Transcript of interview with Thomas Süssli and Myriam Dunn Cavelty
A few weeks ago, we ran our third SCS in a nutshell online interview with Lt. Gen. Thomas Süssli, Chief of the Swiss Armed Forces, and Dr. Myriam Dunn Cavelty from the ETH Center for Strategic Studies. Please find the video of the interview on Youtube and the podcast on our channel at Anchor
This blog post brings you a few take-aways and further down below the complete transcript of the interview.
Myriam Dunn Cavelty has a 20-year track record with thinking about cyber politics and cyber defense. She specialized in this area before it was a hot topic and she continues to be one of the few experts on the subject in Switzerland. Thomas Süssli had an impressive career in the private sector before becoming a full time officer in the army. For two years, he used to lead the FUB (Führungsunterstützungsbasis), the army’s IT service center that is also home
to its cyber security experts. And in 2020, he was promoted to be the chief of the Swiss Armed Forces, a signal that cyber defense is becoming more and more an important topic for Swiss military.
Few people read the detailed annual reports of the Armed Forces and so very few people are aware that the military is conducting active missions in the cyber space in networks outside Switzerland today; missions it executes on request of the national secret service.
Lt. Gen. Thomas Süssli
The intelligence service can also assign us certain tasks to complete. The legal basis for this is always the Intelligence Service. This is already happening today. It’s in the ZEO organization as of today.
ZEO is the Zentrum für Elektronische Operationen (Center for Electronic Operations); an entity that is prioritized for being moved into the new Cyber Command that the Armed Forces are building.
Myriam Dunn Cavelty went on to explain that Switzerland follows a peculiar architecture in this regard. In other countries, the military is kept separate from the intelligence services who carry out their cyber operations themselves. In Switzerland, the Armed Forces can execute cyber missions in foreign networks in the service of the intelligence service in peace time; a mode of operation that is covered by the Intelligence Service Act.
We will see whether the creation of the Cyber Command will raise foreign awareness for these missions or not; Lt. Gen. Süssli has stated in the interview that he is not expecting any troubles in this regard.
The army is exploring artificial intelligence projects that are employed to process information the army gathers from a wide range of sources and sensors. For Dr. Dunn Cavelty, there is a direct link between AI projects and the push for open data in the sense that free or open access to data will allow everybody or at least also smaller players to carry out such projects themselves.
Dr. Myriam Dunn Cavelty
One of the big topics in the future is access to data. We are trying to push for open data, also in the European Union. … It’s almost like a democratic approach to AI, that everybody can actually start training AI systems.
We thought that was a very interesting thought and definitely an angle to the AI discussion we had not seen before. Putting this into a research context is of particular interest here, since AI systems are very often black boxes. It’s the ability to train your own system that allows you to research existing systems and discover their inherent weaknesses and their systematic biases that are often present due to inappropriate training data.
But let’s get back into discussing cyber defense or the role that cyber is playing in the military domain. Both experts agreed that the term cyber war is stupid, since it transports a wrong image of the whole situation. There is no cyber war in sight. But cyber is already a tool that complements the existing military toolbox and it’s an element that is being used in the gray area below the threshold where a war officially starts. So very much like doing a maneuver near the border or accompanying your fishing boats with military patrol, armies are executing cyber missions to send out certain signals or to achieve certain goals.
Lt. Gen. Thomas Süssli
What concerns me: a lot of people think that cyber is going to replace the existing threats. It’s not, it’s going to make them more dangerous even. And this is the reality now, cyber is always part of an overall operation. … In the end, in military terms, it always has been and it’s going to be boots on the ground, that make a difference.
So, we do not have to expect an army invading another country by cyber means alone. But there is a growing number of examples where multi-domain action includes cyber attacks to support the overall mission. This sure puts things in perspective.
Please find the full transcript of the interview below.
Christian Folini and Adriana Cantaluppi
P.S. Please note we smoothed the quotes above a bit for better readability.
See below for the exact wording.
This is a transcript of the interview in the “Swiss Cyber Storm in a nutshell” series streamed on Youtube on April 30th, 2021.
Dr. Christian Folini: Welcome to Swiss Cyber Storm in a nutshell, our third edition of Swiss Cyber Storm in a nutshell. With me today is Dr. Myriam Dunn Cavelty from ETH Zurich Center for Security Studies, and Lieutenant General Tomas Süssli, Chief of the Swiss Armed Forces. We are going to talk about many, many topics today. Probably I have more in my list than we can cover, but there’s a lot of things to talk about. The army is on and on in the news and Mrs. Dunn Cavelty has done a lot of research on these topics.
One of the latest news has been that the Swiss Army is going to transform a center for cybersecurity, the so called “FUB”, the English abbreviation is very complicated, so we constantly talk of FUB, which is a German term for “Führungsunterstützungsbasis”. And this is going to be transformed over the course of several years now into a top level Cyber Command. If we look at this in an international perspective, Mrs. Dunn Cavelty, how does Switzerland relate to this? Is this a natural step? Are we on the forefront? Or is it about time to finally do this? How would you contextualize this?
