4 National control of assets of importance to national security
It is important to ensure national control of assets of importance to national security.1 Examples from recent years show that the use of economic means against assets such as infrastructure, companies, property, natural resources and technology can represent a security risk, and this is a particular challenge.
State actors can use economic means to exploit vulnerabilities, strengthen the effect of other means of power or help to legitimise these means of power. This comes in conflict with our national security interests. Investments and acquisitions can, for example, be used as a means of gaining insight into sensitive information relating to emergency arrangements, critical infrastructure or political decision-making processes. Economic means can also grant access to technology and resources of strategic significance.
Research-based expertise about the use of economic means which could threaten our security is crucial in order to take the right measures to strengthen resilience against this activity. The Ministry of Justice and Public Security has given several research assignments to the Norwegian Defence Research Establishment (FFI) and the Norwegian Institute of International Affairs (NUPI). The assignments include foreign investments and ownership in Norway.
4.1 Overview of assets and value chains
4.1.1 Mapping companies and assets
A fundamental prerequisite for safeguarding national security is that the authorities have an overview of assets and companies that are important for national security. Such an overview is necessary in order to be able to assess which of the measures described in chapter 3 are relevant and appropriate for ensuring national control. There is a need for a better overview of foreign ownership in companies and property, among other things. The need for new tools, such as the development of registers, access to and use of databases and analysis tools, must be assessed in more detail. The use of such tools must not violate confidentiality considerations.
The Security Act has a proper methodology for mapping assets of decisive and significant importance to the state’s ability to safeguard national security interests (fundamental national functions). This mapping shows that national security is safeguarded by a large amount of companies in all areas of society, and that there are extensive dependencies both within the same sector and across sectors. This mapping is complex, and the dependencies change relatively often. The government therefore wants to prioritise this mapping so that it is sufficiently updated and detailed, in order for the use of means to be as accurate as possible.
The government believes that there is also a need for a better overview of companies and assets to which the Security Act does not apply, but which may nevertheless be of importance to national security. This will concern companies and assets that have less than decisive importance for national security, but which, as part of a total or in a given context, could have such importance that it may be appropriate to take measures. This can be physical, digital or other assets, such as e.g. research information and knowledge, infrastructure, companies, property and natural resources. An overview of such assets can give central and local authorities insight into assets of importance to national security within their area of responsibility, and will supplement the overview that central authorities have from mapping in accordance with the Security Act. Based on this overall picture, the authorities can assess relevant instruments to safeguard national security, including national ownership and control. How the overview is to be followed up, for example related to responsibilities and roles, instruments and regulations, must be assessed in more detail. It will be necessary to see such an overview in context with other relevant work, such as changes to the Security Act and the screening of economic activity against companies that are not subject to the Security Act. The government will intensify this work.
The government will assess how to appropriately gain a better overview of companies and assets that are not covered by the Security Act, but which may still be of importance to national security.
4.1.2 Increased overview of our dependencies and value chains
Central services and functions in society are largely dependent on long and partly blurred value chains. A value chain can be explained as a structure of deliveries between companies. The value chain represents a dependency between companies to deliver services or products. Value chains can include physical infrastructure, digital dependencies, ownership and sub-suppliers. Value chains are often complex and opaque with many dependencies, which often cross international borders.
Failures in value chains can have major consequences. The Covid-19 pandemic and the war in Ukraine have shown us how vulnerabilities in international value and supply chains can challenge security of supply. If the power supply fails, large parts of society will come to a standstill. Outages in the digital infrastructure lead to the unavailability of digital services in the affected area. Outages in satellite-based services will have consequences for e.g. the Armed Forces, rescue services, shipping, aviation and parts of the financial industry.
Threat actors can exploit vulnerabilities in value chains which are important for national security, and/or gain control over central parts of value chains through e.g. ownership. Vulnerabilities in a value chain can result in activity which could threaten our security being carried out against subcontractors in the value chain, either as a goal in itself or as part of achieving goals higher up in the value chains.
Norway has an open economy and is a digitalised society. This means that we have many complex and cross-border value chains, over which it is difficult to have control. Digital value chains have received a lot of international attention through value chain attacks in recent years (see text box 4.1 about SolarWinds). Individual companies are responsible for having an overview of and control over their value chains, to the extent possible. Increased provision of services requires better follow-up of suppliers, including companies having sufficient ordering expertise and making sufficient security assessments.
Textbox 4.1 SolarWinds
In December 2020, the American IT company SolarWinds was exposed to a supply chain attack. The attack was a sophisticated and extensive cyber operation in which the threat actor managed to establish a backdoor in one of SolarWinds’ programmes. The backdoor was then included in an update of the programme that SolarWinds itself distributed to its customers, over 18,000 companies worldwide. US authorities later stated that the actor behind the attack probably had Russian origins.
Some of the severity lay in the type of programme that was affected. It is designed to carry out network monitoring and will therefore usually have wide access to the company’s infrastructure. By infiltrating this, the actor gained a very favourable starting point for getting into the network and bypassing security mechanisms.
The case had extensive consequences for those affected, including US government agencies and large technology companies such as Microsoft. After gaining access to companies that had installed the update via the backdoor, the actor strengthened their capabilities against designated targets. It indicated that the actor did not exploit all the access it had obtained, but rather prioritised certain companies that were exposed to more targeted methods for further compromise.
