Part 3
Basis for growth

9 ICT competence and R&D

Education, expertise, and research in ICT can strengthen Norway’s competitiveness and consolidate its position as one of the most developed, knowledge-based, and competitive economies worldwide. We must therefore have a sufficient high-level ICT competence. We must also have research excellence in ICT.

ICT is important not only in the ICT industry; it enables change and productivity growth in all sectors. An ICT perspective is therefore vital in other relevant professional education programmes such as health and care, energy, environment, design and architecture, crime prevention, and teaching.

The Government considers the most pertinent competence needs from an ICT perspective to be as follows:

• Norway needs core competence in computer science that can easily and widely be applied in industry and in the public sector.

• Norway needs interdisciplinary education programmes in computer science and certain key disciplines that are highly significant to industry and to the public sector.

• An understanding of ICT is vital in basic and further education in all professions. ICT’s role in education must reflect future rather than current needs.

Norway must have sufficient advanced ICT competence in industry and in the public sector.

• Basic education programmes should contribute to providing society with a good recruitment base for advanced ICT competence in the long term.

• Good cooperation and dialogue between educational institutions and industry are important.

• Professional graduates should be well prepared for a working life in which digital tools play a key role.

• Sound mechanisms for labour migration should be implemented to satisfy the need for advanced ICT competence.

• Research communities that hold international leadership in ICT are vital for Norwegian industry and the public sector. This applies both to ICT basic research and to applied research in fields crucial to Norwegian industry and to the public sector.

• High-quality ICT R&D is important for new enterprise and enhanced value creation.

9.1 Advanced ICT competence

Employee competence is essential to creating value in any enterprise. According to the white paper Education Strategy (St.meld. nr. 44 (2008–2009)), human resources have increasingly contributed to national wealth over the past 25 years, and now account for 80 per cent of it. In other words, human competence is Norway’s key growth factor. The supply of a skilled workforce will heavily determine Norway’s economic structure. Norway must host companies and industries with high value creation potential – regardless of disciplinary field – so as to ensure a high level of value creation. An adequate supply of advanced ICT competence is one element that will provide such capability. The Government is therefore concerned that Norwegian society and industry be supplied with such competence. This will provide a vital basis for innovation and new economic development in both the ICT industry and ICT-intensive industries. Adequate supplies of relevant competence can facilitate new enterprise and enhanced value creation.

According to projections from Statistics Norway, we will experience a lack of highly qualified technology specialists, including in the ICT field. The expected ICT skills shortage may therefore hamper economic development and goal achievement in several policy areas.

9.1.1 Companies’ needs and demands

The demand for engineers and ICT specialists is high, while the number of available employees is low. Therefore, employers will have difficulty recruiting ICT professionals. This trend is not limited to Norway; demand for ICT competence is growing throughout Europe, too, while the number of available candidates is declining. NAV’s enterprise survey conducted in autumn 20121 showed the most pressing labour shortages to be in engineering and ICT. The ICT sector is amongst those reporting most recruiting problems. In the survey, 16 per cent of respondents operating in this sector reported severe recruitment problems; that is, they had failed to satisfy recruitment needs during the previous three months. In addition, 5 per cent of these companies reported that they had recruited employees with lower or other formal qualifications than those required.

International surveys show that employees within the ICT industry and employees with ICT specialist competence account for almost 5 per cent of the total workforce in OECD countries. More than 20 per cent of all employees have jobs defined as ICT-intensive. Surveys show that ICT specialists, such as programmers, account for 3–4 per cent of the total workforce in most OECD countries. Generally, demand for ICT specialists exists not only in the ICT sector but in other economic sectors, too.2

Projections

Because ICT is integral to many fields, obtaining statistical data specific to the ICT industry is difficult.

Projections from Statistics Norway show that demand for highly qualified technology specialists, such as master of engineering graduates, will increase towards 2030.3 Employment of technology specialists with lower degrees is expected to stabilise during the same period. A 2010 study from the Ministry of Education and Research showed that technology specialists would experience increasing demand, along with teachers, scientists, economists, and healthcare workers.4

9.1.2 ICT education

Norway has both public and private institutions offering ICT education. Most higher education programmes are run by the large universities, the largest being the Norwegian University of Science and Technology (NTNU) and the University of Oslo (UiO). Combined, NTNU and UiO educate around 80 per cent of Norway’s masters graduates in computer science. Around 30 Norwegian institutions, three of them private, offer programmes in information technology and computer technology.

In 2010, slightly fewer than 1,000 students graduated from Norwegian ICT programmes at bachelor and master degree levels,5a 50 per cent decline since 2004. Despite society’s increasing demand for ICT, the level of interest in ICT programmes at all levels has steadily declined since 2004.6 Universities and university colleges publicise their programmes through the Norwegian Universities and Colleges Admission Service. In 2011, more than 3,000 study places in computer science were offered.

The Norwegian Universities and Colleges Admission Service’s application figures for 2012 show an increase in applications to ICT and natural science programmes. Applications to engineering programmes increased by 25 per cent compared to 2011.

The state universities and university colleges are independent, and have considerable powers to create and close programmes. When developing educational programmes, the institutions evaluate available academic resources, that is, the number of teaching staff, and how they can ensure academic quality. They must also take account of the number of applicants to the respective programmes. Pupil and student choice largely determines which programmes are offered and the dimension of the education system. In some areas, this dynamic can create gaps between labour market needs and students’ educational choices.

Why don’t more students choose ICT programmes?

The proportion of young people applying for ICT subjects has declined dramatically since 2004. International figures also suggest falling numbers of applicants to these subjects. Despite young people being highly active internet users, less than 30 per cent of boys and 15 per cent of girls plan to take ICT-related subjects at upper secondary school.7 Women are under-represented in technology professions in Norway.8

We lack sufficient knowledge about why the number of applicants to higher ICT education has fallen so dramatically. In future, therefore, we should examine whether ICT subjects present particular challenges that should be addressed. We must also consider initiatives to stimulate pupils’ interest in ICT and technology subjects at primary school level.