Dr. Myriam Dunn Cavelty: Well, I would say it’s all three and it obviously depends, you know, which aspects you focus on etc. But that armies of the world but also the strategic establishments of the world are taking cybersecurity and cyber defense and cyber offense seriously. That is absolutely the trend. And I would say: “Focused strategic thinking about what is needed” – that is also done everywhere. And it’s good that Switzerland also does it and takes the step carefully, as I know. And I think one of the big challenges will be to understand what capabilities are needed, and then actually building them up. Because what we also see internationally is that a lot of states say “yes, we are now having a Cyber Army and a Cyber Command”, but sometimes they don’t follow up with the capabilities and that is a bit of a problem. And I hope that Switzerland will do better than some other countries.
Dr. Christian Folini: Okay, so you think that it is more than only a signal. You have to walk the talk.
Dr. Myriam Dunn Cavelty: Yes, exactly.
Dr. Christian Folini: Okay. So what do you expect from a Cyber Command what the FUB cannot do, or is not supposed to do right now? What are your plans?
Lt. Gen. Thomas Süssli: Actually, it is mainly a question of focus. And gaining this “fighter spirit” we don’t have today. The current FUB as you call it, in English it’s really boring “Command support Organization” or “Armed Forces Command Support Organization”, it’s a service provider, an IT service provider. It’s a service provider in the era of Telecom, and not really focused on cyber. And what we expect here with this is a clear focus to increase the capabilities without having to add more resources.
At the same time, we are writing a concept, a new general concept for cyber in the armed forces. And that will describe the future capabilities, and the Cyber Command will just follow that concept. So, there’s a conceptual, overarching idea and then the Cyber Command will implement that.
Dr. Christian Folini: The way I’ve read your latest press release on the topic was that FUB continues to exist, and you’re building the new organization next to it and then slowly transfer tasks over.
Lt. Gen. Thomas Süssli: If you conduct big changes, it’s always a question how you do it. And there are different approaches, one might be more kind of a leadership approach, where you slowly turn all the heads in the organization. That might be, well, I mean, the benefit of that is you can have a strong culture.
A second approach might be and that’s not suited for our administration, but then you get rid of all the resources you don’t need. And then you buy in the skills you need actually.
And the third approach is what we chose now, is you actually build it in parallel. So, this dualistic approach, and what we think is this gives us first of all time for conceptual work. So, to free time to think, to conceptualize, to plan and then slowly implement. When I say slowly, it’s not that slow. So, the idea is to have the command up and running with the same capabilities as today, as of 1st of January 2024. So, for us I would say this is rather fast…
Dr. Christian Folini: …for a Swiss Army perspective…
Lt. Gen. Thomas Süssli: … for administration.
Dr. Christian Folini: Okay, now you’re doing cyber security already. Cyber defense within the FUB is a topic. The way I understand it, you just said what the tasks are. But there are these closer-to-cyberwar-tasks that you carry out in the service of other organizations, like the NDB National Secret Service asks the army to carry out a task. So, this is something that the new Cyber Command will then take over. Do I get it correctly?
Lt. Gen. Thomas Süssli: Absolutely, yes. So it’s the intelligence service, which can also task us for certain tasks to complete. This is always based on the Intelligence Service Act, this is the legal basis for that. This is already happening today. It’s in the set ZEO organization as of today…
Dr. Christian Folini: …which is within FUB.
Lt. Gen. Thomas Süssli: Which is within FUB. But it is probably a bit of a closed shop within FUB today, and the idea is, those capabilities to also leverage those more in the new Cyber Command. But those services will also migrate into Cyber Command, probably next year or the year after next year.
Dr. Christian Folini: Okay. So this is the focus, obviously?
Lt. Gen. Thomas Süssli: Is one of the focuses.
Dr. Christian Folini: This Swiss setup where the army in peacetime takes over certain functions that evolve around cyber and cyber defense, active defense, is that the way other countries handle this, or do they have… is the Secret Service not the countries doing this by its own, or is this a Swiss specialty?
Dr. Myriam Dunn Cavelty: I think Switzerland is very special. If you look at our ministry of defense, we have something that not many others have: it does a lot of things, it has the armed forces, it has intelligence, but it also has critical infrastructure protection, or at least civil defense. And that makes it a very, very special department. And I think also the weight it has, in the overall architecture, if we go beyond the MoD (Ministry of Defense) now and look at, you know, other actors that are important for cybersecurity in Switzerland, it has a lot of resources. And I think that is also reflected in how the new strategy that just came out last week, I think, kind of positions the VBS our MoD. So, it is very special. And I think there’s a strength in there that we sometimes maybe don’t communicate enough about also to others. But it also makes comparisons a little difficult. And the two “new” laws (I mean they’re not so new anymore) but the two laws [that] were mentioned, they are absolutely crucial. So the one for the intelligence, but also for the military, where these tasks are now clearly separated. And there is an ability to make sure that there is also an oversight that is possible, because I think that is one of the topics that are sometimes a bit difficult in other countries where you have a destabilization of trust in civil society etcetera, because you don’t fully understand who is doing what in military and intern in the cyber domain. And I think Switzerland is in a good position there.
