The most secure Internet is hardly being used
There is no end to the news about hacker attacks. Yet there is a new technology that keeps attackers out. It was developed by an ETH professor and implemented by the Swiss National Bank together with telecom providers. But further dissemination is faltering.
The original version of this article (PDF) written by Anna Wanner in German appeared on July 11, 2023, across several CH Media newspapers. The version in English is a courtesy translation by Anapaya.
Attacks on companies, national institutions and critical infrastructures are increasing. At the beginning of February, a ransomware group attacked the University of Zurich, shortly afterwards the Swiss Federal Railways (SBB) reported a cyberattack, and municipalities have also recorded a significant increase in attacks on their systems over the past year. Most recently, cantons, the national parliament and the federal administration have also been among the victims of cyberattacks.
For example, Russian hackers attacked several websites of the federal administration - three days before Ukrainian President Volodymyr Zelensky's speech to the Federal Assembly. According to the National Cyber Security Centre (NCSC), the attack targeted the entire federal administration: the websites were no longer accessible, federal applications were no longer available. DDoS (Distributed Denial of Service) attacks on the administration's IT systems paralysed the systems.
Last week, the extent of the breach caused by a ransomware attack on the IT company Xplain in Interlaken became public: the hacker group Play released on the Internet construction plans of police and army systems, addresses and security data of federal councillors, as well as information on the protection of local embassies.
The nature of the attacks differs. What is undisputed, however, is that the financial damage is great and that the attacks undermine trust in the authorities.
Up to 250 billion francs for cyber security
Switzerland is not alone. Worldwide, the damage is growing rapidly. This is because the digitalization of the economy is advancing and with it interactions on the Internet. Hackers are offered more attack surface. The McKinsey management consultants estimate that the damage worldwide will grow to 10.5 trillion dollars per year by 2025, or almost 10,000,000,000 Swiss francs. That is three times more than in 2015.
This also increases the need for security. Private individuals, companies and authorities spend more money every year to protect themselves, their data, systems and services. Depending on the estimate, 150 to 250 billion dollars per year are invested in cyber security worldwide - with an annual growth rate of over 12 percent.
Larger companies that hold highly sensitive data and offer critical services tend to protect themselves extensively. The prime example of this is money transfers by local banks.
The Swiss National Bank (SNB) must ensure that the transfers between the financial institutions work properly; it is responsible for the so-called Swiss Interbank Clearing System (SIC). In 2022, an average of around 3.7 million payments worth CHF 200 billion were processed through this system per day. On peak days, it can be over 12 million per day - with turnovers of up to 403 billion francs.
It is unimaginable what would happen if transfers could not be transmitted and thus no longer reach the addressee. Also unimaginable is the chaos that would ensue if private accounts were suddenly not accessible for a longer period of time. Who still has enough cash today to be able to sustain themselves for several days?
The Swiss banking centre as pioneer
To protect the payment system from attacks and to ensure transactions without major interruptions, the SNB and all SIC participants rent point-to-point connections to the central SIC system. Military or intelligence services also communicate via such private lines in order to exclude access from outside.
The banks' connections are thus secure, but comparatively less resilient: if a network connection fails, it takes up to three minutes to switch to an alternative connection. In times when customers want to pay for their goods or receive money in a matter of seconds, speed is also a security issue.
The SNB showed itself to be open and interested in new technology that is future-proof and at least as secure as the current procedure. The SCION protocol developed by ETH Zurich under Professor Adrian Perrig meets the strict criteria because it promises a significant increase in security and other desirable features (see "How the SCION protocol works" below). For example, the closed network limits participation to a group of participants from the financial sector and can protect participants from certain attacks such as DDoS, BGP hijacking or re-routing.
Together with the financial services provider SIX, which provides the infrastructure for the Swiss financial centre, the SNB developed the Secure Swiss Finance Network (SSFN) project, via which the Swiss financial centre will communicate for the most part in the future. Currently, the transition from the existing network is taking place and will be completed by the end of September 2024.
For the project, the operators Swisscom, Sunrise and Switch have joined forces with their networks to establish a new security standard, significantly increased resilience, and fault tolerance. Thus, if a provider fails, the ongoing communication is not affected and the customer - for example a bank - does not notice the disruption.
According to the SNB representative Sébastien Kraenzlin, Head of Operational Banking, another advantage of the new technology over the universally accessible Internet is that only financial market participants and service providers who meet the strict admission requirements for the SSFN can participate. This virtually eliminates the risk of external attacks on the network. "However, financial market participants must continue to protect their own infrastructures themselves." The secure network protects communication and not the entire operation.
How the SCION protocol works
Communication over the internet, the exchange of critical content, can only be protected today with a great deal of effort because neither the sender nor the recipient can control where their data passes through. The SCION technology manages this traffic. The customer determines which connection is trustworthy and where the information passes through, thereby excluding potential attackers.
A well-known bank is attacked 80,000 times a day
Specifically, measurements by Anapaya, the ETH spinoff of Perrig and the distributor of the SCION router technology, vividly demonstrate how networks are protected using the new technology. The company measured the attacks on a major Swiss bank in the last quarter of 2022 and counted 80,000 attempts every day to penetrate the bank's system via the network. Of these, 1,000 attacks are targeted, i.e., malicious, so-called code injection attempts. "When we switched to SCION technology, we expected a massive reduction in measurable attacks," says Anapaya CEO Martin Bosshardt about the tests. The result even amazed the developers: "There hasn't been a single attack that took place through the SCION network and should have been blocked by the firewalls. The number of malicious attacks per day, which used to be around 1,000, dropped to zero."
