Exactly one month after the bombshell revelations that the CIA and the German BND owned Crypto AG and controlled its "sister company" InfoGuard - for decades, respectively, the most trusted secure-communications providers to the heads of state of 130 nations and to top private banks - a Spring reportage by Rene Jaun gauged the response of leading Swiss IT security firms.
The scandal greatly impacts the actual and perceived trustworthiness of the Swiss and Swiss-based IT security sector. For decades, Swiss IT security and confidentiality - ensured by laws, Swiss neutral status and technical prowess - has been a key locational advantage for huge corporations in life sciences, oil, private banking and other critical sectors.
Yet it mostly impacts firms targeting the highest-risk customers, public and private, and above all providers of IT confidentiality - one of the three canonical pillars of IT security, alongside integrity and availability. That is because powerful Western national security agencies are far more interested in spying on the communications and transactions of the world's most powerful and wealthy, while they have a strong interest in preventing major IT integrity or availability failures in the financial system of a key allied country, where 25% of cross-border global wealth is managed.
The Swiss IT confidentiality market has been quite small, having realized little of the potential out there. Even though the 2013 Snowden revelations led Forrester Research to forecast a 180 billion market for providers offering the level of privacy that US companies could not offer, the Swiss market realized only a fraction of that potential, while US and Israeli companies have thrived.
Swiss IT confidentiality providers are mostly split into client-side and server-side providers - with a few providing both, like Securosys, and hardware companies packaging their offering as managed services, including training, emergency response, and more.
Swiss client-side IT confidentiality providers, mostly aimed at the highest-risk individuals, banking and enterprise users, include the "offspring" of Crypto AG (Crypto International, CyOne, InfoGuard), Kudelski Security, and fast-growing startups like ProtonMail and Threema, which collectively constitute a small business with a few hundred million francs in revenue and a few hundred employees in Switzerland.
A substantially larger market is constituted by Swiss secure data centers, which have leveraged their Swiss incorporation, laws, neutrality and engineering excellence as a key locational advantage, backing their claims of globally unique levels of confidentiality - even against pressure or subversive hacks by foreign and domestic security agencies - in addition to integrity and availability, even in times of war.
The reaction of leading Swiss IT security firms to the Crypto AG scandal has mostly been silence, or statements indicating that they'll mostly "carry on as before" ("weiterzumachen wie bisher", as they say here in Zurich). A few proposed improvements equivalent to a band-aid on a bullet wound, some calling for a "manifesto of principles", while others listed safeguards they already have in place that supposedly should make backdoors impossible.
Nick Mayencourt, the organizer of the largest Swiss IT security conference, Swiss Cyber Security Days, called for playing down the affair, stating that "the real scandal here is the scandal of the scandal." Others, like Securosys - a Swiss IT security leader that secures $100 billion of financial transactions every day - have explained in a recent interview with CNN how the safeguards they already have in place protect them against backdoors.
Prof. Stefan Frei, an employee of the US-based Accenture consultancy, has come forward claiming that their supply-chain security standards initiative would solve the Crypto AG problem, forgetting (?) that "trust cannot be added to integrated circuits after fabrication". Many have started to ask whether the levels of transparency and external independent oversight at Threema and ProtonMail - two Swiss cryptographic success stories with millions of users worldwide - are sufficient, in a post-Crypto AG world, to deliver the levels of confidentiality they promise - even though their solutions are app- or browser-based, and so cannot be more secure than the device they run on.
There has been no survey published yet on the impact of the Crypto AG affair - and of the revelations that even Bezos cannot protect his most sensitive personal communications - on the level of trust that high-net-worth individuals have in Swiss private banks and in Swiss private banks' client-side hardware and software solutions. But it has surely decreased the overall trust of high and ultra-high net-worth individuals - a key demographic for the Swiss economy. Even before the scandal, they considered current IT security solutions so inadequate that a recent survey by UBS Group found cybersecurity to be their second greatest concern, after "their country politics", while Switzerland "was the only region to cite data privacy as a top-three concern".
Sure, sitting and waiting for a while lets the storm quiet down and the stirred waters settle, and will surely mitigate the short-term damage.
But there will surely be a long-lasting and deep impact if no changes are put in place. Increased Swiss parliamentary oversight of the intelligence services will surely come about. But that is not sufficient.
Unless the Swiss government or economic actors set up meaningful changes, Swiss and Swiss-based IT security companies, large ones and especially innovative startups - those not mainly dependent on captive Swiss clients - may well find it more advantageous to move to Israel, Germany or even the US where, at least, investors for larger rounds are much more available and market opportunities much larger.
In fact, Kudelski - together with Crypto AG the largest and oldest Swiss IT security leader, and whose CEO is the President of Switzerland's main innovation funding agency, InnoSuisse - has started moving a large part, or most, of its R&D and production offices to the USA.
Some leading early-stage cybersecurity startups, like the bright team at XorLab, are also reconsidering the advantages of being in Switzerland. We have been invited by a former head of the cybersecurity division of the Israeli Prime Minister to have meetings with investors, partners, and clients in Tel Aviv, to explore our move there.
Let's hope that a few large actors of the Swiss economy, like enterprises, industry associations or private banks - with the formal or informal endorsement of the federal government - can put in place a more active strategy than just sitting and waiting.
One strategy could be to set out to turn the Crypto AG affair from a public image disaster into an opportunity for Switzerland to shed the baggage of the compromises the Cold War required, by leading in the creation of Swiss-led international standards and certifications that will transparently reconcile the legitimate needs of law enforcement and intelligence agencies with the need for meaningful privacy of our personal and social communications.
A September 2019 survey carried out by Digital Switzerland, well before the Crypto AG affair, revealed that nearly two-thirds of Swiss citizens are worried about the loss of privacy online. A majority (62%) "want to see more regulation for new technologies and the Internet". There was even support among those surveyed for "an independent oversight body set up by the state".
As TRUSTLESS.AI and the Trustless Computing Association, we have a very concrete vision for a new voluntary Trustless Computing Certification Body that can re-establish Swiss leadership in IT security on solid ground, and in the promotion of influential new international bodies and treaties on the most critical aspects of our Digital Age. We detail this vision in a recent blog post: From Crypto AG to Trustless Computing: a Vision for Swiss Leadership in Digital Trust.