Dr. Christian Folini: So thanks to the law, these responsibilities are now really clear.
Dr. Myriam Dunn Cavelty: Yes, more or less, of course. But I think it’s just there, [there] is a law that you know, very clearly spells out what has to happen in a case that, if a critical infrastructure is involved, etc. And I think that is needed and it is very good that we have that.
Dr. Christian Folini: Okay. Sounds interesting. Good.
Before we leave that topic, we reiterate that, so you do carry out certain tasks or missions for Secret Service. And now you raise this to Cyber Command level. I get the feeling this will raise awareness about that. It’s becoming more official. It’s closer to the nation state afterwards. Is that anticipated? Is this simply acceptable? Yes, this will happen, so be it? Or is it actually something that you want?
Lt. Gen. Thomas Süssli: It’s actually not something we really…, that’s not the goal of doing this.
But also, I mean, within the Cyber Command or already today within FUB or CSO, we have cyber defense as a capacity, capability. So, every offense is like our situational awareness in the cyber room. But it’s also a mobile cyber troops to support our own Armed Forces, or maybe help critical infrastructure.
The second competence is our Cyber Fusion Center, this read defensive part. That’s where our security operations center is, where our mill cert is. And then the third capability, the third big part is computer network operations. And this is for active measures in the cyber room. So, in a normal situation, as of today, we’re not allowed to [or] not supposed to attack or to [do] active reconnaissance. It’s always based then on the Intelligence Service Act, and this will remain absolutely the same. And I’m not too much concerned that if it lifted up one level that it will be more visible. I’m not too much concerned about that. But as you said, right, I mean it’s all about the legal basis and the legal basis will remain the same. Even Mr. New Cyber Command is not going to change.
Dr. Christian Folini: Okay. Yeah, that makes sense. Thank you.
In a normal enterprise, big enterprise, army level enterprise or organization, you do operational security with your security officers. You hire external pentesters to look at your services, new projects, etc. How do you do new projects, new services within the army? Is this something a capability that you have yourself? Or are you looking up in a phone book and call in a penetration company to test something for you? How’s this happening on a practical level? Because I think army must be very different.
Lt. Gen. Thomas Süssli: It’s not too much different, I would say, I mean, I’m going to disclose the secret to you now: you also do external pentesting.
Dr. Christian Folini: You do externally?
Lt. Gen. Thomas Süssli: We do. We actually hire companies or pay companies to do external pentestings. I’m not going to disclose who is doing it.
Dr. Christian Folini: I think our audience would be aware of that, because they’re very various pentesting companies.
Lt. Gen. Thomas Süssli: So they might be aware of that. So, but other than that, like project is exactly the same. So, it’s not too much of a difference. I mean, different might be like, we fund those projects, we have a very strict funding cycle in administration. This yearly cycle has to go to Parliament. But other than that, I would say we handle projects exactly the same way as I experienced in, in my civilian life.
Dr. Christian Folini: And you have done a lot of civilian work.
Lt. Gen. Thomas Süssli: I’ve done some projects in my past, yes.
Dr. Christian Folini: Yes, okay. So, there is not such a big difference now. Then, what might be a difference is the public interest or focus that you’re getting for these projects? We could say that?
Lt. Gen. Thomas Süssli: Absolutely.
Dr. Christian Folini: Of course, I am leading now slowly into the learning management system where there was the latest breach that was published. And I was wondering, should you have caught that before it happened? Or why didn’t you catch it? And is that a structural problem that you didn’t catch it? Or was it just bad luck?
Lt. Gen. Thomas Süssli: It’s a bit more complicated than just this. I mean, first of all, you have to differentiate. We differentiate two different types of IT infrastructure. We have the infrastructure really for Armed Forces, which is being used in operations of our Armed Forces. And then we have all the administrative systems, and we call them green and blue systems. And blue is really what is part of the administration. And for blue systems, we do what every other company also does, we outsource. So, first of all we buy the system, we buy software, and then we give it someone else to host and run it for us. And this learning management system we are referring to was hosted by a third company, and it’s not a green system. It’s a blue system. But that doesn’t mean [anything:] we are still responsible, and responsibilities still comes back to us.
And then there was not only one incident, there were actually two. The first one was in January, and this was our cyber conscript’s course. And they detected the first of these flaws in the system. And they actually reported it, and we have been able to fix it. And the second one was approximately one month later, it was a recruit who went home, and he still had access, or he still had the URL of when he had to log in and retry it again. And then he figured that he could still extract data. And was actually it was it was a bit of a wake-up call for us.
Potentially, there could have been more than 400,000 data sets being lost. So far, we couldn’t see anything, we didn’t see anything on darknet or anywhere else or have been offered to buy a pass.
So, we hope that there was no loss of data, no breach, really. But it was a wake-up call for us.
Dr. Christian Folini: Okay. There is one detail that occurred to me when I re-read the press release today that you relied on the system provider who apparently also hosts it to do the forensics for you and tell you “no, there was no data leakage”. Why wouldn’t you do this, this forensic analysis yourself?