Only error messages, such as incorrectly entered passwords, still appear in the statistics. However, there have been no more attacks that could have caused damage if access to the system were not well-maintained and secured.
The increased security is a direct result of the technology, which only routes the data through trusted routers: for outsiders, i.e., attackers or their bots (programs that look for loopholes), the network and its participants are no longer visible at all, as Martin Bosshardt explains. So, if a network participant decides that he only considers other participants from Switzerland to be trustworthy, his connection and the services he offers on the network will not appear to users abroad.
And from this derives the greatest security advantage: As a rule, criminals use stolen passwords and logins to gain access to business networks or even private computers. If a system cannot be found at all, then even the logins, passwords and certificates are of no use to the hacker because he can no longer reach the system. Martin Bosshardt speaks of a "giant step in security" because the individual participant can now define who can theoretically still attack him.
The advantage of using SCION technology in Switzerland: by preventing attacks from abroad, cybercriminals are only left with attack options from Switzerland. But here, the Internet providers Swisscom, Sunrise, Switch and the like control the data traffic. This means that the users' addresses are all traceable and identifiable. This in turn means a great help for law enforcement, which can better track down the criminals.
Another statistic from Anapaya shows where the attackers come from. The company analysed the countries of origin of the almost seven million attacks in just three months on the Swiss bank mentioned above: the majority of the attacks came from China. The second-largest share of attacks came from the USA - from the large cloud providers that offer anonymity.
In such cases, identifying the perpetrators is virtually impossible, also because they are partly covered by their states of origin.
Number of attacks on a Swiss bank per day, October to December 2022
Origin Countries of the Hackers
Analysis of Attacks October to December 2022 for a single day
The Swiss Federal Administration is also testing the technology
So why is this technology not (yet) more widespread? On the one hand, the danger is not very visible: because cyber-attacks are not generally subject to mandatory reporting in Switzerland, it is difficult to quantify the extent of the damage. For example, large-scale attacks like the one at SBB only become public when disruptions become noticeable - or when stolen data is published.
Furthermore, the technology is still little known and meets with a great deal of skepticism, as Martin Bosshardt notes. But cyber-attacks are on the rise - also on the home office accounts of companies. Thanks to the co-operation of Swiss Internet providers in the implementation of the new technology, global attacks on critical systems may be prevented. The SNB, for example, has now also secured most of its home office access for employees via SCION.
However, the technology is not unknown: Florian Schütz, the Confederation's delegate for cyber security, confirms several trials upon request. For example, the Federal Department of Foreign Affairs (FDFA) connected the Swiss embassy in Germany via SCION technology as a pilot test in 2019. The FDFA launched a second pilot test in 2021 with the connection of the embassy in South Korea and the connection to the demilitarized zone on the border with North Korea.
The army and the National Cyber Security Centre (NCSC) have also tested the technology. Armasuisse's Cyber Defence Campus has been operating a permanent SCION network test infrastructure to connect its sites in Zurich, Lausanne and Thun since 2022. This test infrastructure is used for research and innovation and is currently being expanded with an additional SCION node in Estonia at NATO's Centre of Excellence for Cyber Defence to test 5G networks via SCION.
Whether and when this can also be applied in other areas is still open, says Florian Schütz. "The technology is interesting but does not mean ultimate security." For example, he says, the systems that need protection are never completely isolated. "There is always an entrance," explains Schütz. But the technology reduces the attack surface.
Certain cyberattacks can also be controlled by other measures. For example, DDoS attacks could be prevented by using more capacity, i.e., higher-bandwidth connections. However, that is ultimately a matter of cost. "In this way, the risk appetite for each company is manageable," says Schütz.
A gigantic advantage for Switzerland's security
Nobody claims that SCION technology can solve all cybercrime problems. "Granular control over one's own attack surface makes a fundamental difference in terms of security. Building up enough pressure for a DDoS attack is simply not possible with SCION. This means that costly, constantly growing defense bandwidths are no longer necessary," says Martin Bosshardt and specifies: "In addition, anonymous attacks across legal borders are no longer simply a technical given. Such risks can be eliminated or taken in a selective manner."
The Anapaya CEO speaks of "secure communication", as opposed to "secure access". This means that common security applications such as firewalls, virus protection and encryption of information are still needed.
Martin Bosshardt is aware of this: "It still needs a lot of energy and staying power to bring the SCION technology further into use." The Anapaya CEO also had to be patient for the cooperation with the SNB.
"The SNB is very conservative when it comes to security issues," says Sébastien Kraenzlin, explaining the long test phase. It was by no means clear that the new technology would one day be used. "We put it through rigorous testing for two years."
The SNB's decision to use the technology for the Swiss banking center is therefore akin to an accolade: the technology must meet the highest security requirements. At the same time, the SNB enabled the spread of SCION connections throughout Switzerland by convincing the local Internet providers of the project, as Sébastien Kraenzlin says.
Swisscom, Sunrise and the like have invested millions in the technology. The SNB representative therefore sees great momentum for the country: "The financial sector, with its highest security demands, led the way. Now we hope that other institutions, companies, and authorities will also adopt SCION technology, thus establishing a new security standard in communication."
The foundation stone has been laid; already today, interested parties can order SCION access from the telecom providers and connect via a secure network (Swiss ISD) using the necessary software and hardware. This results in a tremendous advantage for the country, as important systems within the SCION technology's "White Net" are more secure: This includes not only the services of the financial sector, but also healthcare services, public infrastructures like rail transport, and energy supply.
Telecom providers also see a great opportunity; they have invested. The big question is, does Switzerland see it too?