A Comparison of National Cybersecurity Strategies – Challenges for Switzerland
In 2018, Switzerland released its second national cybersecurity strategy. To put the Swiss approach into perspective, this CSS study compares the strategies, policies and governmental structures of Germany, Finland, France, Israel, Italy and the Netherlands to highlight similarities and differences and to discuss the relevant challenges and further implications for Switzerland.
Digital transformation, which is emerging as one of the major challenges of future years, offers not only wide-ranging advantages, but also harbors new risks and engenders new vulnerabilities. A majority of states has begun to address these by developing national strategies under the heading of ‘cybersecurity’. Switzerland published its second ‘National Strategy for the protection of Switzerland against cyber risks’ (NCS), which identifies main challenges, traces responsibilities and outlines future action, in 2018. This study compares the cybersecurity strategies adopted by Germany, Finland, France, Israel, Italy and the Netherlands in order to place the Swiss approach within a broader international context and elicit the most important future challenges through comparison.
It focuses on key strategies, describing main actors and their tasks (in particular the distribution of tasks between civilian and military authorities in the fields of ‘security’, ’defense’ and ‘law enforcement’), and identifying the general challenges for organizing national cybersecurity policies.
The cybersecurity strategies examined share a number of common conceptual elements. Six central aspects have in particular been found across all of the states in the study: a holistic approach which encompasses both national security and socioeconomic aspects; links to broader national security strategies; a central focus on developing defensive cyber capabilities; great appreciation of international cooperation; emphasis on the necessity of cooperating with the private sector; and finally the need for greater awareness, education and information.
The most important differences between the examined states lie in where cybersecurity is positioned within the context of government structures, and who bears which responsibilities. This relates to the extent of centralization, the relationship between civilian and military forces, and the tasks of intelligence and law enforcement services. These differences arise predominantly out of the states’ distinct political cultures and ways of organizing their political systems.
Given the global nature of cyber threats, comparable states are confronted with comparable challenges when developing, implementing and maintaining their cybersecurity strategies. We have identified eight challenges:
- the (vertical) integration of national cybersecurity with national security and/or an overall strategy for controlling national resources as efficiently as possible;
- the (horizontal) coordination of different bodies tasked with cybersecurity matters, in particular the challenge of finding the right balance between centralization and reliance on existing competences;
- the promotion of international cooperation and the establishment of international norms of conduct in an environment in which geopolitical fault lines have deepened;
- the creation of sound, resilient structures for crisis management, including efficient crisis communications, and the development of a strong ability to respond to serious incidents which takes this communications aspect into account;
- the development of an adequate situation analysis and a precise analysis of threats, both of which must resist exaggerated assessments of cyber threats despite the difficulty of collecting reliable data;
- the building of capacities and the design of future education and training programmes to address shortages of specialist cybersecurity staff;
- the development of a framework for cooperation with the private sector which promotes national security without hampering innovation; and
- the harmonization of laws and efficient strategies for fighting cybercrime.
Switzerland is also exposed to these challenges. If a small, wealthy state such as Switzerland wishes to secure its future in a digital world, it should ensure that it invests adequately in cybersecurity without excessively expanding the reach and role of government. This requires all parts of government to work towards the same overarching goal. At the same time, capacity-building and the design of education and training programmes likely constitute the most productive approach.