class=”sc-29f61514-0 kHgAwW”>
The small chamber approved the necessary changes to the Information Security Act on Thursday with 42 votes in favor and 0 against. The bill goes back to the National Council to settle the differences.
In March, at the request of his Security Policy Committee (SIK-N), he decided to extend the reporting obligation. This should not only include cyber attacks with a high damage potential, but also serious vulnerabilities in computer systems. The majority in the National Council hoped that this would have a preventive effect.
The Council of States fears legal uncertainty
The Council of States rejected this extension by 31 votes to 13. The majority did not consider the obligation to report opportune, because there was insufficient clarity about the number of affected companies and the type of vulnerabilities to be reported.
“The expansion would mean an indefinite additional effort for the companies and the registry office,” says Hans Wicki (FDP/NW). In addition, the concept of ‘vulnerability’ can be interpreted in different ways. There is legal uncertainty.
Commission spokeswoman Andrea Gmür-Schönenberger (Mitte/LU) countered that it would make sense to report vulnerabilities so that other companies working with the same software would be warned. Mathias Zopfi (Greens/GL) tried to calm down the critics of the extension of the reporting obligation. “If you have a cyber vulnerability, it should be possible to fill out an online form.”
«Central threat to society, state and economy»
Defense Secretary Viola Amherd said in the Council of States that the Federal Council could live with either solution — with or without extensive vulnerability reporting requirements. However, it is crucial to quickly introduce a reporting obligation for cyber attacks. These are “a central threat to society, the state and the economy”.
The National Center for Cyber Security (NCSC) would be the central reporting point for cyber attacks. This is to provide an electronic notification form. In this way, reports could be easily recorded and sent directly to other offices if desired, the Federal Council wrote in the notice for filing.
Fines of up to CHF 100,000
Anyone who deliberately fails to comply with the notification obligation can be fined up to CHF 100,000. The duty to report applies, for example, to the Federal Council and parliament, the public prosecutor’s office, the army, universities, banks, healthcare and energy suppliers, the SRG and railway companies. The NCSC is available to provide support to those reporting the attack.
Today there is no overview of which attacks took place where, as reports to the NCSC are voluntary, the Federal Council wrote in the embassy. Due to the notification obligation, all operators of critical infrastructures must in future participate in the exchange of information and thus contribute to early warning.
Defense Minister Amherd saw that the voluntary reporting had reached its limits. Some companies reported incidents. Others, on the other hand, refrained from it, but took advantage of reports from others. There is a reporting obligation in many countries, in the EU since 2018.
In 2021, approximately 22,000 cases of cybercrime will have been reported to the NCSC, about twice as many as in 2020. However, many of the reported incidents are recognized attempted attacks and not successful attacks. The Federal Council established the NCSC in 2019. (SDA)
Source:Blick
I am Liam Livingstone and I work in a news website. My main job is to write articles for the 24 Instant News. My specialty is covering politics and current affairs, which I’m passionate about. I have worked in this field for more than 5 years now and it’s been an amazing journey. With each passing day, my knowledge increases as well as my experience of the world we live in today.
