"An army cyber attack would take months or years"

The Swiss Army is facing major changes: Military operations always need cyber support. How is the army getting ready for it? And how does it react to the new types of threats? The army chief and the cyber commander provide information.

Electronic warfare is a top priority. Army chief Thomas Süssli was himself responsible for the command support base (FUB) before his appointment as the army's highest officer. Behind the awkward name hides the department of the army that is responsible not only for IT but also for cyber operations, that is, for the delicate area of electronic warfare that will be fundamental in future conflicts. When it comes to questions about cyber defense, Süssli insists on providing information himself, side by side with his successor at the head of the FUB, Major Alain Vuitel.

Mr. Vuitel, when was the last attack on the army network that worried you?

Alain Vuitel: We have got off well since I took office a year ago. We have attacks, of course, but none of them has knocked me off my feet.

Is that a good sign?

Vuitel: The greatest cyber threat to the army is those activities that we cannot detect. That is why we invest a large part of our efforts in sensor technology, so that intruders can be identified and fended off at an early stage. To do this, we want to use artificial intelligence in the future.

The intruders were not discovered for at least a year and a half during the 2016 attack on the Ruag armaments plant, which is close to the federal government. Would you notice such an attack earlier today?

Thomas Süssli: You can never say with certainty. That is why there is the principle of “Assume Breach” in cyber defense: You always have to assume that there is already an intruder in the network. This also applies to us.

Specifically, for example, is your communication geared towards the fact that someone is already in the network?

Süssli: Exactly. Even our crisis management provides for this case. My cell phone can ring at any time with a message that we are under serious attack.

A year ago you said at a conference that you saw attacks by various actors. Only the Chinese would not see you. Is it still like that?

Süssli: Yes, we still don't see them. And this despite the fact that China has a cyber command of over 100,000 men. There are three possible reasons for this: first, that they are too bad at it. Second, that we are not a target. Or third, that we cannot recognize them.

The third case would be worrying.

Süssli: It must be said that the army's network is now part of the federal network. This protects us from the outside. The last major attack on the army was the one in 2017 on a computer that was connected to the Internet. In 2018 there were attacks on the Spiez laboratory when samples were examined there in connection with the poison attack on the former Russian agent Skripal. We recognized these attacks well.

In the Skripal case, the perpetrator is said to have been a Russian hacker group. Who else do you see activity from?

Süssli: It is always difficult to say who the attacks are actually coming from. Switzerland does not make any public attribution by saying who attacked us. This did not happen during the Ruag attack in 2016 either. However, we published a detailed technical report there so that the perpetrators knew that we had discovered them.

In addition, the report also made the attackers' tools public and therefore useless. But you still try to attribute the activities in the background. Which groups do you see there?

Süssli: For our cyber situation picture, we look at which actors there are and which attacks could be associated with them. But I wouldn't attach that to specific countries. The attackers come from all over the world and are mostly anxious to cover their tracks.

Do you see a certain motivation for the attacks?

Vuitel: Cyber is a good means for an actor to get his own way. An attacker can thus achieve a certain effect under the radar or prepare the terrain for further actions in the long term. And the bottom line is: the attacker can always deny it.

In this way, states can settle conflicts without actually starting a war?

Vuitel: Exactly. Just as they do with political or economic pressure. Cyber attacks are another tool in the toolbox of power instruments.

When is the war threshold exceeded?

Süssli: I don't like to talk about cyber warfare because the term gives the wrong picture. In the past, war was declared and fought until the winner was certain. Today, conflicts are more complex and are also carried out by economic, political or criminal means. Cyber is just another means of achieving your goals. That is why cyber attacks must not be viewed in isolation. They are always part of an intention.

What happens when attackers paralyze the computer systems of a hospital and people die as a result?

Süssli: The question is which group is behind it. Today it is cyber criminals who attack hospitals. That's why it's not an act of war.

In 2015 and 2016, Ukraine experienced power outages caused by cyber attacks. Sometimes there is talk of cyber warfare.

Süssli: Here we come to the question of the actor and his motivation. There were accompanying ground operations in eastern Ukraine. The blackouts were about creating confusion or breaking connections. This corresponds to my argument: cyber does not come alone, but reinforces an existing intention. Cyber does not replace existing threats, it makes them more dangerous.

How does official Switzerland react to cyber attacks?

Süssli: We respond via diplomatic channels together with the Department of Foreign Affairs. It was the same with the Ruag attack.

States often publicly denounce the attackers. For the first time this summer, the EU even imposed sanctions on people and organizations allegedly involved in cyber attacks. Isn't that an option for Switzerland?