Focus on mathematics, science, and technology

The strategy entitled A Joint Promotion of Mathematics, Science and Technology was launched in 2006. The strategy’s main goals are to stimulate interest in mathematics, science, and technology (MST) and to strengthen recruitment and completion rates at all levels in the education system. In addition, Norwegian pupils’ MST competence will be strengthened, and the proportion of girls choosing mathematics, physics, chemistry, and technology increased. Through this strategy, a national resource centre for MST recruitment, the RENATE Centre (National Centre for Contact with Working Life for the Promotion of the Natural Sciences and Technology), was established. By using mentors and role models, RENATE will show young people, parents, and teachers that MST offer exciting, creative, and interesting career opportunities. Since its launch, the MST strategy has been followed up in three action plans.

9.1.3 The role of business and industry

Business and industry receive the ICT competence the education institutions supply. However, companies must also ensure they have sufficiently qualified workforces for their own needs. Workers in today’s workforce must have opportunities to take continuing and further education so as to receive new and relevant knowledge. Experienced employees can thus acquire ICT competence adapted to industry’s needs. It should be easy for employees to take continuing and further education. This is an issue which business and industry also consider important. Companies can facilitate continuing and further education internally, though they should do so in dialogue with educational institutions.

Cooperation between the university and university college sector and industry

As we have seen, production in Norway of ICT graduates will be limited in future. ICT competence is needed in many areas in society. Many disciplines will compete for the best candidates. This challenge must be monitored closely and solutions found jointly by educational institutions, industry, and the authorities.

In the 2010 white paper on education strategy, the Government highlighted the general need for cooperation between education and working life.9 To formalise and consolidate cooperation, all the state universities and university colleges have established councils for cooperation with working life (Råd for samarbeid med arbeidslivet (RSA)). The council members must represent social partners, students, and other relevant stakeholders. The councils must also prepare strategies for cooperating with working life, during which they will discuss issues such as development of degree programmes and continuing and further education. This mechanism must be used and further developed in the area of ICT.

9.1.4 Internationalisation of education

In the white paper Internationalisation of Education (St.meld. nr. 14 (2008–2009)), the Government highlights internationalisation initiatives in Norway and abroad. Because most of the world’s knowledge development happens outside Norway, Norwegian educational institutions and research communities must have extensive international networks. These can be established through exchange schemes for students and teaching staff and through research activities.

Norway has gradually become one of the few European countries offering free higher education to students from outside the EEA and EU. Many international students therefore apply to study in Norway. International students represent a vital recruitment base for institutions struggling with low application rates, perhaps particularly so concerning science subjects.

The Norwegian Directorate of Immigration (UDI) conducted a survey to map the extent to which international students remain in Norway and enter the Norwegian workforce on completing their studies.10 Around 8 per cent of students at Norwegian institutions hold foreign citizenship. As of autumn 2011, around 2 per cent of the student population consists of international students studying mathematics, science, technology, or engineering subjects. Many international students leave Norway on completing their studies, but more than half (55 per cent) who arrived in 2008 from so-called ‘third countries’ (outside EU/EEA) are still in Norway today. Among those who came from EU/EEA countries, 25 per cent still live in Norway. Statistics also indicate that a large proportion of international students working in Norway today have jobs that are relevant to their studies, and at highly professional levels. Among students who came to Norway between 2000 and 2002, 90 per cent are studying, working, or actively seeking employment.

Source NIFU Doktorgradsstatistikk, februar 2012 [Nordic Institute for Studies in Innovation, Research and Education. Doctoral Degree Statistics, February 2012]

International contact is vital for enabling Norway as a knowledge-based society to compete and cooperate in the global education and labour markets.11The Norwegian Centre for International Cooperation in Higher Education today administrates several programmes supporting international education cooperation. The Government will assess the need to strengthen international cooperation in ICT competence.

9.2 ICT competence in other professions

In line with increasing digitisation, a growing number of professions which previously made little use of ICT is realising the importance of digital competence and digital tools. In a growing number of areas, ICT is no longer a supporting function, but rather the core of the operation. To contribute to developing and implementing good innovative ICT solutions in these areas, it is necessary to have people with system understanding and high technical competence combined with sector knowledge. Today’s professional programmes must also address future needs. Therefore, the ICT perspective must be incorporated into other relevant professional programmes as well as into lower degree programmes. This is one issue forming the basis for the white paper Education for Welfare (St.meld. nr. 13 (2011–2012)), which covers health and welfare policy.

ICT in the health and care services

Major reforms are being implemented in the health and care sector, as described in chapter 6. These reforms entail introducing new technology such as web-based services, mobile health and care services, and smart home solutions. Such changes require health professionals with the competence to use them. The structure and content of health and social science programmes must reflect the competence needs of the services. A particular need exists for new thinking in the health and social science programmes at universities and university colleges so as to give students a better platform for understanding and using new technology at all levels of health and care services.

ICT in crime prevention

ICT is increasingly used in criminal activities. The scale of criminal activity targeting computer systems, computers, and mobile phones is growing. ICT is therefore becoming increasingly important in crime prevention. Electronic evidence or computer seizures are becoming increasingly important elements in most criminal investigations. Various trends indicate that cybercrime is increasing. The police must take measures to acquire the necessary competence to detect, identify, and handle cybercrime. The police must also increase its presence on the internet through web patrols and hidden surveillance. To accomplish this, police training programmes must provide necessary ICT training. In consultation with the Director of Public Prosecutions, the National Police Directorate appointed a working group in 2011 to prepare a report on how the police work on cybercrime, electronic evidence, and online presence. Its mandate was to find out how the police could address these issues in future.

