Summary
Three events shaped the activities of the Independent Oversight Authority for Intelligence Activities (OA-IA) in 2021: the departure of the director of the Federal Intelligence Service (FIS); the marked increase in the number of reports concerning dissatisfied FIS employees; and staff changes at the OA-IA itself, including the departure of its director, Thomas Fritschi, after nearly five years at the helm. Despite these developments, the OA-IA fulfilled its main mandate, i.e. the oversight of intelligence activities.
In 2021, the OA-IA carried out audits in the following areas:
- Strategy and planning – 1 audit
- Organisation – 3 audits
- Cooperation – 8 audits
- Information gathering – 4 audits
- Data processing and archiving – 2 audits
A total of 18 audits were carried out and completed. Compared with the last few years, the number of recommendations made by the OA-IA has fallen significantly. This can be attributed on the one hand to improvements already achieved by implementing past OA-IA recommendations. On the other hand, the OA-IA, having spent the early years largely gaining an overview of the various intelligence activities, is now performing more in-depth audits. This makes formulating level-appropriate recommendations more demanding and therefore fewer in number.
In line with its risk assessment, the OA-IA focused its oversight activities in 2021 on the FIS, where it carried out 17 audits.
The OA-IA used considerable resources examining cooperation between the FIS and the cantonal intelligence services (CIS) and assessing the protection of critical infrastructures through cyber defence and information gathering through human sources (human intelligence, HUMINT). It also conducted an extraordinary, extensive audit in the area of HUMINT, which was not originally on the 2021 audit plan. The FIS addressed those areas requiring improvement. The long transition period after the departure of its director and staff dissatisfaction have been challenging for the FIS. It achieved good marks with respect to cooperation with the CIS; this close cooperation makes a major contribution to Switzerland’s internal security. In the cyber field, the FIS reviewed its practice with respect to information gathering and informed the OA-IA regularly and in detail about its progress so that a decision could be made on whether to conduct a full audit.
The OA-IA reviewed cyber defence at the Electronic Operations Centre (EOC). The audit showed that the necessary competences for protecting critical infrastructure at the FIS and EOC have been established and the two bodies cooperate well. In addition, the OA-IA participated as an observer in the meetings of the Independent Control Authority for Radio and Cable Communications Intelligence (ICA).
The OA-IA carried out an audit on data protection at the Military Intelligence Service (MIS). Although the MIS processes personal data, this is not the focus of its work; its legal mandate is primarily to gather information on foreign countries. The OA-IA did not identify anything that led it to doubt the lawfulness of personal data processing at the MIS.
In addition, the OA-IA and the cantonal oversight authorities met at a conference to cultivate and strengthen relations.
The 2021 Annual Report was prepared in consultation with the DDPS and the Control Delegation of both the National Council and the Council of States from 14 to 27 February 2022. Where feedback indicated formal or material errors in the report or interests worthy of protection that precluded publication of certain parts, these were taken into account.
Conclusion
The OA-IA formulated 18 recommendations regarding the 18 audits conducted. Implementing these recommendations will reduce existing risks in intelligence activities and improve their effectiveness.
Staff insecurity at the FIS had a negative effect on its intelligence activities in the year under review. Although it has taken initial steps to improve the situation, these are unlikely to be sufficient to remedy the situation in the long term. The FIS’s structures and process must be examined and if necessary adapted. This will create stability in the long term, thus reducing risks. To achieve this, the FIS requires the support of the DDPS. The falling number of OA-IA recommendations indicates that existing risks in intelligence activities have either been eliminated or at least minimised.
Based on the OA-IA’s risk assessment, the audit of the two military intelligence bodies, the MIS and the EOC, was less comprehensive and no recommendations had to be made for them. It remains to be seen how the EOC will be integrated into the Armed Forces Cyber Command in the future.