Sweden’s Proposed National Cybersecurity Strategy

The Swedish Government recently published its inquiry on the current state of national cybersecurity in Sweden. The report, Cyber security in Sweden – strategy and measures for secure information in central government (full text only in Swedish), will serve as the foundation for the Swedish national cybersecurity strategy. Below is an excerpt of the executive summary and the key recommendations for the future national strategy.

Executive Summary

Cyber security is a support activity to improve the quality of central government functions while also being a necessary activity to guarantee that legislation from the Government and the Parliament is actually implemented. Essentially, it is about protecting the fundamental values and goals in our society, such as democracy, personal privacy, economic growth and political stability.

The objective is to achieve a high level of cyber security in central government administration that promotes:

  • the rights and freedoms of citizens, and personal privacy;
  • the functionality, efficiency and effectiveness, and quality of
    central government administration;
  • law enforcement;
  • the ability of central government to prevent and deal with serious
    disruptions and crises; and
  • business sector growth, through central government being
    skilled and clear in formulating requirements.

The strategy sets out six strategic objectives and strategic areas for cyber security. Various proposed measures are given within each strategic area.

1. Governance and oversight of cyber security in central government shall be strengthened.

A national governance model for cyber security in society will be established. The Government will establish a government agency council for cyber security comprising representatives of the relevant government agencies. A new ordinance on government agencies’ cyber security will be introduced.

Cyber security oversight of the central government sector will be coordinated and strengthened. The Swedish Civil Contingencies Agency will be given a general oversight mandate for government agencies’ cyber security. Sectoral oversight will be reviewed.

Cyber security auditing will be developed. Management responsibility at government agencies for maintaining security in their information management shall be enhanced through a reporting requirement, regulated by statute.

2. Central government shall state clear security requirements as a procurer of IT products and services, and services involving the handling of information.

Central government procurement shall contain references to standards and certification requirements that apply to central government in situations where security levels have been established for each activity. The Swedish Civil Contingencies Agency is mandated to establish minimum requirements for security in commonly used IT products used by government agencies.

A requirement will be introduced, whereby a government agency must report which contractor it has chosen when framework agreements for IT solutions have been used. With regard to services and products for use in communication in central government, the procuring agency should consider the possibility of applying the Defence and Security Procurement Act if procurement under the Public Procurement Act permits insufficient security requirements.

The Government will deepen the dialogue between private and public actors, as well as education and research institutions in the area.

3. Government agencies shall communicate in a secure way

All government agencies listed in the annex to the Emergency Management and Heightened Alert Ordinance will be connected to the Swedish Government Secure Intranet (SGSI). During the expansion of SGSI, appropriate measures will be taken to develop sensor technology.

All agencies are to use the same synchronized time scale for the time they use in their IT systems.

The Government will instruct the Swedish Civil Contingencies Agency, the National Defence Radio Establishment, the Defence Materiel Administration and the Swedish Armed Forces to develop the process for securing cryptographic functions.

4. All government agencies shall report IT incidents to create a basis for improved knowledge and status reports.

Systems will be introduced for obligatory IT incident reporting for all government agencies. These will be adapted to the contents of the EU Directive on Network and Information Security (NIS Directive).

The Swedish Civil Contingencies Agency will be instructed to issue implementation provisions to prepare for obligatory IT incident reporting. Government agencies will be provided with status reports regarding IT incidents.

5. The prevention of and fight against cybercrime shall be strengthened.

The ratification of the Council of Europe Convention on Cybercrime should be concluded. It should be considered whether a regulation can be introduced in the Public Access to Information and Secrecy Act whereby secrecy can be maintained regarding information that is exchanged between law enforcement agencies and other agencies involved in law enforcement work within the area of cyber security.

A review of the provisions on coercive measures in Chapters 27 and 28 of the Swedish Code of Judicial Procedure and other sections of law shall be conducted to ensure that law enforcement agencies are able to carry out their activities in the digital environment.

6. Sweden shall be a strong international partner.

The Government will ensure that Sweden takes resolute and consistent action in all relevant international and regional forums.

Key Points of the New US Cyber Strategy

The new US Department of Defense Cyber Strategy that was published last week offers a remarkably clear and comprehensible insight to the US military view on cybersecurity and is the first official update to the DoD strategy published in 2011.

So what can we learn from how the US DoD thinks about “cyber” in 2015?

“Cyber” is indisputably a military domain

The strategy repeatedly refers to cyber, cyberspace, cybersecurity, cyberattacks (the list goes on) but since there are no definitions of either concept it is not very clear exactly what the DoD is talking about when it comes to “cyber”. What is clear however, is the fact that cyber is indisputably a military domain. A concept that was, and in some corners continue to be, widely contested during the evolution of the Internet seems to have cemented itself in the global policy debate along with the notion that nation states continue to be key actors in Internet governance and global cybersecurity issues.

However, the DoD does not claim ownership of “cyberspace” but instead frequently stresses the importance of cooperation and multilateralism – both in terms of cooperation with domestic industry as well as international partners. The strategy, presented at Stanford University, especially seeks to appease the somewhat tense relations between the Pentagon and Silicon Valley through the idea that “if we cannot get Silicon Valley to come to the Pentagon, we’re going to bring the Pentagon to Silicon Valley”.