NSM worked closely with national and international collaboration partners to map the scope of the incident. Recommendations from the Cybersecurity and Infrastructure Agency in the US (CISA), FireEye and Microsoft were followed, and NSM encouraged all companies that used the software in their infrastructure to familiarise themselves with the available documentation. Many of SolarWinds’ customers in Norway had installed a compromised version of the programme. The major consequences did not occur because the backdoor was not used. Still, this type of supply chain attack is something that NSM expects more of in the future, with potentially significant consequences for Norwegian targets.
We depend on international collaboration in order to achieve national control over value chains, both physical and digital. Norway will work to maintain close, binding and predictable international cooperation to identify value chains that are important for national security and to reduce failures in these value chains.
The government will initiate a collaborative project between the Ministry of Local Government and Regional Development and the Ministry of Justice and Public Security to assess the need for measures within risk management of digital value chains.
Textbox 4.2 Emergency stockpile for medicines
A resilient health preparedness must be adapted to the challenges and the current security situation. The Covid-19 pandemic has also highlighted international dependencies and vulnerabilities. A national emergency stockpile for infection control equipment has been set up, where regional health organisations own inventory, are responsible for purchasing, rolling out and developing stock. The government will continue the stockpile in 2023, and it includes respiratory protection, masks, gloves, eye protection, surgical gowns and full-coverage suits and has a volume equivalent to six months of pandemic consumption.
In this project, a mapping of selected value chains linked to critical digital infrastructure that is of importance to national security will be carried out, which will form the basis for the establishment of effective guidance and appropriate regulation for Norwegian companies. Mapping will also contribute to developing measures and lay the basis for a revision of the NSM’s basic principles for IT security. Moreover, such a survey will be able to contribute to the work of designating fundamental national functions and their critical digital dependencies, as well as to the work of designating socially important and essential services as part of the work on the Cyber Security Act. The framework for risk management of digital value chains will be included as a knowledge base in this work.2
Textbox 4.3 Supply chain security in the power supply
In 2021, an investigation carried out by the Norwegian Water Resources and Energy Directorate (NVE) showed that cyber attacks primarily affected administrative IT systems in the power industry and that attacks could move to companies via suppliers that had been attacked. NVE has statutory requirements for deliveries of operational control systems to the most critical facilities, and recommends that the industry familiarise themselves with the risk and threat reports from PST, the Norwegian Intelligence Service and the NSM, as well as to assess land risks. NVE also collaborates with trade organisations in order to raise the knowledge base and further develop relevant guidance material.
4.2 Strategically important companies
Norway has an open economy that is closely integrated with the world’s economy. Openness to foreign investment is positive for economic growth and prosperity, but at the same time makes us vulnerable to foreign states with hostile intentions. PST’s national threat assessment for 2021 listed unwanted acquisitions as a significant threat to Norwegian interests. The concern was repeated in the threat assessment for 2022 and was supported by risk and threat assessments from the other intelligence and security services.
The Norwegian state already uses a number of means to ensure national control over strategically important companies. The Security Act has provisions on ownership control in companies subject to the act, and state ownership is used as a tool in some cases. The reasons for state ownership are also apparent from the white paper on ownership policy, and are discussed in section 3.2. There is a need for a better overview and control of ownership structures in strategically important companies in Norway in order to identify any activity which could threaten our security. Examples of strategically important companies include the defence and security industry, including those that are not subject to state ownership. Even though much work is being done in this area, and the government is further strengthening opportunities to gain a better overview and control, there will always be a residual risk that must be managed.
Textbox 4.4 Foreign states increase their expertise and technology through acquisitions
In the ‘Bergen Engines case’, acquisition as a means for appropriating technology was brought to the fore. In Royal Decree 21/1898, the decision that halted the sale of the Bergen company, states: ‘Norwegian industry and Norwegian knowledge and research institutions are targets for Russian intelligence activities. Russia shows particular interest in companies that have unique expertise and technology, including within the defence industry and maritime sector. The Western sanctions regime is causing Russia to seek alternative methods to acquire critical technology and expertise in order to further develop its own military capabilities. The use of private actors is an example of such a method, and is something which makes it more challenging to detect and prevent covert procurement.’
4.2.1 Ownership control and screening mechanisms based on the Security Act
Chapter 10 of the Security Act gives the authorities the opportunity to control ownership in companies that are subject to the Security Act. The provision set out in Section 2-5 grants the authorities the right in extreme circumstances to intervene in the economic activities of companies that are not subject to the Security Act under specific conditions. However, Section 2-5 of the Security Act is intended to act as a safety valve.
Norway has a screening mechanism based on the Chapter 10 and Section 2-5 of the Security Act. The mechanism consists of an interministerial network, led by the Ministry of Justice and Public Security, as well as an agency network led by the NSM. In 2021, the NSM was appointed as the national contact point for notifications related to security-threatening economic activities. The process and criteria for handling cases under Chapter 10 are described in the Act, while in 2022, guidelines were drawn up for the ministries’ handling of cases concerning possible security-threatening activity in companies that are not subject to the Security Act and where it may be appropriate to use Section 2-5. The Norwegian authorities aim to have the opportunity to detect, assess and possibly intervene in economic activity that could threaten national security. At the same time, it is important that Norway’s obligations under international law are safeguarded and that unnecessary or disproportionate burdens are not placed on business or restrictions on trade with other countries. This is challenging since the management of security-threatening economic activity hits the intersecting point between security interests and commercial, foreign policy and trade policy considerations. The different ministries therefore work closely together to evaluate and weigh the various considerations against each other.
