Meld. St. 9 (2022–2023)

National control and cyber resilience to safeguard national security— Meld. St. 9 (2022–2023) Report to the Storting (white paper)


3 Means for strengthening national control and building cyber resilience

The state has a range of means for achieving national control and building cyber resilience. These means must be assessed individually and in context, and will vary depending on where you are in a spectrum of conflict, how much control is desirable in different contexts and any associated costs. Means for safeguarding national security must also be assessed in light of Norway’s obligations under international law, including free trade agreements with third countries. As we strengthen our ability to withstand the actions of state threat actors, they will adapt their use of their means in a way that may affect our national security interests. Our means must therefore be adapted and developed over time to meet these challenges.

On a general basis, it is important to give sufficient priority to means with a preventive effect. Incident management is often more expensive and intrusive than prevention. The focus on preventive measures is important on all levels of society, from individuals to companies and authorities. The PST, the police and the NSM have a specific responsibility here. At the same time, society must have sufficient resources to deal with incidents once they have occurred.

Textbox 3.1 Cyber attacks cost NOK 20 million on average

A global study from IBM shows that 83% of the world’s companies have experienced at least one cyber attack in the last two years. The cost of an average cyber attack on a company has increased by 13% in just 2 years. The cost averages NOK 20 million in the Nordic countries and NOK 40 million globally.

When Norsk Hydro was hit by a widespread cyber attack in 2019, the company was completely paralysed, and the costs of the attack were NOK 800 million. Another example is the Danish shipping company A.P. Møller-Mærsk. The company was hit by a cyber attack in 2017, the costs of which were estimated to be between 200 and 300 million US dollars.

Changing economic framework conditions place higher demands on priorities and effective resource utilisation. This means that prioritising preventive measures becomes more and more important, and will result in having to balance between different considerations, needs and wishes. Means such as increased national ownership and control through the acquisition of strategically important companies, natural resources and infrastructures, for example, have a direct cost. The need for national control for reasons of national security can also result in costs for society and industry, for example if increased reporting obligations were required or if restrictions on private ownership, access to international capital, business cooperation, and relations with other states were enforced. Norway has obligations through the EEA agreement and other international agreements, such as WTO regulations and free trade agreements, which must be safeguarded if ownership restrictions are to be introduced. Risk acceptance is another important element, including an assessment of adequate national control and cyber security. Society’s use of resources and proportionality to achieve national control and digital resilience must be assessed against effectiveness. For this reason, cost-benefit assessments must be carried out. The many considerations mentioned here must be weighed against the consideration of safeguarding national security and together constitute a good decision-making basis.

3.1 Regulation must follow developments in society

Regulation is the primary means for ensuring national control, and is also cost-effective. Legal instruments usually consist of various injunctions or prohibitions, combined with the power to be able to grant permits, rights and obligations or exemptions linked to these. Regulation is a strong, but often necessary, tool. It creates predictability and is a prerequisite for equal treatment in a state governed by the rule of law.

3.1.1 The Security Act – our most important tool for safeguarding national security

The Security Act is uniquely positioned to safeguard national security. According to the Security Act, assets that are important to our national security interests must be designated and secured in line with the law’s requirements. The ministries designate fundamental national functions and can decide that companies that are of vital importance for fundamental national functions shall be subject to the Security Act.1 This asset mapping is a continuous process which covers all areas of society. This mapping work is complex and shows, among other things, that there are extensive mutual dependencies across areas of society, and that this dependency changes relatively quickly. There is a need to update and improve the overview in order for preventive security work to be as targeted and effective as possible. This will be prioritised across all areas of society in line with the Ministry of Justice and Public Security’s leading and coordinating role within the work on preventive national security on the civilian side.

Figure 3.1 Satellite-based communication, surveillance and earth observation are among the fundamental national functions.

Photo: Shutterstock

The government is interested in ensuring that the Security Act is adapted to the current risk and threat picture at all times, and will therefore put forward the necessary proposals for adaptations to the regulations. The law as a means of safeguarding national security is strengthened through revisions to the Security Act. See Chapter 4.2.1 for proposed changes to Chapter 10 of the Security Act about ownership control.

Companies that are subject to the Security Act must have sufficient expertise to follow up on the law’s requirements. A shared security understanding, security culture and a basic securing of assets that are important to national security must develop over time. The Ministry of Justice and Public Security has asked the ministries to map their own security expertise during 2022, and will follow up with feedback to the ministries (see Chapter 3.4.1 for further discussion).

