Transcript of interview with Florian Schütz and Edouard Bugnion
This is a transcript of the interview “Swiss Cyber Storm in a nutshell” that was streamed live in lieu of the full SCS Conference on October 13, 2020.
Link to Full video (Duration: 1:03:05)
Dr Christian Folini: Hello, thank you for joining. We are here in Lausanne at the EPFL and we are going to do an interview with, on my left, Florian Schütz, Cyber Delegate of Switzerland, and on my right as our host today, EPFL Vice President, Edouard Bugnion. I don’t want to go too deep into the biographies, but maybe we can touch on that during the talks. Obviously, I heard you guys talked a lot to each other during springtime, during the Corona pandemic. I heard you talked more to each other than to your respective families. Ed, would you elaborate a bit on that? How was your relationship there?
Professor Edouard Bugnion: I can confirm, it’s actually the third time that Florian and I see each other face to face, with masks on, of course, this time. So welcome to EPFL. I was involved deeply in the development of what became the SwissCOVID app and Florian was, of course, in his responsibility as the Cyber Security Tsar, responsible for signing off on the properties of the system, and it has been quite a ride.
Dr Christian Folini: Absolutely, I’m sure of that. I kind of learned that the tracing app is Carmela Troncoso’s baby. Would you then be the Godfather of it? Is that the right role for you? I mean, you introduced it to the Apple and Google teams?
Professor Edouard Bugnion: Yeah, so I mean, the protocol clearly is the brainchild of Professor Carmela Troncoso and her team. What I did is the following: my background is operating systems. So, I spent my entire career building systems that could be operated, that could be virtualized, understanding the relationship between hardware and software and operating systems. What we clearly recognized is that this was not only a protocol problem; it was also going to be an operating system problem. Particularly, the interaction with the operating systems of Google and Apple, which is why I spent many of my evenings in the spring in conversation with Cupertino and Mountain View to work out what was necessary in order for these decentralized applications to emerge.
Dr Christian Folini: Very good. So, you took the idea and made it into a real operating system. Florian, you were the partner for Ed and the EPFL and the development teams. Can you explain to the audience what that role would be? Is that the kindergarten teacher role or…?
Mr Florian Schütz: Certainly not. I mean, sometimes when projects go at the high, it feels a little bit like kindergarten, but that’s just the norm. Actually, we had a much broader role, I think. There were many more parties involved than those just mentioned. We had in the lead the Bundesamt für Gesundheit, we had the Cantons which had to play a role. We had many different players. Our main role was to make sure that we do the internal security testing of the final product before pushing it through a public security test. After that, we were taking reports on potential vulnerabilities and triaging them to the right parties so that they can get fixed.
Dr Christian Folini: Okay. So, you took a coordinating role, a bit of a turntable, but security testing is something you have in mind with the National Cyber Security Centre.
Mr Florian Schütz: I don’t think we can do testing at scale. That’s not how we are set up and I don’t think that’s how we should be set up. I do think our strength lies in the coordination and in the involvement of the right groups. However, of course, I do require that we also have people that can actually verify reports and that also have the technical depth to sometimes drill into something that is interesting.
Dr Christian Folini: Okay, good. Yeah, it makes sense. We’ll get back to that afterwards. Again, I hear the app already has more than one and a half million users in Switzerland. I heard even the service is improving within certain Cantons. The next job seems to be integrating that in the European Union application. That is probably on the political level. Are they really playing hardball with us, using the app on behalf of their citizens when they travel to Switzerland, to make us sign the Association Treaty? Is that really the game here, or why were we not allowed into the app so far?
Professor Edouard Bugnion: I’ll take the easy part of the answer, which is, I’ll give the background and then I’ll turn it over to Florian for the interpretation. The easy part is the protocol, which is designed to allow national applications to operate separately for the residents of their own countries. But of course, whenever somebody goes across borders, there is an exchange of information, so that you can be protected. Both yourself and, if you were to get infected, you can protect the people and notify the people that you were in touch with, even in another country. This requires a level of technical interoperability. From a protocol and implementation perspective, this is something that is fully worked out. This is something that is being put in place: a European federated gateway. It’s going to be running out of a data centre in Luxembourg and it is going to coordinate the access and exchange of data from a number of European countries. Now, that set of European countries is to be determined and this is where I turn it over to Florian, to speak about the Swiss situation.
Mr Florian Schütz: I mean, I can’t really comment on the political dimension because I’m not in the lead or we are not heavily involved. I can comment a little bit on security collaboration. I don’t think that security collaboration will be an issue, because we already have very strong collaborations with the different European states. For example, using the network of the European GovCerts – we are tightly embedded there – and collaborating and helping each other. So, I do think in the end, there is, as with everything, multiple dimensions involved. I think the technical dimension is one that’s almost solved at least and the rest, we’ll see how it works out.
Dr Christian Folini: Okay. And then that happens, apparently, on the political level, because the technical level is worked out and somebody else has to take charge of that.
Mr Florian Schütz: Yes.
Dr Christian Folini: Okay. Fair enough. Good. We are plagued with vulnerabilities every day. I checked the CVE numbering and we are up to 20,000 already, and it’s only early October; certainly a new record again, and again. One of them that stuck out a bit in September was this BLESA thing, so the Bluetooth Low Energy Spoofing Attack. It will allow an attacker to spoof server devices and send out and indicate the data. The way I read it, it could be used to eavesdrop on phone calls and people using the Bluetooth devices in webinars, telcos, but it’s probably also touching on the tracing app a bit. Could you elaborate on that?
Professor Edouard Bugnion: No, so it’s actually… I think the vulnerability you are referring to is one that is tied to connection-based Bluetooth establishment between devices and the tracing app, SwissCOVID in Switzerland uses simply beacons to exchange information so there is no establishment of connections.
Dr Christian Folini: So, it’s different technology?
