zone

Stefan Krempl

Empire and Federation differ in security style

The political histories of Austria and Switzerland show up in their differing approaches to safeguarding their citizens' data and privacy.

In Austria and Switzerland, one can easily find a lot of similarities: both countries are largely Alpine, people mostly speak German (well, kind of) and their northern neighbour is a heavy influence on their image of themselves.
But it would be wrong to see either merely as a junior German doppelgänger. A pretty sharp cultural division also runs between the two mountain countries themselves. Austria was part of the Habsburg Empire for centuries, but is now part of the European Union (EU), and has to stick to the jurisdictional framework set by Brussels. Switzerland has been a free confederation for hundreds of years; it has a long, strong tradition of neutrality, and maintains its political independence vigorously. These differences influence their citizens' approach to IT security and privacy.

In Austria, for example, the former empire now has a chief information officer who is directly affiliated to the Office of the Chancellor. Reinhard Posch has held this post since 2001. A former professor of applied information processing and communications from Graz, he is proud of the pioneering work his country is doing in e-government. Austria was one of the first EU members to implement the digital signatures directive. “Today, all bills on the internet are signed electronically and dossiers are kept electronically as well,” Posch says. “A big impetus for using electronic signatures also comes from a rule that from 2007 will put electronic invoices on the same legal level as invoices by fax or ordinary mail. The chambers of commerce and the government worked hand in hand in pushing this forward.”

But progress is patchy. Asked for the rate of public acceptance of public key infrastructures (PKI), Posch admits, “It would be too early to call it a success story.”
Infosecurity Today May/June 2006
In Austria, things often start moving only when the state drives them. For example, policies for the use of strong authentication measures are in place throughout the Austrian administration. Posch himself can get his office email only if he uses a smart card with cryptographic and e-signature functions.

On the cards

There are two other big state-driven card-based projects for encouraging the public to use electronic signatures. One is called Bürgerkarte. This is a specification for the basic functions needed to secure electronic communications between citizens and the administration. The feature set can be integrated, for example, with the e-card, the other big government initiative, this one with the health sector. The corresponding electronic data transmission infrastructure consists of the social security card itself, which has been given out to 8.2 million insured people, and the necessary computer and internet equipment for 10,700 medical practices.

Companies and citizens are catching up, but slowly. “It is hard to achieve a high awareness for the needs of IT security in industry, especially within smaller and medium enterprises,” the state CIO says. “Normally they react only if some intrusion or damage occurs.” Posch complains especially that Austrian credit institutions still use a rather insecure procedure with passwords and one-time transaction numbers for online banking. “There is no willingness to upgrade to better levels of security that would rule out phishing,” he says. But he hopes that his lead projects for e-government will soon make identification processes on the internet easier and more reliable.

[Photo caption: Reinhard Posch: proud of Austrian e-govt. record]

[Photo caption: Jacques Beglinger: Swiss prefer general principles]

Avoiding the obvious
Peter Perdich, joint managing director of the Vienna-based security company Lanifex, agrees that infosecurity has lower priority at many enterprises and in the public sector. “Attention is growing, but there are still many holes,” he says. “Many corporations see IT security in isolation from corporate governance. They support the duplication of data centres or draw up contingency plans, but they still don't get into the management of data security risks per se.” Large companies usually install a chief security officer, Perdich adds. “But they often don't have a sufficient budget and can't move things forward in the enterprise. Real-time monitoring of security threats and business asset risk management are hard to find.” He is also unhappy with what he calls ‘hawking’ by many service agents with regard to data and network security. “Many network suppliers try to get a hold in this area,” Perdich says. “They just run a scan over your network and from that point on no-one takes care of the infrastructure for two years or so. Within two weeks, patches are not installed and a few months later you are close to catastrophe.”

There is still a long way to go to reach a satisfactory level, but there are positive signals, Perdich adds. He mentions the Austrian ‘Safe in the Net’ initiative, which is modelled after a similar move in Germany. Its sponsors are Microsoft, Bank Austria Creditanstalt, Computer Associates, eBay and Inode. The campaign gives tips to consumers and companies on how to avoid hacking or virus attacks, how to keep children safe in cyberspace and how to shop securely on the internet.

[Photo caption: Peter Perdich: Austrian risk management still patchy]

Ingrid Schaumüller-Bichl represents Austria on the Security and Protection in Information Systems technical committee (TC 11) at the International Federation for Information Processing. She is also professor for information security and risk management at the University of Applied Sciences in Hagenberg, which offers two special courses in information security. She stresses the growing security awareness in industry and public administration. “More and more companies in Austria understand the importance of a general concept for IT security for their daily business.”

Pushing forward

She is glad that the Austrian government funded KIRAS, a recent programme to promote security research, because “it pushed things forward”. KIRAS supports national security research projects whose results should help to underpin a high standard of living and opportunities for development. A primary theme is the protection of critical infrastructure. To make IT security accessible to Austrian public administration and companies, Schaumüller-Bichl co-wrote the IT Sicherheitshandbuch (IT Security Handbook), a reference guide inspired by the Grundschutzhandbuch (Baseline Protection Handbook) of the German Federal Office for Information Security (BSI).

[Photo caption: Ingrid Schaumüller-Bichl: Austria supports research well]

When it comes to privacy, Austrian experts are split in their understanding of people's wishes. “There are discussions about surveillance concerning telecommunications or CCTV, but they are not as heated and polarized as in Germany,” Schaumüller-Bichl says. Civil society groups like Arge Daten or Quintessenz watch for new surveillance programmes and fight for effective personal rights. There's also a privacy commission inside the government. CIO Posch stresses that the Bürgerkarte, unlike the new EU machine-readable passport, excludes biometric characteristics “because there were privacy concerns”. But Perdich believes that sometimes priorities are not set correctly. “There's a lot of concern about what personal data can be kept on the e-card, but not many people care that they are tracked all the time via their cellphones or RFID chips.”

