ctipilot.ch

NCSC Switzerland BACS assessment on AI in vulnerability management — defenders warned against over-reliance on AI detection

campaign · advisory:ncsc-ch-ai-vuln-mgmt-2026

Coverage timeline: 1 (first 2026-05-10 → last 2026-05-10)
Briefs: 1 (1 distinct)
Sources cited: 23 (18 hosts)
Sections touched: 1 (weekly_policy)
Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-05-10: CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026)
    weekly_policy: First coverage. W2 horizon research. NCSC Im Fokus 1 May 2026 BACS position paper; AI characterised as dual-use risk; scale of fully autonomous AI-driven attacks unclear; defenders should not substitute AI tools for foundational controls. NCS implementation framework supervisory weight.

Where this entity is cited

  • weekly_policy (1)

Source distribution

  • attack.mitre.org: 4 (17%)
  • ncsc.admin.ch: 2 (9%)
  • security-hub.ncsc.admin.ch: 2 (9%)
  • ebas.ch: 1 (4%)
  • access.redhat.com: 1 (4%)
  • blick.ch: 1 (4%)
  • ccb.belgium.be: 1 (4%)
  • comparitech.com: 1 (4%)
  • other: 10 (43%)

Related entities

All cited sources (23)

Items in briefs about NCSC Switzerland BACS assessment on AI in vulnerability management — defenders warned against over-reliance on AI detection (2)

NCSC Switzerland — formal BACS assessment on AI in vulnerability management; defenders warned against over-reliance on AI detection

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

The Swiss NCSC published a formal signed BACS assessment on 1 May 2026 titled "Use of AI in vulnerability management" (NCSC Switzerland Im Fokus, 2026-05-01). The assessment characterises AI as "highly significant for cybersecurity" with an asymmetric dual-use risk: while AI-based detection tools accelerate vulnerability identification for defenders, the NCSC observes that the same technology "is making hackers' work much easier," particularly in malware-development efficiency. The key NCSC finding is that the actual scale of fully autonomous AI-driven cyberattacks remains unclear — defenders should not treat AI-augmented detection as a solved problem justifying reduced investment in foundational controls. The NCSC recommends prioritising: continuous patching discipline, strong access management and privileged-access controls, staff security awareness, and regular structured security reviews. What defenders need to do differently: in ISG-covered Swiss entities a BACS position paper carries supervisory weight under the NCS implementation framework; CISO functions should document how their AI-security tool deployments are complemented by (not substituting for) the NCSC's foundational-controls baseline. This is a measured regulatory pushback against vendor claims that AI-powered detection can replace security fundamentals. Single-source national-CERT carve-out applies.

[SINGLE-SOURCE-OTHER] SMS-blaster smishing establishing itself in Switzerland — portable IMSI-catchers force 2G downgrade, bypass operator SMS filtering

From CTI Daily Brief — 2026-05-11 · published 2026-05-11

ebas.ch — the Swiss banking-sector and Lucerne University of Applied Sciences (HSLU) e-banking awareness portal — reported on 2026-05-07 that SMS-blaster fraud is establishing itself in Switzerland. A portable device (concealable in a vehicle or backpack) broadcasts as a rogue base station with strong signals that force nearby smartphones within several hundred metres to attach and to downgrade from 4G/5G to 2G. The 2G network lacks mutual authentication between handset and base station, allowing whoever operates the rogue device to inject SMS directly into the victim's handset — entirely bypassing the mobile carrier's SMSC, where anti-phishing and anti-spam filters are applied (ebas.ch, 2026-05-07). The lure SMS impersonates authorities, banks or courier services, directing victims to credential-harvesting pages. A brief, unexpected RAT (radio access technology) downgrade from 4G/5G to 2G on a managed handset, in the absence of a corresponding carrier outage signal, is the technical fingerprint of a rogue base station in proximity — although ebas.ch does not report observed victim handset-side telemetry as part of its disclosure.

Why it matters to us: Federal employees and contractors using government-issued or BYOD mobile devices are exposed to the same proximity-targeted lure that no carrier filter can stop. SMS-blaster activity is invisible to enterprise mobile threat-defence (MTD) products that rely on link reputation alone — the lure arrives via SMS, but the device-side signal is a sudden 4G/5G → 2G → 4G/5G transition that some EDR-MDM stacks (Intune mobile telemetry, Jamf Protect) can surface. Suggest disabling 2G on managed Android estates where MDM supports the setting (Android 12+ via setAllowedNetworkTypesForReason / Enterprise restrictions); iOS Lockdown Mode disables 2G but is impractical for routine federal use. Map smishing-lure handling to existing IR runbooks. Mapped to T1566 Phishing at the technique level — the smishing variant delivered via a rogue base station bypasses operator-side SMS filtering by attacking the radio-link delivery channel, not by manipulating data in flight to its intended endpoint. ebas.ch is the only source for the Swiss-localised signal — see § 7 [SINGLE-SOURCE-OTHER] notice.
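The device-side fingerprint described above (a short 4G/5G → 2G → 4G/5G bounce with no matching carrier outage) can be turned into a simple detection over MDM radio telemetry. The following is an added example written for this page, not code from ebas.ch, the NCSC or any MDM vendor. It assumes telemetry arrives as (timestamp, device id, radio access technology) records using Android TelephonyManager network-type names, and assumes a 10-minute maximum dwell to separate a brief forced attach from a legitimate rural coverage gap; the sample records and the outage window are constructed.

```python
"""Flag brief, unexplained 4G/5G -> 2G -> 4G/5G bounces in handset radio telemetry.

Added example (not from the original brief). Input shape and the dwell
threshold are assumptions; sample data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Android TelephonyManager network-type names grouped by generation.
# 3G names (UMTS, HSPA, ...) are deliberately in neither set: a drop to 3G
# is not the fingerprint the ebas.ch report describes.
TWO_G = {"GSM", "GPRS", "EDGE", "CDMA", "1xRTT", "IDEN"}
FOUR_FIVE_G = {"LTE", "LTE_CA", "NR"}


@dataclass(frozen=True)
class DowngradeAlert:
    device_id: str
    start: datetime        # when the handset attached to a 2G cell
    end: datetime          # when it returned to 4G/5G
    dwell_seconds: float   # how long it stayed on 2G


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def _in_outage(start: datetime, end: datetime, outages) -> bool:
    """True if the 2G window overlaps any carrier-reported outage window."""
    return any(start <= o_end and end >= o_start for o_start, o_end in outages)


def find_rogue_bts_fingerprints(events, outages=(), max_dwell=timedelta(minutes=10)):
    """Return one DowngradeAlert per brief 4G/5G -> 2G -> 4G/5G bounce per device.

    events:  iterable of (iso_timestamp, device_id, rat_name)
    outages: iterable of (iso_start, iso_end) carrier outage windows; a bounce
             inside such a window is treated as legitimate fallback and skipped.
    max_dwell: longest 2G stay still considered "brief" (assumed threshold).
    """
    by_device = defaultdict(list)
    for ts, dev, rat in events:
        by_device[dev].append((_parse(ts), rat))
    outage_windows = [(_parse(s), _parse(e)) for s, e in outages]

    alerts = []
    for dev, series in by_device.items():
        series.sort()  # chronological order per device
        # Slide a window of three consecutive RAT observations.
        for (_, r_prev), (t_cur, r_cur), (t_next, r_next) in zip(series, series[1:], series[2:]):
            if r_prev in FOUR_FIVE_G and r_cur in TWO_G and r_next in FOUR_FIVE_G:
                dwell = t_next - t_cur
                if dwell <= max_dwell and not _in_outage(t_cur, t_next, outage_windows):
                    alerts.append(DowngradeAlert(dev, t_cur, t_next, dwell.total_seconds()))
    return alerts


# Constructed sample telemetry: (timestamp, device_id, radio access technology).
SAMPLE_RAT_EVENTS = [
    ("2026-05-07T09:00:00", "dev-01", "LTE"),
    ("2026-05-07T09:12:30", "dev-01", "GSM"),   # brief forced 2G attach -> flagged
    ("2026-05-07T09:15:05", "dev-01", "LTE"),
    ("2026-05-07T09:00:00", "dev-02", "NR"),
    ("2026-05-07T10:00:00", "dev-02", "GSM"),   # 2.5 h on 2G: coverage gap, not flagged
    ("2026-05-07T12:30:00", "dev-02", "NR"),
    ("2026-05-07T13:05:00", "dev-03", "LTE"),
    ("2026-05-07T13:10:00", "dev-03", "GSM"),   # inside the carrier outage below -> skipped
    ("2026-05-07T13:12:00", "dev-03", "LTE"),
    ("2026-05-07T09:00:00", "dev-04", "LTE"),
    ("2026-05-07T09:01:00", "dev-04", "UMTS"),  # 3G fallback, not 2G -> not flagged
    ("2026-05-07T09:02:00", "dev-04", "LTE"),
]
# Constructed carrier outage notice (start, end).
SAMPLE_OUTAGES = [("2026-05-07T13:00:00", "2026-05-07T13:30:00")]

if __name__ == "__main__":
    for alert in find_rogue_bts_fingerprints(SAMPLE_RAT_EVENTS, SAMPLE_OUTAGES):
        print(f"{alert.device_id}: 2G from {alert.start:%H:%M:%S} to "
              f"{alert.end:%H:%M:%S} ({alert.dwell_seconds:.0f}s), no carrier outage")
```

On the constructed sample only dev-01 is flagged: dev-02 stays on 2G far longer than a forced attach would, dev-03's bounce coincides with a carrier outage, and dev-04 only fell back to 3G. Tuning the dwell threshold against a fleet's normal 2G fallback rate is the main operational decision before routing such alerts into the smishing IR runbook.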