The federal government cannot protect our data
Franz Grüter, zvg.


IT is overwhelming the administration. In view of increasing data volumes and the possibilities of artificial intelligence, it must finally accept its responsibility and act.


The case of the IT company Xplain startled the Swiss public. The Bern-based company was the victim of a hacker attack at the end of May, and data amounting to around 900 gigabytes ended up on the darknet, including sensitive information from the Federal Office of Police (Fedpol), Customs and Border Protection, and cantonal migration offices, among others. Anyone who is now surprised that a private IT company is providing services for the public sector and cries «Scandal!» does not know what is really the case. Xplain is not the exception, Xplain is the rule.


The largest IT contractor in Switzerland is the federal government. None of the large, internationally oriented companies can keep up with its volume of commissions. The Swiss Confederation has its own Federal Office of Information Technology and Systems (FOITT) with around 1100 employees. According to its own statements, the FOITT supports the administration by means of information technology to «develop and implement economical, secure, user- and citizen-friendly solutions». However, this is only half the truth. The majority of IT projects are realized and implemented by external third-party suppliers. Often, the operation of the systems and the services also run entirely through third-party providers. Is that a bad thing? The question is superfluous: the federal government has neither the know-how nor the resources. As I said: Xplain is the rule, not the exception.

This close interlocking between the state and private service providers, which has long since become a reality, means that the latter also share the cyber risks. It is of no use if the federal government has high security requirements but third-party providers do not implement them as well. The National Cyber Security Center (NCSC) is doing a good job and has brought Switzerland a great deal of progress in the area of cyber security. But there is still a lot of homework to be done, in particular clear guidelines and security requirements for third-party IT providers. Another example: the magazine «Swiss Review», produced by the Federal Department of Foreign Affairs for the Swiss abroad, is printed in an external print shop. The Confederation supplied the addresses to the company, whereupon data was stolen in a cyberattack on the print shop; the company did not pay a ransom, and so 425,000 addresses ended up on the darknet in June. Now, both interested and less interested circles can see where the Swiss abroad live.

Distrust as a sign of a mature democracy

This brings us to the core questions: How are gigantic amounts of data changing the relationship between citizens and the state? What do data protection, transparency and information justice mean in the digital age?

There is a high level of mistrust among the population, but also an awareness that data can be misused. The Swiss are comparatively skeptical when it comes to the state and rights of inspection or access, which is a sign of a mature democracy. They want to know what this rather intangible juggernaut of a state stores. The fact that individuals are informed about what data the state collects about them should be a self-evident fundamental right, especially when it comes to such huge amounts of data.

The federal government’s annual budget for IT totals around CHF 1,2…