The report, Politiet i det digitale samfunn12[The Police in the Digital Society], focuses on potential improvements and describes how the police work on electronic evidence, cybercrime, and online presence. It also suggests ways of addressing these issues in future. The police are assessing the measures presented in the report, including the need for training in technology literacy at all levels within the police force.

ICT in the education sector

Use of digital tools is one of the basic skills pupils will learn as part of their basic education, and is an integral component in competence aims in all subjects. To achieve such aims, teachers should possess teaching competence in ICT, be able to use digital teaching materials, and integrate technology in their teaching.

The basic skills are entrenched in the curriculum for primary school teacher education. However, an OECD study shows that teacher education programmes do not offer practice-based experience in ICT.13The programmes therefore fail to demonstrate how technology can be used effectively in the classroom. Teachers who rarely or never use digital teaching materials in their teaching say that one of the main reasons for this is their personal competence levels.14 Qualified teachers must also be updated in this area.

Through Kompetanse for kvalitet15[Competence for Quality], the Government has implemented a large-scale further education programme for teachers. The aim is to increase the number of teachers who have up to 60 credits in subject competence and subject-didactic competence and who specialise in subjects and areas in particular need of improvement. Because ICT is not a separate subject in primary schools, it is not prioritised as a separate subject area. Instead, both the basic skill of using digital tools and subject-specific pedagogical use of ICT will be included in all courses provided.

The need for knowledge about technology also applies for kindergarten personnel. The new curriculum for pre-school teacher education states that, on completion of their studies, students must have broad knowledge about children’s emerging digital skills.

ICT in the public sector

Both state and municipal administrations are undergoing extensive digitisation, with emphasis on improving interoperability between different ICT systems and collaboration between agencies (see chapter 8). Achieving the goal of a digital public sector requires robust infrastructure, well-designed and efficient common services and common components, and good adaptation to agency-specific functions.

Such a project requires public sector employees with competence in specialist fields such as ICT architecture, system development, data security, and data protection.

9.3 Labour migration

Even though the number of ICT graduates will increase in coming years, it will probably not meet society’s demands for ICT competence. Enterprises that fail to find the competence they need resolve this challenge in different ways. In some cases, they recruit employees with lower qualifications, or buy services from consultancy firms or staffing companies. Many also recruit relevant competence from abroad. The Government’s labour migration policy is based on the white paper Labour Migration (St.meld nr. 18 (2007–2009)). The Government wants to facilitate easy and effective recruitment of necessary labour from abroad.

The EEA will constitute the main arena for Norwegian employers’ recruitment of labour from abroad. The work permit requirement for EEA citizens was abolished in 2009. Instead, a registration scheme was introduced, requiring EEA citizens intending to live and work in Norway for more than three months to register with the police or with a service centre for foreign workers.

Third-country nationals, that is, citizens from countries outside the EU/EEA area, still require residence permits to work in Norway. Permits may be granted to skilled workers16 who have received a concrete offer of employment based on Norwegian pay and working conditions. An early employment scheme has been created to speed up recruitment of labour from third countries. The scheme enables employees who have applied for a residence permit to start work while their applications are processed. In addition, the Directorate of Immigration is obligated to process 80 per cent of applications received from migrant workers within four weeks.

NAV is creating a portal dedicated to providing better information to foreign workers wishing to work in Norway. This will act as a gateway to all relevant information on labour migration and import of services. Furthermore, NAV is currently establishing a pilot project at selected foreign service missions to provide information on job opportunities in Norway.

Service centres for foreign workers have been set up in Oslo, Stavanger, and Kirkenes to assist foreign nationals wishing to work in Norway.

The Ministry of Labour has asked OECD to review the Norwegian regulations and initiatives and to assess whether they facilitate the desired labour migration. The report is expected to be published in autumn 2013.

9.4 ICT research and development

The Government’s strategy for ICT R&D is currently being prepared, and ICT R&D will therefore be only briefly mentioned in this white paper.

The close link between education and research means that education can respond to changing needs, society’s needs, and scientific advances.

In 2009, ICT R&D activities worth NOK 8.7 billion were conducted in Norway,17 representing around 20 per cent of total R&D costs.

Industry accounts for around 80 per cent of ICT R&D. Most of this (approximately 90 per cent), however, constitutes development. Around half of industrial R&D is conducted in industries which traditionally use considerable ICT but which are not naturally defined as belonging to the ICT sector, such as the oil and biotechnology industries. This situation illustrates the significance of ICT across sectors and industries.

In 2012, evaluations of the Research Council of Norway18and of Norwegian ICT research19 were published. Both evaluations express the need for increasing public investment in Norwegian ICT research. The issue of grants for ICT research will be addressed in ordinary budgetary processes.

9.4.1 Policy instruments for ICT R&D

Public ICT research is often conducted by universities, university colleges, research institutes and health authorities. The largest actors are NTNU and UiO, which combined accounted for around 75 per cent of the universities’ total ICT research activities in 2009.

The state allocates around NOK 2 billion to ICT R&D every year, some of it as part of the annual basic allocations to the universities and university colleges. The allocation goes towards financing permanent research and teaching positions.

Open competitive arenas

Government grants are also allocated to competitive arenas whereby the best projects win funding. The competitive arenas offer possibilities to stimulate research in areas of particular social significance. The most important actor in the open competitive arenas is the Research Council of Norway. The EU’s Framework Programme for Research constitutes the most important international arena.

VERDIKT

The Research Council of Norway’s VERDIKT programme (Research Programme on Core Competence and Value Creation in ICT) has been the largest Norwegian publicly funded ICT programme since its establishment in 2007. VERDIKT will run until 2014, and had a total budget of NOK 180 million in 2011. The Research Council of Norway has begun work on determining future ICT programmes once VERDIKT is concluded in 2014.