Professor Edouard Bugnion: Yes, it’s a different technology, different lower-level protocol. But of course, this vulnerability is an example of the fact that we live in a world that is imperfect, where there are a lot of devices. Sometimes the bugs can be fixed in firmware, sometimes they cannot be fixed in firmware. So you end up having in some rare cases, even the situation where there are some devices and hardware devices and peripherals that are out there in the market that cannot be patched, cannot be fixed and they are still being used by people.
Dr Christian Folini: Okay, yeah, that is a recurring problem, of course. Maybe time to leave COVID behind now. This one question; I mean, there is a huge data collection. And I’m sure a sociologist would have a lot of interest to know how long people meet each other. How close do they get to one another, north of the Alps, south of the Alps? Where are parties happening, where are they not, and stuff like that. But I also get the feeling it would be an interesting instrument to measure the efficiency of different cantons. How do they work and how do they interact, who is improving and is this digitalization actually working? Or is it more…?
Professor Edouard Bugnion: I can respond to this on the first point, and I kind of know the way you were putting the question. We don’t collect any of that, nor can we actually collect any of that. What’s fundamental about the approach is that the information that is collected by the phone stays on the phone and is never shared with a third party. So there is actually no global view of things.
Dr Christian Folini: So that you cannot do?
Professor Edouard Bugnion: That we cannot do at all. We are not delivering any insights. What we do have is, right now we are at the level where, and unfortunately, because of, of course, the epidemic situation, the level where we’ve well exited the range of the law of small numbers and we now have some statistically significant insights into how the various parts of the country are using the app because of the people who call the hotline. To give you a few numbers, if you look over the last few weeks or few days, there are well over 200 codes entered every single day by people who are infected and contagious and who were provided with a COVID code by the cantonal physician. That leads to the automatic notification in the network. And then people in the network have, first of all, the opportunity to change their behaviour and break infection chains by simply changing and adjusting their behaviour. They have the right to a free test; that’s established in the law. They also can call a dedicated hotline to get advice, and in some cases to ask to be quarantined. The number of calls on that hotline just yesterday, on a single day, was 600. Every day is breaking new records.
So we are now at the point where we know more. We have a sense of the use of the product. It’s demonstrating its efficacy and its efficiency and its speed. Speed is everything in this pandemic. And then the hotline does have some statistical information about the Canton of residence of the people. So we know the Cantons that basically get more calls with respect to the number of cases and the ones that have less. We can attribute it to many things, but one of the main ones being the efficiency of the various Cantonal processes. We have 26 of them in the country.
Dr Christian Folini: Yeah, and they are not all the same.
Professor Edouard Bugnion: We have 26 flavours. We don’t get to choose yours, but you have 26 flavours.
Dr Christian Folini: Yeah, I see that. Thank you. Florian, you obviously immediately took an important leading role during the pandemic, with the COVID tracing app, etc. You could say it was probably a bit of a blessing for the National Cyber Security Centre. I don’t know if you would put it that way, but it established an important position for you in Bern, which was probably not so easy at first.
Mr Florian Schütz: Well, with risk comes opportunity and that’s the important part. I do think what we have proven with the National Centre for Cyber Security, which basically was very young. A little bit on the history: I joined last August. We actually founded the reporting entity, where citizens and companies can report problems to, on the first of January, and we have the legal baseline fully in place for everything I do and my colleagues do in the core group of cyber and the steering committee, and the Cyber Ausschuss has been in place since the first of July. I think we certainly proved that we can actually deliver, even if we are not fully set up, even if things are sometimes a bit chaotic and even if people have to work extra shifts. I must say I was very, very impressed by our employees, who really did double shifts because they believed in the good of the things. It’s not just the SwissCOVID app. I mean, you have to see, we faced a shift in attacks; we didn’t see more attacks. We faced a shift using the COVID theme. But we were also very, very cautious about our hospitals, because we feared that now is the time to actually attack hospitals, because now they are more likely to pay a ransom, for example.
Dr Christian Folini: So, ransomware gets new targets now. It would be a perfect moment.
Mr Florian Schütz: Well, they didn’t in Switzerland. It turned out not to be a problem here. It was a problem in some countries, but this also led us to develop technology with which we actually could support the hospitals. At the same time, while supporting the app, we developed new services and… well, let me call them prototypes (not products) to actually support them. We pulled up new processes and at the same time, what we did is, for example, for this security testing, we also sort of documented a very, very lightweight process. We did the calculation of what it costs, so we can repeat it. I think it shows that even in government, we can actually use an approach where we start small and then get better.
Dr Christian Folini: Yeah, that is surprising that you can do that in government. That is true.
Mr Florian Schütz: In my opinion, actually, it’s not that surprising. I mean, look, I came from outside, I had my ideas, but actually what you have in government is a lot of very motivated people across all departments, and they want to collaborate. Now, it’s not always easy within the structures that exist. For example, one speciality is, if something is not forbidden for you, you can just do it. For us as government employees, it’s different.
Dr Christian Folini: If it’s not written then you are allowed to do it.
Mr Florian Schütz: If it’s not allowed, then we can’t do it. So that was also why we needed the law for the SwissCOVID app and everything. And that just changed a little bit the dynamics around.
Dr Christian Folini: So just to repeat it; because you are not entitled to fulfil a certain role, you cannot do it. Unless the law or the parliament grants you the right to investigate this, or do this, perform this action.
Mr Florian Schütz: Yes.
Professor Edouard Bugnion: Yeah, I mean, that’s certainly tricky for people not working for government.
Mr Florian Schütz: It’s always a trade-off between speed, but also being sustainable. It has also positive effects. It refrains us from just jumping on the next bandwagon and doing the next cool thing. We’ve got to think it through. It forces us to also explain it to lots of different stakeholders, to lawyers, to the population, to parliamentarians. We have to make sense of the idea. I think that’s actually a good thing because you want solutions that come through. For example, if you look at MELANI, which is now part of the National Cyber Security Centre, that was founded in 2004 actually. This is 15 years old. I remember back in the time I was working in Switzerland, I was working close to government, and other states actually had the discussion that they put all these structures in place for Cyber Security. Switzerland just started with a small entity that actually delivered value. We didn’t scale yet. It wasn’t perfect and actually, we came a long way. MELANI, for example, has an excellent reputation across Europe.
