Fredrik Sand

Politicians' vision of cybersecurity remains an illusion 

The Financial Supervisory Authority (FI) report on measures to strengthen the digital resilience of the financial sector has both flaws and merits. There is even a hint of self-criticism between the lines. It is also striking that the work in FI's area has not actually made any progress when it comes to cyber security. The government has a great deal of responsibility here, but FI cannot simply shift the blame. 

One example of how developments have not kept pace is FI's lingering skepticism about outsourcing. Here, Finansinspektionen wants to give itself veto power over individual agreements. One of the motives is that FI's own supervision would become more complicated. Time has run away from the authority here. Outsourcing parts of operations or other activities is now well-tested and common. It is the regulations and supervision that must adapt to reality. Outsourcing can often increase safety. A veto right would increase uncertainty for private operators and could be counterproductive. Furthermore, we could lose both innovation and competitiveness.

The authority's description of the Swedish e-identification system and its supervision also leaves something to be desired. The reader might almost get the impression that FI is unaware that there is a system of choice in which the Swedish Agency for Digital Government (Digg) is responsible for reviewing and approving e-identifications, and that there are alternatives growing on the market. The report also fails to mention that the Swedish Post and Telecom Authority (PTS) has supervisory responsibility for so-called trusted services, and thus also for BankID, for example. As FI itself shows, information security in society is a complex issue.

Unsurprisingly, FI also recognizes that the skills shortage in information and cyber security is a major problem. Here, the government and parliament could perhaps make a major contribution, namely to ensure that our education systems become better at providing us with the skills that are in demand in the labor market.

The report is most interesting when it discusses the situation in the financial sector in more detail. It turns out that information and cyber security at the policy and regulatory level is quite complex. There are national and EU rules, as well as rules that apply broadly and sector-specific rules. The threats are also complex and varied. The report contributes here by providing an overview of the situation in the financial sector and outlining proposals for the future.

Some politicians and others discussing information security policy have a vision that there should be an authority, a ministry and a minister who takes responsibility for cyber security. Finansinspektionen's review in the report makes it abundantly clear that such a vision will remain an illusion.

To ensure that the road ahead does not lead to a mirage, hard work is needed from many, because information security policy is like information security work itself - it must be long-term and systematic. A quick government assignment is therefore not enough - even in one sector. This does not mean that the work has been in vain. On the contrary, when we say that there is a need for increased awareness and understanding of cyber threats - at all levels - this is the kind of evidence that is needed to take the work forward.

https://www.fi.se/contentassets/7ed22f2de362421b8590699ec253746e/forst-digital-motstndskraft-ftg-fin-sektor.pdf