The cyber threat is the biggest threat against the state of Norway in 2019, according to both civilian and military intelligence services. Nevertheless, cyber defense is barely mentioned in the public defense debate. Why not?
The cyber defense protects the armed forces against digital attacks. And it is the “glue” that makes the army, the air force and the navy able to interact.
The cyber defense unit was established as a separate unit in 2012 and it carries two main responsibilities: It is responsible for protecting the armed forces’ ICT systems against digital threats from a wide array of military and civilian actors; and it is responsible for securing good information flow and a good situation image and understanding within the armed forces, so that the army, the air force and the navy have access to the same information and are able to interact across sectors.
In short; the cyber defense is the armed forces’ glue and armor when facing the digital future.
That is clearly evident in the Chief of Defense’s professional military advice, which was presented last month. From the lowest level of ambitions (D) to the highest (A), the cyber initiative and strengthening the cyber defense remain a firm priority throughout.
“In order to face the development and threat image in the cyber domain, the capacity for protecting and situation understanding in the cyber domain is strengthened throughout the intelligence services as well as the cyber defense. This strengthening applies to both personnel and equipment. The ability to supply secure communication services is also strengthened, says Chief of Defense Håkon Bruun-Hansen.
“In order to face the development and threat image in the cyber domain, the capacity for protecting and situation understanding in the cyber domain is strengthened”
The cyber defense was one out of two areas highlighted by Chief of Defense Håkon Bruun-Hansen when he presented his professional military advice at the press conference.
- The armed forces are today heading towards a digitalized and network-based defense structure. Longer reach for our sensors and weapons makes real-time transferring of data between the different actors a necessity in order to fully exploit our capacities. We must make sure that all can exchange data with each other, we must have alternative communication opportunities on land, in the air as well as in space. We must be able to protect ourselves against or circumvent cyber attacks or attacks through digital warfare in order to not lose decisive abilities early on in the fight. In order to succeed with this, taking a significant initiative in the cyber sector is decisive. And we have included such an initiative for all the alternatives, he said during the press conference.
Nevertheless, this hardly receives any mention in Norwegian media, who have mainly focused on cars, ships, planes and bases.
Not very specific
Cyber Defense Head of Communications Knut Grandhagen has no answer as to why that is so, though he assumes the cyber defense may appear not to be very specific.
- In the cyber defense, time is irrelevant. Geography is irrelevant. Cyberattacks happen faster than a blitz of light and thus, managing prevention and campaigns is demanding. To many people, relating to these new challenges is rather demanding, he says to High North News.
Grandhagen also believes that terms are confused. Many use ‘cyber defense’ as a term that encompasses both the accumulated police effort, the national cyber defense centre, the intelligence services and the cyber defense. Whereas the military organization of the Cyber Defense holds a responsibility that is exclusively about protecting the Defense.
- However, in the modern world, the dependence on a solid cyber defense goes way beyond the armed forces. And from 2021 onwards, our responsibility is extended to include the entire defense sector, not just the armed forces as is the case today, he says.
Richard Utne, one of the professional profiles of the NGO Utsyn, a forum for foreign and security policy, argues that the use and understanding of terms and concepts is decisive.
- I have previously documented that there is a general lack of overall clarification of the understanding of the term ‘risk’ amongst actors contributing to public safety and security in Norway. The consequence of this may in a worst-case scenario be a systematic collapse, and this threat is most genuine as new technology increases mutual dependence, he says and refers to Whitepaper #10 Risk in a Safe Society, in which it reads:
“The use and understanding of terms may be of significant importance in work related to public safety, and it is vital for a precise and solid professional debate in this area. If various offices and actors do not share a joint understanding of terms, this may lead to misunderstandings, weakened ability to interact and it may in a worst-case scenario affect our ability to manage incidents.”
Putting out fires
The biggest challenge for the Norwegian cyber defense is the preventive aspect of its work.
