Meld. St. 9 (2022–2023)

National control and cyber resilience to safeguard national security— Meld. St. 9 (2022–2023) Report to the Storting (white paper)

To table of content

2 Introduction

In this white paper, the government will clarify strategic direction, priorities and measures for safeguarding national security in selected areas. Special attention is given to strategically important companies, natural resources, infrastructures and technologies. The government will also highlight selected areas within cyber security. This report is delimited against the broad public security and preparedness perspective.

In this report, the government wants to reinforce efforts to strengthen society’s collective resilience. Knowledge, expertise and awareness on all levels of society are essential to achieve this. It is about understanding risk and threat, why national security is important, how it affects the individual, and which relevant measures should be implemented. In Norway, we have a high degree of trust – for each other, and for the authorities. A high degree of trust makes us more resistant to disinformation operations from other states, which may aim to create political and social unrest. However, this trust can also be under pressure in Norway, and the level of trust can vary between population groups. We must therefore strengthen the entire population’s understanding, knowledge and awareness of both threats and measures. If the state’s actions are not understandable and predictable, and the population has insufficient knowledge, this can undermine trust in the authorities over time. In an open society like Norway, we must consider that various types of legal activity can be misused, including for intelligence purposes. Different considerations will need to be assessed and taken into account, and there will always be a residual risk.

In addition to initiation, developing and implementing measures through its own means, the Ministry of Justice and Public Security has a coordinating and driving role for preventive national security and cyber security on the civilian side. This means that the Ministry of Justice and Public Security must, among other things, design the government’s policy, including establishing national requirements and recommendations, across various areas of society. The Ministry of Defence has overall responsibility for preventive national security and cyber security in the defence sector.

Below is a description of a more challenging risk and threat environment, as well as what is included in the concepts of national control and cyber security. Chapter 3 discusses the means for strengthening national control and building cyber resilience. National control of assets of importance to national security are discussed in Chapter 4. Chapter 5 discusses the economic and administrative consequences.

2.1 A more challenging risk and threat environment

We face a more challenging risk and threat environment and are challenged by states with security policy ambitions that do not correspond with our own national security interests. Increased willingness to confront non-Western states, Russian use of military power and energy as a weapon are examples of this. The invasion of Ukraine has created lasting changes in the relationship between Russia and Western countries.

Increased globalisation, great power rivalry and constant changes in the security situation greatly affect the national threat picture and present us with security challenges. The High North’s increased strategic significance and our role as an energy supplier mean that Norway is particularly exposed to intelligence and sabotage activities, and other unwanted activity. Climate changes also affect national security over time. Furthermore, it appears from the Perspective Report that the annual budgetary scope for manoeuvre will be reduced in the coming decade, compared with the previous one.1

Figure 2.1 We are facing a more challenging risk and threat environment

Figure 2.1 We are facing a more challenging risk and threat environment

Photo: Norwegian National Security Authority

Traditional distinctions between peace, crisis and armed conflict have become blurred. State actors such as Russia and China often carry out activities that may be legal to promote their own strategic goals. This is part of the normal situation, but this activity can also harm our national security. We must take account of the fact that some states try to affect political decisions, public opinion and debate in Norway. Diplomatic, informational, military, economic, financial, intelligence and legal means from individual states can, individually or in combination, constitute hybrid threats directed at Norway. In recent years, the threats relating to foreign investments and acquisitions that can be used to access strategically important assets such as technologies and resources have been more visible.

Textbox 2.1 Hybrid threats

Hybrid threats are a term for strategies for competition and confrontation below the threshold of armed conflict, which can combine diplomatic, informational, military, economic, financial, intelligence and legal means to achieve strategic objectives. Hybrid threats can be found in security policy grey-zones with the aim of creating discord and destabilisation. The use of means can be widely distributed and can combine open, covert and hidden methods. The use of means can be aimed at specific activities or situations, or be designed more long-term to create doubt, undermine trust and thereby weaken our democratic values. Hybrid threats are, by their nature, complex, and challenge early warning, a common situational awareness as well as effective and coordinated handling.

More and more assets of importance to national security are managed and processed in the digital domain. Digitalisation and technology development bring about increased efficiency and renewal, but at the same time introduce new vulnerabilities, dependencies and concentration risks. This can be exploited by threat actors and must thus be handled. The rapid pace of development and the changes in the security policy situation make it increasingly difficult for companies to maintain a proper level of security throughout the entire spectrum of conflict.

Figure 2.2 Digitalisation introduces new vulnerabilities and risks.

Figure 2.2 Digitalisation introduces new vulnerabilities and risks.

Photo: Norwegian National Security Authority

2.2 National control and cyber security

National control

National control is not a goal in itself, but one of many means for safeguarding national security.

Textbox 2.2 National security

National security, as the phrase is used in this report, is the state’s ability to safeguard national security interests. Norway’s national security interests are defined in Section 1-5 of the Security Act as the country’s sovereignty, territorial integrity, and democratic system of government, and overall security political interests related to; a) the activities, security and freedom of action of the highest state bodies, b) defence, security and preparedness, c) relationships with other states and international organisations, d) economic stability and freedom of action and e) the basic functionality of society and the basic security of the population.

National control of companies and assets of importance to national security can be achieved through

  • regulations in law, for example the Security Act and its regulations, which impose obligations on companies.

  • complete or partial state ownership.

  • complete or partial national ownership, which includes enterprises beyond the state, such as municipalities and county municipalities, in addition to private Norwegian ownership.

  • sufficient overview by the authorities of assets that are important for national security, whether they are subject to the Security Act or not.

  • public-private, civil-military and international cooperation.

  • advice and guidance to actors who own assets of importance to national security.

  • different combinations of the above.