Süssli: We deliberately hold back. On the one hand for reasons of neutrality. And on the other hand, as mentioned, attribution is difficult. There remains a certain residual risk of wrongly accusing someone. As a small, neutral state with international dependencies, we cannot afford that.

What about a so-called hackback, i.e. that you hit back? This was also discussed during the Ruag attack.

Süssli: That sounds spectacular, but in reality it is not that easy. According to the military law, the Federal Council must approve such an attack. Imagine that Major Vuitel wants to strike back after a heavy attack. I would ask him: how sure are you? Maybe 30 to 40 percent...

Hopefully 60 to 70 percent...

Süssli: But even then: the uncertainty is too great. That would be the end of the matter.

And yet the idea of hackbacks keeps popping up.

Süssli: Yes, there is this illusion of deterrence. Partly also among companies. But it is not a realistic option, because I usually only hit those IT systems from which the attack is carried out. It is difficult to catch the real attacker in the background.

Does that mean the Swiss Army has never penetrated a foreign computer system?

Süssli: Based on the military law, we have never asked the Federal Council to be allowed to carry out such a measure. There is also the Intelligence Service Act, which likewise allows such measures. The professional organization of the army carries out such operations on behalf of the intelligence service.

Is the army today capable of carrying out a major cyber attack, a kind of cyber strike?

Süssli (hesitates): It basically has the skills. The question arises with the capacities, i.e. how complex such an attack is and how many actions are carried out in parallel. That cannot be said unequivocally. Such actions are extremely complex.

But the knowledge and the tools are basically available?

Süssli: We have the necessary skills because we see the attack tools and methods of the opponents. The Ruag attack is a good example of how we managed to understand the attack in detail. With this knowledge you can also become active yourself.

It doesn't sound like you can strike back quickly.

Vuitel: The time dimension is the main difference to a conventional counter-attack. You have to prepare for a cyber attack, and that takes a lot of time.

Süssli: We occasionally see in exercises that there are misconceptions here: now we are using cyber to switch off an area of the opponent, it is then said. But that doesn't work at all. You have to be very careful, work your way through the network and take care not to step into a trap anywhere. Such attacks are not made overnight.

Which timeframe is realistic?

Süssli: Even when taking advantage of a serious security gap, a so-called zero-day exploit, you still have to build the right tool. Then I'll probably need social engineering to get the tool to the right person. Once I am in the computer system, the preliminary probing phase only begins. Such an operation would take months or years.

Do you have such zero-day exploits, i.e. vulnerabilities that have not yet been public?

Vuitel: We do not communicate about this for clearly understandable reasons.

But the army is allowed to buy information on such vulnerabilities that are offered on the black market?

Süssli: I cannot say anything about this. There are big companies that buy such vulnerabilities. Not for hackbacks, but for understanding security vulnerabilities. We have the same interest in vulnerabilities so that we can close them or ward off attacks.

Vuitel: However, knowledge of the networks is just as important. An attack can only be carried out if you know how the opposing infrastructure is structured. In order to generate the right key, we need to know exactly what the lock looks like.

And since the army also takes active measures on behalf of the intelligence service, i.e. is allowed to attack, you can also practice these skills.

Vuitel: Of course we have the technical skills for offensive operations. But we're not going to talk about that in detail. And the fact that we also work on behalf of the intelligence service is of course an advantage.

You're working on a report on the Army's cyber capabilities. So will there be more funds in the future?

Vuitel: The trend is clearly towards additional human and financial resources. Data is a key factor in the operational readiness of the armed forces, and we have to protect it accordingly. Our commanders of all branches need the best information about the situation. It's about the knowledge and decision-making advantage. The “Overall Cyber Concept”, which we will publish this year, defines the framework within which we can subsequently plan and carry out specific armaments procurements.

A Cyber Command is to emerge from the current command support base by 2024. Does this mean that cyber is being upgraded in the army?

Süssli: Clearly. Cyber already concerns us every day and also has strategic effects. Therefore, the topic must be close to the army command. We need the skills right at the table. The army becomes important when there is a conflict. In everyday life, however, cyber is the bigger issue.

Does that mean the subject is so important that it will be under the command of a corps commander?

Süssli: I wouldn't start counting stars now. The rank has not yet been determined; it will probably be between one and three stars.

Vuitel: The stars are not relevant. It's about a world that has changed. Today data and information are also central in the army. Operations on the ground or in the air are no longer possible if the data exchange is not guaranteed continuously. Just as you are connected to the world and can call up data thanks to your cell phone, so must the army units. This brings about revolutionary changes in how one thinks, plans and conducts military operations. Only those who are superior in communication can achieve their goals.

Is the Swiss Army lagging behind here?

