Rapid counter-espionage procedures are needed

The investigation report clearly shows that the secret service’s cyber defense operated illegally. But there is no scandal of excessive surveillance – just bad law.

The intelligence service may not accept any information from private IT service providers in Switzerland that would be valuable for counter-espionage.


The scenario is not far-fetched: In order to wear down the population in Western Europe, Russian secret services target energy companies across Europe in the winter. Cyber attacks are intended to disrupt the distribution of gas and fuel, leading to bottlenecks. Russia wants to stir up sentiment against Western sanctions.

The Federal Intelligence Service (NDB) receives information from a friendly service about servers in Switzerland with which the Russian saboteurs carry out their attacks on energy companies in Switzerland. The server is operated by Swisscom. The intelligence service now wants to know which domestic and foreign computers the server is connecting to, and as quickly as possible, so that it can warn potential victims.

The defense against state sabotage or espionage is one of the core tasks of the FIS – also in cyberspace. However, this ability is currently limited because there is no legal basis for it. The exchange of information with the private Internet providers has not been possible for two years. An active warning, as described in the scenario at the beginning, is no longer possible. This is devastating.

The risk of cyber attacks is high

The intelligence service thus lacks an important tool for tracking foreign cyber spies. Receiving, processing and forwarding IP addresses of suspected attackers is fundamental to defending against cyber attacks. This data is exchanged worldwide between cyber security authorities, secret services and private IT service providers. The Swiss intelligence service can only participate here to a limited extent.

Effective cyber defense would be extremely important at the moment. Russia increased its espionage attacks after invading Ukraine. The danger of sabotage looms. And Switzerland will sit on the UN Security Council for the next two years, which could make the foreign ministry in Bern an attractive target.

At the same time, the unlawful processing of technical data in the FIS itself has caused a great deal of unrest. The fact that two department heads in the cyber department were dismissed caused resentment. Staff turnover has increased. These events further weaken the cyber capabilities of the FIS. This is not good for Switzerland’s security.

Intelligence leadership has failed

The FIS has only itself to blame for this predicament. In 2015 it established a problematic practice that was clearly illegal at the latest under the new Intelligence Service Act of 2017. For years, nobody in the NDB management had noticed this. It is incomprehensible that internal control could fail in this way. And it’s annoying because it weakens trust in the FIS.

The practice that is now in focus is unlawful, but actually harmless. The technical analysts of the FIS had only evaluated IP addresses of foreign attackers and their connections. Such an approach is international practice and widely accepted. It offers little potential for abuse. The evaluations were aimed at the technical infrastructure of the attackers and not at monitoring individual people.

Therefore, a distinction must be made between the incomprehensible lack of internal control, which is now to be addressed by means of a reorganization, and the actual overstepping of authority. The latter was technically driven and aimed at protecting Switzerland from cyber attacks. This is not about a surveillance scandal.

That’s why organizational or legal adjustments are needed quickly so that the attackers’ IP addresses can be used again. From today’s perspective, it is incomprehensible that this point was not taken into account when the Intelligence Service Act was created in the 2010s. Simpler procedures are needed so that the FIS can once again fulfill its counter-espionage mandate – including on the Internet.
