SWITCH's Computer Emergency Response Team (CERT) turns 20 years old in 2016. We take a look back.

Text: Anja Eigenmann, published on 23.08.2016

20 years old and as successful as ever: SWITCH's Computer Emergency Response Team (CERT) has always worked hard in the interests of cybersecurity in Switzerland. The fact that its tireless efforts behind the scenes have made .ch the most secure top-level domain in Europe and one of the most secure in the world is without doubt its greatest achievement.

The CERT's formation was a process of many stages, a crucial one being membership of the Forum for Incident Response and Security Teams (FIRST). It was recognised by CERT/CC, the CERT coordination body at Carnegie Mellon University in Pittsburgh, Pennsylvania/USA 20 years ago. This gave SWITCH access to information from the international "web of trust", opening the way to membership of FIRST. However, the story actually starts long before that. Let us travel back in time and look into how SWITCH-CERT came about, how it has developed and a few highlights from its history. As you will see, there is plenty to celebrate.



  • Pre-history: Robert T. Morris releases the first computer worm. Known as the Morris worm, it shuts down 6,000 computers on the Internet. This equates to some 10% of all the machines connected to the network. Intriguingly, Morris is the son of the chief scientist at the National Computer Security Center, a division of the National Security Agency (NSA). The 23-year-old is thrown out of university and fined USD 10,000. The Morris worm leads to the creation of the first ever CERT by the Software Engineering Institute at Carnegie Mellon University in Pittsburgh, USA.


  • The first example of ransomware, the AIDS Trojan, appears. Ransomware locks files on victims' computers and demands payment to unlock them. The AIDS Trojan is spread via floppy disks given away free to subscribers of PC Business World magazine and people on the mailing list for a World Health Organization AIDS conference. After an incubation period has passed, it encrypts all of the files on a system and displays a message on the screen containing an account number in Panama to which US$ 18 is to be paid in return for a decryption program.


  • The global Forum for Incident Response and Security Teams, FIRST, is formed.


  • The CERT mindset is born: The SWITCH foundation starts incorporating security precautions into the data transfer network. In its Annual Report, Managing Director Peter J. Gilli writes, "Besides the quantitative requirements, however, the need for new features (e.g. multimedia, security) (...) will also require further investment."


  • Hysteria in cyberspace: fears abound that the Michelangelo virus will bring about a digital apocalypse by – as security expert John McAfee is quoted as saying – "erasing data from five million computers". It later turns out that the damage actually caused was only minimal. McAfee explains that an interviewer had pressed him for a number, and he had replied "somewhere between 5,000 and five million," but this was not reported.


  • Hacker Kevin Poulsen achieves notoriety for manipulating a US radio station's phone system over an extended period together with his friends. The gang manages to fix it so that only they can get through to phone-in competitions. It nets two Porsches, holidays and US$ 20,000 in cash. Poulsen had been charged with phone manipulation and selling military secrets back in 1988, but he went on the run. He is ultimately caught and sent to prison for five years.


  • Building the CERT: SWITCH hires security expert Hannes P. Lubich to help it set up a security department that will offer its services to SWITCH clients. He provides an account of his work in the Annual Report: "The SWITCH Computer Emergency Response Team dealt with a number of security incidents on behalf of SWITCH clients in the year under review. It also accepted a consulting mandate and kept SWITCH clients continually informed about security breaches as they arose."


  • The CERT makes a name for itself: Hannes Lubich and Thomas Lenggenhager travel to Karlsruhe, Germany to attend a FIRST workshop for the first time. This marks the start of SWITCH's collaboration with FIRST, its aim being to become a member.
  • The Annual Report states, "In the year under review, the security department (SWITCH-CERT) dealt with more than 20 reports of security incidents from SWITCH clients. It also provided expert opinions as part of a disciplinary investigation and accepted a series of consulting mandates from new clients and external organisations."

  • SWITCH introduces security precautions for e-mail, including the first Pretty Good Privacy (PGP) key, signed by Thomas Lenggenhager, Hannes P. Lubich and Christoph Graf.



