Take-Aways (AI)
  • Introduction of mandatory reporting of cyber attacks would improve the available data, raise awareness and increase deterrence against cyber criminals.
  • Federal Council to review models by summer 2019; a reporting obligation must be administratively justifiable and offer positive incentives and support.

Interpellation Paganini (18.3562): Cybercrime. MELANI mandatory reporting

Submitted text

Cybercrime is becoming an ever greater problem for private individuals and especially for companies. According to the latest figures, 88 percent of companies fall victim to cyber attacks every year. The voluntary reporting option to MELANI, the Federal Reporting and Analysis Center for Information Assurance, is not used by many victims: a company does not want to admit that it has been the victim of a cyberattack for fear of possible damage to its reputation; the attack was not considered important enough; or the company is even urged by the attacker not to report the attack under threat of further damage. Failure to report, however, can become a problem for the response to cybercrime. It leads to an underestimation of the scope of the problem – not only the number of attacks, but also the prevalence of certain attack methods.

The introduction of mandatory reporting, at least for companies, would not only lead to the collection of sufficient data in the area of cyber risks. It would also make it possible to strengthen awareness among the population and companies and exert a certain deterrent effect on cyber criminals. The Federal Council wants to explore the possibility of a reporting obligation as part of the review of the National Strategy for the Protection of Switzerland against Cyber Risks (NCS) 2018–2022. I would ask the Federal Council to answer the following questions:

1. By when will the option of mandatory reporting of cyber attacks be examined? In what framework will it present the results of this examination and take the decision whether or not to introduce the reporting obligation?

2. To what extent does it take the negative effects of increased bureaucracy for companies into account when considering a reporting obligation?

3. Have there been any data protection concerns from companies, or even data leaks from reported attacks, in the past under the voluntary reporting arrangement?

4. If no reporting obligation is introduced, is it already considering how the incentives for companies to report cyber attacks could be increased?

5. To what extent does today's sparse data hinder improvements in cybersecurity?

Statement of the Federal Council of 29.8.2018

The Federal Council shares the view that a reporting obligation for cyber attacks of all kinds can increase awareness of the risks and thus strengthen Switzerland's protection against cyber risks. However, experience from abroad shows that a reporting obligation only has the desired effect if the effort for the reporting companies is justifiable and if the report is linked to positive incentives. The Federal Council answers the questions as follows:

1. Following the adoption of the National Strategy for the Protection of Switzerland against Cyber Risks for 2018–2022, clarifications on the introduction of a reporting obligation have begun. The aim is to develop basic principles by the summer of 2019 which enable a decision in principle to be taken on the introduction of a reporting obligation. Parliament will be given the opportunity to take a decision within the framework of the report fulfilling Po. 17.3475 Graf-Litscher.

2. The Federal Council is aware that a certain administrative burden for companies cannot be avoided if a reporting obligation is introduced. It takes this into account when weighing up the advantages and disadvantages of a reporting obligation and when examining various models for its possible implementation.

3. There is no evidence that the reporting of attacks to MELANI has ever been affected by a data leak. Whether data protection concerns lead to non-reporting cannot be said with certainty. However, MELANI has been able to build a relationship of trust with and among the companies participating in its network. A survey in 2015 among the members of MELANI's closed customer circle, which is reserved for operators of critical infrastructures, confirmed this. These companies also have a "non-disclosure" agreement with MELANI which regulates the handling of shared information.

4. Experience shows that the strongest incentives for reporting an incident are the offer of assistance in coping with the incident, the possibility of anonymized information exchange with other affected parties if required, and access to the network of national and international security experts. These incentives work very well in the existing model with a limited group of participants. MELANI is working on models that should make it possible to maintain these strengths even with an expanded clientele.

5. Thanks to the reports from the closed customer base and MELANI's national and international network, the data situation today is sufficient for a solid and up-to-date assessment of the situation in the cyber area. More data would allow more precise analyses, and it can be assumed that a reporting obligation would increase sensitivity to cyber risks.