National digital security: No time to wait
While various government bodies are responsible for defining the way forward for Norway's digital resilience, our collective national security is also dependent on initiatives and actions being implemented from the bottom up - at each individual company
TL;DR
Since the new Norwegian Security Act came into force in 2019, there’s been debate around how and how quickly it should be implemented. The Norwegian Office of the Auditor General (Riksrevisjonen) has pointed out that progress on identifying and securing critical infrastructure is too slow. And while this work is ongoing, several value chains are likely to have insufficient security.
This blog post discusses how Norway's digital resilience depends on measures being taken both at the national level and by individual companies. Furthermore, it argues that there is much that companies can and should do today, while waiting for the implementation of the Security Act.
Introduction
Digitalisation has come far in Norway, and many of the functions that keep the wheels of society moving have moved online. This digitalisation is important and positive for a sustainable society. However, it also makes us vulnerable. Tensions in Europe have put societal security at the forefront, and there is an urgent need to strengthen Norway's digital resilience.
Identification and implementation take time
Since the new Security Act came into force in 2019, there has been debate around how the requirements of the law should be implemented. It is up to each individual ministry to ensure proper security within its sectors, and to identify what is to be covered by the law, be it businesses, infrastructure or services. This work has of course required a good deal of coordination between sectors, which has in turn slowed the pace of implementation.
Although the National Cyber Security Strategy for Norway aims to identify and secure critical infrastructure, the Norwegian Office of the Auditor General recently pointed out that progress is too slow. The identification of fundamental national functions and dependencies was supposed to be completed in July 2021, but is still ongoing. A lack of capacity and competence is highlighted as a reason. The fact that it was only last year that infrastructure related to oil and gas was recognised as being subject to the Security Act is an example of how sector-specific considerations also drag out the process.
From reactive to proactive security
This also illustrates how security is too often added as a reactive measure, even when we are aware of current threats and vulnerabilities.
There are usually three reasons for this. The first is a lack of overview of the risks relevant to the business. While risks related to finance and the market are often mapped, the security of critical assets and functions is less often part of this process. Without a comprehensive understanding of risk, it is challenging to predict how changes in the operational environment can affect the business.
Another reason is cost control. Investing in security can be perceived as a poor investment. At the same time, there is in many cases a lack of understanding that the cost of incidents can be far higher than the cost of preventive measures, not only for the business, but also for the value chain and society in general. This is related to the last reason, which is that it is often insufficiently recognised that the dependencies between business and national interests go both ways. Not only does Norway's digital resilience depend on measures taken by each individual business; the individual business also depends on effective national functions. Together, we can work to become more proactive in securing national interests.
While the identification of dependencies linked to fundamental national functions is ongoing, several value chains are likely insufficiently secured. However, these challenges are not new. Previous reports from the Norwegian Office of the Auditor General also emphasise these risks. In March 2021, the office found that Norway's power supply was not sufficiently prepared for cyber-attacks. In October 2022, another report revealed that the Norwegian Armed Forces had not been able to secure their information systems. In parallel with this, the annual assessments of the Norwegian Police Security Service (PST) and the National Intelligence Service highlight that state-supported threat actors may be willing to take increased risks in their operations against Norwegian interests. We must accept that implementation of the Security Act will take time. At the same time, we cannot afford to stay passive.
Much can be done today
Pending implementation of the Security Act, much can be done today. Many of the competences, capacities and abilities to implement digital security lie outside the public sector. But how can we mobilise these capacities?
Part of the answer may be found in increased coordination between public and private actors. Knowledge is a prerequisite for identifying and addressing security needs. In order to form a common situational awareness, arrangements should be made for increased information sharing, including from and between private entities. The National Cyber Security Centre (NCSC) is a natural common ground that can help strengthen coordination. We also see the positive effect of sectoral CERTs (such as NKom, KraftCERT and Nordic Financial CERT), both as coordinating bodies in their own sector and as links between the Norwegian National Security Authority (NSM) and private business. Such arenas could be strengthened, and more sectors included.
In 2017, NSM created a quality scheme for suppliers that offer incident management. The arrangement is a good illustration of how public and private actors can work together to improve the pace and quality of security work. This model could be extended to more security-related domains, and include other competent security environments.
But the most important thing is probably the effort made in each individual business. Together, we can form a robust digital foundation, which both supports and receives support from national functions. If we are to succeed with digitalisation, it is a prerequisite that companies and organisations place more emphasis on increasing their own resilience to cyber-attacks.
NSM's fundamental principles for ICT security are a good place to start, even for companies that are not subject to the Security Act. We can also contribute by taking an active part in organisations that coordinate this kind of work, such as the NCSC, the Norwegian Business and Industry Security Council or the sectoral CERTs, and by seeking help and advice on how our own company can improve its ability to protect itself from qualified entities.
There is no time to wait.