Ultimately, everyone is interested in improving security – yet this poses something of a dilemma for computer manufacturers. Additional security comes at a price, but few consumers are willing to pay more or sacrifice performance in return for more security. Razavi also faces a dilemma: as a scientist, he needs to publish his findings as soon as possible in order to gain an edge in the cut-and-thrust world of academia – but his industry partners have other ideas. “We follow the principle of responsible disclosure,” he says. “In other words, we give companies time to fix flaws before we publish them.” Razavi has also enlisted the support of Swiss federal authorities: for example, his discovery of the vulnerability in dynamic memory led to a joint publication with the National Cyber Security Centre. As of last September, this is the agency responsible for registering critical vulnerabilities in Switzerland.
Yet technical measures alone are not enough to make cyberspace safer, says Razavi. “We also need input from policymakers, because questions about how we share data and who has access rights to certain types of information are political decisions that engineers shouldn't be expected to make,” he says.
Neutral and transparent
Such policy issues fall within the remit of Jakob Bund, who heads up the cyberdefense project in the Risk and Resilience Team at the ETH Zurich Center for Security Studies. One of his tasks is to examine how governments and organisations protect themselves against risks in cyberspace. “We provide policymakers with the scientific principles they need to make decisions,” he says. To do this, Bund maintains regular contact with the Swiss Department of Defence and the Armed Forces Command Support Organisation, which is to be transformed into a military cyber command by early 2024.
As a political scientist, his job is to place the technological risks in a political context. “We’re concerned with possible impacts,” he says. “For example, how are these technologies being deployed? What can they be used for? And how do they differ from conventional methods?”
Today’s governments face competition and conflicts on many different levels in cyberspace: disseminating false information in social networks, using cyber espionage to obtain secret information and deliberately seeking to cripple their opponents’ critical infrastructure. Yet individual actions can only be properly understood within a broader strategic framework, says Bund – and by continuously reassessing what actors hope to achieve, and what impact their activities may have. Experts are currently engaged in heated debate about the possibility of establishing rules for governments in cyberspace. “It’s a complex process,” says Bund. “As well as defining what it means for a state to behave responsibly in cyberspace, we also need to figure out how we want to ensure that those norms are followed in the future.”
The US presidential election in 2016 was a wake-up call for how sophisticated state-sponsored cyber conflict has become. “The fact that the national headquarters of both major parties in the US were targeted by cyber espionage operations came as little surprise,” says Bund. “But the way in which some stolen information was used in the election campaign in the attempt to manipulate voting decisions was a new combination of existing tactics and tools.” This illustrates how modern governments now have completely new methods at their disposal to interfere in another country’s affairs. According to Bund, Europe still tends to underestimate the significance of this point: “One possible explanation is that it’s harder to see the influence on election campaigns here because many continental European countries have a broader range of political parties.”
One aspect of particular interest to Switzerland is the law of neutrality. This has been amended on multiple occasions to reflect the emergence of new technologies such as telegraphy and radio – but the question now is how far the concept of neutrality can be extended to cyberspace. “Cyberspace spans the globe and has numerous fault lines,” says Bund. “Yet it is also connected to infrastructure in the real world. Switzerland and other countries need to consider under which circumstances these digital entanglements might bring them into touch with otherwise geographically distant conflicts.”
And that’s not the only reason Switzerland should be having this conversation: it also needs to consider its duty to protect international organisations based on Swiss territory. “These organisations are an attractive target for cyber espionage,” says Bund. “And that makes it more likely that Switzerland will be caught in the cross hairs of threat actors operating through cyberspace.” Learning how other countries are protecting themselves against cyber risks should therefore be a top priority, he argues. “And independent scientists like us can help share that kind of knowledge,” he adds.