Motion Eichenberger-Walther (16.3186): Exchange of technical information
Not yet dealt with in the Council. The Federal Council proposes that the motion be rejected.
Submitted text
The Federal Council is invited, in connection with the review of the “National Strategy for the Protection of Switzerland against Cyber Risks (NCS)” to be submitted after five years (in summer 2017), to show how data protection, data security and the fight against cyberattacks (crime, espionage, theft of intellectual property) are clearly demarcated from each other in legal terms so that data is protected but the exchange of technical information is enabled. A legal basis must be created for the exchange of technical information.
Justification
Given the sensitivity of the data of victims of cyberattacks and the technical complexity, a clear delineation of the issues of data protection, data security and the management of cyberattacks seems urgent, as does the legal basis based on them, which allows the exchange of technical information under clear conditions.
Statement of the Federal Council
The legal framework is as follows:
In the context of an ongoing criminal investigation, the Code of Criminal Procedure sets the framework of secrecy or publicity of the proceedings.
As far as information from intelligence sources is concerned, this will be regulated in the new Intelligence Act (against which, however, a referendum was held).
As a rule, technical information processed in connection with cyberattacks does not constitute personal data; in these cases, there is no personal reference. This does not apply to information that allows conclusions to be drawn about the persons or companies concerned. This means that technical information does not in principle fall within the scope of the Data Protection Act (Federal Act of 19 June 1992 on Data Protection, FADP; SR 235.1). Consequently, there is no need for delimitation or (additional) protection here; the risk of a personality violation is extremely low in these cases.
(Personal) data of victims of cyberattacks are already considered personal data requiring special protection under the regime of the current FADP (if they relate to administrative or [not pending] criminal sanctions/prosecutions); they are subjected to increased technical and organizational protection, which is sufficient.
The Federal Council now interprets the motion to mean that it should be possible to exchange technical information between the state and the private sector for the purposes of prevention.
In the area of critical infrastructures, a public-private partnership between the state and the private sector, the Reporting and Analysis Center for Information Assurance MELANI, has existed since 2004. MELANI brings together partners who are active in the field of computer system and Internet security and the protection of Swiss critical infrastructures. Such cooperation requires a high degree of trust so that information can be exchanged between the partners.
An important criterion here is that the information supplier classifies his information today according to an agreed system. If this information is classified as confidential or even secret, he trusts the state not to disclose it. This also applies to technical information, as it is often possible to draw conclusions about the information supplier, i.e. the injured party, on the basis of this information. The exchange of information with further circles can only take place within this framework. From today’s perspective, there are no plans to change this practice, as it could jeopardize the very good cooperation between MELANI and the operators of critical infrastructures.
The exchange of information between MELANI and the operators of critical infrastructures is also the subject of the planned Information Security Act (ISG). The ISG dispatch is expected to be adopted by summer 2016 following consultation with parliament.
Since several areas of law with diverse interfaces are involved, the NCS coordination office works with the federal offices responsible for the areas to ensure that coordinating cooperation is consistently ensured in legislation and enforcement and that new challenges can be responded to quickly and coherently.
The measures listed here are already being implemented without acceptance of the motion. In the view of the Federal Council, there is no need for additional regulation.