The National Cyber Security Center of Switzerland (NCSC) and the federal departments want to manage cyber incidents together. However, the whole thing is not working at all.
The Swiss Federal Audit Office (SFAO) has once again poked directly into a wasps’ nest with an audit. This time it’s about the joint process for managing a cyber incident in the federal administration, which went live in April 2021.
The goal of this process is to report to the NCSC all cyber incidents that threaten the proper functioning of the federal government.
According to the SFAO’s latest report, this is particularly important so that Switzerland can assess the threat situation and identify current attack patterns at an early stage.
The SFAO’s audit focused on the feasibility and effectiveness of the defined process. In addition, the auditors used two closed cases to check whether the interfaces and communication channels were working at all.
Everyone does it differently
Right at the beginning, however, it became apparent that not all incident clusters lead to a report to the NCSC. In addition, the report states, coordinating and harmonizing the categorization of incidents (high, medium, low) is challenging when a cyber attack affects multiple agencies.
If this is not coordinated, however, there is a risk that the various federal administrative units will approach an incident with different priorities.
In order for an incident to receive the same level of attention everywhere, the SFAO flagged, an adjustment and harmonization of the categorization between the departments is necessary. This would involve clarifying whether the NCSC should perform this categorization and how responsibilities for communication would be regulated.
13 days to report
As noted, the SFAO picked out two closed cases. The first was an internal incident; the second involved an external service provider that was affected by a cyber incident. From discovery of the incident to reporting it to the NCSC, it took a whopping 13 days in the first case and 11 days in the second.
In the first case, according to the SFAO’s final report, the affected federal unit assumed that only its network was affected. However, it later turned out that an external service provider had also been affected.
In the second case, the external service provider had already informally reported the incident directly to the NCSC. During this time, the officials conducted internal investigations and only informed the NCSC afterwards.
Level system necessary
The SFAO therefore recommends that the administrative units be made more aware of the obligation to report cyber incidents and that the processes and obligations be prepared in a way that is appropriate for each threat level.
The analyzed cyber incident at the external service provider also brought to light that no reporting obligation for such incidents had been agreed to in the contracts. This was all the more significant because this company also programmed software for the operation of critical infrastructure.
Planned adjustments to the contractual clauses on cyber security were a step in the right direction, the auditors explained. However, they said, the deadlines for reporting cyber incidents were not uniformly specified and had to be defined individually in each contract.
Overview completely lacking
However, according to the SFAO, it is questionable whether the federal government agencies everywhere have the knowledge to define such deadlines in a practical way. Moreover, these contractual clauses would also have to be renegotiated for existing contracts. So there is clearly a need for central action.
As part of the audit, the SFAO also found that the federal administration could only determine with great effort which external service providers it uses. An overview of all external companies is completely lacking in the administration.
At the departmental level, it is then all the more difficult to determine which units are served by an external service provider. If an external service provider is affected by a cyber incident, however, the federal government cannot determine within a reasonable period of time which other units, applications and services are potentially affected, the statement added.
Vulnerability of Switzerland
In the event of a cyber incident, a lot of valuable time is therefore lost. An overarching inventory of all external service providers could remedy this and help vulnerability management pass on information in a more targeted manner.
After a serious cyber incident has been dealt with by an external service provider, it should also be possible to then conduct an independent audit. Corresponding reports should reach all of those involved. In this way, all units could be sure that the incident has been closed and has been responded to appropriately.
Last but not least, the role of IT managers in the departments must be further sharpened. In addition, there is an urgent need for a rule on deputies. If necessary, the NCSC must demand that the departments explicitly designate a deputy IT officer for cyber incidents. So, overall, there is a lot of work to be done.
However, the reactions of the institutions concerned are always interesting in these SFAO inspections, as muula.ch has already reported several times. This time, the response was favorable. The NCSC dutifully thanked the SFAO (EFK) for its comments and intends to put the suggestions for improvement into practice.
So, cyber criminals should politely wait until all the SFAO’s recommendations have been implemented everywhere, and actually work, before attacking the Swiss federal government.