Dependencies and sovereignty

Cybersecurity Map

Current situation

Our society and economy have developed a critical dependency on a large number of digital infrastructures. We rely on connectivity being constantly available and on the correct functioning of countless technologies and services that we no longer directly control. These include, in particular, the hardware and software solutions that are essential to the growing digitalisation of business processes, and which represent a core and critical component. At first glance, the supplier market appears to be extremely diverse and heterogeneous in terms of its range of solutions. However, a closer look at the home countries of these suppliers diminishes the appearance of heterogeneity substantially. 

Process digitalisation in its current form cannot take place without hardware and software solutions from large international corporations. However, the geographical concentration of production sites in a very small number of countries, some of which are not democratic, also means that foreign companies or states theoretically have simplified access to the information and communications technology (ICT) systems of domestic manufacturers and service providers. The foreign companies or states could, therefore, in principle access the information stored on, processed on or supplied to those systems. 

A general discussion is underway in several countries, including Switzerland, on how to reduce the various dependencies and create a sort of independent domestic industry and possible alternatives. The key expression here is “cyber sovereignty”. It must be borne in mind, however, that one of the major challenges will be procuring rare-earth elements and specific materials for producing microchips, since such materials do not occur naturally in Switzerland. 

One graphic example of a dependency that had a global impact was the IT systems outage following the distribution of a faulty update by US cybersecurity company CrowdStrike in July 2024. The incident affected Windows devices on which CrowdStrike software was used as a defence against hacking: a flaw in the update caused a system outage on those devices. The ramifications were colossal, affecting companies, banks, emergency call centres and airlines in particular.

Challenges

As digitalisation progresses, the growing dependency within and between infrastructures is giving rise to critical threats that can merely be “managed” in risk management terms and mitigated only to a limited extent. Moreover, it is more than doubtful whether Switzerland, as a centre of industry, will be able to develop alternatives to foreign suppliers’ hardware and software solutions in the near future. Even if Switzerland had a coordinated industrial policy in this area, which is unfamiliar territory for the country, the effects of this policy, if any, would only be long-term in nature. However, the digitalisation of business processes and the development of new technologies such as 5G are already happening now. Swiss production of the ICT components and solutions needed for these trends is either as good as non-existent or involves only small volumes and often major cost and complexity.

The close links between a very small number of dominant operators, services, technologies and infrastructures, together with their complexity and growing interdependence, are causing an exponential increase in critical risk in the digital society. Things are becoming more complex, more frequently interlinked and interdependent at superlinear speed.

  • Connectivity and networks: Services and devices require continuous communication and constant network access. Most infrastructure is outside our direct control and outages paralyse critical functions.

  • Hardware and software: A small number of dominant hardware and software products and cloud services from an even smaller number of manufacturers and providers are absolutely essential for cross-sectoral operation. Weak points, malfunctions and the lock-in effect [1] cause problems as regards availability, continuous maintenance of business operations, data security and system stability.

  • Protocols: Dependency on a small number of Internet protocols and the infrastructure through which they are delivered increases the risk of cascade effects across various sectors [2].

  • Clouds, cloud providers and service models: The increasing number of online or cloud-based services combined with the constant pressure to transition to subscription models is increasing reliance on network and service providers’ availability. A significant proportion of global Internet business relies on fewer than ten cloud providers from just two countries – China and the USA. Minor outages are causing ever more damage and a huge and growing accumulation of systemic risks [3].

  • Cryptography: Almost all security guarantees in the digital world are based on a few dominant cryptographic methods and their implementation. This creates huge systemic exposure to as yet unknown weaknesses in mathematics, implementation or sudden progress in quantum computing. The development of quantum-safe cryptography is another area where Switzerland is at risk of dependency on foreign providers.  

  • Legacy: Products and services can no longer be operated in isolation without guaranteed continuous connectivity or manufacturer support throughout their entire service life. Premature disappearance of the manufacturer or supplier as a result of bankruptcy, forced closure or sanctions is therefore a critical risk. 

