SECUROSYS BLOG

In Conversation with Florian Schütz: Shaping Switzerland's Cybersecurity Strategy and Future

Written by Martina Alig | Oct 01, 2024

Please note that this transcript has been simplified and summarized for better readability and may not reflect the exact wording of the original conversation. For the full, unedited interview, please watch the video on YouTube 

 

[Opening] 

Robert Rogenmoser: I'm very happy to have Florian Schütz here, from the National Cyber Security Center (NCSC). Florian, you've been head of the Federal Office for a couple of years now. Who are you, and where do you come from? 

Florian Schütz: (Jokingly) I ask myself that often. I’m an engineer by training, studied computer science at ETH Zurich. I went on to work at RUAG, a Swiss Defense contractor, where I had the chance to build a research team. Later, I moved to Zalando in Berlin, where I learned about scaling security. 

 

[Zalando and Cybersecurity] 

Robert: So, you were selling clothes? 

Florian: (Laughing) No, I was never really into fashion, but Zalando taught me how to handle security at scale. Back at the time, we generated around 200GB of compressed data per second and pushed it through the networks. We had an average of three incidents a day, which were cashflow relevant and had many changes in the infrastructure every day. That's small compared to AWS, and AWS is peanuts compared to Alibaba. There's always room for more but that's where I learned about scale in security. 

Robert: Was it all about money then? 

Florian: Yes, incidents often translate directly to monetary loss, so it’s crucial to handle them fast. 

Florian: I try to encourage a shift in mindset – security isn't just about risk; it's also about generating business value. For instance, when Zalando was hit by DDoS attacks, instead of just blocking regions, we gathered data and insights, which helped in marketing. That’s how we generated business value through security. 

 

[Transition to Federal Cyber Role] 

Robert: At some point, you got the call from Bern. How did that happen? 

Florian: The position of Federal Cyber Security Delegate was newly created with the implementation of the second national [cyber security] strategy. This time the strategy was taking everyone into account, military, police, and so on. Therefore, the Federal Council decided that they needed someone to coordinate all those cybersecurity efforts. 

I applied because I saw opportunities for Switzerland in cybersecurity. Now, I lead the National Cyber Security Center, which handles the operationalization of the national strategy. It is a great pleasure to be in this position and to actually be able to shape those opportunities. 

 

[National Cyber Security Center] 

Robert: What’s your role at the NCSC? 

Florian: I am leading the National Cyber Security Center. My role is to develop and implement the national cybersecurity strategy. This includes coordinating with companies, the Cantons, and the general public. 

Robert: National cybersecurity strategy, that sounds big. Where do we start? Do we have a national strategy? 

Florian: Yes, the third version already. Compared to the two previous versions, it’s not just about risks anymore; it also emphasizes opportunities. Countries which are successful in cybersecurity are the ones shaping opportunities through their national strategy. 

This time, the strategy is also built with and acknowledged by the Cantons and economic associations. We're trying to find a way to balance between regulation and to avoid every possible risk. 

 

[Challenges of Cybersecurity Coordination] 

Robert: How do you coordinate cybersecurity across different federal entities? 

Florian: We are a federal state – there is no single "boss." I coordinate between various entities, including the military and the Cantons. We also have an external steering committee which consists of people from industry, civil society, Cantons as well as at Federal level. They are here to oversee our efforts. 

While we frequently collaborate with various federal entities such as the Cyber Command and the Swiss Federal Intelligence Service (NDB), there are strict limitations on the exchange of sensitive information. For example, although we may discuss operational matters, we do not automatically share all vulnerabilities with the intelligence service or the police unless national security is directly at risk. These checks and balances ensure that information is only shared when necessary, preserving both security and operational integrity. 

 

[Burgenstock Ukraine Conference and Cyber Threats] 

Robert: One of the big recent events in Switzerland was the Bürgenstock conference. Can you tell us about your involvement in the Ukraine conference at the Bürgenstock? 

Florian: Yes, you can also find a report on our website with the details of what we can reveal. We dealt with expected DDoS attacks by pro-Russian groups like “NoName”. While these attacks weren’t sophisticated, they were a nuisance and cost money. They also could have had an impact on public perception, so we prepared thoroughly, coordinating with police and military as well as communicating a lot through media outlets prior and during the event. We also did a risk analysis with key stakeholders in preparation of the event. 

Robert: Could you tell us more about what happened? Did some websites go down? 

Florian: We had a couple of attacks; I would say it was medium intensity. There could have been more. We also had some manipulation of emergency organization data during the conference, but overall, the impact was manageable. All entities worked together towards the same goal. It was our job to make sure everyone knows what they were working towards and what their role was. Switzerland can be a little complicated, because of its federal system, but at the same time, if you get the people around the table and you can coordinate them well, it's a very resilient system. 

Robert: Earlier Timo Pfahl from SIX System told us that when everything works you usually don’t hear about it. It’s a good thing. With Bürgenstock, we didn't read much about cyber security incidents or anything alike, so I guess it went well. Thank you, very good job for you and all the other teams there! 

 

[Future Cybersecurity Challenges] 

Robert: What about the future? AI, Cloud, Quantum Computers—how do they factor in? 

Florian: AI is not our main topic because most of the issues can still be solved with statistics. However, it is a reality in cyber attacks which we keep monitoring, especially phishing emails. With machine learning, phishing emails become better, more targeted, and they are scaled better. Stay vigilant. 

Cloud computing is a broad and complex topic, and there is no one-size-fits-all solution when it comes to security. In my opinion, major cloud providers like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud invest billions of dollars annually into securing their infrastructure. This investment results in highly secure environments that are often more robust than what individual businesses can afford to maintain on their own. 75% of Swiss companies earn less than half a million a year so their IT is quite small. But depending on your business model and industry, there are stringent compliance requirements that govern how data should be stored, processed, and accessed. When moving to the cloud, it’s critical to ensure that your cloud provider complies with these regulatory requirements. 

Finally, Post-Quantum Computing presents a significant future challenge, particularly for cryptography. While we are exploring migration strategies to prepare for this era, it is not yet the highest priority. When it will be the case, our role would likely focus on framing processes, assessing dependencies, and planning critical priorities – especially for national critical infrastructure – rather than directly driving the implementation. I see some adding value by coordinating efforts and setting clear priorities for a smooth transition. 

 

[Closing and Practical Cyber Advice] 

Robert: Any final tips for companies or individuals on how to protect themselves from cyber threats? 

Florian: Yes,

1) Keep your systems updated, even privately. When Securosys launches an update, install it! 

2) Use two-factor authentication, most issues could actually be avoided by a two-factor authentication. 

3) Assess risks realistically. Don't be scared. Estimate the risk and if you think it's high risk but potentially high reward, go for it! 

4) And finally, don't be arrogant – everyone can fall for a phishing email at some point. If it happens, don’t be ashamed; report it directly on our website. 

Robert: Thank you, Florian!