Textbox 3.2 Changes to the Police Act and the Police Databases Act

In Prop. 31 L (2022–2023), the Ministry of Justice and Public Security has proposed amendments to the Police Act and the Police Databases Act regarding the PST’s intelligence mission and use of openly available information. The proposal suggests that the PST should prepare analyses and intelligence assessments about conditions in Norway that could threaten national security interests. Moreover, it is proposed that the PST processes openly available information if it is believed to be necessary for the preparation of analyses and intelligence assessments, even if the individual information in isolation is not necessary. These proposals will enable the PST to assess to a greater extent the likely future development of threats in Norway and the threat actors Norway will face in the future, and will be an important measure to safeguard national security.

3.1.2 Practice of existing legislation

The government believes that many existing regulations in various areas of society can contribute to achieving national control, not just the Security Act.2 Certain regulations do not include national security as an assessment criterion today, while other regulations already have provisions that take care of the security perspective. The government believes that there is room for manoeuvre for safeguarding national security in existing regulations in different areas of society, and that this room for manoeuvre should be better utilised.

The practice of different regulations cannot be seen in isolation, but must be seen across areas of society. Different permit schemes and management perspectives can create blind spots, which can be exploited by foreign states at the expense of national security interests. Our ability to protect national security is therefore dependent on the individual sectors and the authorities being jointly aware of the threat picture, their own assets and dependencies, within and across areas of society. The principle of cooperation (“samvirkeprinsippet”) is important in this regard. In addition, the Ministry of Justice and Public Security and the Ministry of Defence are important drivers of cooperation between the civilian and military sides.

The government will go through relevant existing legislation to ensure that consideration of national security is included as an assessment criterion where appropriate.

With regard to strategically important assets, companies, property, infrastructure, natural resources and technology, relevant regulations that can be assessed in more detail include concession legislation, the Planning and Building Act, the Waterfall Rights Act, the Energy Act, and the Ports and Waters Act. This does not mean that considerations of national security will always weigh more heavily, but that it must be considered as a minimum. The purpose is to make demands on those who administer legislation, and those who must comply with it in order to prevent unwanted actors from gaining insight, control and influence over assets that are of importance to national security. It is appropriate to make any adjustments in the relevant regulations as part of another review of the law. The legislation must also be seen in context with other legislation, to avoid unnecessary double regulation.

3.1.3 Export control

The Export Control Act3 and related regulations4 apply to the export of specified goods, technology, including intangible outputs, technical data packages or production rights for goods, as well as certain services. The aim is to ensure that exports that can be used for military purposes, or as weapons of mass destruction, do not contribute to conventional, military capacity building in countries of concern, and to ensure that export is in accordance with Norwegian foreign and security policy interests.

The control of the export of strategic goods and technology is increasing in complexity in line with security policy developments and changes in the threat picture to Norwegian interests. Countries with which we do not have security cooperation seek strategic goods, technology, services and knowledge from Norway to strengthen their military capability. This covers conventional military capacity building and programs for weapons of mass destruction, as well as equipment that can be used for intelligence activities or mapping of critical infrastructure in Norway. Norwegian technology communities are constantly exposed to attempts to circumvent export control regulations.

The government wants to clarify and strengthen export control regulations, and clarify the practice of control of knowledge transfer in and from Norway. This includes clarifying what export control-regulated knowledge transfer is, and introducing a provision on license obligations for knowledge transfer in the export control regulations.

In spring 2022, the Ministry of Foreign Affairs conducted a general hearing of proposals for changes to the export control regulations. The Ministry of Foreign Affairs is in the process of assessing these proposals and will follow up the regulatory work further in 2023.

3.1.4 Proposal for a new Norwegian cyber security Act

The government is considering putting forward a proposal for an act on cyber security. Central to this is making companies accountable and ensuring the implementation of national advice and recommendations.