  • CERT goes live: SWITCH-CERT receives accreditation from CERT/CC, the CERT coordination body at Carnegie Mellon University in Pittsburgh, Pennsylvania. This gives SWITCH access to information from the international "web of trust", opening the way to membership of FIRST.
  • Hannes P. Lubich leaves SWITCH. The Annual Report states, "Thomas Lenggenhager took over as head of SWITCH-CERT in mid-1996 following the departure of Hannes Lubich. Over the year as a whole, a total of 30 security incidents were dealt with. Most of these involved placing foreign CERTs in contact with organisations in Switzerland or vice versa. One of SWITCH's permanent tasks is forwarding security bulletins that bring new problems to clients' attention. Security checks of some organisations' networks were carried out on request. SWITCH-CERT was invited to join the TERENA Technical Advisory Group (TAG) with the aim of establishing a pan-European security coordination body. (...) SWITCH is also represented within FIRST Task Force 1."
  • SWITCH-CERT launches its first public website.


  • The newly formed Federal Office of Communications (OFCOM) is tasked with regulating SWITCH's activities relating to the .ch top-level domain, including security measures.
  • The SWITCH Annual Report states, "The number of security incidents dealt with remained more or less stable, despite the fact that hackers are increasingly using tools that automatically search entire networks for known loopholes that have not yet been closed by system administrators. Since most incidents involve more than one country, the start of EuroCERT's operations as a European security coordination body on 1 May 1997 marks a significant milestone."


  • SWITCH becomes a member of FIRST.
  • Christoph Graf is placed in charge of SWITCH-CERT.


    • Network misuse with spam and distributed denial of service (DDoS) attacks is one of the biggest problems facing universities and thus among SWITCH-CERT's main challenges.
    • EuroCERT is disbanded, mainly due to a lack of funding.


  • Further to TERENA's request at the start of 2000 for proposals regarding a service to replace EuroCERT, the Trusted Introducer (TI) service enters pilot operation. Its premise is simple: it collects information on security teams. Those that meet certain criteria are awarded Level 2 status. SWITCH-CERT is listed as a TI.
  • The Loveletter worm spreads extremely quickly starting on 4 May, causing damage estimated at USD 15 billion.


  • The Code Red and Nimda worms keep the digital world on edge after infecting hundreds of thousands of computers within an extremely short time. Everyone who follows SWITCH-CERT's recommendations suffers no harm.
  • SWITCH-CERT is among the first CERTs to achieve Trusted Introducer Level 2 status (see 2000 above).


  • SWITCH undergoes a reorganisation and forms a new Security division. It is headed by Christoph Graf. Staff from various divisions were previously responsible for security. Services for clients are split into Incident Handling, Consulting and Security Lab.


  • Three worms at once cause a stir: SQL Slammer, Blaster and Sobig.F. The latter still ranks as one of the most harmful worms of all time, having caused damage estimated at USD 37 billion.
  • SWITCH-CERT launches a new service called Internet Background Noise (IBN), which visualises network traffic and enables users to analyse the spread of viruses and worms.
  • The Security Working Group is formed.


  • At the end of the year, Switzerland's Reporting and Analysis Centre for Information Assurance (MELANI) begins its operations. SWITCH provides CERT services for MELANI.
  • SWITCH-CERT launches a new security service based on NetFlow data. It alerts clients when systems are found to be infected with viruses and worms or exhibit behaviour that points to an infection. This was made possible by the new tools NfSen and NFDUMP, developed by a SWITCH-CERT employee.


  • Phishing reaches Switzerland: cybercriminals send hundreds of manipulated e-mails in an attempt to get hold of e-banking clients' login details. SWITCH-CERT is commissioned by MELANI to work for a closed group of clients, primarily handling phishing attacks on Swiss financial institutions. It starts holding technical workshops for the benefit of this closed group. SWITCH also supplies technical content concerning MELANI information for the general public, including.


  • Serge Droz is placed in charge of security at SWITCH.


  • Neil Long of Team Cymru, an international collective of IT security professionals, visits SWITCH and comments that the Swiss academic network has above-average security. Indeed, SWITCH-CERT is now able to identify and neutralise a bot infection, for example, within one working day in most cases.
  • The NetFlow software tools NfSen and NFDUMP from SWITCH-CERT have become established internationally and are proving very popular.


  • SWITCH enters the marketplace with extended CERT services under its own brand.
  • A new security service called SWITCHguard protects holders of .ch domain names against unwanted changes.


  • The first banks sign up to SWITCHcert.
  • The Conficker worm, still at large years later, is discovered.