The government will strengthen its national control through more active use of available means. The government will prioritise improving the overview of companies and assets which are of importance to national security, use means such as relevant legislation and national ownership, and increase society’s level of knowledge of risks, threat actors and preventive security.

National control as a means must be used in such a way that it promotes predictability and trust, and does not lead to unnecessary restrictions on value creation and foreign investments in Norway, or on Norwegian market access in foreign markets. National control which limits foreign activity in Norway can bring about political and economic costs for Norwegian society, and can affect foreign and trade policy considerations and cooperation with other countries. It is therefore important to have an approach that balances security and control against other important societal considerations, such as a free and open society or the need to provide companies with the best possible framework conditions and predictability. Cost-benefit and risk acceptance will be part of these assessments. The Security Act’s purpose statement emphasises that ‘security measures [must be] implemented in accordance with the fundamental legal principles and values of a democratic society.’

Textbox 2.3 ‘The Bergen Engines case’

On 15th December 2020, Rolls-Royce plc alerted Norwegian authorities that they would start the process of selling the Norwegian-registered company, Bergen Engines AS. Transmashholding Group (TMH Group) was one of the potential buyers, and the purchase was planned to be carried out by TMH International AG, a Swiss-registered company that is 100% owned by Russian-registered TMH Group. On 4th February 2021, Rolls-Royce announced the signing of an agreement with TMH regarding the planned sale of Bergen Engines AS.

Bergen Engines AS is a manufacturer and supplier of engines and generators to both the civilian and defence sectors in Norway and other allied countries, including the USA and the Netherlands. A sale of Bergen Engines AS would involve the transfer of the company’s technology, expertise, material, real property, customer portfolio and service and maintenance agreements. On the basis of the information about the transaction process, the Norwegian authorities started work to map all conditions related to the possible sale of Bergen Engines AS.

On 8th March 2021, Rolls-Royce was alerted by the National Security Authority that Norwegian authorities were considering whether the transaction should be stopped in accordance with the Security Act. Furthermore, the Norwegian authorities assumed that any transfer of knowledge in connection with due diligence and related activity was stopped until this had been clarified. On 12th March 2021, Rolls-Royce confirmed that both the transaction process and all knowledge transfer to TMH had been temporarily halted pending a final decision from Norwegian authorities. TMH confirmed the same on 15th March 2021.

On 26th March 2021, the Norwegian authorities decided on the basis of the first paragraph of Section 2-5 of the Security Act that Rolls-Royce plc and their subsidiaries were required to stop the sale of the shares in the Norwegian company Bergen Engines AS to TMH companies. The decision halted any transfer of shares, assets, property, industrial or technological information or other rights in Bergen Engines AS to TMH. Bergen Engines AS was later sold to the British company Langley Holdings.

Cyber security

Digitalisation contributes to better services, more efficient use of resources and increased productivity in society. Digitalisation also brings the world closer together. The downside of digitalisation is that we become more vulnerable. Our society is dependent on critical societal functions working. This in turn requires that digital systems that support these critical societal functions work everywhere and at all times. But digital systems are becoming increasingly complex, and the rate of change is high. With a more challenging threat environment and an increased number of cyber attacks, preventive security work is all the more important. The government therefore wants to strengthen society’s collective resilience against cyber threats.

Cyber security has gone from being a technical subject to become a global strategic issue. Cyber security includes both technical and administrative security measures, and includes the protection of systems and the information in them. Cyber security is therefore about protecting ‘everything’ that is vulnerable because it is connected to or otherwise depends on information and communication technology.

On a strategic level, cyber security concerns security policy, where challenges must be largely solved through international, civil-military and public-private cooperation. The broad use of hybrid tools by certain states which can conflict with our national security interests highlights the significance of cyber security being an integral part of other security work.

The war in Ukraine and the gas pipeline explosions in the Baltic Sea are stark reminders of the importance of security work, including cyber security. As a result of these incidents, preparedness against cyber attacks, among other things, that could affect the petroleum sector or other critical companies has increased. Power and electronic communication are examples of infrastructures where cyber resilience is significant. When it comes to cyber security work, it is especially important to identify dependencies, work broadly with security and see measures in context. Strategically important infrastructure is crucial in this context and is discussed in more detail in Chapter 4.3.

Society’s collective cyber security depends on the preventive work of each and every company. Company leaders are responsible for their company’s ability to prevent and handle incidents. In line with the Ministry of Justice and Public Security’s coordination responsibility for cyber security on the civilian side, the authorities provide national advice and recommendations and make resources available as far as possible when a serious incident occurs. The Norwegian National Security Authority (NSM) is the national agency for cyber security. The National Cyber Security Centre (NCSC) is a part of the NSM and contributes to protecting fundamental national functions, public administration and business from cyber attacks. The Norwegian Police Security Service (PST) and the police are also key actors, and the National Cybercrime Centre (NC3) at The National Criminal Investigation Service (Kripos) contributes to national and international work. The Norwegian Intelligence Service contributes in preventing, uncovering and countering foreign threats against Norway and Norwegian interests, including in the digital domain.

In recent years, a good cyber security knowledge base has been established, so that both companies and authorities are better able to implement the right measures. However, the NSM has registered a large increase in the number of cyber attacks in recent years. The NSM has stated that around 80% of the incidents they deal with could have been avoided if basic security measures had been followed. It is therefore important to increase awareness-raising and strengthen preventive work. Companies and authorities must have expertise and capacity to uncover and handle unwanted incidents.

Figure 2.3 NSM has recorded a large increase in the number of cyber attacks.

Figure 2.3 NSM has recorded a large increase in the number of cyber attacks.

Photo: Shutterstock

Footnotes

1.

Meld. St. 14 (2020–2021) Perspective Report 2021.

To front page