Dr Christian Folini: It has an excellent reputation, given the size of it. It’s on equal height with different states, which have huge organizations behind them.
Mr Florian Schütz: I think it’s important that we don’t forget that. Well, I’m generally a very critical person and I like to poke around on the things that do not work. I also think we need to see that in government not everything is slow and not working. We have some pretty nice things.
Dr Christian Folini: Glad to hear that. So touching that again, Switzerland is somehow a bit of a federalistic mess when it comes to cyber initiatives. Personally, I think that is actually a good thing from a resilience perspective, because there are so many people interacting, but speed is a problem there. Would you say you get to be a moderator in all these conversations? Is that your role or is it more the security testing thing?
Mr Florian Schütz: I think it’s a layered role. First and foremost, it’s best if I’m not needed, if it just works. People need to understand, especially owners of businesses, that they are responsible for their business. This is not my role.
Dr Christian Folini: So you are not doing their job? You are not protecting them?
Mr Florian Schütz: No, as long as it’s not a critical infrastructure. If a company goes out of business, there is competition that fills the gap. That’s how markets work. That’s important to understand. My role is to prevent systemic crisis. That’s one part. Together with my colleagues, I’m not doing that on my own. We have very different parts in government, but before we get there it’s… and that’s the reactive part. There are a lot of preventive things. One is, really we need to generate framing conditions where actually businesses can invest in their security in a sensible manner while keeping the innovation up, while also not having to spend too much money, so we stay attractive. And there come a lot of topics. So for example, can we build very, very resilient infrastructure as a default? If we look today at ISPs, they have great differences about the security they provide. Some will charge you for everything they do in security. Some will not even let you know what they do. And this is the…
Dr Christian Folini: But is this something that you would make transparent, or is that a role for you, making that transparent across the country or giving a baseline, look, this is what you ISPs should do?
Mr Florian Schütz: My role is to think about framing conditions. So let me give you one very specific example. A couple of weeks ago, there was an increase in DDoS attacks on financial institutions. Financial institutions are in a critical sector. So we asked ISPs to please block obviously malicious requests. This is not about censorship; it’s really about 100% identifiable requests.
Dr Christian Folini: And on the network level because ….
Mr Florian Schütz: On the network level, because they do routing. They own the infrastructure. They can do that for their clients, actually. Now, of course, some of them sell it as a service. Some providers just told us no, we are not going to do that. They argue it with freedom of speech, which does not apply if it’s criminal activity. And some of them did. But with the clients, with the banks, actually, they did not know whether their provider took the measures or not. We are not allowed to inform them who did and who didn’t, so this brings a situation where no one benefits in the end. Prices are not transparent because you could pay a very low price. The only thing you see is how fast your internet access is. I see it in our role to not just regulate. We need to apply regulation if it’s necessary to protect our critical infrastructure and our society, but also to find systems where we can increase the transparency so that all the different participants in the system can win on a fair basis.
Dr Christian Folini: Yeah, I see. Good. We are halfway through the National Cyber Security Strategy, the second edition of that. Could you give us a brief status? What really interests me is this notification obligation that was put into it. You need to examine it. In summer you did an interview and said, this is coming to Switzerland, there is going to be an obligation to report cyber incidents.
Mr Florian Schütz: I must correct slightly. It’s not yet decided. So we will… Basically, we are working on a draft on how such a reporting duty could be and what it could look like, how it could be embedded in existing laws or whether we need to generate a new law. We will then give a recommendation to the Federal Council in December. And then they will take a decision on how to take that forward. That’s the important part. We are not taking the political decisions.
Dr Christian Folini: Yeah, but again, they are going to do what you recommend, won’t they?
Mr Florian Schütz: Not always, but at least we recommend to them. It is our job to make the options transparent and show the effects of each option. My personal view is that an obligation for critical infrastructure could make sense, because we do have some problems in Switzerland. We don’t really know how many incidents we really have. It’s voluntary to report them. Some do, some don’t. This makes it difficult for us to then say, okay, where do we need to invest? Is ransomware the big problem? Is it criminality? Is it online fraud? Is it DDoS? So where are the problems? Where should we focus? Does it make sense to work with the ISPs to increase the resiliency of their infrastructure? Or do we actually need to work with the critical infrastructure itself? And I think there, it makes sense. It doesn’t make sense to have a reporting duty where you report each and every attack. That’s not what’s interesting.
Dr Christian Folini: You are not interested in that. But it would make Switzerland comparable to other European countries, wouldn’t it? For statistical purposes, that would be interesting?
Mr Florian Schütz: I mean, they don’t really have the statistics either. And even if we have it, there is a high dollar figure now. Now, what do you consider an attack? If you get an alert because of DDoS, well, you probably have thousands of attacks a day. I used the rule of thumb in my previous profession, as I said, it’s an attack if I lose money. Even if it’s just 50 Swiss Francs, it’s a successful attack. And then you come to, depending on your company, a couple a day, that’s the average. If you don’t see a couple of attacks a day where you lose money and you are depending on online resources, you are probably not seeing what’s happening. But that’s the thing. So even that isn’t interesting. What’s interesting is an attack that actually endangers the functioning of a critical infrastructure such that they can’t provide the service. The Germans, for example, do a very interesting thing there; they basically said, if it potentially affects X amount of people. Because your power transformer close to a rural region, even though it’s unpleasant for those affected, is probably not generating as much damage as one in an industrial zone. And so we need to find measures for that.
Dr Christian Folini: Yeah, I see. National Cyber Security policy, is that something affecting you as the university research community at all? Or is this something happening in Bern, where there are new things about it?