User-driven research-based innovation

User-driven research-based innovation (BIA) is the Research Council of Norway’s programme oriented towards R&D in industry. It is an open competitive arena, which means that projects from different areas compete for funding on the basis of research quality, degree of innovation, and value-creating potential. In other words, the projects originate in companies’ own strategies and needs. Funding is worth 25–50 per cent of total project costs. The projects are organised in consortia whereby companies and R&D communities cooperate on achieving results. The knowledge, technology, and ICT industries account for 20 per cent of the portfolio. The ICT projects under BIA cover a wide spectrum, from software, sensors, and electronics to services and development methods. Public agencies may participate in BIA as partners but may not apply directly.

SkatteFUNN

SkatteFUNN is a tax deduction scheme for business and industry. Norwegian companies with research or development projects are entitled to tax deductions on costs related to R&D. The purpose of the scheme is to stimulate more R&D activities in business and industry and thereby enhance innovation. ICT often proves to be a research area not only for companies belonging to the ICT sector. In 2011, ICT was the most-used area in SkatteFUNN, with 1,384 projects, ahead of services (637), biotechnology (345), environmental technology (281), and innovation in and for the public sector (107). Measured by sector with most SkatteFUNN projects, ICT was again the largest, with 683 projects, ahead of marine/seafood (405) and petroleum (365). In 2011, projects in the ICT sector were expected to result in tax deductions worth NOK 481 million. Expected tax deductions for ICT projects in other sectors are of similar value.

Tax deductions related to R&D projects for small and medium-sized enterprises20 can be 20 per cent, and for large companies 18 per cent. The ceiling for costs eligible for tax deduction is NOK 5.5 million per year for companies’ internal R&D and NOK 11 million for R&D conducted both internally and procured from approved R&D institutions. This system allows small and medium-sized enterprises in particular to benefit from the scheme.

Industrial PhD

Industrial PhD is a three-year PhD scheme which a doctoral candidate completes in a company. The candidate is employed by the company, and the research topic must have clear relevance to the company. The Industrial PhD provides the company with new expertise and expands its network of contacts in academia.

Companies entering into a collaboration agreement under the Industrial PhD scheme receive an annual grant from the Research Council of Norway equivalent to 50 per cent of the established rates for doctoral research fellowships. The candidate employed must be formally admitted to an ordinary doctoral degree programme at a university or university college. The scheme can be a good alternative for companies without the resources to participate in large-scale research projects.

The number of technology projects under the Industrial PhD scheme has risen; a total of 43 per cent of the projects are technology-oriented, and many contain elements of ICT. Many ICT projects are related to oil and gas technology, some to the health and care sector, and still others to teacher education and cognitive technology. For 2012, resources have been set aside for around 40 new projects under the Industrial PhD scheme.

The public sector will need advanced ICT competence in future, particularly relating to digitisation and transformation. Many actors, both in research institutions and in public agencies, have called for a funding mechanism similar to and in addition to the Industrial PhD. Under such a scheme, the public sector would partly fund doctoral studies for its own employees within areas of importance to the agency in question. In its white paper on research with long-term perspectives (Meld. St. 18 (2012–2013)), the Government announced that it would pursue this issue by assessing a scheme for public agencies similar to the Industrial PhD scheme. In work on following up the Digital Agenda, a pilot scheme will therefore be considered, aimed specifically at themes and research topics related to ICT in the public sector. This work will be conducted within the current budgetary framework. Initial work will entail examining the mechanism, limitations, and scope of such a scheme in cooperation with the Research Council of Norway.

9.4.2 Strategy for ICT R&D

The white paper Climate for Research (St.meld. nr. 30 (2008–2009)) highlights ICT as one of three areas of R&D where specific strategies are needed. The goal is to achieve outstanding research results and national expertise of high calibre.

An international expert committee recently conducted an evaluation of Norwegian ICT research. The evaluation shows that while the quality of national research is good, room for improvement still exists. A key recommendation is that Norway needs a national strategy to give direction to research.

10 Reliable ICT

Already in 2000, the Vulnerability Committee’s report A Vulnerable Society (NOU 2000: 24) ascertained that ICT systems had become part of the backbone of society and that society had become more vulnerable to failures in these systems. Since then, ICT systems have become increasingly essential, more integrated in all areas of society, and more crucial to society’s ability to function. Information security is therefore an important aspect of civil protection, and systems and procedures are needed to prevent and manage cyber incidents. General trust in ICT solutions offered by the private and public sectors is vital. Experience in e-commerce shows that trust in, for example, secure payment solutions, has a major impact on how many use them (see chapter 4.2). Without such trust, deployment of ICT will be affected and the speed of transition to ICT in the public and private sectors will slow down.

Data protection will also be challenged by new ways to communicate and to use information systems and networks. Identity fraud is an increasing challenge for private citizens, businesses, and the authorities. Users of Norwegian public services must feel confident that their personal data will not fall into the wrong hands or be misused.

The Government has four main goals for network and information security:

• better coordination and shared situational awareness

• robust and secure ICT infrastructure for everyone

• good ability to handle adverse ICT events

• high level of competence and security awareness

By ‘information security’ is meant that information is securely stored, properly processed, and made accessible when needed. It is crucial that information is not disclosed to unauthorised parties and that only authorised individuals gain access to it. The technical term for this attribute is confidentiality. Furthermore, information and information processing must be complete, correct, and valid; attributes collectively known as integrity. ICT systems must also satisfy certain requirements for stability to ensure that they can be accessed when needed; an attribute commonly referred to as accessibility.

Information security is a continuous process. The fast pace of technology development means that new security challenges are constantly emerging as new products and technology solutions are introduced and usage patterns change. Security protection challenges all levels of society, from personal computers and mobile devices (such as mobile phones and tablets) to systems critical for society.