The government aims to put forward proposals for changes to Chapter 10 of the Security Act, on ownership control etc., in early 2023.
The main purpose of the proposal is to strengthen the ability to protect our national security interests against other states’ use of financial instruments by increasing the authorities’ access to information about changes in ownership in the companies that are subject to the Act. The purpose is also to clarify rules on the suspension of acquisitions, etc., so that the law does not limit Norwegian companies’ opportunities to attract investment beyond what is necessary to protect national security interests.
The proposal means that the ministries are given increased opportunity to make the provisions in the Security Act, including the provisions on ownership control in Chapter 10 of the Security Act, applicable to more companies than today. Furthermore, it is proposed to lower the threshold for the acquisition of companies to be reported to the authorities, and that both the transferor and the company, in addition to the acquirer, are obliged to send a notice of acquisition.
This will strengthen the authorities’ ability to intervene in cases where an actor’s attempt to gain control or significant influence over a Norwegian company is considered to be in conflict with national security interests.
4.2.2 Screening of economic activity against companies that are not subject to the Security Act
The national screening mechanism has been established on the basis of Chapter 10 and Section 2-5 of the Security Act. There will however be cases of economic activity against Norwegian companies which potentially could threaten our security that are not captured through the reporting obligation under Chapter 10 for companies subject to the Security Act. There is therefore a need to look more closely at a possible mechanism to capture potential security-threatening economic activity for companies to which Chapter 10 does not apply. Section 2-5 is, as mentioned under 4.2.1, intended to function as a safety valve, not as a basis for ordinary processes. The regulations therefore do not provide details about sectors, criteria or the process for processing cases of potential security-threatening economic activity.
The government has appointed a public committee to investigate the need for regulations, or a scheme to screen economic activity against companies that are not subject to the Security Act. This must be seen in the context of the current screening mechanism and the proposal for changes to the Security Act’s provisions on ownership control. The committee will deliver a Norwegian Official Report (NOU) in December 2023.
The committee must look at how relevant countries handle screening cases and take this into account in their assessments. The committee will also look at the work of an interministerial working group set up by the Ministry of Foreign Affairs, which is considering the future organisation of export controls.3 A survey carried out by NUPI (2021) of a selection of countries’ screening mechanisms shows that there is great variation in how different western countries’ screening mechanisms are set up, but that several EU countries are in the process of harmonising their regulations and mechanisms against the requirements set in the EU screening regulation from 2019.4
4.2.3 The need to strengthen the national control of properties of security relevance
In their risk and threat assessments, The Norwegian Intelligence Service, PST and the NSM have pointed out that foreign ownership of properties in certain geographical areas may pose a threat to national security interests.
Certain properties may be of security relevance because they are located near critical infrastructure, such as ports, defence facilities or power supplies. This can include commercial properties, holiday homes, agricultural and forestry properties or other types of property. A ‘property of security relevance refers to a property which, due to its location, can facilitate security-threatening activities against a critical national object or infrastructure.
In the Bergen Engines case, the property’s location was emphasised in the justification for stopping the sale:
‘The property is strategically located by the northern approach to Bergen and defence installations of security importance for Norway and allied nations. Russian intelligence activities against Norwegian aims and interests may result in the property appearing as an interesting platform for Russian services.’
Foreign ownership interests in property can be represented in Norway via foreign private individuals who live here, via enterprises they control or have shares in, or as investments in property without any other form of registered activity in Norway. Information about who owns properties is only to a small extent systematised in ways that provide an overview of foreign ownership interests, despite the fact that a lot of relevant data is collected. Information about owners is often recorded in ways that do not differentiate between Norwegian and foreign actors.
When assessing ownership of property and the use of property, it is important to assess the scope in extant regulations, for example to systematise extant data, and give relevant authorities access to information on ownership of properties.
Textbox 4.5 New legislation in Finland cuts down on who can own property
FFI report 22/00426 on ‘Russian economic statecraft – implications for Norwegian security’ mentions new Finnish legislation: ‘In Finland, in 2018, the authorities raided several Russian-owned properties with extensive surveillance equipment installed on the property. The properties were located near strategically important ports and waterways in the Baltic Sea, and the ultimate owner was hidden through companies registered in tax havens. While the properties may be linked to non-state, criminal activity, Finnish security and intelligence services generally point to properties in Finland purchased by Russian actors being used for military purposes. It is the concentration of properties near strategically important locations that arouses the suspicion of the security and intelligence services.’
In 2019, the Finnish authorities introduced a law making it obligatory to apply for permission for the purchase of certain properties. The law is administered by the Finnish Ministry of Defence.
The aim is to present proposals for changes to the Security Act’s ownership provisions, etc. early 2023. Proposals for changes to Section 7-3 of the Security Act are being considered to specify that companies’ risk assessments must identify specific properties with locations that can allow for security-threatening activities against critical national objects and infrastructure. This could increase the vigilance and awareness of companies, and lower the threshold for notifying the security authority when companies receive information about activities related to properties that may pose a risk. The proposal also suggests that the security authority should have an oversight of properties of security relevance where risk cannot be reduced by security measures.
