Evaluating the Impact of Integrating Civil Cybersecurity into the Defense Department

The decision to place the new Federal Office for Cybersecurity within the Department of Defense (VBS) has sparked considerable debate. Viola Amherd, the head of the VBS, advocated for this move, citing potential synergies between civilian cybersecurity and military operations. However, nearly a year into its operation, the anticipated benefits have yet to materialize.

Two years ago, the Federal Council deliberated on the topic of civilian cybersecurity, ultimately leading to the assertion that the VBS could provide the most effective protection against cyber threats to the public, businesses, and government entities through these synergies. In December 2022, the Council decided to establish the new office under the VBS. Since it became operational in early 2024, the Federal Office for Cybersecurity (BACS) has faced significant challenges, raising concerns about its effectiveness.

The difficulties faced by BACS stem from dual transformations: the National Cybersecurity Center (NCSC) transitioned into an independent federal office and relocated from the Federal Department of Finance to the VBS. However, this restructuring only partially accounts for the challenges at hand. There is also a noticeable absence of a clear strategy within the VBS aimed at strengthening civilian cybersecurity, as initially promised.

A fundamental misunderstanding appears to exist regarding the military's role in protecting Switzerland from cyberattacks. The military lacks the legal framework and technical capabilities to effectively shield the nation from such threats. This misconception has persisted despite prior warnings about the limitations of military involvement in cybersecurity.

Initially, when discussions about the new Federal Office for Cybersecurity began in 2022, the VBS advocated for a centralization of cybersecurity responsibilities, proposing that the office also handle security policy functions and situation assessments. However, due to opposition from other departments, the VBS shifted its stance, opting for a more neutral, technical role for the new office, which the Federal Council ultimately accepted.

Concerns regarding the proximity of the new office to the military and intelligence services prompted skepticism from IT security experts. These experts feared that the military's involvement in offensive cyber operations could lead to conflicts of interest. Such apprehensions were echoed within the NCSC, resulting in multiple resignations, particularly from the GovCert team, a critical unit responsible for supporting the government and vital infrastructure during cyber incidents.

In late 2023, just before BACS commenced operations under the VBS, the Federal Council retracted its responsibility for cybersecurity within federal administration, thereby relegating the office to a supportive role for Switzerland's critical infrastructure.

As BACS has operated for one year, it has become evident that it does not receive a high priority within the VBS. Operating on a minimal budget, BACS was allocated merely 13.3 million francs in 2024, a figure that is considered insufficient given the importance of cybersecurity. An increase to 16.1 million francs has been proposed for 2025.

Despite financial constraints, BACS has performed commendably in its first year, largely attributed to the leadership of its director. His ability to engage effectively with various stakeholders has been noted positively. However, his recent remarks in the annual report suggest a need for clearer directives from the government regarding the office's expected functions and the resources necessary to fulfill them.

In Parliament, a bipartisan movement is emerging, advocating for a budget increase for BACS, with proposals to double its budget to 31 million francs within two years. However, funding alone will not resolve the underlying issues. There is a pressing need for the VBS to establish a coherent cybersecurity strategy. While the integration of BACS into the VBS was a significant step, subsequent actions have led to a perception of indecision.

Moving forward, there are hopes that the new VBS leader will provide a clear vision for advancing Switzerland's cybersecurity framework, especially in light of intensified threats from abroad. The current state of affairs is inadequate in addressing the evolving landscape of cybersecurity challenges.