- Threat actors are extremely good at learning from each other and dedicating people and time to find weaknesses and coming up with new forms of attack. One can argue that we try to do the same on the defensive side, however, getting ahead of the threat actors is very demanding.
Most forms of digital defense today are built up around signature-based detection, which simply explained means to search through data traffic and electronic signals looking for known indicators of attacks, and to then stop the threat when it is discovered.
- However, that requires that someone has already been attacked. To discover unknown or new threats is a far more demanding process that requires a lot of time and personnel resources.
In addition, the classification levels for information and information sharing with the private sector makes this work hard.
- We lack an efficient system for quickly identifying and managing major incidents, Grandhagen argues.
Must run faster
Nor do decisionmakers at Stortinget, the Norwegian parliament, debate or focus much on the cyber defense. At least not in public.
During a recent debate labeled “The Balancing Art of Security Policy” organized in Bodø recently, MP Hårek Elvenes (Conservatives), Eirik Sivertsen (Labor) as well as Per-Gunnar Skotåm (Red Party) were challenged by Per Gøran Wilhelmsen, Chief Sergeant at the Cyber Defense, on why neither of them mentioned the cyber threat during the debate.
Eirik Sivertsen, representing Labor in Stortinget and being Head of Delegation for the Norwegian Delegation for Arctic Cooperation, recognized that politicians today lag behind when it comes to cyber security.
- We live in a society growing all the more dependent on electronic tools, yet so far, we do not pay sufficient attention to the risk these also entail. This is unchartered waters and we have not come far enough. That said, I do not think this is a particularly Norwegian problem and knowledge has improved over the past few years. Though I worry about attacks that may potentially paralyze society through taking out communications networks and getting control over important bodies in society.
- We probably have to acknowledge that there are new forms of attacks and threat that we do not yet quite know how to manage well enough. We are not where we should be, we are lagging behind as usual – and perhaps we should start running faster.
Richard Utne points out that cyberattacks causing damage, destruction or disturbances in the private sector are still a rather rare occurrence:
- But the ‘cyber threat’ and digital attacks against critical infrastructure is a fast-growing worry. A report from the Norwegian Defense Research Establishment (FFI) concludes that the perception that cyber threat is a decisive factor in conflicts in order to permanently paralyze an opponent with spectacular digital attacks to societal infrastructure hardly is realistic. Instead, cyber threat should be viewed as a tool power used alongside with other coordinated events where the main target is winning dominance over the information domain, taking ownership of the narrative and shifting a strategic point of gravity in order to not achieve agreement on repercussions or to identify how good preparedness there is, and/or on what level authorities identify that they carry a decisive responsibility to protect the resilience of society, he says.
We are not where we should be, we are lagging behind as usual – and perhaps we should start running faster.
The cyber defense holds the responsibility for military infrastructure. However, the cyber defense has not been included in the newly created Joint Cyber Coordination Center (FCKS), which consists of the military and civilian intelligence services, the National Security Agency and the National Criminal Investigation Service.
- And that is my main cause for worry. Because the cyber defense protects the armed forces and through that the Chief of Defense’s ability to defend Norway. If a Russian soldier marches across he borders with a gun, he will be stopped by the Army, which goes out to protect Norway as a nation. However, if a major cyber-attack were to occur, the armed forces cannot assist the nation as the principle of sectoral responsibility forms the foundation, argues Wilhelmsen of the Cyber Defense.
A new Security Act entered into force on 1 January 2019. The Security Act is based on the principle of sectoral responsibility. That means, in brief, that every sector holds the responsibility for maintaining its own data security and is to report to its respective Ministry in the case of attack or other threats.
However, this is at the same time a question about the cooperation principle, which requires cooperation across the former sector divisions. Simultaneously maintaining these two principles is at times demanding. One example in which the sectorial principles and the cooperation principle are actively challenged would be in the case of so-called hybrid scenarios.