In order to strengthen the authorities’ ability to detect security-threatening activities related to the ownership and use of property, the government wishes to give Kartverket (the Norwegian Mapping Authority) and the NSM the task of arranging a system that would generate a necessary overview of property of security relevance. Such access can be granted on the basis of Section 4, third paragraph, letter h) of the regulations on the disclosure, further use and other processing of information from the land register.
Hidden ownership of real property can have consequences for national security interests if the properties are used for security-threatening activities. As part of strengthening national control/checks into hidden ownership, the government has begun work to map challenges related to hidden ownership in real property.
The government will strengthen checks of hidden ownership of properties of security relevance, and is considering:
proposing changes to the Security Act which specify that company owners have a duty to undertake risk assessments which identify specific properties with locations that can allow for security-threatening activities against critical national objects and infrastructure.
giving the security authorities electronic access to the land register in order to have an oversight of properties of security relevance.
mapping challenges associated with hidden ownership of real property, including a possible registration obligation.
taking a closer look at how being obliged to apply for permission to purchase certain properties can possibly be regulated.
4.2.4 Emphasise national security in spatial planning
The area part of municipal master plans must, to the extent necessary, show considerations and restrictions that are significant for the use of the area. National security is not currently a factor that is considered in current provisions. The government will consider changing this.
The state and regional bodies concerned can raise objections to proposals for the spatial and zoning plan of municipal master plans in matters that are of national or significant regional importance, or which are of significant importance to the relevant body’s area of expertise. Through the rules on the right to object, a system has thus been established for checking current provisions. Furthermore, it is delegated to the state administrators to guide the municipalities in spatial planning, among other things related to the provisions on public security. This guidance role is important, as it contributes to increasing the municipalities’ expertise in spatial planning.
The Government will take a closer look at the provisions in the Planning and Building Act to ensure that national security is emphasised in spatial planning. Furthermore, the government will consider expanding the rules on the right to object, so that the state has the right to object in areas related to national security. The government will also consider expanding the state administrator’s duty of guidance towards the municipality in relation to national security.
4.2.5 Safeguarding national security concerns in concession legislation
The Concession Act aims to regulate and control the sale of real property in order to achieve effective protection of agricultural production areas and conditions of ownership and utilisation that are most beneficial to society.5 The Act applies to the acquisition of real property, but not to indirect transfers such as the acquisition of shares or impersonal companies that own real property. In addition to acquisitions, the Act provides authority for checks if e.g. long-term rights of use are established on a property that would require a concession in the event of a transfer. Such rights are subject to a concession regardless of the size of the area seized by the rights. The Act stipulates that this applies to all acquisitions, but exceptions to this have been made in the Act and in regulations. In practice, exceptions have meant that checks are usually only relevant when someone acquires a property that is to be used for agricultural purposes, or when acquiring property located in municipalities with a reduced concession limit, and where the purpose of acquisition is to use the property for purposes other than year-round housing.
Municipalities can grant concessions, set conditions for concessions, or reject applications. In each specific case, there is a broad interpretation of which conditions of ownership and utilisation that are most beneficial to society. This means that various societal considerations and interests can be included in the assessment of the concession application. As a consequence, the Concession Act can also be linked to national security since it provides an overview of who acquires property. It may be desirable to regulate the acquisition of certain properties, for example based on a value survey, as discussed in 4.1.1.
The government will take a closer look at the practice of the Concession Act, so that national security considerations are assessed before concessions are granted, where relevant.
The purpose of this is to prevent unwanted actors from gaining insight, control and influence over properties that are of importance to national security.
4.3 Strategically important infrastructure
An infrastructure can consist of physical elements, such as water supply, underwater infrastructure, installations at sea, ports, airports, or outer space (ground-based and satellite-based). Infrastructure can also consist of digital and more high technology elements such as algorithms and sensors. Mapping, acquisition of and investing in important infrastructure can create opportunities for infiltration, surveillance and sabotage. This can enable attacks or disturbances in the social functions supported by that infrastructure. Furthermore, import of technology from foreign companies can make critical infrastructure vulnerable to future cyber attacks. In today’s security environment, it is important to assess different instruments to secure strategically important infrastructure, of significance for national security.
Textbox 4.6 Critical Entities Resilience (CER) – a new directive from the EU
The EU is working on a new directive (the CER directive) to increase the security of member-states’ ability to deliver critical goods and services, and to ensure that populations have access to these in crisis situations. The directive includes services such as drinking water, energy, health, transport, digital infrastructure, public authorities, outer space and the finance sector. The directive is meant to strengthen EU countries’ societal resilience.
Ensuring national control over critical infrastructure that crosses Norway’s national borders is challenging, but important. The current security environment emphasises this. For this type of infrastructure, Norway is dependent on international cooperation in order to achieve national control.
The government will map strategically important infrastructure in order to identify which allies and close partners we are most dependent on in order to secure national control, and will establish a close, binding and predictable collaboration with them.
4.3.1 National cloud service
Many Norwegian companies choose to buy cloud services from large commercial, multi-national companies. This usually helps to increase companies’ security as they can phase out outdated IT solutions and access secure infrastructure and professional security environments. At the same time, the government is concerned with the overall national dependencies on foreign cloud suppliers, and the consequences of this dependencies in the event of potential crises and conflicts. For some companies, the use of cloud services should therefore be assessed against the need for national control and national preparedness.