Lt. Gen. Thomas Süssli: I’m not sure I read the same press release…
Dr. Christian Folini: Okay.
Lt. Gen. Thomas Süssli: Actually, we did. It was our own Cyber Fusion Center and MilCert-team, and that was really very closely involved in analyzing these log files.
Dr. Christian Folini: Okay. Good. Let’s leave this behind. We have read enough about this. And I was pleased to hear that this is a wake-up call for you because it’s about operational security as well.
Now, I’ve already mentioned this dirty term cyber war that nobody in this room probably likes, but it’s used a lot.
I think there is a conceptual flaw in here. When I have a traditional army and it does physical defense or physical attacks, then I think it is relatively easy to link an action with a goal, like [let’s] say you’re interested to get a peninsula somewhere in Europe, and then you invade it, and then you have it. I think it is much more difficult in the cyber domain to have a certain goal and achieve it with means in cyber in a virtual world, I mean, you don’t want to steal IP addresses. So where am I wrong here? Or is there really a conceptual problem in this whole this course?
Dr. Myriam Dunn Cavelty: How long do I have? (she laughs) cyber war is my big topic, it’s actually how I got into, you know, studying cybersecurity and politics. Because at the very beginning in the 2000s, that was the mobilizer, everybody talked about cyber war and very early on I, but also others said “drop that term, it’s not gonna help you!”. Also “please Armed Forces: don’t use it because it’s wrong”. And people will have the wrong expectations about the threat and the response capabilities or the possibilities. I’m sure you know that that pew-pew map where you see how the different [nations] shoot at each other. And if you don’t get that out of people’s heads, also politicians, you have a problem because you constantly need to explain that cyber operations work differently. And that you have to use them in different ways. And you cannot invade a country, via just cyber. You might use it in addition to military operations…
Dr. Christian Folini: …So it is part of a multi domain operation.
Dr. Myriam Dunn Cavelty: Exactly. I mean, the more digitalized we are, the more clear it is that everybody uses cyber means to achieve strategic, political and military goals. I think that is already clear. But this idea that you have what was called “the strategic cyber war” [where] somebody shoots, via the cyber way, and that’s it. You know, this is the “diehard scenario” where you have that movie where you have the cyber terrorists, and they basically, the whole country is down via cyber. So, that is completely unreal, but it has a mobilizing component to it. The media is also to blame partially, even though I think they’re getting better now and being more careful. But I don’t think we’ll get rid of the term because it just signifies something happening in the military realm. But I think it does us a disservice, because we keep looking at the military all the time. When we did that before the Snowden revelations, especially we in academia, before it was clear that it’s not actually the military that we should look at, but the intelligence services that have built up capabilities for a completely different type of operation, which is subversion or something under the threshold of war, the gray zone, so or whatever all those operations that we then started seeing also after 2010, more and more, where you have different goals. And I said, I mean, they might be linked to actual military invasions. If you look at Ukraine, for example, you had cyber components there too. But they work on a different level. So, I would say term cyber war, forget about it, use cyber operations. And be very careful in how you talk about the effects and the goals and the motivations that are behind it.
Dr. Christian Folini: And it really only makes sense in a multi domain operation.
Dr. Myriam Dunn Cavelty: Absolutely, as a as an add on to you know, bigger goals that you have anyway, that are often geopolitical, or political, strategic, whatever. And it’s a tool in a toolbox basically, that you have at your disposal, just that and not more. And it is enough, that it is this. But if you don’t understand it, but it should also be seen in a context.
Dr. Christian Folini: Okay. Think the toolbox idea very much resonates with an army, I suppose.
Lt. Gen. Thomas Süssli: Absolutely.
Dr. Christian Folini: There are more options.
Lt. Gen. Thomas Süssli: And I very much agree. And I’m very happy you said that, because we also try to avoid the term cyber war. There is sometimes cyber in war, which is we talk about ends, means and ways to achieve a goal and cyber is just a mean, and you mentioned the multi domain operation. And this is exactly how we think. What concerns me a bit, a lot of people think that cyber is going to replace the existing threats. It’s not, it’s going to make them more dangerous even. And this is the reality now and cyber is always part of an overall operation. And as you [Dr. Dunn Cavelty] said before, we never saw actually that cyber will switch off the light in the country, on its own. And at the end in military terms, it always has been and it’s going to be boots on the ground, that makes a difference.
Dr. Christian Folini: And this will stay around.
Lt. Gen. Thomas Süssli: It’s what we see in all these examples: It starts with cyber, but it also starts on political level, on the economic level. Criminality plays a big role, and then it’s cyber, it’s information operation. But then finally, those are the boots on the ground that are going to make the difference or the decision.
Dr. Christian Folini: …when it gets real somehow.
Lt. Gen. Thomas Süssli: When it gets real, yes.
Dr. Christian Folini: Okay. Yes. I got that.
Now there we have the law that defines what the army is allowed to do, where it’s going to be employed. What scenarios do you see or plan with, where you see the new Cyber Command being actually used in the future when it becomes active?
