9 Cyber security
Cyber security is a fundamental prerequisite for maintaining trust in the public sector’s IT systems and public digital services. Successful digitalisation is therefore also about safeguarding security and privacy requirements in a good way.
In January 2019, the Government published a national strategy for cyber security. This strategy also encompasses a subsidiary strategy for cyber security competence. The strategy is accompanied by an action plan with a number of concrete measures. Measure 5 in particular will support digitalisation of the public sector. With these strategies, the Government will achieve a common basis for handling cyber security challenges. The challenges arise from a rapid and far-reaching digitalisation of Norwegian society. Further development from previous national strategies is based on the need for strengthened public–private, civilian–military and international cooperation. The strategy’s primary target group comprises authorities and agencies in the private and public sectors, including municipalities and county authorities. The strategy also makes provisions ensuring that private individuals have the necessary knowledge and understanding of risks in order to use technology safely and securely.
The National Cyber Security Strategy for Norway defines goals for five priority areas:
Norwegian companies digitalise in a secure and trustworthy manner, and are able to protect themselves against cyber incidents.
- Critical societal functions are supported by a robust and reliable digital infrastructure.
- Improved cyber security competence is aligned with the needs of society.
- Society has improved ability to detect and handle cyber attacks.
- The police have strengthened their ability to prevent and combat cyber crime.
The Ministry of Justice and Public Security and the Ministry of Defence have the overall responsibility for following up the national strategy for cyber security. The individual ministries are responsible for ensuring that the strategy’s priorities and measures are followed up in their respective sectors.
National Cyber Security Strategy for Norway – Measure 5: Secure digitalisation in the public sector
Cyber security activities must be viewed from an overall perspective, across sectors and administrative levels, and in the context of civil protection activities. Secure digitalisation in the public sector is a key measure in the strategy.
The Agency for Public Management and eGovernment (Difi) evaluated the work on information security in central government agencies in 2018. The evaluation showed the need for continued reinforcement of work on the governance and control of information security in the agencies. Moreover, it emerged that all the ministries should improve their monitoring of security activities in the underlying agencies. The National Cyber Security Strategy for Norway states that:
- Difi’s work on the governance and control of information security shall be expanded to encompass both the central government administration and the municipalities because the challenges in the central government administration also apply to the municipalities.
- The agencies in the public sector shall be provided with more coordinated and comprehensive guidance on cyber security.
- Difi shall further develop its role with respect to guidance and recommendations in this area.
- Agency governance of cyber security shall be adapted to materiality and risk. In cooperation with the Norwegian Government Agency for Financial Management, Difi shall provide guidance to agency managers so that they can adequately monitor cyber security.
- Difi’s work in this area shall also be reconciled with the relevant authorities, with special emphasis on the Norwegian National Security Authority and the Norwegian Data Protection Authority.
- The Norwegian Directorate for Civil Protection shall facilitate and hold courses in the planning and execution of exercises for government agencies. Difi contributes to the development of exercises in the area of cyber security.
- The recommendations from the evaluation in 2018 shall be followed up through cooperation between Difi, the Norwegian Government Agency for Financial Management, the Norwegian Directorate for Civil Protection, the Norwegian Centre for Information Security (NorSIS) and the Norwegian National Security Authority.
The Ministry of Local Government and Modernisation is responsible for following up Measure 5. It is important that security considerations, which must be safeguarded by the local government sector as a separate administrative level, be allowed to play a necessary part in national activities and that the local government sector be ensured joint consultation on the implementation of initiatives.
The new Directorate of Digitalisation, in cooperation with the Norwegian Association of Local and Regional Authorities, Norwegian National Security Authority and the Norwegian Data Protection Authority, will play a key role in the work on a strengthened and coordinated approach to cyber security in public administration.