The Office of the Auditor General of Norway has previously revealed several weaknesses in information security in the public sector.22 In Annual Report 2011. Report on the state of Norway’s security systems, the Norwegian National Security Authority (NSM) stated that important ICT systems were often inadequately secured and that agencies’ exposure to threats was increasing. The Computer Crime Study 2012 (Mørketallsundersøkelsen^TM), revealed a growing gap between security threats and security measures in the public and private sectors. Simultaneously, agencies and enterprises increasingly depend on ICT.

Information security is becoming increasingly important to economic growth, civil protection, and national and international security policy. Many countries have formed strategies and guidelines for information security. Norway has also developed its own strategy for information security.23 This strategy follows up previous guidelines on information security, and will be implemented through an action plan that will be revised when necessary.

The Government gives high priority to information security.

10.1 Current situation and challenges

When people hear about threats to information security, many think of cybercrime or cyberwarfare. However, threats against information security can be intentional or unintentional, and can just as easily be a case of unintentional harm to physical infrastructure as a case of sabotage of a computer system.

Society has become more vulnerable to brief service outages in systems and networks, partly because of increasingly complex multiple systems interoperating and depending on each other. Examples of these are processing industry monitoring and control systems, advanced measuring systems in power grids, and traffic signal and control systems.

10.1.1 Securing physical infrastructure

Statistics from the Norwegian Post and Telecommunications Authority show that mobile phone usage has increased from 12 per cent of total phone traffic in 2001 to 72 per cent in the first half of 2012. A growing number of people are using mobile phones exclusively. Today, telecom networks are used for exchanging everything from basic text messages and conversations to controlling complex industrial systems.

A growing number of businesses and private individuals are using cloud services, that is, web-based services for storing and processing information. Use of cloud computing is increasing our dependence on the internet as infrastructure.

ICT infrastructure is dependent on power supply. To varying degrees, providers of ICT infrastructure and services have protected themselves against unstable power supply. Those who have done so are generally only protected against brief power outages. Secure and predictable power supply will be particularly critical for ICT infrastructure providers and for businesses dependent on ICT. This dependency represents a significant vulnerability in society.

Threats to infrastructure

In future, we can expect more frequent and more extreme climate incidents such as heavy precipitation, storms, drought, flooding, and landslides. Gradual changes will occur, such as higher temperatures, rising sea levels, and increasing precipitation. These may result in more frequent and severe forest fires and in more frequent breakdowns in and damage to physical infrastructure.

Human error also damages physical infrastructure, usually when cabling is cut during excavation or when work is done on IT systems. Such incidents can be the result of carelessness, insufficient preparatory work, or deficient documentation.

To prevent negative consequences of natural events, accidents or acts of sabotage, critical infrastructure must be adequately secured. If infrastructure is classified in regulations as critical to national security interests, measures must be taken to prevent identified threats and possible incidents – both intentional and unintentional. Securing information infrastructure is critical to network and information security.

Security needs must be balanced against environmental and economic considerations when planning and deploying infrastructure. In establishing infrastructure, environmental and economic considerations often result in common conveyance routes for cabling, shared antenna masts, and co-location of technical equipment. Experience shows that such measures can compromise security. On the other hand, security measures for one type of infrastructure can provide protection for another infrastructure following the same route. One such example is where infrastructure protecting roads from landslides also contributes to protecting cables laid under road surfaces.

10.1.2 Threats to ICT systems

Unforeseen events and human error

Unplanned downtime in ICT systems may be caused by external attacks, but it can also be caused by unforeseen events and human error. Human error manifests itself in many forms and can be extremely difficult to foresee. An event can often be attributed to a human error made long before the event.

Errors in ICT systems can be caused by insufficient testing or by failure to test the right things. They can also be caused by miscalculations in, for example, system design, or by use of an ICT system for purposes other than originally intended. Occasionally, attempts to fix an error result in new, even more severe errors. Unplanned downtime can also be caused by manufacturing errors in hardware or components that go undetected during quality assurance or testing.

Businesses must establish procedures for avoiding human error. Nonetheless, there is a high probability of an incident occurring because something happens which no one had envisaged, or because a series of unforeseen circumstances occur or because procedures are not followed. It is therefore crucial to have plans and procedures for dealing with incidents – regardless of cause.

Source Statistics on the number of cases handled at the NorCERT Operations Centre

Cyberattacks and cybercrime

Increased use of the internet and mobile devices has led to greater risk of exposure to cyberattacks and cybercrime. The trend in targeted attacks on critical ICT systems by professional criminals is growing. Attackers often use security holes in software and hardware. Civilian agencies, military units, and private companies are all exposed to espionage and sabotage. Many countries are developing capabilities to conduct cyberwarfare.

Annual threat assessments from the authorities show that the threat of ICT-based espionage and sabotage has increased in recent years. Many countries are developing intelligence and offensive capabilities for use in and against ICT infrastructure. Such activities seek to gain access to, manipulate, or delete sensitive information.

NorCERT (Norwegian Computer Emergency Response Team), a department under the NSM, constantly detects cyber incidents in Norway. The number of such incidents tripled between 2007 and 2011. Furthermore, incidents have become more severe and require more follow-up.

‘Cybercrime’ is a generic term for various types of criminal activity, either using ICT tools to commit crimes or committing criminal acts involving computer data and computer systems. Typical examples are crimes for profit such as e-commerce fraud, identity fraud, denial of service (DoS) attacks, illegal access, damaging important information systems or infrastructure, and cyber espionage. Identity theft and identity fraud are increasingly challenging private citizens, businesses, and the authorities.

An underground market is now readily accessible on the internet where anyone can buy and sell information or tools for use in cybercrimes. Because of such activities, individuals with little ICT competence can carry out attacks.

Not all cyberattacks come from outside; employees may also steal data or cause damage to systems and data. For example, employees or former employees may be tempted by bribes or subjected to blackmail, or may seek revenge on current or former employers.

