How Switzerland Bolsters Cybersecurity in the Financial Sector
Since the beginning of the pandemic, employees in a variety of fields have been working from home, including those in the financial sector. It’s been convenient, but has it increased cybersecurity risks? Finance.swiss reporter Tanya König sat down with Florian Schütz, the Swiss Federal Cybersecurity Delegate, to find out more.
Let’s start with the home-office situation. Did this increase the vulnerability of companies?
Actually, we couldn’t confirm the increase of vulnerabilities. Rather, what we see is a shift in risk. Suddenly, offices were empty and attacks on computer networks within offices became less feasible. The home office was open for attacks…. There hackers could use an angle over a private email address using phishing. We didn’t really see an increase in incidents and reports. Quite the contrary, actually: We’ve seen people becoming more aware.
According to S&P Global Ratings, the financial sector was the most heavily hit by cyberattacks over the past five years worldwide. Does that apply for Switzerland as well? And what kind of threats are the most common?
We don’t have exact numbers but usually the global percentages apply to Switzerland as well. And it’s quite logical that the financial center is heavily targeted because we see, according to the Verizon Data Breach Report, for example, more than 80 percent is really organized crime, and they are after money. And the banks have the money, so you go there instead of doing a bank robbery. You use digital means in a highly digitalized world. Not that we don’t have attacks in other sectors as well, but we also see that the finance sector, for many years, has been aware of this. Credit card fraud is nothing new, it’s been known, and with the rise of the internet and with payments with credit cards on the internet this became a problem, and they addressed it. Banks are very good at calculating loss and calculating risk, and this also comes a little bit more natural in that sector.
Can one even have 100 percent security?
No, you can’t. It’s mathematically impossible, and on the other hand, you don’t want that. In the end, it’s about risk. You want to have a certain risk appetite in order to do business, in order to be innovative. You win some and you lose some. You’re trying to find that sweet spot. Of course, there are some no-go areas, like your customer data. You have a responsibility to protect that. So it’s always important to understand where you can make trade-offs and where not. That is why cybersecurity is a top-level topic and not just a purely technology topic.
Can one say that Switzerland is somehow safer when it comes to cybersecurity? Maybe because of protecting data or because of certain laws?
I wouldn’t go that far. I do think that the way we do cybersecurity in Switzerland has certain benefits. We have really good infrastructure. We are a little bit less good when it comes to digital services, but in general we are a nation with a lot of technology and technology knowledge. We have the Federal Institutes of Technology, which are among the best universities in the world. I think what we struggle with a bit and need to improve is actually our cultural approach. And as I mentioned, it’s a top-level topic. And quite often in top-level things we don’t [think we] need to know about technology. That’s not true.
The thing you manage you need to understand. And that’s an interesting development when tech companies enter financial markets. They basically understand that they need to talk to the engineer, and I think that will be one of the big challenges. On the other hand, we also have very interesting start-up technologies, we have innovation. There the key question is how can we use that technology to protect Switzerland better, and that’s also one of our responsibilities: How can a government generate framing conditions that decrease financial burden. But also, how can we actually make Swiss start-ups stay here—in a risk-averse market—and be competitive?
Do you have any concrete examples for such technologies or start-ups that are looking into that field?
There are a couple of examples, but one I would like to highlight is actually at ETH Zurich, where Professor Adrian Perrig developed a new routing protocol. Routing means how does communication come from one point to another? Today, it’s hard to define where this communication goes through, and sometimes it might go through a country that might try to listen to that communication. The innovation that was made there is that basically you can define the path and by that limit it to Switzerland, for example. And there was a pilot that SIX and the Swiss National Bank did together with a couple of banks and it looked very promising as it increased the security of the communication but it also decreased the risk of failure and it decreased failure over time, which enables new business models.
So this was an experiment. When will this be implemented?
I don’t know. That’s something you need to talk to the National Bank or SIX about. But I think the important takeaway is that in an industry, in the banking sector, you know risk is their daily bread-and-butter business and IT needs to function. And if they talk positively about something, we in the government ask ourselves, where could we also use that, how can we increase resiliency?
In February, the Swiss Federal Audit Office did a report and criticized banks for their intransparency when it comes to reporting cyberattacks. Now, there are a few reasons for that, I assume, so how are you at the National Cybersecurity Center cooperating with banks and trying to get more data from them?
I think first we need to understand the dynamics of that criticism. On the one hand, we have the fear of the institutes from overregulation. There, it’s a trust matter, right? For example, if you take denial of service attacks, on a low scale—I’m not talking about the big ones—they happen on a daily basis. This is normal. But there is a fear that if they see all the individual events, you try to regulate something. On the other hand, FINMA as a regulator, they need to have the data.
Because you can’t just put senseful regulation in place if you don’t have the data. And together with the important players from the financial sector, we started a project to increase the cybersecurity resilience in the financial markets. We are discussing the idea of an information-sharing and analysis center. They exist also in the U.S., for example, and there’s a European one. We would like to give it a Swiss twist with a little operational unit that can then basically anonymize and accumulate that data in order to supply it to the regulator in a manner that addresses both concerns.
And this pleases banks?
Yes, so far it has. I think the biggest success is that there are a lot of organizations with different goals and sometimes they’re competing with each other, but they’re all there, they’re all talking about it. They’re also putting work into it, which makes me very positive that we’re going to succeed.
Let’s look at security on a global scale. Does Switzerland somehow help or contribute to a more secure financial services sector?
I do think that Switzerland already contributes to more cybersecurity in the financial sector. Swiss institutions but also SIX, which operates a lot of the infrastructure, invests heavily in cybersecurity and it also shares best practices and knowledge. They collaborate very well. I also think we can do even more. I talked a little bit about innovation, I talked about that one start-up. I do think we have other great start-ups, and I do think because we are so interconnected, and the finance sector per se is interconnected—also Switzerland plays an important role with other markets like Singapore, for example, or the U.K. financial market—and I do think we can push technology there for the benefit of everyone.