- Notice: In a hearing document for whitepaper 2019:13, it says “to assess whether, also for the cases not regulated by the Preparedness Act, there should be introduced a cross-sector power of attorney decision that allows the government to temporarily supplement, and if necessary, make excemptions from, the current legislation”.
Hårek Elvenes and the rest of the Standing Committee on Foreign and Defense visiting the Cyber Defense near Lillehammer about a month ago.
- We do not have sufficient overview over the digital threats. The organisations are in their infancy and have not quite found their form yet, while the threats are new and accelerating. The first step was to organize the Cyber Defense. That was done in 2017. We have come one step further, however, the threats are yet vague and also branch in to civil society, as last seen during the attack at Helse Sør-Øst [one of the national health administration bodies], Elvenes says and continues:
- It may come to – though I do not have any support for this, neither in government nor parliament documents – the Cyber Defense seeing its responsibilities being extended even into the civilian sector.
The idea is not rejected, neither by the Labor nor the Red Party representatives.
- I understand your thinking, though it is possible to argue both for and against. Nevertheless, this is unchartered territory and I will not reject an alternative for discussing how we can secure ourselves better against digital threats, said Sivertsen of the Labor Party.
- Attracting military competence to also cover the civilian sector should be possible. It works well for instance in the Coast Guard, Skotårm says and closes:
- We can, however, never secure ourselves against stupidity and foolishness. And when Helse Sør-Øst outsources its patient records to India, and through that in practice leaves the following up of 800,000 patients to a company in a country for which we have no idea as to how they maintain data security, then that is foolishness, and we cannot secure ourselves against it.
We can never secure ourselves against stupidity and foolishness.
Fears Paper Tigers
Head of Communications Knut Grandhagen will not have an opinion on whether the Cyber Defense should take more responsibility, included for the civilian sector.
- We are currently dimensioned for protecting the armed forces, and we are marginally equipped to do so. Is our responsibilities were to be extended in the future, we have to also receive more resources so that we can build out our capacity and avoid establishing paper tigers, he says and underlines:
- We will, of course, take on the task if it were to be assigned to us.
Grandhagen argues that there are two main challenges when it comes to digital threats for the Norwegian society today.
- The Norwegian population, businesses and public sector are all very concerned with making digital services widely available, but rather few have insight into and an understanding for the threat image and how to protect themselves. On the positive side, we note that commercial actors such as Telenor and Telia have recently started selling security services, which may indicate that there is a market for selling more secure services, which is good.
The other threat is the fact that new IT systems and digital services are acquired without there being funding and resources set aside for maintaining security in these solutions over time.
- We generally see that where digitalization is closely related to the business model, for instance in the finance industry, focus on security is high, whereas in many other sectors, the security level is lower and under pressure.
Utne quotes whitepaper #38, which reads: “A changed security policy situation, combined with hybrid threats, makes civil-military cooperation in cyberspace more relevant than ever before. The military and civilian sector use to an increasing extent a common ICT infrastructure and services are purchased by commercial stakeholders. This means that they also have common digital vulnerabilities. Good cooperation between civilian and military authorities is crucial."
- Implicitly, a joint situation understanding is a critical necessity for interaction.
Do not have enough knowledge
When asked by High North News whether politicians and decision-makers have sufficient knowledge about the cyber defense, Eirik Sivertsen is clear in his answer:
Hårek Elvenes says:
- I cannot respond for others, but I am sure knowledge about cyber threats and how to face these can be improved. These are complex and rather recent threats. And that is why we set up the Cyber Defense a few years ago.
While Per-Gunnar Skotåm, who at the time of writing is attending a NUPI seminar to learn more about this as a direct consequence of his being challenged by the Chief Sergeant of the Cyber Defense during the debate in Bodø, says:
- I believe rather few really understand what it is about. The fact that this came up in the debate recently is the exact reason for my prioritizing this now, he says.
This article was originally published in Norwegian and has been translated by HNN's Elisabeth Bergquist.