A better view of the cyberspace landscape

The cyber world never sleeps. Data and information are being continuously sent back and forth all over the globe – including malicious files such as viruses or other ransomware. This can cause damage to the users’ terminal devices and generate data leakage illegally. In order to obtain an overview of such incidents, armasuisse is developing a Proof of Concept together with partners to manage the operational picture in cyberspace.

Colin Barschel, Cyber Security and Data Science, armasuisse Science and Technology; interview conducted by Anela Ziko, Innovation and Processes, armasuisse Science and Technology

Three views of the cyber platform superimposed on each other with various miscellaneous data on the operational picture in cyberspace.
Using a new platform, cyber incidents can be better monitored and shown in an operational cyberspace picture.

Mr. Barschel, first of all: What is meant by cyberspace today?

Put simply, cyberspace is a virtual or online world in which all the computers and devices are connected with each other via the Internet, including all Internet networks and the digitally sent data. It is thus the networked world with the interaction of man and machine and the data generated in the process. One area that has recently become increasingly important involves cyber security.

Why is cyber security such an important topic from your perspective?

Very many areas of private as well as business life are linked with each other via the Internet nowadays, and this gives rise to questions such as: What happens with the people? What happens with the data? The cyber world is unsafe and not every area is equally strictly regulated. In cyberspace, people can hide behind false identities and thus attackers have an easy game. For example, a computer can be quickly completely contaminated if you click the wrong links online without thinking and download malicious software without realising it. Where cyber security is concerned, it is not just about protecting your own data, for example, from unwanted data leakage, but also about making people aware of how they should behave on the Internet.

Let’s assume that a company in the area of critical infrastructure becomes the victim of a cyberattack, what should it do?

As soon as a cyberattack has been noticed and internal handling has been initiated, the company should report this cyber incident as quickly as possible to the NCSC. The NCSC is the National Competence Centre for Cyber Security. One of its tasks is to protect critical infrastructures. As such, it ensures that the negative impact of such incidents is as short-lived as possible and that the damage is kept to a minimum, as well as guaranteeing continuous monitoring of the threat situation so that active warnings can be issued.

How exactly does the reporting process work in the event of a cyber incident?

Private individuals and companies can report a cyber incident or a vulnerability via a reporting button on the NCSC’s website. The NCSC’s employees collect all the reported incidents, compare them with other internal and external sources or earlier reports and check whether similar events occurred in the past. As a federal agency, they also have access to further information from both private and federally-related businesses and administrations. All of this data is then used to create what is known as an operational cyberspace picture. The challenge is that the reported incidents first have to be manually transferred to a tool before the information can be processed and enriched with additional data. As part of an innovation project, we are currently working on developing a new platform which should help analysts at the NCSC to work more efficiently and to have access to a more comprehensive threat landscape.

What is the platform intended to provide? And what is innovative about it?

The platform aims to perform as many automated process operations as possible. Today, analysts have to manually enter the information on the reported incidents in a work screen. Using this new platform, it should be possible to enter the reports digitally and on an automated basis. The platform should be able to distinguish autonomously between relevant and irrelevant information and only automatically process the relevant information. The platform combines tools that already exist on the market with proprietary developments and thus enables centralised processing of all information. An overview of the threat landscape is thus created.

What is new or innovative about the platform is that no such platforms with the numerous necessary functions yet exist on the market.

What impact does this have on the platform?

We at armasuisse S+T have jointly created a new, complex analytical product from scratch together with the customer, the Armed Forces Staff and our industrial partner.

This starts with the definition of the functionalities, continues with the link to various critical or private information platforms and extends, ultimately, to handling and constant further development. As part of this process, we at armasuisse S+T were involved in this project in a very early phase, what we call the preliminary study.

What is also new is the selected procedure. We are not buying a finished product, but a service which will help us in developing this new system. The first step is a Proof of Concept to define the ideal solution and to reduce the development risk. This means that we are purchasing expertise and can schedule and deploy these hours in a targeted and effective manner to develop this platform.

Why was the decision made to not use an already existing product?

Buying a final product was out of the question, due to the uncertainty about precisely which functions should be available on the platform. Of course, certain elements are known. But to buy a product, a procurement with clearly defined specifications is always required. We were not able to meet this requirement. However, the added value of this in-house production is that we work together incrementally, in other words, step by step together – with both end users and developers – to find the most suitable solution for the application. As such proprietary developments already exist at the beginning as demonstrators or test versions, the costs are lower than if an existing product is bought, because such products are often subject to various conditions and, while they cover some important areas, they never meet the individual needs of the end user. The connection to various other platforms is also easier to handle with this proprietary development.

What are the challenges of this innovative approach?

On the one hand, there is the question of how this platform can be integrated into our end customer’s existing system. This will become more difficult the more secure the data structure is. In addition, a method must be found to link confidential data and sources to this platform in a compatible manner and without major obstacles. Thus both publicly accessible information and non-publicly accessible data are of great relevance for creating a comprehensive operational picture of cyberspace. In addition, most of the development is in-house, which always poses challenges. External elements therefore need to be integrated which must be compatible with the platform. And last but not least, the coordination with the various interfaces must also always be ensured. Currently, this is still completely possible, as we are in what is known as the Proof of Concept phase and are therefore not yet operative. However, this will change as soon as this platform is actually in operation as a finished product. This should be the case in about 18 months. The platform will then enable a complete operational picture of Swiss cyberspace – and thus contributes to protecting critical infrastructures and the security of Switzerland.