Lt. Gen. Thomas Süssli: I’m going to start with the most dangerous, which is probably defense operations. So, where there is an attack by state or non-state actor against Switzerland, where we see cyber being used in such cases. First is to defend our own networks. And then secondly, also be prepared to do active measures, active measures, also to say, right now, the legal basis is either it’s Intelligence Service Act, or then it’s the military act, but then it needs Federal Council approval, which is very difficult. But then in case of a real conflict, the army then can conduct attacks on its own responsibility. So, this will be the extreme, one extreme. And the more we also see is in case of severe cyber attacks against critical infrastructure, but then this will be like in COVID, like supporting the hospitals, this will be also – I will call it – subsidiary to civilian needs. So, the army can then go and help critical infrastructure. And this is also we’re prepared to do and we’re going to prepare ourselves as mobile cyber teams to do that. But that’s not something actually I really expect, because it’s always every company, every network, every critical infrastructure is different. And at the moment where the attack already happened, there’s not a lot we can do anymore. So, it’s more about crisis management, about seeing whether the backup was there or not. So, I’m not sure this is really something a realistic picture. In prevention of a cyber attack it’s very difficult because the weakest part is obviously human being. So, it’s the human sitting in front of a computer. And we cannot put a soldier besides every user making sure he doesn’t click that email or open that attachment. So, I’m not sure it is really a realistic scenario, but we prepare for that.
Dr. Christian Folini: Okay, yes, I get that. I was pleased to hear that you don’t really expect that scenario, because it’s somewhere a bit in the room with National Cyber strategy and the army is now doing that, and I think a lot of people are afraid that the army is knocking on the door, please, please give me a keyboard, I want to connect to your network now. So good to hear it is not very likely.
Switzerland, or our national teams, took part in European military exercise in February. We also were invited to participate at the NATO Locked Shields exercise. [These] exercises happen every year, every two years. Is this something that is important for an army like ours? Do you compete for fun? Or is it actually interesting for you to learn?
Lt. Gen. Thomas Süssli: There might be some fun to it. It is not completely right. Now, but for us it’s important is it’s kind of a benchmarking, because we cannot benchmark with like the economy, we cannot benchmark with banks. And it’s also like relationship building or a network building with other counterparts in other countries. And this is really very fruitful and important to us. And also we have seen in the past Locked Shields you mentioned, also it was it was important to see where we stand. I was also like, for us it was good to see we are not at the end, but we were not the beginners neither. We were somewhere in the midfield. That was good to see that. We don’t have the budgets other countries have. That was very important for me to see also, that we spend the budget for the right capabilities. Yeah, that’s like kind of a benchmarking to us. And also it was kind of fun though.
Dr. Christian Folini: It’s good to hear.
Do you think that is generally something that army struggles with to like the benchmarking? Where are we? Are we good? Set for a serious lack of wars, to train or…?
Dr. Myriam Dunn Cavelty: Yes of course, it’s hard to benchmark because a lot of it is secret. That is the nature of the cyber domain, because a lot of it is in the Intel, a lot of it is about capabilities and practices that you just don’t see. Even getting budgets is difficult. That’s why visiting other countries and trying to find out what they’re really doing is I’m sure important. The benchmarking and the exercising I think we could do more here. The budget was mentioned, but if something that we add at the ETH also think should be supported more not only for the Swiss, but also in general: to have a good wargaming or tabletop exercising capability that people can draw on, especially in the cyber domain, especially then also going beyond the cyber. Because one of the things that are difficult are those scenarios that are likely to have a cyber component but not only and how do you exercise that? How do you get those teams together that you know…, Because there I think that is where the difficulty will come from. It’s not if you get the like-minded people together that already know each other, you might have a good exchange daily anyway you understand each other. But what if then suddenly you have somebody from a hospital that you need to talk to? Those are the difficult scenarios, and I think more could be done here.
Dr. Christian Folini: Okay. So that becomes a cultural issue afterwards, no longer a technical issue, it becomes about humans.
Dr. Myriam Dunn Cavelty: Yes definitely. I mean, that’s my big topic. Also. I mean, nothing here was technical so far, but I think we have a tendency still, to think cybersecurity too technical. And we often forget the other skills that are needed. I mean, somewhere mentioned, crisis management has nothing to do with the technical. You need different skills. And I think we’re also when we think about recruitment, or you know, the workforce in the future, or education, we sometimes forget to think about those interconnections to other realms. What do we need? Also, you know, of course, the forensics was mentioned, to the law, also the policy field. Which is mine. What kind of specialist do we need to understand inter linkages between cyber, or the next thing that’s coming. I hope we can talk about the future because now we’re just saying cyber, and we think we know what cyberspace is, but who knows what we will have in 10 years? It might look different than what we have now. And how do we make sure that we have people that understand that future technology? Because I mean, that is a big problem also with education: we constantly educate backwards, basically. We have our ideas, and then we educate in four years times we have to specialists, but maybe they don’t fit anymore.
Dr. Christian Folini: Yeah, that is a possibility.
Dr. Myriam Dunn Cavelty: And I think that’s a challenge. Absolutely not only for the armed forces, or everybody also for us educators, higher education. How do you make sure you have people that can smartly adjust to new developments also in technology.