More and more companies are choosing public cloud services to meet the need for new and improved IT solutions. However, for several state enterprises, it is a challenge that there is no access to functional and cost-effective cloud services with a sufficient degree of national control. It can lead to increased risk if such solutions are nevertheless chosen. The alternative is that companies may choose local solutions, which can lead to higher costs and limited access to new technological tools. This problem is expected to grow in the future.
The government will consider the establishment of a national cloud service to ensure increase national control over critical IT infrastructure, and to protect important information.
In November 2021, NSM was commissioned to investigate the need for a national cloud service. A number of central actors are involved in this work. The investigative work is extensive, complex and addresses several fundamental and cross-sectoral issues, including technological, security-related, organisational, legal and financial issues. The alternatives that are assessed must be based on the national processing and storing of data. Security challenges that may arise if a supplier is subject to the jurisdiction of foreign states are included in this assessment. The same applies to the ownership model, for example if the national cloud service is to be owned and operated by the state itself, but using expertise and innovative power from the private sector. This investigation must be delivered by the end of 2022, so that quality assurance can be carried out by the summer of 2023.
Textbox 4.7 Other countries’ national cloud services
Many of our nearest neighbouring countries have activities related to national cloud services. Sweden has not yet established a state service, but has carried out several investigations and clarifications. Denmark has established ‘GovCloud’ which is run by the Danish Agency for Governmental IT Services, and which allows which for applications to be submitted in a publicly owned and operated cloud service. Germany has established ‘Die Bundescloud’ which is a closed cloud service which is developed, owned and run by the state. The United Kingdom has a ‘G-Cloud’ which helps to make procurement easier, with standardised framework agreements and approval of suppliers.
4.3.2 Data centres
A data centre is an infrastructure which stores and carries digital services and data, and forms an important part of the digital foundation, in line with infrastructure for electronic communication. Meld. St. 28 (2020–2021) Our shared digital foundation refers to the growing fusion of traditional electronic communication and IT, cloud and data centre services, where third-party providers are being more closely integrated into electronic communication providers’ solutions.
Today, many critical digital services are delivered from data centres, and companies are increasingly dependent on them. Some examples of services carried by data centres are mobile services, such as calls and data, payment services, health and welfare services, critical communication services, TV and radio distribution (DAB), the Norwegian Armed Forces’ communication services and future emergency and preparedness communication.
The government will specify requirements for security and preparedness for data centres, and has submitted a legislation proposal for consultation. This proposal suggests setting requirements for appropriate level of security for data centre services, as well as introducing a registration obligation for data centre actors, which will enable the authorities to have a better overview of the data centre industry in Norway. The defence sector is exempt from the regulation of data centre operators.
Data centres and anonymous leasing can be abused by criminal and state actors. Ultimately, such leasing challenges national security, as cyber attacks can be carried out from Norway without the Norwegian authorities having the opportunity to locate owners or equipment.
The government will investigate current measures to uncover and combat the leasing and use of data centres for criminal and security-threatening purposes. The consequences of current measures for the data centre industry and national data storage capacity must be assessed. The investigation will start when the new Electronic Communications Act is presented to the Storting.
The government also wishes to carry out a survey of which data centres provide services of importance for critical societal functions. Such a survey will reveal whether sectors and their redundancy are concentrated in a small number of data centres, and whether this poses a concentration risk. This survey will cover data centres within and outside of Norway. For data centres in Norway, the survey will include dependencies to electronic communication networks and power supplies that supply the data centres. It will also be relevant to know the reason why certain companies use foreign data centres, and what it would take for them to switch to using data centres in Norway. Based on this survey, the Ministry of Justice and Public Security, in collaboration with relevant ministries, will assess measures in this area. In accordance with the established division of responsibilities between the civilian sectors and the defence sector, a corresponding survey and follow-up for the defence sector will be carried out by the Ministry of Defence.
For reasons of national security, it is very important in some areas that we have control over stored data and that this is available in various parts of the spectrum of conflict. The government wants the functions upon which society is most dependent to be delivered from data centres in Norway, or close allies and partners. An appropriate level of security is required at these data centres. Operation and storage of information of importance to national security interests was one of the issues that was highlighted in connection with discussions about IT infrastructure in health institutions after the events in Helse Sør-Øst in 2018.6 At the same time, the war in Ukraine has made it clear that it can be precarious to have all such infrastructure located in one’s own country. For Norway, this means that we need sufficient redundancy, including through international cooperation and agreements. The police opened a new data centre in 2021, where other actors in the justice sector are also present. The police are also working on choosing a concept for a corresponding data centre to ensure redundancy.
Textbox 4.8 Operation and management of IT solutions in state enterprises
On behalf of the Ministry of Local Government and District Affairs, an external survey has been carried out to map the extent to which the current organisation of operation and management of state IT solutions is suitable for solving future demands and challenges in terms of cost efficiency and secure development, operation and management of the state’s IT solutions. This survey shows that a significant proportion of state enterprises have not drawn up a sourcing or cloud strategy. This can lead to vulnerabilities at national level, as it is possible to lose track of the value chains upon which Norway is dependent, and where specific data is stored. However, the survey shows that 65% of enterprises comply to a high degree (54%) or to a very high degree (11%) with the basic principles for security management drawn up by NSM.