A catastrophic attack is no longer the primary focus

Since 2013, the Director of US National Intelligence has named the “cyber threat” as the number one strategic threat to the United States but the new strategy indicates a shift in what kind of threat the US is actually concerned with. When cybersecurity began its rise to prominence following 9/11 the debate was littered with warnings of catastrophic, crippling attacks and metaphors of “cyber 9/11s” and “cyber Pearl Harbors”.

In contrast, the DoD has now shifted their attention to persistent low level attacks that could damage individuals, firms, and some industrial systems as well cyberespionage that steals U.S. intellectual property to undercut the US technological and military advantage. The strategy also (unsurprisingly) singles out China, Russia, Iran, North Korea, and the Islamic State (IS) as actors that have displayed an overt level of hostile intent towards the United States and its interests in cyberspace.

Concern for malware proliferation and zero-day markets

The strategy highlights the proliferation and marketisation of malware as a key security challenge for the United States. The opportunities for nation states, non-state actors, or individuals to purchase destructive malware and other capabilities continue to increase and has created a dangerous and uncontrolled market that serves multiple actors within the international system, often for competing purposes.

This will most likely be an increasingly important policy issue for the US government where it will be faced with the two-pronged challenge of creating norms or regulation that can appease both political adversaries and the legitimate information security research sector.

A new found belief in deterrence

The concept of deterrence (and comparisons to the nuclear weapons proliferation debate) have been present in the cybersecurity debate for a long time. However, very few policy makers and scholars have found Cold War deterrence frameworks to be applicable or relevant to cybersecurity – mainly due to the low barrier of entry and attribution problems. There have been signs that the US policy has been slowly shifting in relation to “cyberdeterrence” and it is now clear that the DoD believes deterrence is not only possible but necessary for a secure US cyberspace.

The DoD presents a three-fold deterrence strategy of response, denial, and resilience.

  • Response – The US needs to convince a potential adversary that it will suffer unacceptable costs if it conducts an attack on the United States and the strategy makes it clear that the US will continue to respond to cyberattacks at a time, in a manner, and in a place of their choosing, using appropriate instruments of US power and in accordance with applicable law.
  • Denial – In essence making the US infrastructure so difficult to successfully attack that potential adversaries will be deterred to try.
  • Resilience – To achieve a national infrastructure that is so resilient and redundant that it continues to operate even if an adversary is successful in a disruptive or destructive attack.

There seems to be little concern for attribution problems as the DoD quotes “significant investments” from both Pentagon and the intelligence community in the collection, analysis, and dissemination capabilities to reduce the anonymity of state and non-state actor activity in cyberspace.

The US capability for attribution will be key in dissuading actors from conducting cyberattacks and will grow increasingly important for deterrence as activist groups, criminal organisations, and other actors acquire advanced cyber capabilities over time.

Offense is the new defense

The new strategy presents a clear policy shift from the DoD when it comes to openness with offensive cyber capabilities, which previously have been (mostly) absent from public strategy documents. While the strategy does not disclose the specifics of what offensive capabilities the US currently possesses it is made clear that the “DoD must be able to provide the President with a wide range of options for managing conflict escalation” – including disrupting an adversary’s command and control networks, military-related critical infrastructure, and weapons capabilities.

The strategy also gives some hints when it would be appropriate for the US military to conduct (offensive) cyber operations to protect U.S. interests in an area of operations.

For example, the United States military might use cyber operations to terminate an ongoing conflict on U.S. terms, or to disrupt an adversary’s military systems to prevent the use of force against U.S. interests. United States Cyber Command (USCYBERCOM) may also be directed to conduct cyber operations, in coordination with other U.S. government agencies as appropriate, to deter or defeat strategic threats in other domains.

These offensive cyber capabilities are to be developed and deployed to achieve key security objectives with precision and minimal loss of life and destruction of property. The DoD also envisions that these capabilities will be synced with kinetic operations across all domains of military operations.

Aggressive defence policy can create security dilemmas

Whereas the DoD acknowledges the need for offensive capabilities, it is also concerned with the potential negative consequences of offensive policy. An increasingly aggressive cyber policy may create a security dilemma with a global escalation of offensive capabilities that could endanger US interests in cyberspace.

To ensure that the DoD supports the overall US policy for an open, free, and prosperous Internet it is made clear that the DoD will always act in a way that reflects enduring US values, including support for the rule of law, as well as respect and protection of the freedom of expression and privacy, the free flow of information, commerce, and ideas.

Any decision to conduct (offensive) cyber operations will be made with the utmost care and deliberation and under strict policy and operational oversight, and in accordance with the law of armed conflict. This is also in line with recent US policy efforts to build influence over Internet policy and cybersecurity issues by promoting norms supportive of US policy objectives. How successful this cautionary offensive doctrine will be remains to be seen but it will undoubtedly be challenging for nation states to justify why certain actors are entitled to offensive capabilities and others are not.

However, the strategy also makes it clear that not all cyberattacks will warrant a military response and that the US will continue to be flexible in its responses, including the possibilities for diplomatic action, legal action, and economic sanctions.