No easy solutions to cyber attacks

In the wake of recent IT disruptions and cyberattacks, the simple solutions are being put forward. On its editorial page, Dagens industri (Nov. 8, 2022) suggests that if one authority should set the tone for Sweden's cyber defense, it should be the Swedish Defence Radio Agency (FRA). DI is not alone in this stance. But is it that simple?

Knowledge of information and cyber security needs to be shared across society and business, and across many - if not all - regulatory, emergency response and sectoral authorities. This is because it is not just a technical or intelligence issue (where FRA has a lot of experience). Legislation and regulation play an important role.

Information and cyber security work needs to be conducted in a context and permeate the entire business - as in healthcare, in an unemployment fund or in a municipality. With all due respect to the FRA, their knowledge may not cover all relevant industries, sectors, regulations and other things that need to be considered in order for information security to be high in all these activities.

Earlier this year, Finansinspektionen (FI) presented the hastily written report Strengthening the digital resilience of firms in the financial sector. FI argued that the ambitions of its own supervision needed to be raised, but also pointed to the complex landscape of multiple authorities and overlapping legislation. In short, this is nothing that the FRA can or should have a leading role in, although it is happy to assist with relevant technical knowledge and other information.

One example is payments from unemployment insurance funds, which have recently been affected by an attack. The Unemployment Insurance Inspectorate (IAF) is tasked with ensuring that unemployment insurance works. It is unlikely that the IAF can become an authority with in-depth knowledge of information and cyber security, but it certainly has a role to play in ensuring that information security work within its area of responsibility is effective.

Politicians and others discussing information security policy often take the view that there should be only one authority, one ministry and one minister responsible for information and cyber security. Reality tells us once again that the work is much more difficult and will require persistence.

No single actor has the whole solution. Collaboration with industry and other authorities will be needed. The Swedish Civil Contingencies Agency (MSB) and the National Cyber Security Center (NCSC) must contribute to the whole. The lack of skills in information and cyber security is a major problem. Here, the government and parliament could make an important contribution, namely to ensure that our education systems are better at providing us with the skills that are in demand.

There is simply a lot to do, but no simple solutions that leave all responsibility to one actor. Collaboration and information sharing are fundamental to adequately respond to cyber attacks.

Fredrik Sand
Industry policy expert, TechSverige