Sweden, today, is one of the leading countries in digitisation in the EU. This has made us fast and cost-effective but also vulnerable. Harmful effects in one area can quickly have extensive consequences for others as well. Electricity supply and payment systems are clear examples.
Outdated IT systems
An audit report from the Office of the Auditor General (OAG) in October shows that 31 out of 49 government agencies studied have problems with obsolete IT systems. The OAG believes the authorities have not worked on the issue in the long term, which causes a number of problems.
For example, about 80 per cent of the authorities in the survey state they have difficulty maintaining the desired level of information security in one or more of their business-critical systems. More than one in ten authorities answer that this applies to all or most of the systems. Together with issues like the IT events at the Swedish Transport Agency a few years ago, the OAG's report indicates security has been too low a priority in many large public projects in Sweden.
Far from enough
The new Security Protection Act arrived this spring. It should improve protection against many threats to minimise serious national consequences. But the national capacity, including available resources, is still far from sufficient to live up to the intentions of the legislation.
With 80 per cent of the authorities surveyed failing to maintain the desired level of information security, we can assume security-sensitive operations also have sub-par security. These are activities that, according to the new Security Protection Act, must be protected from operator-driven threats as there’s a risk of serious national consequences if the system goes down.
Imagine an attack
Sweden today has evolved far beyond the parameters of the old Security Protection Act. An important difference is that threats or attacks are no longer delimited by national borders but spread internationally. Imagine if an attack knocked out central payment systems. How many hours or days would it take before it had serious national consequences?
In investigations such as SOU 2018:82, new supervisory authorities are also proposed for security protection, such as the Swedish Financial Supervisory Authority, the Swedish Transport Agency, the Swedish power grid, the Swedish Post and Telecom Agency, and the Swedish Energy Agency. On the other hand, there is great uncertainty regarding the need for resources, delimitation, coordination and the new sanctions proposed. Several of the new supervisory authorities also have supervisory objects that were not previously covered by the Security Protection Act.
The issue of resources is, as in all major social projects, crucial to success and should not be underestimated. The Swedish Financial Supervisory Authority, for example, estimates a need for ten full-time positions to manage its new role.
Today, Sweden cannot offer credible protection to many of the country's security-sensitive operations. In certain sectors it has not even been possible to ascertain what these activities are. But with the new security protection legislation in place, including other investigative proposals, we will hopefully see a change.
Now, all actors, both private and public, must spend time and resources on integrating credible security protection into their operations.