A special commission investigating a data breach which took place at the Federal Intelligence Service (FIS) in 2012 said on Thursday that Swiss intelligence seriously compromised its information security before and after the incident.
In its abridged report, the commission blisteringly criticised the role of FIS chief Markus Seiler in the breach involving data theft. The commission found that Seiler had seriously downplayed the FIS’s role in the breach. It also criticised him for signing off on measures to prevent a similar incident from happening again when, in fact, those measures had never been taken.
In May 2012, an IT specialist at FIS stole a hard disk with sensitive data which he then wanted to sell abroad; in the end, he was unable to do so. The data thief blew his cover when he told a UBS employee that he wanted to open a numbered bank account because he was expecting a large amount of money from the sale of federal data. The banker became suspicious and notified the authorities.
Without the tip-off from UBS, FIS would not have tracked down the data thief within a reasonable period of time, the investigation showed. The commission said it had no reason to believe that the “at best rudimentary existing” controls at the service would have generated any evidence.
Parliament had ordered an investigation to examine FIS security controls and to explain why the service and defence minister Ueli Maurer were so slow to react. Maurer, who has since taken over the Swiss presidency, was criticised for relying solely on information provided by FIS during the first three months after the discovery of the breach. That information focused on the thief’s actions and disregarded relevant goings-on at the service.
“The inspection showed that the management of the FIS lacked a sufficient understanding of the rules the service had to observe in the area of information security,” the commission members wrote.
The fact that an FIS employee was able to steal a large volume of secret data is attributable to “fundamental shortcomings” in the organisation, the commission found. It described the service’s risk management as “deficient” and said there was no indication of a systematic risk management strategy.
The report found that “before the data theft, FIS had not taken several technical and organisational measures which would have been a fundamental part of information security and which in part would also have been required by the government or by the ministry of defence.”
For example, IT specialists had unrestricted access privileges, and it was not possible to restrict access rights to an individual user. “The prescribed security concepts for the application and systems were largely insufficient or lacking,” the commission wrote. There was also no emergency planning for the case that the system or data were thought to be in danger.
According to the report, the problems started when the two former intelligence services were merged. FIS subsequently had to supervise a large number of IT systems with sparse personnel resources. For the commission, this was the result of a lack of preparation.
The investigative report itself will not be published for reasons of state security. The government has until the end of October to comment on the commission’s recommendations.
swissinfo.ch and agencies