How the federal government can better protect itself against hacker attacks
Published: Wednesday, May 1st 2024, 13:50
Following the hacker attack on the IT company Xplain in May 2023, investigations have revealed several shortcomings at the federal government and the company concerned. The Federal Council wants to prevent data leaks in future. An overview of the planned measures:
- NEW LAW: The new Information Security Act has been in force since January 1, 2024. Among other things, it requires administrative units to put an information security management system (ISMS) into operation by the end of 2026 at the latest.
- MORE CONTROLS: By the end of 2024, additional security requirements for cooperation with suppliers are to be drawn up. Control and audit capabilities are to be strengthened.
- IMPROVED TRAINING: By the end of 2024, a function-related training concept is to be developed for training and sensitizing employees to existing security requirements.
- INCREASED TRANSPARENCY: An overview of the federal authorities' existing means of communication is to be drawn up by the end of 2024.
- IT PROTECTION REVIEW: The Federal Department of Defense, Civil Protection and Sport (DDPS) is to review the federal government's IT baseline protection by the end of 2024 and propose any necessary adjustments.
- IMPROVE COORDINATION: By the end of 2024, the Federal Office for Cybersecurity (BACS) is to show how coordination between the Confederation, cantons and suppliers will actually take place when dealing with cyberattacks and what criteria will be used to assess the extent of cyberattacks.
Recommendations of the data protection officer
Parallel to the administrative investigation ordered by the Federal Council, the Federal Data Protection and Information Commissioner (Edöb) conducted an independent investigation. Various recommendations can be found in the three final reports, for example:
- Xplain shall take technical and organizational data security measures that are appropriate to the processing of particularly sensitive personal data, covering its support and maintenance processes, its processing of personal data and its development of software for the sensitive area of internal security.
- Xplain is to set up an information security management system (ISMS), establish a risk management system, sensitize employees and carry out regular audits. In addition, a deletion concept is to be implemented in accordance with legal and contractual requirements.
- The Federal Office of Police (Fedpol) and the Federal Office for Customs and Border Security (FOCBS) should examine under what conditions it is actually necessary for personal data to leave the federal ICT systems and be stored in Xplain's ICT systems as part of support processes.
- Fedpol and the FOCBS should continuously sensitize their employees to the data protection risks and clarify their contracts with regard to data security.
The company Xplain, the Federal Office of Police (Fedpol) and the Federal Office for Customs and Border Security (FOCBS) have a thirty-day deadline to inform Edöb whether they accept the recommendations.
Recommendations of the external experts
The company Oberson Abels investigated the data outflow on behalf of the Federal Council, and its report contains further recommendations, for example:
- The State Secretariat for Security Policy (Sepos) is to be given responsibility for managing and monitoring the Confederation's information security, which currently lies with the departments.
- The authorities and organizations in the IT sector should be provided with sufficient resources to fulfil their tasks in the area of information security and data protection.
- The information security and data protection culture should be strengthened. The ban on transferring productive data, i.e. data in live use, to external service providers should be clearly communicated.
- Access to productive data by external service providers, whether on site or remotely, should be reduced to a minimum, strictly regulated and controlled.
- The deletion of productive data that was made available to current or former external service providers of the Confederation in the past should be systematically requested and subsequently reviewed.
©Keystone/SDA