4.3.3 Solutions for classified communication
We currently have a range of systems for classified communication. Many of these systems are developed, operated and managed by the defence sector. There is currently no common actor who is responsible for looking after the needs of civilian sectors in this work from a total defence perspective. Several systems are currently being developed, phased in or phased out. Another challenge is the fact that many of the solutions have different operating and management models on the civilian side.
The government will assess which environment and which actor are best suited to take care of the civilian sectors’ needs for solutions for classified information. This is to ensure a more consistent delivery of classified systems in civilian sectors, and effective interaction between civilian sectors and the defence sector.
4.3.4 Digital communication infrastructure
Digital infrastructure carries increasingly valuable and critical services for Norwegian society. It is clearly stated in the government’s political platform that the cases in which the state should take ownership of digital infrastructure, in order to secure these assets, will be assessed. The government is therefore setting up an expert committee to assess how the state can ensure national control over critical digital communication infrastructure. The Ministry of Local Government and Regional Development is coordinating this work.
Undersea fibre cables make up an important part of the digital infrastructure. New technology can detect possible threats to undersea fibre cables, for example by analysing acoustic signals. The government is strengthening telecom preparedness on the Norwegian continental shelf. Means of doing this include, among other things, a support scheme for the purchase of new technology that enables identification of threats to undersea fibre cables, funds to carry out investigations of important undersea fibre cable stretches and the purchase of equipment that can detect disturbances to satellite-based services, e.g. GPS on the Norwegian continental shelf.
4.3.5 Space activity of importance to national security
The intelligence and security services have increasingly highlighted the importance of space activity for national security and national security interests in recent years. This has been strengthened by changes to the European and global security environment, especially in the last year. Preventive security will thus become increasingly important in this area, both in outer space and ground-based installations. Norway is an important space nation, and our geographical position is attractive for space activities, including launching satellites and deploying ground-based sensors.
The government considers space activities in outer space and on the ground to be of strategic importance for Norway’s foreign, security, and defence policy. In the work on the new Space Act, the government places emphasis on safeguarding national security interests. In addition, the government is seeking to further identify which areas within space activities that are particularly relevant to national security. In order to ensure the cross-sector considerations within space activities, specific matters are discussed in an interministerial space security committee.
4.4 Strategically important natural resources
Natural resources can be of importance to national security. In connection with the implementation of the Security Act, fundamental national functions have been identified within water supply, power supply, food supply and petroleum operations, among other things. Other natural resources are currently not defined as crucial for national security. However, natural resources such as mineral deposits, forest and agricultural resources should be assessed based on their importance for national security. Foreign ownership of strategically important natural resources may challenge our own control of these resources in the long run.
4.4.1 Ensuring control over strategically important natural resources
Regulatory instruments are the most important means for ensuring national control over strategically important natural resources, and can be used to prevent certain actors from purchasing some types of property or resources. State ownership is one of a number of means that have been used to ensure control over and, to some extent, to ensure income from the country’s large natural resources. At the same time, natural resources are location-bound. The state will therefore have a certain degree of control over these resources, regardless of ownership, and can regulate their management in different ways. National control of natural resources does not just refer to ownership, but also to our national ability to extract and utilise these resources.
An important element to consider when assessing the need for national control over natural resources is their geographical location, for example in areas of particular importance for national security or safeguarding Norway’s sovereignty. Geographically, Svalbard and the High North are particularly relevant because of their strategic position, but locations near critical national objects will also be of great importance. Moreover, natural resources can be important for national security based on the needs they cover, for example security of supply, energy, water or food.
It is not necessarily a goal to have national ownership of natural resources that are crucial for national security. Rather, it may be important to have national control through other means, to prevent other actors from gaining ownership or control over such natural resources. This also applies where a natural resource is not currently considered to be of importance to national security, but which in the longer term may become important to our national security if another actor gains influence or control over it.
Norway must have relevant technological expertise on, for example, mineral deposits, extraction of water resources, oil and gas, and wind power. This can help to reduce our own dependence and vulnerabilities.
Textbox 4.9 The significance of energy, minerals, water and forest resources
Energy resources
Energy resources have been, and are, an important part of the basis for settlement, industry and business throughout Norway. The government wants our renewable energy resources to be used and refined in Norway. The government’s climate policy must also contribute to a strong national ownership of natural resources.
A number of countries are seeking information about Norway’s decision-making processes in energy production. Companies in the petroleum sector must be prepared for unauthorised persons trying to gain access to information. This is even more relevant given the energy dimension of Russia’s warfare in Ukraine. In 2022, the government has put in place a number of measures to secure the petroleum sector.
There is currently a large degree of national ownership within the petroleum sector. The concession system ensures national control over those companies who are granted the right to extraction permits on the Norwegian continental shelf, and important decisions require the consent of the authorities. For reasons of national security, the Ministry of Petroleum and Energy may deny access to petroleum activities if the applicant or licensee is actually controlled by a state outside of the EEA, or by national from such a state.
Energy legislation sets requirements for both physical and cyber security, and has a wider scope than the Security Act. However, the aim of this legislation is not to safeguard national security, but power supply. This legislation will safeguard security of supply for power, and set requirements for preventive security and preparedness for both accidental and non-accidental incidents.