The government plans for the bill to apply to operators of essential services within the areas of energy, transport, health, water supply, banking services, financial market infrastructure and digital infrastructure. Furthermore, it will also apply to the providers of digital services, more specifically providers of cloud services, digital marketplaces and digital search engines. The regulations will also clarify what is required for a business to be considered an operator of essential services. The Norwegian cyber security act will require companies to implement security measures and notify of serious cyber incidents. This applies to certain areas of society which have an essential role in maintaining critical social and economic activity. As the act is further developed, particular attention will be paid to expanding its scope, and to ensuring that national advice and recommendations are followed up by companies to a greater extent. The act will facilitate the introduction of the EU’s NIS Directive.5

Textbox 3.3 Long-term strategic work

Norwegian authorities have worked strategically with cyber security over a long period of time through major studies, reports to the Parliament (“Storting”), strategies and the development of measures. Norway was the second country in the world to produce a national strategy for cyber security in 2003. In 2019, Norway became the first country to publish a fourth strategy. Internationally, Norway is considered to be a mature country in this area and for many, an attractive partner for collaboration. This report to the Storting further builds upon long-term work where strengthened advice and guidance and the need for further regulation have been identified as important areas.

The government will continuously assess regulation to ensure that companies that support important functions in society have sound cyber security. Among other things, the EU’s revised NIS Directive will be significant in deciding how the Norwegian Cyber Security Act is further developed. Other relevant EU legislation includes the EU’s Cybersecurity Act, which deals with the mandate of the European Union Agency for Cybersecurity (ENISA), and a common European framework for voluntary certification of IT products, services and processes. Efforts are being made to incorporate this regulation into the EEA agreement. The EU has also recently launched the Cyber Resilience Act which sets minimum requirements for cyber security in products and services. A draft legislation on digital operational resilience for the financial sector, the Digital Operational Resilience Act, is also being considered in the EU. The goal of this legislation is to ensure that all participants in the financial system have the necessary measures in place to reduce the danger of cyber attacks and other unwanted incidents. The draft builds on the NIS Directive and will take precedence over the NIS Directive’s rules where applicable once it has entered into force. The proposed regulations are considered to be EEA-relevant.

Textbox 3.4 The EU’s proposal for a revised NIS Directive

In November 2022, the EU agreed to a new directive, NIS2. The scope of the directive has been extended compared to the NIS Directive by adding new sectors and entities. Entities to which the regulations will apply will be classified based on their importance and divided into two categories, essential entities and important entities, which are subject to different supervisory regimes. The new directive also strengthens the security requirements for companies with a list of basic measures that must be applied as a minimum, and gives more precise provisions for the reporting of incidents. Furthermore, security in supply chains and supplier relationships is addressed. EU member states are given a deadline of 21 months to introduce the directive nationally, at which time the current NIS Directive will be repealed.

3.2 National ownership to ensure national control

In some areas, national ownership contributes to ensuring national control. This applies, for example, to energy and natural resources, important infrastructure and strategically important elements of the Norwegian private sector. National ownership includes state ownership, county municipal ownership and municipal ownership, as well as private Norwegian ownership. Due to complex value chains and ownership structures, among other things, national ownership does not necessarily imply national control.

‘State ownership’ refers to the state’s direct ownership of companies. Since 2002, a white paper on ownership policy has been presented to the Storting in each parliamentary session about the state’s overall direct ownership of companies. The ownership report explains why the state is an owner, what the state owns and how the state exercises its ownership. The current ownership report6 lists public security and preparedness as reasons why state ownership can be an appropriate measure. The following appears in the ownership report:

“Regulation is the primary policy instrument used for safeguarding considerations relating to national security, civil protection and emergency preparedness. Examples of such regulation are the Business and Industry Preparedness Act, the Power Contingency Regulations, the Security Act and the Electronic Communications Act. State transfers to manufacturers, contracts with private actors or other forms of cooperation with business actors that are administered and managed through the respective sector ministries are examples of other policy instruments.
In special cases, the State may consider it necessary to prevent undesirable interests from obtaining access to information, influence or control over companies that are of importance to national security, civil protection or emergency preparedness. This can be achieved by, among other things, making the companies subject to the Security Act or by owning a specific stake in certain companies.”
“State ownership based on civil protection and emergency preparedness normally suggests that the State should own more than half the company. This helps to prevent outside interests from acquiring majority shareholding or gaining influence through positions on the board.”

Textbox 3.5 State ownership as a means for public security and preparedness

Public security and preparedness have for a long time been justifications for state ownership. The state operated its own production of defence material through Kongsberg Våpenfabrikk, Horten Verft and Raufoss Ammunisjonsfabrikker. These companies were established in the 19th century under the auspices of the Norwegian Armed Forces, and were spun off in 1947 into separate, independent companies. The companies eventually also entered into other industrial production. The state has continued ownership of the ammunition business through Nammo, and of the production of other military material through the Kongsberg Group.

