Government and security: risk of unfair competition

It is late, very late, in the mandate period when the government actually delivers some measures in the field of information and cyber security. During the summer, the government has decided that the Swedish Civil Contingencies Agency (MSB) will strengthen the CERT-SE function and simplify the support provided in the field of information and cyber security, and that the mandate of the Swedish Defence Radio Establishment (FRA) will be expanded.

Enhanced and expanded possibilities for authorities to help have long been requested by businesses. In essence, the decisions are therefore welcome, even if one would have liked them to have come earlier. The government has resources, in some cases unique, that can promote information security work in Sweden.

It is of course good that the government is taking an interest in information and cyber security in the final months of its term of office. It is also wise that the state's capabilities are being developed in this area, and the fact that more businesses are benefiting from the support the state can provide is also positive.

However, the government and public authorities must be careful not to enter areas where private companies can and should have the leading role in developing information security. Unfair competition, funded by taxpayers, is discouraged.

There is therefore every reason to closely monitor how the authorities handle their new tasks. This also applies to the National Cyber Security Center, which has similar tasks.

MSB is tasked with providing advice and support in the preventive work of authorities, regions, municipalities, companies and other organizations. The new mandate to MSB means that CERT-SE's support in information security work will be simplified and developed. The expanded mandate for the FRA means that the agency may also provide support to, among others, companies that are not state-owned and that handle information that is deemed to be sensitive from a vulnerability point of view or in terms of security or defense policy. Although FRA possesses a high level of expertise and unique information, very advanced services are also available on the private market today. There are, of course, private companies that can provide equivalent support to that provided by CERT-SE and MSB.

Perhaps, however, the threat of unfair competition is not imminent - but trumped by another major problem. These authorities are also likely to experience a skills shortage across the IT sector - not least in information and cyber security. There is a strong demand for information security skills among the 70,000 people that TechSverige has estimated will be missing in the IT industry by 2024. When the government spends over SEK 90 billion on higher education and research, there should be room to prioritize better so that supply better meets demand.

More work will be needed from government and parliament, government agencies and others to increase information and cyber security. One of the most important things the state can do is to help solve skills shortages in information security. At present, there is a lack of both a uniform picture of the demand for different security skills and access to a range of training that meets the demand. A first step could be to coordinate actors in the field to analyse and identify skills needs. Then, training providers at different levels and in different forms can be given the conditions to start meeting training needs.

The government is a major player in education and influences the framework for many others. If the government is serious about information and cybersecurity work, it is high time to contribute to strengthening the supply of skills - for its own authorities, but above all to meet the demand from the IT industry that wants to hire.

Fredrik Sand

Industrial policy expert