Setup at full speed
Swiss Federal Government // On January 30th, 2019, the Swiss Federal Council passed a resolution to create the National Cyber Security Centre (NCSC). This was established based on existing structures, but had to rapidly develop new services and determine its own form as an organization.
“The Federal Council has been commis-sioned [...] to create a cyber security center at federal level and introduce the necessary measures to make it happen. This organizational unit will be tasked with developing the necessary expertise to ensure cyber security and coordinating it nationwide.” The initiative, which was forwarded as a motion almost unanimously at the end of 2017, left the parliament of the Federal Council in no doubt that the area of cyber security would need to be expanded and centralized. This put increased pressure on the planned reorganization of the government and almost certainly contributed to the Federal Council’s decision to create the National Cyber Security Centre (NCSC) a little over a year later.
As a result, the NCSC faced high expectations from the very beginning. It had to be set up quickly and with relatively few resources, while being capable of covering the broad spectrum of subject areas related to cyber security and finding a meaningful way to divide roles with other federal agencies. This starting position posed various challenges of a political, administrative and organizational nature. During the two years in which the NCSC was being set up, these were precisely the areas where issues needed to be resolved.
Unclear requirements on the NCSC
The central political challenge for the NCSC lies in the expectations of politicians, business and the general public, which were made clear in the parliament’s decision. This has less to do with high expectations than it does with the fact that political debates about the role of the government in cyber security are only in their infancy. Apart from the National Strategy for the Protection of Switzerland against Cyber Risks (NCS), there are no clear guidelines as to what role the government should assume in relation to cyber security. Currently, there are no clear legal provisions for the scope of the NCSC’s responsibilities and its freedom to act. Developing these will take time. It is necessary and right that questions such as these, which are important for state policy, are discussed in parliament with the appropriate amount of care, and defined accordingly. However, this leads to the situation where the NCSC is established before key questions have been conclusively resolved.
The NCSC is therefore actively seeking dialog with politics and business through the federal government’s Delegate for Cyber Security, Florian Schütz, and will adjust the scope of its responsibilities according to expectations. The center will furthermore be strongly aligned with the national strategy. Accordingly, it began operating its national point of contact for businesses and the general public in January 2020. This receives and analyzes reports of cyber incidents and advises those af-fected on how to proceed, as the first line of assistance. In doing so, the NCSC makes an important contribution to providing increased protection against cyber risks for SMEs and the general population, as envisaged in the strategy.
Division of tasks within the federal government
A further challenge lies in the clarification of boundaries with other administrative units of the government. With the decision to create the NCSC, the issue of cyber security was by no means a greenfield scenario for the government. Administrative units of different departments were used to dealing with the issue from their own perspective and within the scope of their own remit. Cyber security was and continues to be seen as an interdisciplinary issue, which can only be effectively managed by incorporating expertise from different areas of government.
“This starting position posed various challenges of a political, administrative and organizational nature.”
In 2019, the Federal Council decided that the NCSC should be founded on the existing structures of the well-established reporting and analysis agency MELANI, a decision that has made the establishment of the center much simpler and faster. At the same time, the Council created a cyber committee of the federal government and two inter-departmental coordination committees: the Cyber core group and the NCS steering committee. In doing so, it has made clear that, while it takes into account the need for greater centralization in government, it maintains the principle that cyber security should continue to be advanced by the relevant agencies within their specialist areas.
Operational tasks required while center still in development
The last major challenge is one that was clear from the beginning. Since the NCSC needed to take up its operative function very quickly, its development would be an ongoing process. Structures needed to be created and filled, without knowing from the start how many resources could be used or what tasks might be added to its remit. This placed high demands on the flexibility and availability of employees and management. Fortunately, it turns out that this challenge has been dealt with very successfully, as the opportunity to build an organization that functions effectively in the long term provided the necessary motivation. The NCSC has also found that, despite the lack of skilled workers in the field of cyber security, it has been able to recruit extremely well-qualified personnel within a short space of time.
After two years, the result is undoubtedly positive. Today, the NCSC performs important functions and has helped the federal government demonstrate a clear approach to cyber security. Of course, the aforementioned challenges are not yet fully resolved, and they are surely not the last. However, thanks to the foundation that has been created in the past few years, we can be optimistic about the NCSC’s further development.