The Swedish Government recently published its inquiry on the current state of national cybersecurity in Sweden. The report, Cyber security in Sweden – strategy and measures for secure information in central government (full text only in Swedish), will serve as the foundation for the Swedish national cybersecurity strategy. Below is an excerpt of the executive summary and the key recommendations for the future national strategy.
Cyber security is a support activity to improve the quality of central government functions while also being a necessary activity to guarantee that legislation from the Government and the Parliament is actually implemented. Essentially, it is about protecting the fundamental values and goals in our society, such as democracy, personal privacy, economic growth and political stability.
The objective is to achieve a high level of cyber security in central government administration that promotes:
- the rights and freedoms of citizens, and personal privacy;
- the functionality, efficiency and effectiveness, and quality of central government administration;
- law enforcement;
- the ability of central government to prevent and deal with serious disruptions and crises; and
- business sector growth, through central government being skilled and clear in formulating requirements.
The strategy sets out six strategic objectives and strategic areas for cyber security. Various proposed measures are given within each strategic area.
1. Governance and oversight of cyber security in central government shall be strengthened.
A national governance model for cyber security in society will be established. The Government will establish a government agency council for cyber security comprising representatives of the relevant government agencies. A new ordinance on government agencies’ cyber security will be introduced.
Cyber security oversight of the central government sector will be coordinated and strengthened. The Swedish Civil Contingencies Agency will be given a general oversight mandate for government agencies’ cyber security. Sectoral oversight will be reviewed.
Cyber security auditing will be developed. Management responsibility at government agencies for maintaining security in their information management shall be enhanced through a reporting requirement, regulated by statute.
2. Central government shall state clear security requirements as a procurer of IT products and services, and services involving the handling of information.
Central government procurement shall contain references to standards and certification requirements that apply to central government in situations where security levels have been established for each activity. The Swedish Civil Contingencies Agency is mandated to establish minimum requirements for security in commonly used IT products used by government agencies.
A requirement will be introduced, whereby a government agency must report which contractor it has chosen when framework agreements for IT solutions have been used. With regard to services and products for use in communication in central government, the procuring agency should consider the possibility of applying the Defence and Security Procurement Act if procurement under the Public Procurement Act permits insufficient security requirements.
The Government will deepen the dialogue between private and public actors, as well as education and research institutions in the area.
3. Government agencies shall communicate in a secure way.
All government agencies listed in the annex to the Emergency Management and Heightened Alert Ordinance will be connected to the Swedish Government Secure Intranet (SGSI). During the expansion of SGSI, appropriate measures will be taken to develop sensor technology.
All agencies are to use the same synchronized time scale for the time they use in their IT systems.
The Government will instruct the Swedish Civil Contingencies Agency, the National Defence Radio Establishment, the Defence Materiel Administration and the Swedish Armed Forces to develop the process for securing cryptographic functions.
4. All government agencies shall report IT incidents to create a basis for improved knowledge and status reports.
Systems will be introduced for obligatory IT incident reporting for all government agencies. These will be adapted to the contents of the EU Directive on Network and Information Security (NIS Directive).
The Swedish Civil Contingencies Agency will be instructed to issue implementation provisions to prepare for obligatory IT incident reporting. Government agencies will be provided with status reports regarding IT incidents.
5. The prevention of and fight against cybercrime shall be strengthened.
The ratification of the Council of Europe Convention on Cybercrime should be concluded. It should be considered whether a regulation can be introduced in the Public Access to Information and Secrecy Act whereby secrecy can be maintained regarding information that is exchanged between law enforcement agencies and other agencies involved in law enforcement work within the area of cyber security.
A review of the provisions on coercive measures in Chapters 27 and 28 of the Swedish Code of Judicial Procedure and other sections of law shall be conducted to ensure that law enforcement agencies are able to carry out their activities in the digital environment.
6. Sweden shall be a strong international partner.
The Government will ensure that Sweden takes resolute and consistent action in all relevant international and regional forums.