Dr. Christian Folini: For the next 40 years after they leave University.
Dr. Myriam Dunn Cavelty: Exactly.
Dr. Christian Folini: Let’s talk about artificial intelligence.
Before you became head or chief of the Swiss Army, you already as the head of the FUB, pushed for artificial intelligence, or you mentioned it in public speeches, that this was an important topic for you, that you were developing capabilities. I looked up a presentation, the cyber defense campus organization quoted you saying “artificial intelligence will in the foreseeable future add a new dimension to decision making”. In January when you gave an interview in the NZZ you or your successor as leader of the FUB said, that sensors will be equipped with artificial intelligence or the processing of sensor-signals will be equipped with artificial intelligence to condense the data they’re receiving into knowledge, somehow. Is this one of the capabilities that you want to focus on the Cyber Command? Or how where do we stand two years later? Is the foreseeable future already here? Or how foreseeable is it?
Lt. Gen. Thomas Süssli: It actually is foreseeable as we are in the process of planning it right now. What I was referring to then, is what we call the sensor to shoot loop, or we have the sensors, then we have our intelligence service internally, then we have decision making, and then we have the like the effectors, where we provide an effect. And digitalization for armed forces means also to automate that cycle and digitalize it. And the sensors the idea is really to out of all operations spheres, to take sensor data out of like the air, space, ground, electromagnetic room, and integrate those sensor data to recognize new patterns in that and gain knowledge out of that. That was what we were referring to. And in order to do that, because data becomes so big if you start to integrate all sensors, and all spheres, that needs artificial intelligence. There’s one application of artificial intelligence. There’s another one and when I talk about cyber artificial intelligence, I am always referring to the good, the bad, the ugly application of artificial intelligence. Good is where we use it to recognize an intruder in the to our networks that can be used for that. The bad application of artificial intelligence might be to break hash codes. And the ugly might be to use artificial intelligence to intrude and to actually to fulfill tasks which took months so far. If you go into a network this horizontal detection that takes weeks or months, and we fear a bit of what we see, we have concerns that this could be done in in hours in the future, using artificial intelligence. That will be the good, the bad, the ugly application of artificial intelligence. And this will be actually a concern of Cyber Command, the automation of digitalization of sensor to shoot to loop, the Cyber Command will provide the digital infrastructure, but then this will be the joint operation command conducting those kinds of actions then.
Dr. Christian Folini: You confirmed that it’s a lot of data, a lot of signals coming from the sensors. And it’s more than humans can possibly process. That’s why you want artificial intelligence. Now,on a conceptual level, you don’t control the signal of the sensor, that’s the point of the sensor is placing it there. And then your enemy triggers the signal. So, you’re basing your knowledge or intelligence on signals controlled by the enemy somehow. And that is then something you base your decision on.
Is this too short thought?
Lt. Gen. Thomas Süssli: I’m not sure. I mean, what we do is, what we do today is we have human sensors, also detecting what they see, what they hear, what they get. And in the future, this will be digital sensors, that’s going to be replaced, but it’s always the same. So, either you see an aircraft or not, or you hear it or you detect it in the electromagnetic sphere. That’s not going to change. It’s just a lot more of data. And it’s the way we integrate it.
Dr. Christian Folini: I’m not sure I buy into this, because I think if, if an expensive system, especially if it’s a pet project by the big boss, says something, it’s very different from a human person say “look, I get the feeling I’ve seen an airplane”. Because this is afterwards, it’s like on paper, it’s printed, this is now official. And in a very hierarchical organization like the army, somebody to question such an official statement by a machine will be very hard.
Lt. Gen. Thomas Süssli: I don’t even think this is comes down to hierarchy. So it’s more kind of sure, still, the analysts will be human beings, isn’t it? So again, out of the sensors, we gain information. But then knowledge is only a human being who makes knowledge out of that. And it will, at least in Swiss armed forces will always be a human who makes the decision. So, I’m not too concerned about that. And that doesn’t relate to hierarchy. It’s always an analyst, and he will receive a lot of data. And he will have to make up his own mind on what the intention of an enemy might be. So, this is always an analyst, I’m not too concerned about that. But the amount of data is going to grow. And new opportunity is not having more data, but to integrate the data out of all the spheres. So, space, air, ground, and electromagnetic room and also information room. That’s a new aspect to it.
Dr. Christian Folini: Okay, okay. Yes, I think I get that.
I presume that Switzerland is doing what all the armies are doing in this domain?
Dr. Myriam Dunn Cavelty: Yes, probably less than some big ones, as we know, but not because they don’t want to, but because Switzerland is too small to be a big mover in AI right now. So, it’s about data. And we know that in terms of geopolitics, data becomes much more important also for the training of systems for, for AI systems, etc. So, for me, one of the big topics in the future is access to data. So, we are also trying to push for open data movement, also in the European Union for open data. So that you know there is some, it’s almost like it a democratic approach to AI, that everybody can actually start training AI systems. Also for example so that we can see whether there are biases in the system. This is more important for the civilian domain right now already, you know, where you have facial recognition that – we know that from the States – for example, doesn’t recognize black faces, or female black faces, because the machine is only trained on men all the time.