Switzerland

The situation is different in Switzerland. Non-government privacy watchdogs are hard to find between Basel and Geneva. To be sure, each of the 26 cantons that make up the federation has a special state data protection officer. There's also one for the whole of the confederation, and citizens can look up websites for privacy laws or advice on fighting viruses or spam. Only in rare cases, and then mainly in cantons with larger cities like Zurich, do you find anyone criticising unlawful data collection by the police or other state authorities. “Swiss people are informed and sceptical, but in no way critical towards the state,” observes Peter Berlich, a Zurich-based security researcher. “We are a conservative country,” agrees Jacques Beglinger, a Zurich attorney who specializes in data law. “People have trust in the government. They assume that they have nothing to fear from the state.”

Formal agreement
Jay Heiser, an analyst with Gartner who has worked in Switzerland for several years at the banks UBS and Credit Suisse, notes: “The Swiss are highly formal, but they negotiate their rules. Once they agree something, they follow it.” Consensus is the magic that makes them tick. A good example of this is the Swiss privacy law. “It caters mainly to our wonderful tradition of working with general principles,” explains Beglinger. “Take Article 4 [of the general Swiss privacy law, the Datenschutzgesetz]. It states that personal data can be collected for special purposes only, and that the people concerned have to give their consent. Should there be some kind of excess we can fight them with this axiom,” the attorney says. “There's an umbrella of reason that covers everything. We have a necessary set of rules, but we don't want to restrain day-to-day business more than we need.”

That's why privacy and security laws tend to be technically neutral and broad, according to Beglinger. “We don't have a special law against spam or anything like that. We have laws that guarantee personal rights and fair competition. That's enough.”

Going into more detail would be something the attorney refers to as Ausdeutschung, a phrase that hints at the Germanic penchant for finding very special rules for every case.

Business-friendly

Another trend in Switzerland is that the legislative environment tends to be business-friendly. In and around Zurich, business first and foremost means private banking. Its roots go back to the Thirty Years' War (1618-1648), when mercenaries needed somewhere to keep their loot safe, Heiser contends. Safety and security are still major issues for the banking sector, as well as for the pharmaceutical and healthcare industries, which both have a strong base in Switzerland. The leading companies are global, which shapes their interests. “Enterprises here have two main needs: first, they want to ensure the best possible protection of secrets and personal rights against access or abuse from the outside. On the other hand, on the inside (of the corporation), they would like to share data without any restrictions, even over national borders,” Beglinger says. This conflict mirrors the difference between Swiss law and EU law, he adds. “It is stricter than EU privacy directives when it comes to keeping personal data safe from prying eyes that do not belong to a corporate entity. But it is also more liberal in permitting data transfers between subsidiaries of one enterprise.”

With data safety at the top of the agenda, banks in Switzerland have led the way in infosecurity solutions. “e-Banking is on a very high security standard,” says Berlich. “UBS started with a two-factor authentication procedure that is token-based and relies on a password.” Credit Suisse was quick to follow.

“UBS went with smart cards very early on and used them for single sign-on,” Heiser adds. “There was also a policy for keeping laptops locked down. Actually, I have seen nothing more locked-down than a Swiss bank, apart from the military.”

Solutions for identity management are firmly in place in the Swiss banking sector and other industries. But Swisskey, an early initiative to set up a nation-wide PKI service and certification authority, went bust in 2001. Not sustainable either was Infosurance, a 1999 initiative between government and large Swiss companies to protect critical infrastructures. But Infosurance lives on in association with a larger foundation that aims to raise security awareness, especially in SMEs.

Ethical hacking

Even so, there's still a lot of work to be done. This was revealed last year by tests carried out by an ‘ethical hacking’ team working on behalf of IBM. The team penetrated companies' networks in 90% of all internal engagements and in half of their external attacks.

Several enterprises base their research & development in Switzerland, often with a special focus on IT security. IBM, for example, runs a lab in Zurich, where ABB and Google have special facilities for schoolchildren as well, keeping their serious work for countryside locations. It would not be beyond the realms of fantasy for breakthroughs in security and privacy solutions to be made in Switzerland. But you would probably never know, because the researchers are very tight-lipped. It's all about trust in the country of the big mountain lakes and cuckoo clocks.

Does this face look bothered?

The process of reforming their privacy law gives a good insight into Swiss attitudes to data security and privacy. The need arose when it became obvious that the health sector needed stricter privacy regulations to safeguard patients' data in card-based IT projects. Other companies feared that tougher rules would apply to them as well, and hamper their ability to collect data and exchange it internally. Lobbyists, data security officers and other state officials found a compromise that experts like the Zurich-based attorney-at-law Jacques Beglinger believe may work. The solution they found lies in better self-regulation of the industry, supported by permission for more internal data transfers. If a company agrees to a security audit and qualifies for certain certificates, or if it appoints special staff for data protection and thereby shows that it takes the issue seriously, it is granted certain rights to use customer data. These carry fewer restrictions than for a competitor that does not open its security mechanisms to external examiners. “As per normal, it's been a very unagitated discussion,” Beglinger says.

But he's unsure whether the certification process really leads to better security. “But it's definitely good for something: it strengthens the basic trust that Swiss people have in organizations.” There's just one thing he's not that comfortable with: as more and more personal data may be collected in private industry, the hunger of state authorities to make use of these data for crime and terrorism prevention also grows enormously. “That might be well worth a serious discussion,” Beglinger says.
Stefan Krempl is a Berlin-based freelance writer who covers IT and its political, social, and economic effects.