practicable solution, as Oberholzer also notes. Such technical indicators must be processed quickly so that the attackers can be combated effectively. However, the approval process can take days to weeks.

The investigation report therefore makes recommendations that the Defense Department now wants to examine. These include organizational and legal adjustments, or even moving the affected analysts out of the FIS. This forensic competence center for detection and analysis could be attached to the National Center for Cyber Security (NCSC). In the next few months, the NCSC will be transformed into a federal office that will be relocated to the Defense Department. It is possible that a major restructuring is imminent here.
