Government allocates responsibility for cybersecurity - but does the analysis hold?
As the government tackles the issue of cybersecurity, it is unlikely to be as easy as it might have been. There is a strong need to clarify responsibilities in this area and the government is taking some commendable initiatives. However, there is no getting away from the fact that policy is being developed piecemeal and piecemeal in a crucial and serious area - although this government is not solely to blame.
As the government tackles the issue of cybersecurity, it is unlikely to be as easy as it might have been. There is a strong need to clarify responsibilities in this area and the government is taking some commendable initiatives. However, there is no getting away from the fact that policy is being developed piecemeal and piecemeal in a crucial and serious area - although this government is not solely to blame.
In a debate article in DN (26/4 2023), several ministers, headed by the Prime Minister, announce that the Swedish Armed Forces Radio Establishment (FRA) will be responsible for the National Cyber Security Center (NCSC), which has previously been shared between several authorities. The six ministers also announced stronger cooperation with the business community, increased ambitions in international work on information and cyber security, and a new national strategy. Important and good announcements.
It is undisputed that the FRA has a high level of technical expertise and other important capabilities to deal with cyber threats. The question is whether an intelligence agency can easily develop the ability to lead and assist in the work on information and cyber security across the breadth and depth of society. It is a complex interaction between technology, organization and operations, among other things. To this must be added rules and requirements from, for example, supervisory authorities in widely differing areas where the state's responsibility and influence shift. Furthermore, it is somewhat surprising that the government is doing this without first conducting the evaluation of the NCSC that was previously promised. It is clear that the ministers are throwing the cyber yeast into the furnace and even admit it when they write that the forms of inter-agency cooperation "will be analyzed urgently." Even a seasoned observer of information security policy would raise his eyebrows, were it not for the fact that the Swedish National Audit Office published a report with serious criticism on the same day.
"Strengthening the Government Offices' work on these issues is urgent."
It is of course welcome that the government sees a need to strengthen cooperation with the business community, including situation reports. The energy sector, the transport sector and the telecom sector should be the focus of information exchange and support. These are obviously important sectors, but it is unclear what the basis for prioritization is. Several of the high-profile hostage program attacks have affected municipal activities as well as regional areas of responsibility.
Strengthening the Government Offices' work on these issues is urgent. The National Security Council should be given a coordinating role. There is certainly a lot that the Council can coordinate, and do so well, especially if it has a narrow view of the area and what should be done. The more difficult challenge is to raise security broadly in society and articulate the role of the state in supporting it. There is a need for more ministries to get involved in their areas. Here, one of the signatories showed commitment earlier. The Minister for Education, Mats Persson (L), has taken on the issues of information security at universities and colleges. The other ministers in the government must be asked to urgently analyze their areas of responsibility.
According to the article, the government will also start work on a national information and cybersecurity strategy in 2023. Of course, it's hard to disagree, although one would have thought that strategic thinking would precede the initiatives and changes now being made. Well, the previous strategy left a lot to be desired when it came to the relationship with industry. The opinion piece gives hope that things can be better this time.
The government's commitment to international issues, where it wants to be a "driving force in international cyber issues", is also welcome. In EU cooperation alone, there have been a number of proposals in recent years that require attention - both in Brussels and in implementation in Sweden. NATO membership will require more.
The debate article wants to show that there is room for action. It is of course appropriate to remind the ministers once again that one of the most important things the government can do is to reduce the skills shortage in information and cyber security. It does not need to be "hastily analyzed" that there must also be the right skills to increase security.
Fredrik Sand
Business policy expert, TechSverige