Government information security policy meets reality
Halfway through the term of office, the responsible ministers Carl-Oskar Bohlin (M) and Erik Slottner (KD) make a major announcement (DI 10/10) about information security policy. TechSweden's business policy expert Fredrik Sand comments.
At the outset, it is important to note that this government has shown a real and sincere interest in information and cyber security issues - and has taken action. This is very welcome. These issues have not been dealt with in the way they require by successive governments for more than twenty years. I think it's true what the ministers say - this is a pioneering effort. So hats off to the initiatives!
Some of the issues raised in the article are also in line with the proposals in TechSverige's report Techbranschens förslag för att möta cyberhoten: more resources, clearer division of responsibilities, the importance of cooperation with the business community and the link to NATO membership. But if you tip your hat, you can also see what is hidden underneath. So now a little more detail on what the government is actually doing.
In the op-ed, the ministers write a lot about the serious security situation and the complexity of the threats - but less about how complex it is for the government to do anything about it. The security situation and threats are by now well known. It is also good that the government is addressing electronic communications issues and allocating funds to do so. Cables, mobile masts and backup power are clear and important issues. In this situation, it is also good that the government is investing funds in building the next generation emergency radio system, Rakel generation 2, based on existing infrastructures and the capabilities of commercial players.
The simplest and most obvious criticism is that the government is making strategic decisions before it has presented the new and overdue national strategy for information and cyber security. So it is simply not possible to determine whether these measures are appropriate and in line with a strategic plan. The government has also taken shortcuts on other issues.
The controversial National Cyber Security Center (NCSC) will now be headed by the Swedish Armed Forces Radio Establishment (FRA). The basis for this decision was submitted to only 11 government agencies. No business interests or the wider public sector were consulted. This is in stark contrast to how the inquiry into implementing the key NIS2 directive in this area was conducted in Sweden: over 210 stakeholders were consulted. Incidentally, that inquiry's report barely mentions FRA at all. This does not, of course, make the decision any more coherent.
"The forms of work must be adapted to the conditions of businesses - not what is easy and free for the state to do." - Fredrik Sand, Industry Policy Expert, TechSverige
At the government's suggestion, companies are now forced to participate in the previously voluntary private-public cooperation in the National Telecommunications Service Group (NTSG). This aims, among other things, to improve the ability to restore infrastructure quickly. Cooperation in the NTSG has worked well. However, it is important to emphasize that cooperation on defence, preparedness and resilience issues should be based on voluntary agreements with companies. The forms of work must be adapted to the companies' conditions - not what is easy and free for the state to do.
The government also wants to map and strengthen municipalities' cybersecurity. It's hard to disagree, of course, but this is where the strategic questions start to arise. Is the most appropriate way to organize this (and other things like NIS2) to move the NCSC to the signals intelligence agency FRA?
FRA is recognized as technically skilled in the field, but a high level of information and cyber security requires organization, cooperation, information exchange and rules - as well as knowledge of the core activities to be protected. It is far from certain that Sweden's most secretive authority is best suited to the task. The area is also characterized by increased regulation, mainly from the EU, which will require a lot of interaction with the Union, but above all with the private and public actors affected by the regulation. Furthermore, FRA has an extremely important main mission in these times of unrest - intelligence gathering. Arguably, this will not be easy to reconcile and will require a lot of FRA's development capacity and a major cultural change. That said, the FRA's technical expertise and parts of its intelligence certainly need to be part of a national information and cyber security system, but taking responsibility for the whole is a far cry from the mission of one of Sweden's most secretive agencies since its creation in 1942.
The article in DI also addresses some of Slottner's responsibilities regarding government IT operations. The increased investment in this area is justified by the fact that it increases security and cost efficiency in government IT operations. This is not small potatoes. The market for public IT operations was SEK 17 billion in 2021 and is expected to be SEK 21 billion in 2025. It could all be more efficient. When 158 public authorities were surveyed, 100 were found to have their own data centers - a total of 220.
However, Slottner points out that it is authorities with a high level of IT capacity (not quite the same as IT competence) that should offer IT operations services to others. This would strengthen cybersecurity throughout the public sector, Slottner says. How is a bit unclear, as municipalities make up the largest part of the public sector. The most serious thing, however, is that the government puts the IT-heavy government agencies first. The IT managers there will, in a kind of artificial market, offer services to the directors general of the small and medium-sized authorities. TechSverige was already concerned when the committee presented its proposals, and the op-ed reinforces the concern that the policy is not clear enough that services related to government IT operations should primarily be delivered by private actors.
The government's proposals will mean that a number of authorities will have a very strong position and influence not only in IT operations, but in key aspects of digitization in the public administration. The role of private service providers therefore needs to be strengthened across the board, and clarifying rules and mechanisms put in place to realize it. Market solutions are usually preferable if a good balance is to be struck between security, cost-effectiveness, innovation and societal benefits. This also applies to information and cybersecurity work.
Well, we tipped our hats, only to find once again that the devil was in the details. The government's commitment to information and cyber security is very welcome. However, it is not enough to resolve turf wars between authorities, or to have a limited view of security work in society and what it really means.
Decisiveness is good, but as we know, speed does not compensate for misdirection. For example, the article did not address the area where the public sector can probably do the most to improve security - a better supply of skills in information and cyber security. A broader allocation is needed here than that previously announced by the government in the form of a cybersecurity campus at KTH. Important and welcome, but not enough.
We must hope that the desire to achieve rapid results is now also complemented by the government's commitment to the difficult trade-offs and issues that will arise when the government's information security policy now meets reality. Information and cyber security is an important social issue and much remains to be done. TechSweden's members have a lot to contribute to this development. Now it is important to fill the organizational sketches with real content. Cooperation with the private sector will be crucial here.