Professor Edouard Bugnion: It’s both sort of an operational topic and it’s also a research topic. It’s an operational topic because we are part of the critical infrastructure as well. Florian talked about the National Network. The National Network is obviously one of the many aspects of the critical infrastructure. There are many other aspects of our digital lives that basically collectively form a critical infrastructure of the country, and we happen to be running a number of them. So we are faced with it. We have a network that is also constantly under attack, and that we need to respond to. This is sort of on the operational side. And then on the research side, of course, we study all aspects of computing, offensive, defensive aspects of computing. We have experts in identifying security vulnerabilities in different systems. That’s part of what we do from a research perspective. This is also how you end up understanding systems. If you don’t understand what the systems consist of, then it’s very difficult to have an educated view of what is actually happening.
Dr Christian Folini: And what is misbehaviour and what is standard behaviour about.
Professor Edouard Bugnion: The complexity, of course, is daunting. There is a very famous luminary in distributed systems who said many decades ago that the definition of a distributed system is when you cannot get any work done because a computer you’ve never heard of is not working. Of course, now we are in a phase where the number of things that could fail and impact our ability to operate professionally is extremely high. We need to make, from a resiliency perspective, a certain set of assumptions. This is how we think about continuity. This is how we think about resiliency in the case of attacks. By the way, this is also how you think in terms of COVID, where suddenly everybody had to work from home. And then you realize whether you have the infrastructure that scales or doesn’t scale; it’s not stricto sensu a security issue of the first order, but it is all about scaling. Scaling and the ability for infrastructure to scale is a critical part of the response and very often it’s overlooked.
Mr Florian Schütz: Maybe if I can add here, it’s also very important. We have excellent universities and education in Switzerland. We have, for example, strong collaboration with EPFL and ETH Zurich. So the SwissCOVID App was one. I just met with Professor Payer, who is doing a lot of vulnerability research in Bluetooth and systems, with whom, of course, we also have a good exchange, which helped us if there is something that could affect critical infrastructure. We are discussing these opportunities. We work very closely with ETH Zurich, with Professor Perrig, who is behind SCION, a very, very promising project, where I think there is big national interest as well to roll this out to secure our infrastructure better with a better routing protocol. Then also, one thing that I would like to address is, at least from my personal experience, a lot of my colleagues today come to me and say, well, Florian, we studied at ETH, that’s where we know each other from, and they tell me, Florian, I think I’m leaving Switzerland. There is just no career in IT in Switzerland. I’m not taken seriously by the management. If I go to one of the international tech companies, they take me seriously. You don’t get Senior Vice President of technology in an international technology company if you don’t know about technology. In Switzerland, you can get CIO…
Dr Christian Folini: You can get very far without knowing anything about technology.
Mr Florian Schütz: And that’s a problem. I wouldn’t hire a CFO that doesn’t know about finances. I’m not saying that the CFO must have been in finances all their life, but that person needs to get the basics right. He needs to understand the matter. So it’s a pity that we have very high ranking universities, ETH Zurich and EPFL among the top universities in the world, and we are actually seeing a shortage of talent because they leave the country and they do the innovation somewhere else, or even worse, they start it here and then go abroad. We make it very difficult, A, for start-ups in Switzerland and, B, we make it very difficult for people to have a career here. I think we need to change that. I’m not sure if you agree.
Dr Christian Folini: Well, you came back, didn’t you?
Professor Edouard Bugnion: Well, I left first and I was in the US for the better part of my career. I lived in the United States for 18 years. So this was home for me. I did come back. I came back to a different world. When I left, it was very clear that there was no career in technology.
Dr Christian Folini: So it improved?
Professor Edouard Bugnion: The way I often explain this is that Switzerland made the decision a few generations ago that IT and, in general, the digital field was something we would simply buy and operate. We would not worry about owning it or developing it in any particular way. We bought a lot of equipment, and the Swiss IT community is extremely good at operating equipment that was developed elsewhere. Now, if you think about the decision, it was an implicit decision, of course, you know, 20, 30, 40 years ago. It makes sense, Switzerland doesn’t do many things. We don’t make cars.
Dr Christian Folini: Yeah, we buy a lot of things.
Professor Edouard Bugnion: We buy cars. So okay, we buy computers, we buy cars. Things are changing now and I think this is where there is a real opportunity. Because now there is nothing to buy, because the IT industry is no longer in the business of selling products that can be operated locally. They are in the business of delivering cloud services. So we have a different model where we either have to operate cloud services, or we have to develop the necessary critical part of the infrastructure that we want to deliver for our country, our citizens, our companies, as part of what is known these days as a sovereign cloud strategy. I think that’s where there is an opportunity for the community at large.
Dr Christian Folini: Okay, interesting. Let’s get back to that afterwards. I would like to finish off the Cyber Security Centre and the Cyber Strategy of the Swiss Government. A problem that was around maybe historically with MELANI was competence. To give you a completely hypothetical example; if the military would get a server exploited, some unpatched server, would you have the competence to lay your hands on that server to do the forensic analysis? Is that sorted out or is this still a hot issue?
Mr Florian Schütz: I think if I personally do the forensics, it’ll take too long. I’m pretty sure I can still do some stuff, but I’ve not done that in many years. Now, joking aside, you mentioned the military. The military has the Führungsunterstützungsbasis as the IT provider. We have different IT providers within government. They are responsible for their own security, first and foremost. That’s why they have a security team with very good security people, actually. The thing is, when an attack now happens, with the new ordinance in place, they need to report it to me. Now, it is not my goal to take over control; it’s my goal to inform the others and to see the risk, and then determine whether the risk is becoming too high. Do we actually need to coordinate it on an interdepartmental basis? Do we actually need to involve the GovCert? But even on a daily basis, whether it’s the Department of Defence or the Department of Justice, or any of the other departments, or be it in our own department, people help each other. That’s already working on a working level.