Mineral resources
Social development has shown that there is an increasing need for minerals, especially as a result of the shift towards a green economy. Minerals can be critical for important societal purposes and for technology development in strategically important areas. Internationally, it has been shown that control over raw material production can be used to monopolise the value chains. Mineral resources can be of importance to national security. It can therefore be desirable to prevent unwanted foreign actors from gaining access to mineral resources in Norway, on land or on the seabed. This can be due to those actors’ national technological development, potential military use of civilian technology, and possibly through the property’s location near critical national objects or infrastructure.
Water supply
Developments in the threat picture in recent years have shown a need for increased attention to the security of water supplies. Municipal water utilities have been exposed to cyber attacks on water and sewage infrastructure during 2021. Norwegian water supply must be equipped to withstand both intentional and unintentional incidents. Prevention and preparedness in the water supply are important for public security. A secure water supply is a basic national function as defined in accordance with the Security Act.
Forest and agricultural resources
Ownership of forest and agricultural properties can be of importance to national security when the property is in a strategic location, or is close to critical national objects or infrastructure. Furthermore, the totality of foreign ownership of forestry and agricultural properties can constitute a vulnerability for national security, if large areas of land are not owned nationally. National ownership and control of forest properties will be important. The government will continue working to ensure Norwegian ownership of forest properties through concession legislation. Furthermore, concession legislation for agricultural ownership contributes to national control and long-term, solid management of agricultural resources.
Textbox 4.10 Meraker Brug
Meraker Brug was one of the largest private forest and wilderness properties in Norway, and has a history stretching back to the early 18th century. The property has a total area of 300,000 acres, of which more than 50,000 acres are productive forests. The property lies in the municipalities of Meråker, Stjørdal, Malvik and Steinkjer. Statskog SF has entered into an agreement to buy 94% of AS Meraker Brug’s shares and is in the process of purchasing the remaining. The purchase was approved by the Storting in November 2022. Through state ownership, the government has ensured the property remains in Norwegian hands. With this purchase, Norway’s largest privately-owned property passes into public ownership and common natural resources benefit the community.
4.5 Strategically important technology
Technological development is progressing ever faster. The distinction between civilian and military technology is getting blurred, while more and more actors are gaining access to the same technology. Technological development affects international relations and the instruments used by states and non-state actors in peace, crisis, and armed conflict. If Norway is to be able to utilise technological development to strengthen national security, it is crucial to have national expertise, research and development, in addition to creating business development. As a small nation, Norway does not have the resources to have expertise within all emerging and disruptive technologies. It is therefore important to assess which technologies are of importance to national security and the areas in which there is a particular need for national expertise. Examples of this can be quantum technology, artificial intelligence, computer science or space technology.
Within defined strategically important technology areas, national ownership and control can include having sufficient national specialist expertise, preventing foreign investments that threaten national security or having clear export control regulations for the transfer of knowledge into and from Norway. Reference is also made here to Meld. St. 17 (2020–2021) Cooperation for Security – National Defence Industrial Strategy [for a] Technologically Advanced Defence for the Future and the Ministry of Defence’s strategy to protect Norwegian-developed defence technology. The strategy is geared towards national areas of technological expertise and also includes other areas of technology that are defined as critical, especially emerging and disruptive technologies, such as space technology.
4.5.1 National Centre for Applied Cryptology
Cryptology is an important part of the national preventive security work and is essential for protecting classified information. Technological development, with rapidly increasing computing power, reduces the level of security in today’s crypto algorithms. In some cases, we must take into account that encrypted information that we consider secure today could be stored by unauthorised persons and decrypted at some point in the future. The problem is further made relevant by developments in quantum computers. It is thus crucial to ensure that we have the required expertise to meet these cryptology challenges. There is a need for cryptology expertise within academia, the crypto industry and the authorities.
Norway is a significant supplier of high classified cryptography to other NATO countries. These deliveries form an important basis for cooperation which is of importance to national security. It is key to ensure the national capability and competence required to meet crypto developments and to maintain the position as a credible supplier of crypto solutions to NATO.
The NSM was granted NOK 6.2 million in 2022 to establish a national centre for applied cryptology. The Centre will contribute to Norway maintaining and further developing national crypto competence and ensure Norway is equipped to meet future challenges in cryptology. The NSM’s upgraded high-technology crypto laboratory is a central part of the Centre.
4.5.2 Bringing together expertise and capability building in various technology areas
Different technologies reinforce and interact with each other. Artificial intelligence, with the use of machine learning and big data, the Internet of Things, 5G/6G, the development of quantum technology and other ground-breaking technologies are examples of this. The use of new technologies in security areas will increase, and the balance between offensive and defensive capabilities will be challenged and constantly find new forms.
An example of this is that complex telecommunication infrastructure will increasingly be controlled by automatic analysis based on artificial intelligence. This technology enables self-repairing networks with a very short time for reconfiguration after an incident, but at the same time, it opens an arena for new and advanced attacks. Telecommunications companies have control over how and to what extent this is to be introduced, and the Electronic Communications Act requires an appropriate level of security.
Another example is quantum technology. Quantum computers will be able to solve certain types of complicated tasks that are unsolvable with today’s classic computers. It is likely just a question of time before quantum computers will be able to crack some of the most common encryption mechanisms currently in use.
In addition, technological developments, such as the Internet of Things, show that it will be possible to include sensors and network connectivity to many, if not most, of the objects which surround us. Close international cooperation is an important arena for standardisation and necessary regulation.
