On Monday, the National Testing Institute for Cybersecurity (NTC) published a legal opinion with a striking conclusion: under certain preconditions, hackers with good intentions may penetrate third-party computer systems that are protected against access.
The intrusion is not carried out with criminal intent, but with the aim of exposing existing vulnerabilities and improving IT security. In the professional world this is called ethical hacking.
NTC test manager Tobias Castagna explains to Watson that a team of internal and external cybersecurity experts will increasingly carry out such attacks. On its own initiative, and without warning.
Who are the NTC hackers targeting?
The NTC especially wants to look at digital products and technical infrastructures “that have not been tested or have been insufficiently tested”. Test manager Castagna confirms that an internal list of specific “targets” already exists.
According to the NTC report, these are primarily “widespread, critical, alternative and official systems”, namely those that “appear to be at risk based on objective evidence”, for example because there are indications of security vulnerabilities in a system.
The NTC test manager understandably does not disclose who the white hat hackers will be hacking in the coming weeks and months.
IT security gaps are known to exist throughout the economy, in small and medium-sized enterprises (SMEs) as well as in large enterprises. Another potentially valuable target for cybercriminals is state institutions, whether at the municipal, cantonal or federal level.
What does this have to do with the ransomware epidemic?
A lot.
As is well known, cyber-attacks by professional, mostly Russian-speaking ransomware gangs are among the biggest risks for local companies.
NTC test manager Castagna explains:
What should the hacked ‘victims’ take into account?
Even when ethical hacking is done correctly, the organizations involved run the risk of reputational damage. For example, through false or exaggerated reporting in the media or on social media platforms.
Watson therefore asked what the internal decision-making process at the NTC looks like, and whether and how the public is informed about a successful attack.
NTC Test Lead Castagna explains that reporting vulnerabilities has three purposes:
- 1) fixing the vulnerability or vulnerabilities;
- 2) promoting public discussion about security vulnerabilities and how to protect against them;
- 3) warning users so that they can take the necessary measures to protect themselves.
How will the NTC inform?
When publishing the security gaps, the NTC will adhere to its own “Vulnerability Disclosure Policy,” explains test manager Castagna. “We plan to make the relevant publications on our website. This is equally accessible to everyone.”
“For a detailed publication, the identified and documented security gaps must be completely eliminated,” the legal opinion states.
Can those affected keep discovered vulnerabilities hidden?
The NTC test leader explains:
Will the NTC also hack state-related big companies like SBB and Swisscom?
Apparently this cannot be ruled out.
NTC test manager Castagna emphasizes:
So operators of critical infrastructure are also targeted?
Companies responsible for the power supply and other socially indispensable services invest an above-average amount of money in cybersecurity; citizens count on that.
NTC Test Leader Castagna:
What role do Apple, Google and Microsoft play?
The American companies Apple, Google (Alphabet) and Microsoft operate the largest and most important platforms from a consumer perspective: iOS/iPadOS/macOS, Android, Windows.
Watson therefore wanted to know from the NTC what role these platform operators play in the ethical hacking project. Will the NTC ensure that things are fairly evenly distributed by operating system/platform?
Under what circumstances are such hacker attacks exempt from punishment?
As explained above, ethical hacking involves detecting gaps in IT security without the explicit order and consent of those affected. The catch: under Swiss law (keyword “hacker article”), even the attempt to penetrate a secured IT system is punishable.
If Swiss law is violated “in the context of vulnerability assessments”, a hacker can, under certain circumstances, invoke the justifiable state of necessity under Article 17 of the Swiss Criminal Code (StGB), the legal opinion states.
- Intrusion into a system is only justified “if there is concrete evidence that a system is affected by potential security loopholes”.
- In addition, “the discovery, documentation, and information about these security vulnerabilities should serve to deter malicious access.”
Who issued the legal advice on ethical hacking?
The Zurich business law firm Walder Wyss, according to “Bilanz” one of the country’s leading law firms.
The firm’s lawyers recently had a far better-known client: Credit Suisse (CS). According to the “Handelszeitung”, the Zurich firm was responsible for legal advice in the CS matter.
Who is behind the NTC?
The National Testing Institute for Cybersecurity (NTC) is a non-profit organization based in the city of Zug that cooperates with government agencies, research institutes and private companies. It was founded in 2020 on the initiative of the canton of Zug. The NZZ called it the “Cyber-Empa”.
The internal and external experts examine “digital products and infrastructures that are not or insufficiently controlled by the private sector”.
One of the first clients was a federal agency, the National Cyber Security Centre (NCSC): in 2021, the NTC’s experts checked the functionality and security of the Swiss Covid certificate system.
Unlike the Federal Materials Testing and Research Institute (Empa), the NTC does not conduct product certifications. And to avoid a conflict of interest, testing is not done on behalf of product manufacturers.
Sources
- ntc.swiss: A legal opinion on the criminal liability of ethical hacking (press release, June 27)
- ntc.swiss: NTC Vulnerability Disclosure Policy (PDF)
Source: Watson

I’m Ella Sammie, author specializing in the Technology sector. I have been writing for 24 Instant News since 2020, and am passionate about staying up to date with the latest developments in this ever-changing industry.