  • study by IT security provider McAfee confirms that .ch Internet addresses are among the most secure in the world.
  • SWITCH sends an e-mail to holders of .ch domains warning them about the Conficker worm and explaining how they can protect themselves against it.
  • Domain fraudsters attempt to extract money from holders of .ch domains by telling them that someone wants to register the same domain name as theirs with a different ending and claiming that this endangers the .ch domain name.
Kassensturz, 2009


  • SWITCH-CERT is shortlisted by TERENA for Trusted Introducer certification.
  • Article 14fbis of the Ordinance on Addressing Resources in the Telecommunications Sector (OARTS) enters into force (since replaced by Article 15 of the Ordinance on Internet Domains). It enshrines the malware process in law and allows SWITCH to deactivate infected .ch websites quickly. This is pioneering legislation. It is essential in making .ch one of the most secure top-level domains in the world.
Radio interview with SWITCH's Head of Security Serge Droz on the change in the law.
  • SWITCH publishes videos for Swiss Security Day, organised by the InfoSurance association.


Video for Swiss Security Day.




  • SWITCH-CERT is certified at Trusted Introducer (see above).
  • The FBI catches the creator of a piece of malware called DNSChanger, which altered the Domain Name System (DNS) on infected PCs such that users were unknowingly redirected to different websites. DNS servers were replaced by servers that functioned correctly. These are finally turned off on 9 July 2012. SWITCH sets up a website allowing users to test if their PC is infected.




  • The Flashback Trojan infects Apple Mac computers on a large scale. Some 650,000 Macs are affected worldwide. SWITCH works on the case together with a company called Dr. Web and informs Internet service providers so that they can contact the affected clients.




  • On 10 January 2013, a massive DDoS (distributed denial of Service) attack hits the .ch name server. SWITCH acts quickly in response to the threat, and all .ch websites remain accessible without interruption.
  • The people responsible for the Blackhole exploit kit are arrested in Russia.
  • The Swiss Confederation's Parliamentary Services unit commissions services from SWITCH-CERT. In addition, six leading Swiss banks now depend on the commercial SWITCHcert service.
  • Law enforcement authorities – including the Cybercrime Coordination Unit Switzerland (CYCO) – mount a successful global assault on the ZeroAccess botnet, which controls around two million computers remotely. SWITCH experts play a key role in the operation.


  • SWITCH is a founding member of the Swiss Internet Security Alliance (SISA). The Alliance aims to make Switzerland the safest country on the Internet.


  • The Heartbleed and Shellshock vulnerabilities test the online world's nerves.
  • SWITCH is awarded ISO 27001 certification for its registry's information security management system
  • In response to the flood of phishing cases, SWITCH introduces a phishing process along the same lines as its malware process (see 2010).
  • The Gameover Zeus Trojan is almost completely stopped in a takedown operation. It was used to spy on victims, carry out DDoS attacks and spread spam.


  • SWITCH wins a CENTR Award for the security of its registry.


  • US Internet analysis firm Architelos publishes a study attesting that SWITCH has made .ch the most secure top-level domain in Europe.
  • SWITCH-CERT develops a new protection mode for Swiss universities, known as DNSfirewall, which blocks access to malicious websites.
SWITCH employee Matthias Seitz at the presentation of DNSfirewall at TNC16 in Prague.
  • Security is no longer merely a team, it is an entire SWITCH division.
  • SWITCH launches a public awareness campaign together with SISA, hosting firms and Internet service providers under the banner Safer Internet.
  • SWITCH-CERT is instrumental in the creation of CH-CERTs, a forum for experts to hold regular discussions on security topics.


  • Security guru Mikko Hyppönen does SWITCH the honour of giving a keynote speech at its Domain pulse conference in Lausanne.

Story and video about Mikko Hyppönen at the Domain pulse conference in Lausanne.
  •  Martin Leuthold becomes Head of Security
  • Malware-infected banner advertisements on Swiss newspaper websites cause headaches for users. 
  • Together with MELANI, SISA and other key players, SWITCH holds a Ransomware Day  to raise awareness of this widespread form of cybercrime (see also 1989).
  • SWITCH-CERT celebrates 20 years of success.
About the author
Anja   Eigenmann

Anja Eigenmann

Anja Eigenmann has worked at SWITCH since 2012 and is currently an editor for online and print media. She trained as a journalist and later completed a Master of Advanced Studies in Business Communications. She has previously been an editor-in-chief and consultant, among other things, and has led a course in online content writing.

Other articles