Dr Christian Folini: Okay, it’s working on a working level and you think the competencies are slowly being sorted out, because the more you establish, the stronger the centre becomes.
Mr Florian Schütz: Look, it’s a pretty normal thing. People that are competent like to work with people that are competent. So that’s happening. I do think where we need to improve is on a process level and on the leadership level. Before my role was founded, there was no real coordinated action towards defining these processes. We still have a way to go there to define them, but we are working on that, we are collaborating, we are working more together and I think that’s a positive development. We still have a way to go, though.
Dr Christian Folini: Okay, good. Ed, I saw the open-sourcing of the COVID tracing app as a signal in Switzerland. That is publicly interesting, that is a privacy affecting app and we kind of have it in the law, it has to be open source. Do you think that is a trend? Is this the way it has to be or could it be different? And Florian, do you agree that, like government, the law is making things like that mandatory, like transparency, open access, etc.? What do you think?
Professor Edouard Bugnion: In the case of the app, if you think about why it became a success, it’s a combination of technical and non-technical aspects. On the technical aspects, why we developed a product that works, it’s not perfect. There are a very large number of constraints that we had to work through. It is a pragmatic approach. And it doesn’t have to be perfect. Remember one thing in this pandemic, nothing has to be perfect. It’s the combination of different imperfect mitigation and prevention measures…
Dr Christian Folini: Speed matters.
Professor Edouard Bugnion: …that will let us defy this pandemic. And then we have next to the technical aspects, we have the sort of the non-technical aspects which are aimed at ensuring transparency and confidence. One of them was we wanted to make sure it was very important that this was a voluntary and non-discriminatory use of an application, right? You can use it; you don’t have to. And the other one was to make sure that we had a best practice approach to transparency. In particular, by making sure that the application was open-sourced. To me, it’s actually kind of a relatively straightforward evolution of what citizens should expect out of government applications. As soon as you start putting any kind of algorithmic decision making into a government process that affects the life of citizens, it’s fundamental that this is open sourced. For example, France has a very, very complex algorithmic-based way of dealing with admissions into higher education. It’s their educational system. And whether the system is good or not good is not the point. The point is it’s essential that there is some level of transparency about how it is implemented so that people who are going through the system have a sense of fairness…
Dr Christian Folini: What is happening to them.
Professor Edouard Bugnion: What is happening to them. I think this is something that we can learn from. You can generalize. The notion of transparency of reporting of when things work and when things don’t work, is actually becoming the norm. One thing we have not mentioned yet, because it is not the law of the land in Switzerland, is GDPR. But GDPR even though it’s not the law of Switzerland, it is absolutely the law of the land for all of the companies that do business with people who live within the European Union. I know cases where you end up having a situation where you have a data breach, these things do happen. If it involves a relatively large database, you end up very quickly having to notify multiple agencies in Europe, potentially all 28 of them. And then you don’t have to notify the Swiss. That is because the law doesn’t require that there is a notification in the case of the data breach.
The revision by the way of the data protection law is actually not going all the way to the levels that are expected with GDPR. So, we have a situation on the Swiss side where we have a… We need to operate, particularly in the private sector with a global environment, at the risk of offending legal scholars of Switzerland, where Swiss law doesn’t really matter that much. Because when it comes to the digital world, the reality is it’s the European data protection law that matters when it comes to data. It’s the American law that matters when it comes to Cyber Security and the potential legal risk of having some warrants to access data, even when the systems are overseas.
Dr Christian Folini: Yeah, I see. Florian, I’m sure you are sitting in different government bodies where these topics are discussed. Is it true and do you see the same trend? Or you think transparency is as important? I don’t get transparency as particularly a Swiss quality.
Mr Florian Schütz: I wouldn’t agree on that. I do think transparency is a Swiss quality, though we need to define what transparency means. So, I 100% agree with what Ed said. But saying something is open source and now it’s transparent, in my opinion, is just plain wrong. Open source can be one measure to build transparency and trust. There are others. So, I trust…
Dr Christian Folini: Could you replace it with something else?
Mr Florian Schütz: Yeah, sure. If you have, and that’s a personal opinion of mine, if you put out a product, and you tell me it’s being verified by I don’t know, by the National Centre of Cyber Security, no. Joking aside, but it has been verified by EPFL, it has been verified by the CCC, Net Neutrality, those people looked at it and probably Microsoft reviewed it, I don’t know. I’m going to trust that application more than the Linux Kernel, because the example Linux Kernel had a problem in the SSL module that wasn’t discovered for years. Just because it’s open source, it just means everyone can look at it quite often. That means no one does. And even there, when we look at code, it’s very complex. By looking at it, you don’t really gain anything. So you need to do the analysis. You need to use semiformal or formal methods in order to really come to a conclusion. It’s just one measure and that’s from the security aspect.
The second thing really is that we do actually discuss a lot is how we can gain the trust of the target groups. Quite often in government are these the citizens or the companies. Now, it’s not always straightforward because there are different interests. Sometimes you have a service provider that provides a service that wants in the end to earn some money by providing that service. You have an operator of infrastructure. You have maybe a political intention behind them. You’ve got to bring that all together and build a solution that is trustworthy enough to be adapted. I think that’s the puzzle that we are trying to solve.
Dr Christian Folini: I mean, trust is a hard problem and it doesn’t come out of thin air.
Mr Florian Schütz: You wanted to add something?
Professor Edouard Bugnion: I mean, from a just very generic IT deployment perspective, there are always three angles that you need to trade-off between. It’s the technology stack that you use, it’s the operational measures that you put in place and then it’s the legal security that you have, and also to the converse, which is elements of legal insecurity that may arise from the operation of the system. If you look at where we are today, you can make decisions and you may have the best technology, but a very bad operational model, so it won’t help you that much. You may have the best technology and some aspects of legal insecurity when you look at the legal basis. And that, by the way, is the state of the art of the cloud today. If we use a US cloud property, then you end up having a situation where basically the technology has been worked out by very massive companies. The operational model and the security of the operation model has been greatly simplified so that you effectively don’t depend on the total competency of a very large number of people within your organization. You can rely on the operational competency of people who are paid to be obsessed about it. And of course, what you trade-off is the fact that you don’t have the same legal security and clarity that you’d have if you were to operate things yourself. And so those trade-offs are inherent into the modern IT world.
