Cybersecurity policy revelations on stage
You don't expect stand-up comedy when you attend MSB's big cybersecurity conference in October. With two directors general on stage, it is also a physical impossibility. For those who follow cybersecurity policy and the government's stated motives for it, however, it became unintentionally comical when the directors general of FRA and MSB appeared together and opened the conference. They talked about the transfer of cybersecurity issues between them and what it means.
It goes something like this:
- The FRA is good at technology, which is why the National Cyber Security Center (NCSC) will be moved there.
- FRA is Sweden's most secretive authority, which means that its way of working differs from MSB's more open and coordinating role in society.
- Neither authority is directly known for its work on EU single market legislation, which is now increasingly used for information and cyber security.
- Of course, the directors general did not mention that the result will also be that MSB, in its new guise as the Swedish Civil Defense Agency, will be stripped of almost everything related to cybersecurity. Perhaps not optimal for the "top node" in the arming of civil defense.
On stage, FRA's Director General was at least clear that it needs to become more like MSB in terms of transparency. Expanding in the technology area is probably difficult and inappropriate - FRA should not compete with cybersecurity companies. (Here, MSB's Director General was exemplarily clear and encouraged the use of private actors.) FRA is recognized as skilled in an important but narrow area. At the same time, broader societal issues such as regulation, advice and supervision are now being moved from a centrally located authority, which is also used to cooperating with other authorities, to one that has so far mostly worked with sky-high confidentiality requirements. The report describing how this will be done can also be read as a list of the problems with moving from MSB to FRA.
In a few minutes, and probably unwittingly, the directors general laid bare the fundamental problems with the government's policy in this area. Basically, it raises the question of whether it is worth the trouble, and whether it is a recipe for success or for a flop.
The future will tell how this will work out. In any case, TechSverige has suggested that the arrangement needs to be evaluated after a number of years.
It was all illustrated when two program items on threats and actors followed each other. What the FRA told us was the same thing we have been hearing from them for perhaps the last ten years, noting that it has only gotten worse. The private cybersecurity firm Truesec was more explicit. Truesec provided details, showing trajectories, techniques, actors and links to foreign powers. Simply put, it was more informative and useful.
At its core, the most important role of government in cybersecurity is probably not about the technology, but about areas where government has responsibility and influence. This could be the role of education in providing skills - the Director General of the FRA described the skills shortage as 'critical'. The state has an obvious role in law enforcement and legislation. This is where policy has gone wrong. The focus, responsibilities and resources do not reflect the areas where the state can do the most good.
It should be said that the government has raised its ambitions for information and cyber security. This is good, and it is now high time to start working on the issues. There is also a great deal of commitment to the NCSC - both among public and private actors. Make the most of it.
Fredrik Sand
Business policy expert, TechSverige