There are security gaps in video surveillance of army installations. There are also problems with data protection. (icon picture)
The Defense Department (VBS) admits the problems openly. Some of the video cameras that the Swiss army uses to monitor its buildings and facilities are inadequately protected against hacker attacks. They are also not state-of-the-art. Furthermore, data protection regulations are not observed. This is the conclusion of an internal investigation report commissioned by Federal Councilor Viola Amherd (60).
The cameras are installed, for example, at the entrances to military installations, weapon sites, logistics centers or army administration buildings. However, it is not even known how many such cameras exist. The internal audit of the DDPS states in a test report that there is no overall overview, reports Radio SRF.
Army neglects IT security
Internal Audit used random samples to check whether the video surveillance systems were adequately protected against hacker attacks. Their worrying conclusion: the army is neglecting IT security. “Most of the IT security documents are not available or only insufficiently documented,” reads the report.
The Federal Office for Armament Armasuisse actually defined the technical specifications four years ago. At most locations, however, they are “not fully met”, criticizes the revision.
One reason for this: Most video cameras are more than ten years old: “The surveillance equipment used is not regularly checked for publicly known weaknesses at all locations and updated using software updates.”
Data protection neglected
The army also pays too little attention to data protection. It is often unclear how the sensitive image material is handled. For example, it has not been finally clarified how long the material must be kept or who may edit it.
There are model regulations for video surveillance. However, a generally formulated regulation for video surveillance is “not sufficient from the point of view of data protection and information protection law”.
The internal DDPS revision therefore recommends clarifying the responsibilities for data protection for each location, ensuring that the minimum requirements for IT security are met and that an inventory of all video surveillance systems is created.
Unified monitoring solution planned
“The defense group shares these findings,” says the DDPS in a written statement to Radio SRF. There is a deficit in the regulations in particular. In the course of the year, all regulations would be reviewed and individually adapted for each individual location. Data protection should also be taken into account.
With regard to IT security, the army also wants to go beyond the books in its video surveillance: “In order to increase the quality of surveillance and to reduce the effort for on-site interventions in the event of false alarms, the army’s logistics base has started the ‘CCTV Defense’ project”.
By the end of 2026, a new, uniform surveillance solution should be introduced at around 30 army locations: “The older, analogue video surveillance systems will be replaced by digital elements.” Other locations could later be connected to this unified monitoring system. (dba)