Two Swiss cybersecurity experts argue that a newly created national organisation is a good platform for addressing online attacks, amid increasing threats to business, government and private citizens.This content was published on September 7, 2020 - 09:03
Switzerland’s new National Centre for Cybersecurity (NCSC) started work on July 1 but many of the political issues are still to be worked out. Does this mark an end to bureaucratic wrangling over spheres of responsibility? Or is it a typically Swiss solution that relies on decentralised structures and massive coordination?
Cybersecurity has developed from a niche technical subject to a long-term security policy issue over the past ten years. One of the reasons for this is the steep increase in strategically motivated cyber incidents led by state actors, which is a reflection of current geopolitical tensions.
The perceived urgency of national security matters often sidelines other considerations, or at least gives the impression that extraordinary, even undemocratic measures are needed. This tendency also applies to cybersecurity. But it isn’t just a national security issue: cybersecurity cuts across disciplines, and therefore requires solutions that can only be achieved when multiple actors cooperate.
Experts agree that a satisfactory level of cybersecurity can only be achieved with an alliance of state authorities, business and society. This puts cybersecurity policy in a political realm where different interests must be understood and consciously balanced.
This is precisely what the National Centre for Cybersecurity intends to do. However, simply creating structures is not enough. Cybersecurity policy requires complex and dynamic negotiations in three areas of conflicting interests that haven’t received enough attention up to now.
Government and business
The first area of conflicting interests is between the government and the business community. This includes the question of how policies prevent the negative consequences, of liberalisation, privatisation and globalisation, without dampening their positive effects.
These negative consequences may be related to investment decisions made in (privately owned) critical areas of infrastructure that are not necessarily optimal for society. Decisions by private actors in one sector could also have negative knock-on effects on other sectors. In this area of conflicting interests, it is up to the state to guarantee national security, including the resilience of the entire social system.
Government and citizens
The relationship between the government and citizens is another area of conflicting interests, where political balance is needed between the need for security on the one hand and personal freedoms on the other. Additional powers for the police or intelligence services come into conflict with civil rights, particularly the basic right to determine how personal data is used and the right to online anonymity. What is often overlooked in these debates is that cybersecurity is just one of many other areas where the state has to deal with competing priorities.
Citizens and business
The third area of conflicting interests – between citizens and business – attracts the least attention by regulators. It is about creating the conditions for an effective security environment. Can a market with huge, quasi-monopolistic technology firms be regulated to achieve the right balance between security and functionality? What incentives can make digital service providers more committed to security?
In democracies, these conflicts have to play out in the political arena and must be addressed systematically. For example, to fight crime, the government may, on the one hand, want to use modern intelligence capabilities to exploit vulnerabilities for surveillance purposes.
On the other hand, it also has an interest in the broadest possible use of secure technologies by business and society. What this debate requires is a better understanding of the different and equally important roles that the state must fulfil in the realm of cybersecurity.
Alongside its role as a guarantor of safety and security as well as a legislator and regulator, the state also serves as the supporter of wider society, as a partner for industry, as a creator and disseminator of knowledge, and last but not least, as a threat.
The multiple aspects of cybersecurity must be understood in order for us to be in a position to understand, prioritise and address all the political and social issues that need to be addressed. The creation of the National Centre for Cybersecurity offers a good platform for this.
The views expressed in this article are solely those of the author, and do not necessarily reflect the views of swissinfo.ch.
A version of this article was originally published in German in Defacto. Language adaptation by Catherine Hickley and Jessica Davis Plüss.