What were the key goals and findings of the cybersecurity research study that the Cyber-Defence Campus conducted with SATW support in 2023?
Bernhard Tellenbach (BT): The primary goal was to obtain an overview of the thematic direction of research at the various types of university in the country (according to Swiss Universities) and of the resources invested in that research in FTE terms. The study only recorded the work of research groups or similar research units if they had been pursuing the topic in question for at least two years and employed at least one full-time equivalent (FTE) on it. Furthermore, the FTE count only included the work done by research staff – in other words professors, postdocs, scientific associates and PhD candidates. Any work done by students, in the form of Bachelor’s or Master’s theses, for example, was excluded.
The study showed that around 297 FTEs have been invested nationwide, a figure that is about the same as an SME, since the boundary between medium-sized and large companies in Switzerland is 250 full-time equivalents. While a very good 13 of the 14 identified research areas were covered, only 57 of the total of 145 research topics – just over a third – were being addressed. The uneven distribution of resources is also striking. More than half – 174 FTEs to be precise – are focused on three areas: cryptology; network and distributed systems; and software and hardware security engineering as the frontrunner.
What is the reason for the regional imbalances in research areas and resources? Is Switzerland in a good overall position in cybersecurity research or are there “blind spots”?
BT: I think there are various different factors at play here. One of them is certainly the difficulty of the research issues and the work and cost that is often necessary to find solutions. In particular, destructive research, or identifying where a security issue exists, is generally simpler than developing and establishing a solution that replaces an insecure technology with a secure one. For the latter, you need to find a more or less “bulletproof” solution. In other words, you have to address all the points of attack and vulnerabilities you can think of. For the former, by contrast, all you have to do is find a single issue or point of attack.
The topical urgency of an issue, as perceived by the government and public, can be another important factor. Examples include security and data protection issues associated with artificial intelligence or issues connected with quantum technologies. Like any organisation that conducts cybersecurity research, we at the Cyber-Defence Campus have to set priorities and try to fill gaps with the options and resources we have available.
The answer to the question on Switzerland’s position depends on the skills and knowledge that various stakeholders in government and society regard as important for our country. The answer might differ, depending on who you ask.
What actions does the study propose in response to its findings?
BT: The study does not propose any actions. There is already awareness of the tools that can be used to direct research activity towards the desired fields. Plenty of options exist, from competitions such as the DARPA Cyber Grand Challenge (see www.darpa.mil), through the financial incentives offered by research funding programmes (such as the central programme areas of the EU research programme) to setting up specific research facilities, such as CISPA, the Heimholtz Center for Information Security funded and operated by the German government since 2018. This is an area where government and society has to decide whether intervention is necessary and, if so, what form it should take. What is clear in any event, however, is that given its limited resources, Switzerland needs to prioritise.
MELANI, the Reporting and Analysis Centre for Information Assurance, became part of the NCSC within the General Secretariat of the FDF in 2020. As of 1 January 2024, the NCSC will be attached to the DDPS. Does the breakneck pace of this change reflect the constantly growing importance that the Confederation attaches to cybersecurity?
BT: The Confederation has been aware of the increasing importance of cybersecurity for some time now. Even though I was an outsider at the time, I viewed the Action Plan for Cyber Defence (APCD), initiated by the Confederation in response to the RUAG incident in 2016 as a clear indication of the high priority afforded to the issue. Incidentally, the formation of the Cyber-Defence Campus, which is attached to armasuisse Science and Technology, was also part of this plan. Cybersecurity continues to enjoy a high priority, although I am aware that some sections of the community take a critical view of recent developments.
Are there plans to cooperate with cybersecurity research institutes in the education sector of the type defined in this study? Or even with civilian companies?
BT: This is an area where I can only speak for the cyberspace research programme that I lead at the Cyber Defence Campus. We have been working closely with research institutions in Switzerland since the Campus was set up. This involves various tools, such as commissioned research or hackathons. The commissioned research involves us working with partners to investigate research issues that we feel are strongly relevant to Switzerland. The goal here is generally to highlight or assess the risks and opportunities of novel methods and technologies and to build up skills that will subsequently be in demand in federal procurement or innovation projects.