National Council wants to report dangerous cyber attacks – defeat for the SVP

In the future, operators of critical infrastructures will have to report cyber-attacks with a high damage potential within 24 hours. That has been decided by the National Council. Those who deliberately fail to comply with the reporting obligation risk a fine.

The Grand Chamber on Thursday approved, by a vote of 132 to 55, necessary amendments to the Federal Information Security Act at the federal level. The no votes came from the SVP.

The proposal will now go to the Council of States.

Also serious vulnerabilities

At the request of its Security Policy Committee (SIK-N), the National Council decided to extend the reporting obligation. In addition to cyber attacks with a high damage potential, this must also involve serious vulnerabilities in computer systems. The Commission expects this to have a preventive effect.

The National Center for Cyber ​​Security (NCSC) would be the central reporting point for cyber attacks. This is to provide an electronic notification form. The Federal Council wrote that reports can be easily recorded and sent directly to other offices if desired.

Speakers from various political groups saw that Switzerland lagged behind in international comparison. “Especially when it comes to digital skills, we are relatively poor,” says Melanie Mettler (GLP/BE).

Controversial detail

The period between the incident and the report as well as the fines for breaching the reporting obligation were controversial in the National Council. At the request of the majority and the Bundesrat, the council wrote into law that the report must be made to the NCSC within 24 hours of the incident.

It’s about being able to act quickly, says Ida Glanzmann (centre/LU). Edith Graf-Litscher (SP/TG) emphasizes once again that no critical analysis is needed, only an indication that something has happened. Internationally, a deadline of 24 hours applies, according to Defense Minister Viola Amherd.

The SVP had wanted to set the limit at 72 hours, but was clearly defeated. Attacks are initially concerned with defense, said David Zuberbühler (SVP/AR). In the first instance, they should be able to take measures themselves and therefore have more time to report.

Fines for deliberate failure to report

The SVP also wanted to waive fines of up to 100,000 francs for violating the reporting obligation. Instead of state coercion with the threat of fines, positive incentives are needed to report incidents and exchange information as effectively as possible, according to Zuberbühler. There is no criminal energy emanating from those under attack.

Here too, the National Council followed the Federal Council by 130 votes in favor and 55 against. According to this, anyone who deliberately fails to comply with the notification obligation risks a fine of up to CHF 100,000, despite being asked to do so.

The duty to report applies, for example, to the Federal Council and parliament, the public prosecutor’s office, the army, universities, banks, healthcare and energy suppliers, the SRG and railway companies. The NCSC is available to provide support to those reporting the attack.

Defense Minister Amherd saw that the voluntary reporting had reached its limits. Some companies reported incidents. Others, on the other hand, did without, but still benefited from it. There is a reporting obligation in many countries, in the EU since 2018.

About 22,000 reports

Today there is no overview of which attacks took place where, as reports to the NCSC are voluntary, the Federal Council writes. Due to the notification obligation, all operators of critical infrastructures must in future participate in the exchange of information and thus contribute to early warning.

In 2021, approximately 22,000 cases of cybercrime will have been reported to the NCSC, about twice as many as in 2020. However, many of the reported incidents are traced attempted attacks and not successful attacks. The Federal Council established the NCSC in 2019.

(dsc/aeg/sda)