Dr. Christian Folini: And white men.
Dr. Myriam Dunn Cavelty: White men, exactly.
So, there are a lot of biases that could come in. And I think with the, in the military domain, the big fear, and that has been discussed for many years already, is the lethal armed weapon systems which shoot by themselves, and we are far from that. I think and Mr. Süssli has said it, this is not in our [plan]. We don’t plan to do that. I don’t say nobody plans to do it. So that’s why there’s a lot of debate on the international level about banning those systems because they’re potentially dangerous. But I think whether there’s a human in the loop or not, that is the big difference. And so far, most armies have a human in the loop, even the big ones.
Dr. Christian Folini: …and we are grateful for that.
Dr. Myriam Dunn Cavelty: We are, yes. But who knows what the world looks like if the machine takes over, maybe it’s a better world who knows?
I think what’s important with technology and if you start linking them up with politics and war and all these kinds of things, is always to balance your views. To see the good, the bad and the ugly, because there’s never just one aspect there. And the tendency of human beings to either love technologies, that’s the optimist, or hate technologies is something that we all have in us, and I think we should have, we have to balance it, we have to look at it very carefully.
AI is a very good case in point, like it’s already there in cybersecurity. You have AI applications and machine learning for offense or defense. Whether the one or the other is going to be better, we simply cannot answer this question. It’s impossible. It’s a very dynamic development that goes into the future and will have a lot to do with governance or integration into organizations, for example. Technology by itself doesn’t really tell you a lot about what is going to happen.
Dr. Christian Folini: Or we kind of need to do this to learn, anyway.
Dr. Myriam Dunn Cavelty: And you cannot stop AI and machine learning at this point in time, that is – and quantum! That’s the next big topic that’s also going to come. That’s why I’m saying we are now still in this – also with the term Cyber defense – assumes that there is a system that we constantly need to patch because it has vulnerabilities and nobody knows them all. AI is used to actually discover vulnerabilities. So that’s a good use of AI right now.
But I am not sure that this is the future, we might really have a completely different digital, let’s say on Supra, or infrastructure there that we could start thinking about, that might no longer be linked to this let’s say “cat and mouse game”. That is optimistic, but it is possible.
Dr. Christian Folini: If I’m reading through different strategy papers, not only the army, but all the National Cyber strategy, contingency plans, etc. it resonates a lot with your research papers or research papers of your Think Tank, the Center for Strategic Studies at the ETH. So, I guess there is an exchange happening here, obviously, this is your client.
Dr. Myriam Dunn Cavelty: Yes, for many many years, absolutely.
Dr. Christian Folini: Would you say that Switzerland or the army is a good student?
Dr. Myriam Dunn Cavelty: Oh, absolutely. But they’re not students. I think we don’t educate anybody. We really just propose options. We often study how others do it. You asked me how does Switzerland compare? Very often we look at approaches of other countries and then kind of draw lessons from that and then, often in a dialogue with our partners in the administration, we start talking about what could be changed or not etc.
Dr. Christian Folini: So, it’s like, an autonomous execution of your ideas?
Dr. Myriam Dunn Cavelty: Not always, of course, no, it should be an input into a process that is not ours to steer. So, it’s an invitation to read interesting things.But I would say that the administration, and the army belongs to the administration, is its own animal. And as because you asked in Switzerland, there is many, many, many peculiarities that we need to know. And one of them is that you cannot steer just from one end. And then you know, expect it to go into the direction that you hope it will…
Dr. Christian Folini: That is probably not working in Switzerland.
Dr. Myriam Dunn Cavelty: No, and probably not in other countries either. But I mean, that’s a reality. And I think trial and error is important, too. And learning is always doing certain things badly and changing them. And I think we’ve come a long way. And with the new strategy, as I said, I think that everything’s there that needs to be there. The roles are clear, roles, responsibilities, and the different tasks. Whether that will be executed as it is said, that is a different thing. But I think the basis is there. Is good.
Dr. Christian Folini: Good. Good to hear.
I got the impression there is an ongoing struggle between the civil part of the cyber defense, let’s say MELANI, NCSC and the army. Like who is given, or particularly: can NCSC, can Florian Schütz give you orders on security, on server hardening? Can they request your data to analyze it themselves? And it seems they’re in advantage right now and I think it was in the January interview that you gave. You said we’re going to overhaul the law because this is the Army’s domain. And we want to remain completely autonomous. Is that the situation? Is there this rat race or this continuous struggle?
Lt. Gen. Thomas Süssli: The question is on what data we exchange actually, and what we talk about. First of all, we accept very much what Florian Schütz is doing. And what he did is, he established like a map of all we do at administration level. And then he identified the white spots, he is in process of filling them now. And he always, he also did detected application. But then I refer to I was explaining before the green and blue type of systems. And the problem is the green systems: First of all, they are fully encapsulated, not connected to our other infrastructure. Okay, so it’s like an island, it’s easier to protect. And then also, many of those systems are classified. So if you disclose flaws in those systems, and those information goes into another system and into another system. So, if someone will actually gets hold of that data, it’s very easy than to break it. So that’s our concern. So what we say is actually we exchange information on floors, we detect ourselves in that environment, we exchange that. We respect very much his ideas, his concepts, and also his instructions. But we play it in our own responsibility. That’s actually the differentiation.