The other one that’s very important to always keep in mind is this notion of… With trust is the notion of privacy by design. Try to minimize how data is organized, how data is collected, making sure that data could be erased, making sure that if data were to be lost it would not be reversible back to clear data, at least to the extent possible. And systems need to be organized to minimize the amount of data they collect. And then make sure that they manage the data that they do collect in the most privacy preserving and security conscious manner, and the most transparent manner as possible.
Mr Florian Schütz: Let me take up the second part of your question about regulation. The way you put it, it was like, okay, we need more regulation. To me, it was quite interesting how quickly people ask for regulation and at the same time how they don’t want regulation at all. That’s always a difficult thing. Personally, I do think we should limit regulation as much as possible, because having good regulation that still keeps enough openness for innovation and competition and these things is very, very difficult. And often, the markets sort themselves to a certain extent. That’s where, for example, everyone’s responsibility comes in.
If you are a company, if you are doing a contract with an IT provider, ask them about their security and don’t buy the service, if they don’t offer an adequate level of security. If everyone does that, we don’t need to regulate that, because the market does. That’s just examples, but then there are areas where regulation is needed. Regulation can be something that you can use for two things. A, you can level the playing field, so you can take competitive advantage out for those that don’t behave to the same set of rules and values that the other marketplace takes and the other is, you can really increase the level of compliance, and by that, improve the level of security. But these are instruments that need to be considered very carefully. And it’s also a very different situation. It’s hard to find one size fits all regulation. I often get asked, what do we need to do for small and medium sized enterprises? What do we need to do for the big ones? That’s completely the wrong method! It’s the question of the degree of digitalization. What’s the assets that you actually have? If you are a biotech company that has this revolutionary new method for, I don’t know, genome sequencing or something, well you need a different protection level than the big E-commerce that sells fruits, or… I’m making this up, of course, but…
Dr Christian Folini: Customer databases are something completely different.
Mr Florian Schütz: I’m not saying it’s not valuable. Personal data is something of the most valuable we have, but that’s, as I said, if you apply data minimization schemes, and basically everything you leak is also in the phone book, that’s probably less of a problem than a genome database with genomes of group at risk in our population. So, it’s this risk topic. Regulation isn’t the one size fits all. In actual fact, there are many, many more measures that can be taken before.
Dr Christian Folini: Okay. Okay. Florian, you mentioned SCION as a very interesting project before. Ed, let’s say SCION would have a Swiss tag: “Made in Switzerland” on top of it, if it takes off. What other interesting research can we see maybe also at EPFL, Security Innovation Park, Centre for Digital Trust, what should we look out for?
Professor Edouard Bugnion: I think one of the things that’s most interesting sort of in our part of the country is, that we have the combination of the technology depth at EPFL, and Lausanne International. Lausanne International is actually sort of moving up and becoming sort of a hub to reflect on Cyber Security. There is an interesting set of new initiatives popping up over there. The Cyber Peace Institute is one of them; they are a partner of the Centre for Digital Trust. The issue of attribution of attacks is becoming a significant problem. It is poorly defined from a multi stakeholder perspective. There is no clear understanding between countries on how to reason about attribution of attacks. Even though it is becoming more and more of a pressing problem, even though now we actually have the demonstrated proof unfortunately, that a cyberattack even a form of vandalism can actually lead to the death of some people in some circumstances.
So, the ability to create attribution, it’s a diplomatic problem. We are looking at it from a technology side. We are also looking at how the impact of technology on the humanitarian sector, how to provide aid to beneficiaries in a privacy preserving way in countries where the legal basis may be very different or non-existent than we have in the countries we are used to. So, there are a lot of really interesting challenges that are basically at the intersection between hardcore computer science and the fields of applications. We’ve talked about health. I mentioned the humanitarian sector. We mentioned attribution of attacks coming from rogue countries. These are all things that are core to the thinking at the EPFL right now and, more generally speaking, in the area.
Dr Christian Folini: Okay. Very good. I look at the time there, we are three quarters in. It’s about time to see if we have any questions from the audience. Simon is bringing a few. Oh, that’s a huge, huge pile. I hear that we had sound problems for the first two or three minutes on the stream. Sorry, and thanks for your patience and that you didn’t drop out. I don’t know what we missed, but we are not going to repeat it.
Mr Florian Schütz: I’m sorry. It’s not scripted, I can’t repeat it.
Dr Christian Folini: I need to understand this first. Okay. Oh, yeah, that’s fun. Has any of you news about the dedicated Swiss cloud? US Privacy Shield is a key word there. Maybe in the context of the National Cyber Security strategy, but it sounds like that should read the private sector first.
Professor Edouard Bugnion: Well, there is no US Privacy Shield anymore. It’s dead. It was invalidated.
Dr Christian Folini: So, what do we do?
Mr Florian Schütz: I just can’t give you a general answer. We are not in a vacuum. Switzerland is part of the world and there are foreign countries. In the end, we need to discuss with these countries and agree on regulations that span our countries, because the internet is global. It’s not something that only exists within borders. So of course, I think where we need to become really good at is to identify upcoming discussions on regulation, be it by others or be it on our own need, very, very quickly, and then formulate a strategy and actually participate in the negotiation. Because if you don’t sit at the table, in the end, you, in my opinion, always end up losing. Even if you sit at the table, you can always say no or yes. That’s your decision then.
Dr Christian Folini: Okay, okay, that typical Swiss problem, we want to be at the table and some of us don’t really want to be at the table, but then we kind of have to be at the table.