10.2 Strategic priorities

The Government has set seven strategic priorities to address the security challenges we face. These priorities are intended to ensure that we achieve the goals set for cyber security:

A more comprehensive and systematic approach to information security

Private and public organisations shall safeguard information security comprehensively and systematically. This entails a conscious use of information security management systems (ISMS) based on recognised standards. Requirements must be tailored to the risk facing the individual organisation. The nature, size and social significance of the organisation will dictate its level of ambition and the allocation of resources to security efforts. Critical infrastructure, such as power grids and electronic communication networks, must be prioritised.

Improving ICT infrastructure

ICT infrastructure supporting critical functions must be robust and reliable to avoid cyber incidents as far as possible. Achieving robustness and reliability requires identifying the most important functions and services in society, and the agencies responsible for them. This process will help identify infrastructure critical for agencies and, consequently, for society as a whole. Such efforts will simplify national control and follow-up of civil protection, and strengthen risk management by sector authorities and respective agencies, as well as business continuity planning in critical activities.

A common approach to information security in public administration

Citizens, the business sector, and the public sector must have confidence in the security and reliability of public sector business systems and online services. Risk and vulnerability should form the basis for all implementation of ICT security in public administration.

Safeguard society’s ability to detect, alert, and handle serious ICT incidents.

Norway must be in a constant state of proactive operational preparedness in order to prevent, detect, and coordinate reactions to serious ICT incidents. In this context, relevant authorities and organisations must work in close collaboration, with special emphasis on working with those parts of the private sector that own or operate infrastructure. This collaboration must address both intentional and unintentional events, such as technical or human error, accidents, or natural disasters.

Safeguard society’s ability to prevent, detect, and investigate cybercrime.

Cyber criminals must not be able to prepare or carry out criminal acts without significant risk of being detected and prosecuted. Public authorities will continue to increase their capacity in this field in order to detect cyber crime that directly or indirectly may have an impact on national security or vital national interests.

Continuous efforts to raise awareness and competence

Citizens, and employees and managements in Norwegian businesses must be security conscious and must enhance their competence in information security.

High-quality national cyber security R&D

Norwegian research communities should be at the forefront of many aspects of network and information security. Norwegian participation in international research should be encouraged.

10.3 Information security and data protection in public digital solutions

Increased public sector digitisation means that information security will become increasingly important (see chapter 8). In future, Difi will strengthen its work on public sector ICT security. A competence group will be established in Difi to act as a driver of and contributor to improving management and quality assurance of information security in the public sector.

Processing of personal data is necessary for the public sector to be able to exercise public authority and provide services. Citizens’ privacy must be protected as much as possible. Public authorities should lead by example in protecting citizens’ privacy and should give particular consideration to data protection issues.

An important principle of data protection is to only gather and process the personal data necessary to perform the service in question. If providers of public services shall be granted access to individuals’ personal data, systems must allocate graded access according to roles and pre-defined access levels. Implementing the Government’s digitisation programme will require new ICT solutions in several areas. These solutions must have sound systems for identity management and access control.

10.4 Responsibility for ICT security

Work on national civil protection and emergency preparedness has for many years been based on the principles of liability, conformity, and decentralisation.24

• Principle of liability means that the authority, agency, or department ordinarily responsible for a sector shall also be responsible for emergency preparedness and for maintaining operations during a crisis or catastrophe.

• Principle of conformity means that the organisation that shall handle a crisis should be as similar as possible to the regular organisation.

• Principle of decentralisation means that crises shall be handled at the lowest possible organisational level. The entity closest to a crisis will normally be best placed to understand the situation and therefore best suited to handling it.

Experience shows that, in crises, there is a strong need to view society’s total resources in relation to each other. It is crucial that all authorities and agencies cooperate across sectors on prevention, emergency preparedness, and crisis management. Therefore, in the white paper on civil protection (Meld. St. 29 (2011–2012)), the Government is introducing a new principle, the principle of cooperation:

• Principle of cooperation means that an authority, agency, or department shall be independently responsible for ensuring best possible cooperation with relevant actors and agencies concerning prevention, emergency preparedness, and crisis management. Cooperation should take place not only between public agencies; private organisations and voluntary groups are also important cooperation partners.

10.4.1 Ministerial responsibilities for ICT security

Ministries have overall responsibility for ICT infrastructure security in their respective sectors and for ensuring that preventive efforts in ICT security in their sectors are satisfactory. These responsibilities entail identifying critical infrastructure, initiating preventive and preparedness measures, planning crisis management, and following up work on information security in their respective agencies.

Some ministries have specific roles in ICT security:

The Ministry of Justice and Public Security is responsible for coordinating civilian security. In addition to initiating, developing, and implementing measures through its own channels, the Ministry acts as initiator and coordinator with respect to other sectoral authorities. The Ministry ensures that civil protection policy is followed up in all areas of society. ICT security constitutes a key and integrated element in this coordination work.

The Ministry of Government Administration, Reform and Church Affairs is responsible for coordinating government ICT policy. The Ministry has specific responsibility for promoting a stronger and more comprehensive approach to information security in the public administration. This responsibility involves choosing common standards, using information security management systems, and providing guidance at the highest level. The Ministry is also responsible for improving coordination of work on information security by agencies and for contributing to coordinated solutions.

The Ministry of Defence is responsible for cyber security in the military sector, including preventive measures. The Ministry of Defence has management responsibility for the NSM and administrative responsibility for the National Security Act.

The Ministry of Transport and Communications is, by virtue of its responsibility for the Norwegian Post and Telecommunications Authority, responsible for ICT security related to electronic communication networks and services.

10.4.2 Agency responsibilities

Several regulations instruct public agencies to use information security management systems. This requirement is stated in the eGovernment Regulations, which apply to the entire public sector. The Personal Data Regulations apply to both the private and the public sectors. In addition, the Security Act applies to the entire public sector and to specific areas in the private sector. Several regulations state provisions requiring security to be adapted to risk.