And right now the law, the legal basis for our own systems, is still that the systems of armed forces are still part of the administration, which is not ideal in every case, especially when…
Dr. Christian Folini: So, you want to separate this more.
Lt. Gen. Thomas Süssli: Yes, that’s the idea. And also to say we work very closely with MELANI. So, I would say it’s even on a daily basis, so there’s a very close cooperation. So, there’s no reason for concerns. And also after the interview in NZZ, I had a chat with Florian Schütz. I think he was a bit upset in the beginning. But then we have been very, very able to explain to him why we actually need this separation.
Dr. Christian Folini: And how you differentiate between the blue and the green systems.
Lt. Gen. Thomas Süssli: Absolutely. And I think it’s also a relief to him, because in those systems in those green systems, classified, separated, isolated, he won’t be too much involved in that.
Dr. Christian Folini: Okay. Good. We’re soon coming to an end here. And I need to select my remaining questions now. Let’s return to cyber politics, your research topic. What are you researching right now?
Dr. Myriam Dunn Cavelty: Oh, yes. How long do I have now?
Dr. Christian Folini: You have three minutes.
Dr. Myriam Dunn Cavelty: So, I think something that has become apparent in the last few years is the importance of private companies in cybersecurity, but also actually in shaping cyber threat knowledge. And I’m referring to threat Intel companies, many of them American, that, at least for us, again, academics or civil society, or people in the society, they provide the knowledge that we have of what’s going on in cyberspace. And very clearly, this is hugely biased. Because there’s a commercial interest, there is a closeness to the political decision making. Already many people go in and out of politics and back to companies. And that is an issue that we have. We believe we do not have the full knowledge, we do not know who shoots first, – I’m using a horrible term now- and if we do not have a better and let’s say, broader idea of the cyber threat landscape, we cannot understand political dynamics well.
Dr. Christian Folini: And that links to this open data discourse as well.
Dr. Myriam Dunn Cavelty: Exactly. This is something that we are working towards. I can’t tell you what the solutions will be. But one idea is obviously that academic institutions could take a stronger role here also to provide cyber threat knowledge or attribution knowledge. Because very often, this is about attribution, that somebody points a finger at somebody else and we cannot really verify whether that’s true or not. So, that is something that we’re working on and that I think it is important also for a better understanding as I said of the dynamics, but also what can be done in cyber and what the effects are, not only in cyber, but you know, societal, political, etc.
Dr. Christian Folini: Great. It’s interesting. You [Lt. Gen. Süssli] mentioned that the Cyber Defense Campus or I’ve got the impression it’s a project that is dear to you. It is a new initiative that brings together capabilities. I reckon it integrates with all the recruitment you’re doing, the recruits that you are educating. What is your wish in there? Where do you want to take this?
Lt. Gen. Thomas Süssli: Actually, I think what is really missing for armed forces is very difficult to talk to academia. I mean, except ETH… I had to say this now. No, really, I mean that’s close cooperation. And even they, in our capability development process, ETH CSS is very important, because what you do is you actually prove our concepts and give us feedback and that’s the importance of this relationship. But to us, it’s very difficult to get access to startups and companies. And the Cyber Defense Campus to me is a neutral platform where everyone can meet where Armed Forces where economy, academia can come together, exchange information or build a network in a neutral environment. And that’s the importance of that. And then the other ideas to sooner or later build an ecosystem, a cyber ecosystem in Switzerland, where actually, the economy, big companies can state their requirements for cyber tools. And the Cyber Defense Campus could be the platform, where we initiate the building of those solutions and tools together with startups and our forces.
So my final vision is this ecosystem.
Dr. Christian Folini: That sounds very Israeli to me, somehow.
Lt. Gen. Thomas Süssli: There is an idea actually, in Israel we see Be’er Sheva. But then we see also like Team 8, and Team 8 follows a very similar approach. So, there’s also a relationship, a huge network to the industry. So, they get ideas, and then they build solutions to them. But it’s always commercially driven, at least what I see. And this will be more like government driven, this approach.
Dr. Christian Folini: Okay, that is the difference.
Lt. Gen. Thomas Süssli: So, there is something new and maybe something is specific, always called a helvetism. So, it’s the helvetic solution, the Swiss solution for the same issue.
Dr. Christian Folini: Okay. Thank you very much. Thank you, Lieutenant General Süssli, Mrs. Dunn Cavelty.
That was an interesting talk. Unfortunately, we have to cut it at a given moment. Thank you for your interest in our “Swiss Cyber Storm in nutshell”. We’ll be back in August with our next edition. We plan to talk about or talk with security startups in Switzerland. And on October 12th there will actually be the Swiss Cyber Storm conference. We hope to do this a couple of stories up here in the Kursaal in Bern as a physical conference. And if that fails for whatever reason – I can’t think of anything – then it’s going to be a virtual conference. But we really plan to push through. Thank you very much.