Mr Florian Schütz: I have to disagree slightly there because I honestly think the way, or Switzerland being at the table actually had a very, very positive impact on the development of our country and actually, we are known as a very trustworthy and transparent and reliable partner. I think what’s important is that we need to make clear what our interest is in something, and we also need to declare our interest. We mentioned SCION. I personally think we should have a strong interest that this becomes a global standard. That’s something that we need to put out there. It’s always negotiation, give and take and put things on the table.
Dr Christian Folini: Yeah and we need to get interest, big guys, big parties into the thing that was developed in Switzerland. And that is negotiation, obviously.
Mr Florian Schütz: It’s negotiation and showing sense – and we should not be scared. We can do that. I mean, I’ve had discussions with multiple representatives of different countries who are responsible for cyber security. We don’t have to hide. Actually, what I get pretty often is, we think Switzerland is having a very interesting approach. It’s very structured, can we learn from you? Which comes as a surprise to me as a Swiss because we tend to be self-critical, but you know we get applause for that, that’s a good sign.
Professor Edouard Bugnion: My view on Privacy Shield and Schrems, Schrems II is, it will be an opportunity. But I think nobody can really read through the tea leaves and know exactly where this is going to go and the impact that this will have. It’s very clear that we now are in an era where there is some legal insecurity. There is more legal insecurity than before. Some of it is legal insecurity for Facebook and others who are collecting data of citizens. That’s basically it’s between citizens and these large companies. It does increase the legal insecurity for some companies who want to basically rely on existing US resources, which these companies will have to reason which is not well understood. Of course, this is something where these technology giants of course, they want to serve customers in a way that actually meets the customers’ requirements.
The migration to the cloud is one of efficiency and scale. I go back to scaling all the time. It’s not designed to effectively allow US law to operate on data of non-US entities. That is never the purpose. That has never been the purpose from the perspective of these commercial providers. It is the reality that they live in and this is where potentially there will be a combination of technological, operational and legal solutions to this problem. There were cases of sort of European sovereign cloud deployments based in Germany. One of the things I think that we will need to really reflect on in Switzerland is the granularity in which we think about the borders and scale. If I give the example of… In the Swiss system, we have a commune system. I think the communes have generally understood that it’s okay if the data of their commune is actually managed in a data centre in another commune. Then you actually have a slightly more complicated discussion if you think about would a Canton be comfortable having its data being managed in another Canton? I will remind you: we have 26 of them, including some quite small ones. And, of course, Florian and I will answer well, it’s only rational to basically put servers in secure data centres and dedicated facilities. We probably don’t have one of those in every single one of our 26 Cantons. And yet, that is actually a conversation where I’m sure that if we were to dive into the details, we would find some very strong resistance by a Canton to give up the fact that the computers of their citizens would be run in another Canton.
Of course, this is all anecdotal. The real question is Europe. Because we need to really think about for which tech class of service, the Swiss doesn’t have the scale to actually have a form of a digital infrastructure. We may have some things that are either very critical and we would run them locally at a premium. We may have it in some cases where we have a unique selling value proposition where we actually do that, including on an export basis. In some cases, the rational thing is actually to come up with some kind of equivalence so that we agree once and for all that Europe is a domain of equivalency…
Dr Christian Folini: That was the idea of the Privacy Shield. That was the … .
Professor Edouard Bugnion: No, the Privacy Shields are different. Privacy Shields are not between European countries. Privacy Shield is between Europe and the US. Privacy Shield is basically the EU with its critical mass protecting the right of its citizens. We are not part of it in a way. We just copied it. What I’m saying is the role of Switzerland with respect to Europe, when it comes to IT infrastructure and scaling infrastructure… And I think this is actually going to be a political question that the country will have to face at some point.
Dr Christian Folini: Okay, okay. Good. Another question, which I dropped from my question, but now we have it from the audience, I have to ask it. What is the formal relationship between the National Cyber Security Centre and the Führungsunterstützungsbasis of the army? I mean, you made a cut there, but I see them racking up numbers on the military side, they are talking about a cyber battalion now, and these people want to be exercising and do something. While it’s your numbers in your teams, they are growing modestly. Is this because you are much more efficient, and they need more people for the same job or…?
Mr Florian Schütz: That wouldn’t be fair to say. It’s important to understand, I do lead the National Cyber Security Centre, but first and foremost, I’m the delegate for Cyber Security of the Confederation, not of the EFD, not of the National Cyber Security Centre. I am basically there for everyone. I’m trying to help everyone and I do think what the military is doing there is absolutely the right thing. Future conflict has a very strong cyber dimension, and it only makes sense to invest in capabilities to actually defend from and operate in these domains. I think that’s one.
The second one is we need to be careful with the numbers. There is no real classification of how these numbers are counted. Is the person doing maintenance on the server that has security aspects in the top a cyber security person or not? How do you count this? There is no agreed rule of thumb. To answer the question, how is the collaboration going and if you’ve got more questions in detail, I can’t answer it in detail here, but you know… just right… In general we have the Cyber Board of the Confederation with the Federal Counsellors from Department of Defence, Department of Justice and Department of Finance. We have attributed core responsibilities for defence, military and intelligence defence in the Department of Defence, the core responsibility for cyber-crime, the Department of Justice and all the rest of the Department of Finance.
I represent two entities in that group: (A) the core group which I preside, where I have colleagues from Department of Justice and Department of Defence, where we discuss these processes, how we collaborate across government and so on. That’s where my colleague from the Department of Defence actually puts these topics on the table and we discuss them in the group. And (B) then we have the steering committee for the National Cyber Security strategy. I’m not going to repeat the full name. There we actually collaborate with not only government, but also private organisations. EPFL is there, ETH Zurich is there, associations, Cybersafe is there. We have approximately 80 projects there, you talk about the strategy, and there we steer these projects, how they contribute to the national strategy. That’s very brief. Of course, we have a lot of different entities that sort of fit in that big picture.