Even if it is difficult to know the results of this technological development, the consequences will likely be significant. The government will monitor developments and contribute to ensuring that there is good and robust Norwegian expertise within the various technology areas.
4.6 The High North
The High North is Norway’s most strategically important area, and the government will give new impetus to the High North policy. The government wishes to emphasise cooperation with other countries, and the increased activity on land in Norway. It is important for the government to ensure Norwegian ownership of important infrastructure and properties, and national control of natural resources in the High North.
At the same time, foreign intelligence activities in the High North can weaken Norwegian authorities’ scope of action. The greatest threat is still from Russian and Chinese intelligence agencies. It is expected that Russian intelligence services will continue their mapping of civilian and military infrastructure in the region, while China and Chinese actors will continue to prioritise their long-term positioning in the High North, including for future resource extraction. State means for contributing to national security in the High North should be assessed in light of the region’s strategical significance. Properties, infrastructure, natural resources and companies of importance to national security should therefore be individually assessed with regard to their geographical location along the coast, in border regions and near important infrastructure.
Larger towns and many coastal areas in Northern Norway have good demographic development. However, there are also sparsely-populated areas and large distances where the population is decreasing and where big changes in the population’s demographic constitution are occurring.7 The less central municipalities and the smallest municipalities in terms of population are facing the largest challenges. This includes in particular recruiting labour and providing services. These challenges are greatest in Nord-Troms and Finnmark.
Given the High North’s strategic location and significance, these development trends may have consequences for the municipalities, and for the state’s handling of unwanted incidents that can threaten national security. This in itself represents a vulnerability, in that the municipalities are more dependent on private investment to carry out legally required tasks and ensure citizens’ welfare. Municipalities can lack sufficient expertise and experience to be able to handle and assess cases of importance to national security, such as setting up Russian war memorials, foreign property acquisitions or certain forms of tourism.
Vibrant and viable civilian society in Northern Norway, especially in the east of Finnmark, is an important part of Norwegian security. Securing Norwegian settlement in the areas close to Russia’s border helps to underpin Norwegian sovereignty and Norwegian interests in the region.
Through Prop. 78 S (2021–2022), the government has strengthened the ability of the intelligence and security services and the police to prevent security-threatening activities, especially in our three northernmost counties.
Svalbard
Svalbard is of great strategic importance for Norway’s scope of action in the High North and the Arctic, and Svalbard policy is therefore an important part of the High North Policy of the government. National control contributes to achieving the objectives set by the Storting in regard to Svalbard policy. There is a substantial tradition of overarching political consensus regarding the core patterns of Svalbard policy, the objectives of which having been fixed for a long period of time:
Consistent and firm enforcement of sovereignty
Proper observance to the Svalbard Treaty and control to ensure compliance with the treaty
Maintenance of peace and stability in the area
Preservation of the area’s distinctive natural wilderness
Maintenance of Norwegian communities in the archipelago
The government’s central policy instruments for societal development in Svalbard are the comprehensive white papers to the Storting regarding Svalbard, legislation, economic policy instruments, various forms of ownership, including property, land and infrastructure, as well as strategies. The objectives of Svalbard policy necessitate that regulations and other relevant frameworks for Svalbard are assessed and adapted in accordance with observed patterns of societal development.
Voting rights and state ownership
Certain policy instruments are utilised in Svalbard that are not utilised on the mainland. This is in part a consequence of the fact that certain sections of Norwegian legislation are not applicable to Svalbard, including the Immigration Act. In recent years there has been an increased influx of people to Longyearbyen directly from foreign countries. Longyearbyen Community Council is the locally elected municipal body for Longyearbyen, administering assets as well as functions of national significance. Persons elected to the Council must have a good knowledge of the objectives of Svalbard policy and the special framework conditions for Svalbard. Consequently, a requirement that foreign nationals have at least three years of residence in a municipality on the mainland to be able to vote and stand for election in Longyearbyen has been introduced.
State ownership is another policy instrument utilised on Svalbard. The government owns several companies in Svalbard, either directly or indirectly. Store Norske Spitsbergen Kulkompani AS (SNSK), Kings Bay AS, Bjørnøen AS and The University Centre in Svalbard AS are all companies directly owned by the state. The rationale for state ownership of these companies is in part contributing to the objectives of Svalbard policy outlined above.
The government is also a large landowner in Svalbard. Government owned property includes all the land in and around Longyearbyen. In 2016, the government purchased the property Austre Adventfjord near Longyearbyen. In total, the government direct ownership amounts to 98.75% of the land on Svalbard.
Direct state ownership of companies, state ownership of land and Norwegian legislation provide a solid basis for managing Svalbard for the good of the public.
Footnotes
In such assessments, different considerations will always have to be weighed, as discussed under point 2.2.
Risk management in digital value chains. Norwegian Directorate for Civil Protection (dsb.no).
See more about the export control work under 3.1.3.
Regulation (EU) 2019/452 of the European Parliament and of the Council of 19 March 2019 establishing a framework for the screening of foreign direct investments into the Union.
Act relating to concession in the acquisition of real property (28th November 2003).
Recommendation 386 S (2017–2018) Recommendation to the Storting from the Health and Care Services Committee.
‘Regional development trends 2021’, Report, Ministry of Local Government and Regional Development.