Many factors in everyday working life can complicate agencies’ security policies:

• Employees are increasingly allowed to choose which mobile devices (computers, tablets, mobile phones) to use and to switch between using equipment at home and in the workplace. This situation makes security work more complex and more difficult in terms of assessing risk and vulnerability and in documenting personal security.

• A growing number of Norwegian companies outsource operating and system development tasks to service providers based abroad. Local operating conditions, regulations, and practices might deviate from Norwegian requirements for secure ICT operation.

• Many companies have internal – often industry-specific – or specially adapted systems that can make it difficult to understand the consequences of installing security updates. Updates can also create interruptions in production and delivery processes.

• Companies sometimes have customised systems running on platforms no longer supported by the manufacturer. In such cases, they will no longer receive patches to handle vulnerabilities. Updating to new platforms can demand considerable resources to replace legacy software and hardware and to adapt systems. Although developing new, more modern systems is usually more expedient, it is time consuming and expensive.

Before companies begin implementing security measures, they often conduct risk and vulnerability analyses. Such analyses assess the probability of an incident and its consequences. Measures are implemented following a cost-benefit analysis. How much a company’s customers are willing to pay for increased security often plays a role.

However, many companies – including private companies such as banks and telecommunication providers – administrate systems that are considered critical infrastructure. In such cases, the respective authorities set requirements for such systems’ continuity of operation. In case of incidents involving electronic communication, such as faults in software, loss of or interruption to internet and mobile phone services, etc., companies are legally required to notify the Norwegian Post and Telecommunications Authority.

The public sector

The public sector must conduct sound risk and vulnerability assessments. The Norwegian Data Protection Authority, the NSM, and the Office of the Auditor General of Norway have uncovered weaknesses in the public sector’s risk assessments. Existing security measures were found to be fragmented and not systematic enough, and work on information security was found to be neither sufficiently entrenched in agency managements nor sufficiently integrated with their performance management practices. Increased use of international security standards in the public sector will contribute to increased integration and systematisation of security work.

Consideration will be given to requiring public agencies to adopt standards for information security. Information security can be an integral part of an agency’s overall management system for continual improvement of work processes, achievement of objectives, health, safety, and environment, environmental management, social responsibility, etc.

The principle of agencies’ being responsible for their own information security is challenged by the new ways in which agencies operate. In future, public agencies will share or reuse common functionalities – also called ‘common components’ – to a far greater extent (see chapter 8.2). From this perspective, assessments of information security will be essential. For example, agencies can no longer rely on their own security policies alone. The trend in establishing common components such as Altinn and the eID Gateway contributes to professionalization of security tasks, but it also places higher demands on coordination.

10.4.3 User responsibilities

In many cases, the individual user has become a key defence against intentional cyber incidents, meaning that demands placed on users are increasing. They are expected to be able to recognise fake websites, e-mails, images, and antivirus programmes, and virus-infected attachments. In addition, individual users are expected to install and use security tools and programmes without necessarily being qualified to do so. These issues present major challenges.

Use of web forums and social networks also creates a number of security challenges. Users and agencies need to be more aware of this. They also need information on data protection and potential threats. There is also a need to raise user awareness about the consequences malware can have for themselves, their employers, and other internet users, and about individual responsibility to prevent distribution of malware. Information obtained from social networks can provide valuable background information to cyberattackers. Such information can be used, for example, for social manipulation. These types of attacks, where attackers use methods such as fear, grooming, and baiting, are becoming increasingly widespread.

Inadequate security measures by private individuals can also have consequences for civil protection. A key element in this connection is the use of botnets. A botnet is a network consisting of thousands of computers which, unknown to users, are infected by Trojan horse programmes and controlled by criminal organisations. These programmes are used to perform so-called ‘denial-of-service attacks’ whereby a website is so deluged with access enquiries that it cannot respond to legitimate traffic and is therefore unable to provide service. These attacks are used for purposes of, for example, blackmail, or are politically motivated.

Personal computers controlled by criminals can also be used to illegally spread stolen personal data or credit card details. Such stolen information is then sold on the illegal market and used for identity theft, blackmail, and fraud targeting credit card companies and online banks. Criminals can also use so-called ‘proxy servers,’ which can avoid criteria for legally accessing online services or that can hide the identity of the party contacting a website.

Although individuals must exercise critical judgement online, they may be unable to do so if they lack sufficient information and competence. Both authorities and individual employers have a responsibility to ensure that such information is available and to increase awareness of information security. Many public and private actors are working on enhancing security competence among the population (see chapter 2.2.1). Although many actors are already cooperating with each other, better coordination will further reinforce these efforts.

11 Effective innovation policy instruments

The overarching goal of the Government’s industrial policy is to create an optimal climate for value creation in the Norwegian economy and for full employment. Profitable companies mean secure jobs. Economic policy is important for the Norwegian ICT sector and for implementing the Digital Agenda. It is also important for companies based on innovation and business development through ICT – without being part of what we traditionally refer to as the ICT sector.

Like other parts of the economy, the ICT sector should have good framework conditions, the principal ones being effective taxation, infrastructure, competence (basic, applied, and advanced), access to capital, and other mechanisms that promote innovation and competitiveness. Initiatives such as public purchases and procurement, standardisation and ICT architecture, and development of new digital common solutions from the public sector have significance for the ICT industry (see chapter 8). Beyond general framework conditions, industrial policy is implemented by means of innovation policy instruments.

