The National Test Institute for Cyber Security (NTC) tests what is not tested elsewhere. It examines digital products and infrastructures that are not or not sufficiently tested by the private sector. The NTC guarantees independent and extensive testing and thus make a strategic contribution to maintaining Switzerland’s security. Tobias Castagna leads the team of test experts at the NTC and is the No. 1 employee.
What makes the National Test Institute for Cyber Security different and what are the strategic benefits that it brings to society?
Vendors that test systems on behalf of others to verify their security have been around for a long time. But such testing only happens when someone is willing to pay for it. It takes a customer. Unfortunately, some manufacturers, operators, and distributors of digital products do not have the incentive or awareness to have their products tested for vulnerabilities. As a result, unsafe, unregulated, and uninspected products enter the marketplace. The NTC identifies and tests such products for vulnerabilities, even without a mandate, to reduce the cyber risks they pose. The results are made available to the public, authorities, and the business community. We do this under a strict vulnerability disclosure policy and support the fact that vendors or operators can provide an adequate means to fix the vulnerability.
Who pays the NTC for the work it does?
The NTC is a non-profit organization publicly funded. We have received a knock-on financing from the canton of Zug.
Aren’t you in competition with private companies offering security testing, attack simulations, bug bounty programs, etc.?
No, within initiative projects we test what is not tested otherwise. So, there is no customer and therefore no commercial market. Without the NTC, these socially relevant target systems would often not be the subject of testing.
As a matter of fact, we even have the experience that new projects are the result of our activities. As a result of our vulnerability disclosures, the security awareness of the target organizations increases. They realize how important and pressing the issue becomes, and often turn to the private sector to help.
What is an “initiative project”?
Unlike commissioned projects, initiative projects are carried out at the initiative of the NTC. That means, the NTC determines what will be tested and to what extent. The necessary resources are provided by the NTC and are ultimately funded from public resources. The results are publicly disclosed according to the Vulnerability Disclosure Policy, making them available to the general public.
You state that the NTC tests what is not tested otherwise, but also that the targets have to be socially relevant. What do you mean by “socially relevant”?
Our definition of socially relevant systems includes the following categories: First, widespread systems that, if compromised, would affect a large number of citizens and businesses. Second, critical systems that, if compromised, could cause significant harm to a relevant part of society. Third, systems without alternatives where there is a de facto obligation to use them. This may be the case, for example, due to legal requirements or a monopolistic position of the manufacturer. Finally, official systems that are operated for or by public authorities, such as the Confederation, cantons or municipalities, and thus for society.
In the case of initiative projects carried out by the NTC, there is no commissioner and thus no consent from the operator. Are such tests legal?
At first glance, Swiss law does not distinguish between “good” and “bad” hacking. Hacking is hacking, and as such it is against the law. However, good hacking, i.e., ethical hacking, is not punishable under certain circumstances. In a detailed legal opinion entitled “Criminal liability of Ethical Hacking“, the law firm Walder Wyss analyzed the legal situation in detail and concluded that ethical hacking remains unpunished if certain general conditions are met. The NTC has established extensive processes to ensure that these general conditions are met in initiative projects and thus remain exempt from prosecution.
Given the frequency of security vulnerabilities in IT products, do we need stricter regulation?
Poorly designed or excessive regulation can cause harm, make people sluggish, and slow innovation. On the other hand, well-designed and targeted regulation can help. Getting the balance right is not easy. What I think is helpful in practice is to have an open and constructive discussion to raise the awareness of security. The NTC’s initiative projects and the publication of the results are a contribution to this. Companies that are notified by the NTC of a vulnerability tend to get off lightly and tend to prioritize cybersecurity going forward. The publication of the results also alerts other companies. This creates an open discussion in which everyone can learn from each other’s mistakes.