Marcel Zumbühl, Chief Information Security Officer of Swiss Post
1. Swiss Post is a logistics company. Why does it need a Chief Information Security Officer?
Information security is very important for our Group. Few people realize that Swiss Post is Switzerland’s third-largest IT employer. Modern logistics cannot function without a robust IT system. Today’s parcel volumes can only be sorted and delivered within deadlines thanks to robust infrastructure and a variety of technological resources. Even Postbuses are small moving data centers. Anywhere technology is used is at risk of a cyberattack. Alongside parcel and letter deliveries, Swiss Post also offers a range of digital services such as “My consignments”, digital mailboxes, e-voting and digital health. Our customers place their trust in us, and this trust entails responsibility. Swiss Post therefore invests continuously in strong information security. Every month, Swiss Post successfully fends off around 100 targeted attacks and over 10 million phishing attempts. However, the company invests not only in its own robustness, but also in the security of its products and services.
2. Swiss Post now supports the OWASP Core Rule Set cybersecurity framework. What does this consist of?
OWASP Core Rule Set (OWASP CRS for short), in combination with Apache ModSecurity, is one of the most effective IT security solutions available today. Thanks to well-defined rules, this solution enables us to quickly recognize typical attack patterns and thus report and block threats. At Swiss Post, this solution recently proved its worth during a public intrusion test of the e-voting system. In 2023, Swiss Post successfully fended off over 50,000 attacks as part of the test.
OWASP CRS is an open-source solution. It is distributed licence-free and is therefore free of charge. An active specialist community tests and develops the solution – effectively, but without payment. By sponsoring the foundation, Swiss Post is supporting a strong security system that helps to strengthen cybersecurity worldwide.
3. What role does open source play in cybersecurity?
Open source is often associated only with licence-free software provision. But the concept goes beyond the commercial aspect: it is also about “open knowledge”, by which I mean transparency, participatory security and collective intelligence. Today, companies use these in a targeted manner to ensure the most effective cybersecurity possible. When we disclose an application’s program code, experts can examine it in detail and report vulnerabilities. We take this approach with solutions such as e-voting: all key components and system documentation have been publicly accessible since 2021. Swiss Post actively encourages ethical hackers to attack its applications. Our bug bounty programme is one of the biggest in Europe. For over four years, we have relied on the swarm intelligence of a large community of ethical hackers, with whom we continuously test and improve our systems. In return, they receive rewards based on the severity of the vulnerabilities that are found and confirmed. The maximum reward for finding a critical vulnerability in the e-voting system is 250,000 francs. So far, we have paid out a total of around 200,000 francs for suggestions as to how we can improve the e-voting system. For the overarching bug bounty programme for all Swiss Post services, this figure is 600,000 francs.
4. Since 2022, Swiss Post has done more than just protect its own systems against cyberattacks – it now also offers cybersecurity monitoring and security to various companies and authorities. How did this come about?
We all do a lot of tasks on the Internet every day. Every time we place an order, book a doctor’s appointment or even fill out our tax declarations online, we are sharing more information about ourselves. We need to protect this against attacks. Swiss Post itself handles sensitive data. This includes the official postal addresses of Swiss residents or bank details of PostFinance customers. To protect this data properly, Swiss Post has gained considerable expertise in the field of cybersecurity. With the acquisition of Hacknowledge SA in Morges and terreActive Ltd in Aarau, we now offer our customers powerful tools to protect their systems and data.
As a company owned by the Confederation, Swiss Post is committed to responsible digitization. Cybersecurity and correct handling of data are important cornerstones of this commitment.
5. How does Swiss Post’s Information Security team work in conjunction with its cybersecurity subsidiaries?
As CISO of Swiss Post, I am a member of the Board of Directors of both companies. This means I am directly involved in strategic management. There is also a reverse transfer of knowledge: in particular, solutions from the two cybersecurity subsidiaries are used to protect our other subsidiaries. In addition to targeted penetration tests, they help us to extend Swiss Post’s cybersecurity protection to these companies. There is also a regular operational dialogue between the teams at Swiss Post and the two subsidiaries. As a result, both companies are part of our cybersecurity expert team.
6. Which developments do you think will influence cybersecurity in 2024?
Thanks to recent innovations such as ChatGPT, artificial intelligence is the current hot topic. These solutions are practical in everyday life, but provide new challenges for cybersecurity. For example, they can be manipulated. If provided with enough false information, they can give you the wrong result. Swiss Post is working with the Dalle Molle Institute for Artificial Intelligence at the Università della Svizzera italiana on the robustness of artificial intelligence systems. We want to understand how to improve protection, detect and ward off attacks and ensure business continuity. As such, we want to improve the security of the AI solutions used in our logistics and contribute to the secure use of artificial intelligence in Switzerland.
2024 will be an exciting year for cryptography. We’re expecting the first encryption algorithms that cannot even be cracked by quantum computers. Quantum computing is still at the experimental stage, but development is progressing rapidly, and we can already see that current encryption systems will not be able to handle this computing power. Our specialists at the cryptography center in Neuchâtel have the important task of testing the new algorithms and accelerating their introduction.
On the subject of participatory security: our big bug bounty programme will be five years old in 2024, and we want to transfer all online applications running at *.swisspost.ch to a public programme in the course of the year. In this way, we want to encourage other companies to see cybersecurity as an opportunity. Because successful cybersecurity means that customers trust systems.