11.1 Innovation policy instruments

Innovation policy instruments will trigger socially and commercially profitable projects which otherwise would not be realised, regardless of industry sector. The purpose of innovation policy instruments is to contribute to better utilisation of society’s resources than would be the case were they not applied. Specifically, the market should continue to be the key source of capital for new projects, but the public sector can contribute when the market fails. Innovation policy instruments should not be the only funding source for projects, but should contribute to attracting private capital. Only in exceptional cases should public funding of projects constitute more than 50 per cent of project costs. Innovation Norway, SIVA (Industrial Development Corporation of Norway), and the Research Council of Norway manage a large portion of the Government’s innovation policy instruments. These instruments were created to counteract the effects of failed markets on small and medium-sized enterprises and on R&D and innovation projects. Nonetheless, market failure alone will not justify implementing government initiatives.

To ensure that policy instruments are well utilised, the Government has outlined eight criteria for assessing the use of innovation policy instruments:25

• Market failure must hamper economic value creation and growth.

• The impacts of market failure must exceed the cost of market intervention.

• The policy instrument implemented must be appropriate to correct the market failure as intended.

• The objective of the policy instrument must be clearly defined.

• No alternative instruments that would better achieve the policy instrument’s objective must exist.

• The criteria for selecting the policy instrument must be clear and predictable.

• The policy instrument must be simple to administrate so that the cost of applying it is small compared to its effect.

• Applicants seeking to participate in the policy instrument must be entitled to receive a decision within a reasonable time.

Since ICT is a key industry in its own right as well as highly significant for others, these criteria will also be important for the ICT industry.

11.1.1 Innovation Norway

Innovation Norway is a key contributor to national innovation policy instruments. The company has offices in all Norwegian counties apart from Akershus, and around 30 offices abroad. Innovation Norway administrates policy instruments related to finance, networks, competence, advisory services, and promotional services. Most of Innovation Norway’s policy instruments are essentially industry-neutral. Support is given to the best and most economically and financially profitable innovation projects, though some schemes can have other objectives. In its white paper on tools for growth (Meld. St. 22 (2011–2012)), the Government announced its intentions to:

• Simplify Innovation Norway’s policy instrument portfolio to make it easier for users to learn about the company’s programmes and services.

• Develop the current offering of capital to enterprises during the early growth stage.

• Strengthen Innovation Norway’s internationalisation efforts, prioritising small and medium-sized enterprises.

• Establish a professional and robust role in the national innovation policy instrument – Invest in Norway – to handle investment enquiries from abroad.

• Establish a new investment mandate for Investinor (see below).

• Establish new nationwide seed funds (see below).

11.1.2 SIVA

The main objective of SIVA is to contribute to innovation and economic development in all regions of Norway. The company does so through real estate activities and by developing strong regional innovative and value-creating clusters. Some examples of SIVA’s activities are programmes for business gardens and business incubators, and ownership interests in innovation companies and physical infrastructure. Business incubators are most often attractive policy instruments for new ICT companies. These schemes offer physical environments (premises) and advisory and support services to help entrepreneurs to further develop promising business ideas.

11.1.3 Investinor

Investinor is an investment company offering capital, by means of direct investment, to promising companies during their early growth stage. Investments must be made on a commercial basis and on the same terms as for private investors. The Government has granted Investinor a total of NOK 3.7 billion in equity. In the second quarter 2012, ICT was Investinor’s second-largest business sector, measured in number of investments. Much of the rest of Investinor’s portfolio has ICT as an important product or service element.

In its white paper on tools for growth (Meld. St. 22 (2011–2012)), the Government presented a shift of focus for Investinor’s core investment areas, from industries such as energy, environment, tourism, and the marine and maritime sectors to profitable investments in sectors:

• with business clusters having international comparative advantages

• that utilise vital natural resources

• that utilise new technology and competence

• that contribute to minimising environmental impacts and man-made climate change

These investments can be in environmental technology, energy, the marine industry, the maritime sector, tourism, ICT, biotechnology, and health technology.

11.1.4 Other key innovation policy initiatives

The white paper on tools for growth (Meld. St. 22 (2011–2012)) also announced other new and important initiatives:

Establishment of new nationwide seed funds

Seed funds are a form of policy instrument for providing new, innovative, and internationally competitive companies in their early growth stage with competent capital through cooperation between public and private investors.

ICT is a particularly important investment area for seed funding. These projects often have a relatively short time to market, are moderately capital-intensive, and internationally scalable. ICT projects are also in good supply. One of the four nationwide seed funds established focuses on ICT, while the other funds invest heavily in ICT-intensive projects. In practice, these funds are fully invested, and only invest in new projects to a small degree.

The Government therefore wants to establish up to six new nationwide seed funds. Each fund will have around NOK 500 million under management, and the state and private investors will each supply half the capital. The Government will also provide risk relief to private investors to trigger capital and competence. Industry practice is that funds specialise in certain industries to focus on resources and to thereby ensure best possible profitability. The funds’ focus areas will be determined by fund manager competence and investor interest. In addition to ICT, interesting investment areas might be energy, environmental technology, the marine sector, biotechnology, health technology, and tourism. The objective is to establish funds in all regions of Norway, with national investment mandates. Resources were allocated in the revised 2012 national budget for government participation in two new funds.

Network for business angels

Business angels are private investors who provide capital, competence, and networks to new businesses, often based on their own entrepreneurial experience. Networks between business angels can help potential entrepreneurs in need of capital and competence to find investors more easily. Simultaneously, such networks can enhance investors’ competence and investment skills. The Government has announced its wish to support establishment and further development of national networks for this type of investor.

Strategy for small enterprises

Eighty-eight per cent of ICT enterprises in Norway have 1–4 employees, which makes investment in such enterprises important. The Government will follow up the strategy laid out in Små bedrifter – store verdier [Small enterprises – great value], where 64 specific initiatives were launched to improve general conditions for small and medium-sized enterprises. One of the key initiatives is simplification. The goal for the strategy is for enterprises to spend less time on statutory administrative tasks and more time on operating and developing their businesses.