Vuitel: The FUB is a child of the end of the Cold War. Back then people wanted to have everything as cheap as possible. Redundancy was no longer in great demand; it just had to work. Now you can see that the world has changed.

Süssli: Maybe we were a little behind for a long time. But now we are looking far into the future and building up new skills that will be necessary in the next few years.

What does that mean for training?

Süssli: We are currently very concerned with this question. Multidomain thinking is important, i.e. the connection between ground, air and cyber operations, and it will be incorporated into the training. It is open, for example, whether the mechanized troops and the infantry will still exist separately in the future or whether they will be organized together in one unit. Maybe there will be a cyber unit there too.

So cyber specialists are not only needed in the cyber command, but everywhere?

Süssli: At least when it comes to leadership, the topic of cyber must appear at all levels. Whenever you plan a military operation, cyber will be an integral part. Cyber resources have to be considered. It is still open where the units will be located. The new concept does not simply provide for a cyber command. Cyber must be taken into account in all troops and operations, always and everywhere.

So is there going to be a major reform that will permeate the entire army?

Süssli: I don't want to talk about reform. It is not about a major reorganization that is then carried out in one step. We want to continuously develop the army in small steps. This not only affects cyber, but also, for example, the ground troops, and should extend over the next few decades.

As a lateral entrant, are you bringing the agile thinking of the private sector to army development?

Süssli (laughs): You could say it that way.

The army has great cyber defense capabilities. But they do not play a role in everyday attacks on companies and critical infrastructures such as hospitals. Isn't that a waste of resources?

Süssli: The principle is always the same: if civilian resources are no longer sufficient, the cantons can submit an application. The Federal Council can then approve the subsidiary deployment of military personnel. This is currently the case in the health sector, where the army is deployed in various cantons. Such missions are possible, regardless of whether they involve medical soldiers in a hospital or cyber specialists, for example at the National Bank.

But it's about protecting critical infrastructures, not companies.

Süssli: The army cannot protect all companies in Switzerland. The first rule is: everyone protects himself. There is no other way, if only because the army cannot know all the networks or every piece of software that is used.

The Swiss Federal Audit Office has identified deficiencies in the IT system for the armed forces that you did not report to the relevant federal IT control body in accordance with regulations. Is military IT none of the business of the federal cybersecurity delegates?

Süssli: One has to distinguish. The command information system of the army, for example, is an isolated and sealed-off environment. If there is a weak point there, we record it in our security management system, including the measures to remedy it. The FUB is responsible for the security of the IT systems of the armed forces and the implementation of the measures. In the example mentioned, what is the added value if we report the vulnerability to the cyber delegate in accordance with the ordinance? I don't see any. In addition, we are not allowed to spread our weak points for security reasons.

Then army IT should be taken out of the responsibility of the civil cyber delegate?

Süssli: We are about to change that. The IT systems of the armed forces are to receive their own regulation by 2024 at the latest. Then the cyber delegate would no longer be responsible, and the responsibilities would be in one place, namely in the army.

In the Crypto AG affair, the army and its cryptologists played an important role. The business audit delegation speaks of a service within the service. What did you know about it?

Süssli: There is no service within the service. There are only cryptologists in the FUB. They have a task that is important for Switzerland. They are among the few specialists who can even tell how good an encryption is. Of course, they also had something to do with Crypto AG, and they checked its devices.

They knew there were unsafe devices.

Süssli: Yes, we knew. One of the tasks of our specialists is to convert encrypted data that is received somewhere into readable information. There is a toolbox for this. You reach for it when you receive something encrypted that you don't know yet. And a tool we have can decrypt the data of the crypto devices. That is also in the report of the business audit delegation.

What is not in the report: How and when did the army get this key?

Süssli: I cannot comment on that.

According to the report, the experts at the FUB's predecessor organization realized relatively early on that weak devices existed. How official was the collaboration with the Americans?

Süssli: This is also stated in the report; the cooperation mentioned no longer exists today.

But how was this collaboration organized?

Süssli: I cannot comment on that either.

What are the consequences of the crypto affair for the army?

Süssli: We have to make sure that we do not lose the cryptological expertise in this country. Independent manufacturers of cryptology infrastructure are needed in Switzerland. Basically, I hope that cryptology will be promoted at universities or startups so that the know-how is preserved in Switzerland. For me, that is the most important consequence for the army.

Security policy discourse in the NZZ

geo. · The geopolitical situation is noticeably worsening. Together with climate change and the corona pandemic, the world is facing epochal challenges. What do these developments mean for the security policy of Switzerland, a prosperous small state in the heart of Europe? The wafer-thin yes to new combat aircraft shows, among other things, that opinions diverge widely. The NZZ is therefore launching a discourse on threats and possible concepts for countering them under the heading #security.