Dr Christian Folini: Okay, good. Here is a news bit from Germany where the Bundesland Baden-Württemberg (that’s the one across the border in Basel) they opened a phone hotline for everybody just to ring in. And you just told us that you are there for everybody. So, is that a thing that is coming? You really want to respond like the fire brigade. My roof is on fire, my data is on fire. When I purge that, will be a surprise?
Mr Florian Schütz: In the context of my answer, I am there for everybody within government, but my role also involves collaboration with the public and being here actually is part of my role. Phones are maybe a little bit 80s. While I like all this 80s vibe, it’s probably not going to scale. And we discussed… Ed mentioned it often: scale, that’s really important. We need to learn, we need to become better at scale. I have a vision, though it’s a bit daring to talk about it in public, but my vision would be a platform where we actually can bring different actors that have a relevancy in the cyber domain, be it cyber risk, be it a very digitized company, be it citizens, where people can participate, and where actually communities also can help each other.
We get a lot of reports from people that fell victim to an online fraud or scam. Now, of course, we get the email, we send an email back, we explain to them what to do, we collaborate with police and everyone to make sure it is correct. But also, there are a lot of things that are not yet really a criminal act, fakes, extortion and so on, but people are insecure. I believe if we can build a platform where experts and communities can connect, and someone can just ask “hey, I got this email, I’m not sure what to do”, and someone, not a government official, just someone can actually answer and say “yeah, I’ve seen that before. It’s not that bad, don’t worry. Report it to the government and it’s done. We don’t have to do anything.” That could generate an environment of collaboration. That’s actually very strong in Switzerland. We know each other. We collaborate. If I’ve got a problem right now, Ed can help me. I just call him up.
But again, we also just meet maybe in a forum. I’ve seen in private industry for managing incidents, not just cyber incidents, but general incidents. We have big ones in the companies, I have heard from time to time. If an online service is down, and that’s a major part of your business, you lose a lot of money very quickly. The most effective instrument was a chat, where people just typed in their answers. You can scroll back, you can read, you can actually say, oh, no, you really said… Oh, you know, I forgot. Why not use these elements? I’m not saying that everyone needs to use it, maybe there is also a person that wants to phone in. I’m afraid we might not offer that, but we have that for example, for critical infrastructure, they can call us on the phone 24/7.
Dr Christian Folini: And they do?
Mr Florian Schütz: Yeah. We don’t have that many incidents that require them to phone us, but if they need to, they do. Yes.
Dr Christian Folini: Okay. Okay. There is maybe a final question before we wrap it up. Strategy Secure IT infrastructure of municipalities. So, we have… The Federation has three layers; that’s the state level Switzerland, small country within Europe, we have the Canton level, and a lot of autonomy is happening at the community level, municipality level. And within the cyber strategy – making this transparent: I took part in one of the workshops – there was an initiative to help with the municipalities to wrap up their cyber status or the cyber posture. Is that happening or… because I get the feeling Switzerland, the government is fairly good, they have the money, they have the plan, and they have the experts. Cantons are not doing so well, and then on the municipality level where people are actually living, they are really behind and they need support.
Mr Florian Schütz: I don’t think it’s a fair assessment. There are Cantons that are really, really good at what they do. You were just in one. Canton de Vaud is really, really strong in Cyber Security. It’s impressive what they do and they are very invested. At the municipality level, you have some that have a fairly decent amount of security and some that don’t. What we do within the strategy, for example, we work with that label Cybersafe, and we do a pilot there, where they basically help municipalities to implement a baseline security level. And then they sort of give them a label if they do, and we collaborate there, from a government side under the National Cyber Security Strategy. And there are other initiatives.
Professor Edouard Bugnion: Maybe just to add, I think your question and Florian’s answer was in a way, a pre-COVID question and a pre-COVID answer. I think what’s also legitimate to say is, okay, do we think about COVID? Do we think about things differently now that we’ve seen, what it means to actually be forced to go through this massive accelerated digital transformation because of COVID, as a side effect of COVID? It’s very clear, right, some part of the infrastructure, the educational system and the administration system were able to function perfectly fine during the crisis, when everybody was working from home and then other things got delayed in a very, very significant way. I think, what we need to do, and we will be able to do, once the crisis is over, once we will be post the crisis mode is to analyse, in which cases the service level agreements that the citizens have with various parts of the administrations, were met, and in which cases the service level agreements were not met during the crisis.
I think this will be very, very closely correlated with the level of preparedness from a digital transformation perspective. I’ll give a few examples. Can you operate with digital signatures with your administration? Can you do all of the regular change management that you would have from an account perspective with the administration over the Internet in a safe and secure way? Or do we still rely extensively on pieces of paper going through the mail that will then need to be processed by people who need to be physically on site in order to handle it. I think this post mortem will be very effective. I think it is not a cyber security question per se but these two things, the digital transformation and the need to secure the infrastructure, because it is so critical, will go hand in hand, because what we want is to make sure that we have a target that is both efficient, as well as secure.
Dr Christian Folini: Okay, thank you. That sounds like a good closing word here. I thank you very much for participating.
Mr Florian Schütz: Thank you. Just if I may propose one thing, I see you still have many, many questions on there. So, if you want to hand them over after the chat, actually, I could give you some answers that you can then distribute to the audience that didn’t get the chance to ask. It’s just an offer.
Dr Christian Folini: That is an offer. And then we go through my huge pile of additional questions here as well. Thank you for the proposal. So that will be on the YouTube channel. Thank you all for watching at home with the patience when we had sound problems. Also thanks to our sponsors, they are probably on one of the slides here, and I thank EPFL and you Ed for having us. If you are bored at your home offices, and there is no Swiss Cyber Storm today, I recommend watching last year’s Cyber Storm talks that you didn’t. They are all here on the YouTube channel. The highest rated, based on the feedback of our audience, was one by Tobias Ospelt, Michael Hausding and Dave Lewis. Thank you, everybody for watching.