Submitted text
I put the following questions to the Federal Council:
1. what types of data are involved in the contract mentioned in the explanatory memorandum, which was awarded to Hewlett Packard?
2. what assurances does the Federal Council have that this data will not be disclosed to other intelligence services, especially US intelligence services?
3 What does the Federal Council intend to do to ensure that the contractual obligations regarding data security are also complied with? What sanctions are envisaged in the event of non-compliance?
4. the media release of 23 April 2015 mentions “compliance with the guidelines of the federal administration”. Which guidelines are we talking about?
5. where is the data stored? Are they subject to Swiss law exclusively at all times?
6. if the data is stored exclusively in Switzerland, can the Federal Council ensure that no copies are sent to other countries?
7. what happens to the data if the hosting provider goes bankrupt (cf. Federal Council’s reply to my Question 14.1064)?
8. why were foreign private companies considered? Why can’t the service be developed internally? Why could no Swiss company be considered?
9. why does the Federal Office of Information Technology, Systems and Telecommunication (FOITT) not invoke the exceptions under Article 3(2) of the Federal Law of 16 December 1994 on Public Procurement?
Justification
On April 23, 2015, the FOITT announced the award of two contracts with a total volume of 197 million Swiss francs. The cloud will be developed with Hewlett Packard. The company Teradata is responsible for the data storage project. This order volume amounts to 137 million Swiss francs.
Hewlett Packard is a US company. Teradata (Schweiz) GmbH is the subsidiary of a US company. Under U.S. counterterrorism laws (e.g. Foreign Intelligence and Surveillance Act; cf. Interpellation 13.3033), however, these companies can be required to disclose to U.S. intelligence agencies all data in their possession without notifying the owners of the data. It must be ensured that the federal government’s data is spared this fate.
Statement of the Federal Council
By way of introduction, it should be noted that the Federal Office of Information Technology, Systems and Telecommunication (FOITT) has procured a platform for an internal federal private cloud, which is operated by the FOITT itself. It is therefore not, as could be inferred from the questions, a service in a public cloud which would be operated by an external provider.
1. as a service provider, the FOITT will provide its service recipients (interested federal offices and other federal administrative units) with standardized private cloud services on this platform, such as virtual servers. It is up to the individual administrative units to decide which data will be managed via the platform; it can be assumed that both unclassified and “Internal” and “Confidential” classified data will be processed or stored on this platform. Over the next period of time, this platform will replace a similar platform that is already operated by the BIT in the BIT data centers using Hewlett-Packard technology. In the process, new functionalities will be available to BIT customers, offering greater flexibility and automation in the provision and use of the platform.
2/3 The cloud platform is operated in the FOITT data centers by FOITT employees. This is optimal for compliance with the guidelines of the federal administration, especially with regard to security. Hewlett Packard only provides the hardware. In order to further minimize the risk of data leakage, maintenance operations by the supplier are carried out in such a way that the work can be monitored. For this reason, in this particular case – in contrast to managed services, for example – guarantees on the part of Hewlett Packard are sufficient, as the federal government usually demands from hardware suppliers. These guarantees include compliance with the obligation to maintain secrecy and data protection, which were formulated in the WTO proceedings as mandatory criteria for the award of the contract in the draft contract and which Hewlett Packard has accepted. In the event of data theft, the provisions of criminal law (for example, Art. 143bis, 144bis StGB) are also applicable.
4. the guidelines mentioned include in particular the directives of the Federal Council on ICT security in the Federal Administration of 14 August 2013 (WIsB), which have been revised and will come into force in the new version on 1 January 2016 (directives of 1 July 2015). The guidelines mentioned also include the specifications of the Federal IT Steering Committee on ICT security (see www.isb.admin.ch > Topics > Security > Security fundamentals > IT security directives). In addition, Swiss legislation on this topic, such as the Federal IT Ordinance of 9 December 2011 (BinfV; SR 172.010.58), the Ordinance of 4 July 2007 on the Protection of Federal Information (ISchV; SR 510.411), the Data Protection Act of June 19, 1992 (DPA; SR 235.1), the Ordinance of June 14, 1993 on the Federal Data Protection Act (DPA; SR 235.11), and the Government and Administration Organization Act of March 21, 1997 (RVOG; SR 172.010). On 29 January 2014, the Federal Council decided to draw up principles and principles to minimize the risk of intelligence spying by instrumental ICT providers. As a new element of the ICT security procedures, a corresponding audit concept has been tested for sensitive procurements since the end of 2014. This risk management method for reducing intelligence spying (Rina) has been incorporated into the new WIsB. As part of this work, the procurement of a cloud platform was also tested and the selected organizational and security solutions were judged to be appropriate.
5/6 The data is located on the cloud platform, which is operated in the FOITT data centers by FOITT employees. Therefore, the data always remains under Swiss law. Maintenance operations by the supplier are carried out in such a way that the work can be monitored. This minimizes the risk of data leakage. However, since every data platform is always exposed to a residual risk of data misappropriation, no formal guarantee can be given against data misappropriation.
7. since no data storage by a private company is provided for, the question of a possible bankruptcy of the hosting provider does not arise.
On the one hand, it must be noted that there is no Swiss manufacturer for the technology put out to tender, in particular its hardware, which integrally produces these systems in Switzerland. On the other hand, the procurements of the Federal Administration are subject to WTO law, which is based on the principle of non-discrimination.
Based on established case law, the application of the exception clause under Article 3(2) of the Federal Act of 16 December 1994 on Public Procurement (SR 172.056.1) is only permissible under strict conditions. It must be proven that alternative, less competition-distorting measures were examined and that these did not prove to be suitable, i.e. sufficiently risk-reducing. In the present case, the application of such an exception was not justified.