  • Politics: Dominant manufacturers and infrastructures are heavily concentrated in just a small number of countries. Control of digital infrastructure is superseding political power – because to disrupt real-world systems nations can easily overstep digital borders, or rather because there are no national borders in the digital space. The spread of the Internet into the physical world is radically escalating government concerns about privacy, discrimination, personal safety, democracy and national security. 

Action areas for government, business and civil society: Current gaps

Everything is interconnected and becoming ever more complex. On the one hand, Switzerland’s small, open national economy is dependent on foreign ICT manufacturers. On the other, the situation represents an opportunity for Switzerland. Since the leading nations in ICT pursue different interests, Switzerland can skilfully exploit its role to balance between these interests and achieve advantages as a result. It will benefit from shaping relations with different countries with strong ICT industries in such a way that it optimally leverages their technologies and market strategies for itself. 

We can no longer act in isolation. Effective and sustainable action to protect and provide products and infrastructure goes beyond securing individual systems. Digitalisation in the Swiss economy will remain heavily dependent on foreign ICT manufacturers. For this reason, consistent risk management should be established that addresses possible state intervention and enforcement and takes full account of interaction with manufacturers, suppliers and providers of hardware and software solutions.

We must identify the digital infrastructures that are too critical to fail. Furthermore, we need to develop strategies to minimise dependencies and protect these infrastructures, establish redundancies and increase the resilience or stability of both the digital infrastructure and industry to disruptions, crises and attacks. We should do so before the next crisis occurs.

Understanding and mastering complexity

The complexity of systems and infrastructures is increasing vulnerability, outages, errors, human overload and difficulties in managing outage issues [4]. To avoid unnecessary complexity and dependencies, we must give preference to simple, transparent and consistent architectures, designs and implementations. Since it is not possible to fully predict, test and model all conditions with such systems, we must accept outages and compromises, factor them in and design secure, fault-tolerant systems. The only way to achieve genuine security gains is to master the complexity.

Recommendations: How government, business and civil society can close the gaps

  1. Accept digitalisation, but invest in understanding the main risks and make informed decisions on critical investments. 

  2. Deliberately evaluate critical dependencies in their cyber infrastructure and actively strive for a balance of optimisation (efficiency, short-term gains), resilience (long-term survival) and the associated costs that matches their own appetite for risk or security needs.   

  3. Assume outages and plan accordingly. Functions that are critical for civil society and business must be able to withstand outages to a certain degree. Redundancies should be planned, communicated, funded, implemented and tested.

  4. The possibility of introducing product liability should be examined.  

  5. European initiatives that address critical dependencies as well as product liability should be driven forwards. 

  6. Cooperation with local providers, including Swiss start-up companies, should be promoted.  

  7. Business continuity management: Manage critical dependencies that could cause outages with serious consequences for civil society in the same way as other potentially devastating risks (e.g. natural hazards). 

Three key questions

  1. How long can a system be unavailable until an existential problem arises (minutes, hours, days)? 

  2. Does the outage infringe legal requirements? 

  3. What impact does an outage have on how society functions and Switzerland as a business location? 

Authors and subject responsibility

Umberto Annino, Microsoft | Daniel Caduff, AWS | Stefan Frei, ETH Zurich | Pascal Lamia, BACS

Review Board

Endre Bangerter, BFH | Alain Beuchat, Banque Lombard Odier & Cie SA | Matthias Bossardt, KPMG | Adolf Doerig, Doerig & Partner | Roger Halbheer, Microsoft | Katja Dörlemann, Switch | Martin Leuthold, Switch | Hannes Lubich, Board of Directors and Consultant | Luka Malis, SIX Digital Exchange | Adrian Perrig, ETH Zurich | Raphael Reischuk, Zühlke Engineering AG | Ruedi Rytz, BACS | Riccardo Sibilia, DDPS | Bernhard Tellenbach, armasuisse | Daniel Walther, Swatch Group Services | Andreas Wespi, IBM Research