Public ownership (state, county municipal or municipal ownership) can provide the public with large revenues, and facilitate the desired social development and democratic control. At the same time, public ownership can be resource-demanding, can have economic costs, require significant follow-up and be politically sensitive. National control can be achieved through various means and is not necessarily the same as public ownership. Having control can include preventing undesirable actors from gaining control of or possibly acquiring property, resources or infrastructure that can give them insight or influence, or reduce our own political or economic room for manoeuvre. This can also be achieved through private Norwegian ownership of companies, property or other assets.

Checking to identify the real owners of e.g. infrastructure, natural resources or property of importance to national security is important. The government wants a better oversight of this. It will provide insight into whether ownership can be a challenge for national security. Information about foreign ownership is registered by a number of institutions, both Norwegian and international, but the information is currently not systematised to a large extent. This therefore requires extensive national and international cooperation. The need for oversight of strategically important areas is more closely discussed in Chapter 4.

3.3 National and international cooperation

Cooperation and information sharing across society, services, sectors, public-private and across international borders is crucial in the work on national security. For example, various private and public actors have much relevant information that can contribute to increased insight and common understanding of the risk and threat picture. This contributes to a better basis for decisions and an adapted use of our means, and makes us better able to protect assets of importance to national security in peace, crisis and armed conflict. Increased expertise and involvement at all levels of society must be an integral part of meeting the risk and threat picture. By strengthening individual security, we contribute to strengthening our collective security.

3.3.1 Collaboration between intelligence and security services

Extensive cooperation and information exchange between our intelligence and security services is fundamental for national security. Information about and understanding of the risk and threat picture is vital for ensuring that various actors can identify their own vulnerabilities and safeguard their own security. A prerequisite for this is appropriate frameworks and tools, especially for the handling and dissemination of highly classified information.

In order to contribute to increased information exchange and coordination between the Norwegian Intelligence Service and PST on specific cases, the collaboration was further strengthened in the summer of 2021 through the establishment of a Joint Intelligence and Counter-Terrorism Centre. In November 2022, the government established the National Intelligence and Security Centre (NESS). The PST, the Norwegian Intelligence Service, NSM and the police will collaborate in NESS to strengthen our national ability to detect and understand hybrid threats – and our own vulnerabilities – as well as to ensure good decision-making support for the authorities. This collaboration builds on the enhanced collaboration between PST and the police established in February 2022, in order to develop a national hybrid threat picture. This measure emphasises the government’s prioritisation of work against hybrid threats.

The Joint Cyber Coordination Centre (FCKS) is a permanent, co-located professional environment consisting of representatives from the NSM, the Norwegian Intelligence Service, PST and Kripos. The work done by FCKS helps to increase our national ability to protect ourselves against serious cyber attacks and maintain a comprehensive risk and threat picture for cyberspace. Furthermore, FCKS contributes to important analyses at a strategic level, which form a basis for the government’s decision making.

Textbox 3.6 Intelligence and security services

The Norwegian Police Security Service (PST) is Norway’s national domestic intelligence and security service, subject to the Ministry of Justice and Public Security. The PST is tasked with preventing and investigating serious crimes against the nation’s security. As part of this, the service must i.a. identify and assess threats related to unlawful intelligence activities, the proliferation of weapons of mass destruction, sabotage and politically motivated violence or coercion. These assessments will contribute to policy development and support political decision-making processes.

The Norwegian Intelligence Service is Norway’s foreign intelligence service. The service is a part of the Norwegian Armed Forces, but the work covers both civilian and military topics. The Norwegian Intelligence Service’s main task is to notify of external threats to Norway and prioritised Norwegian interests, support the Norwegian Armed Forces and defence alliances in which Norway participates, and support political decision-making processes with information of special interest to Norwegian foreign, security and defence policy.

The Norwegian National Security Authority (NSM) is a national competent authority for preventive security in accordance with the Security Act. Among other things, the NSM gives advice on the protection of and supervises the safeguarding of critical national information, information systems, objects and infrastructure. The NSM is also the national specialist hub for cyber security and is responsible on a national level for updating, warning and coordinating the handling of serious cyber attacks.

Figure 3.2 The PST is Norway’s national domestic intelligence and security service.

Photo: Ministry of Justice and Public Security

3.3.2 National Cyber Security Centre at NSM (NCSC)

Through the National Cyber Security Centre, the NSM has established an arena for national and international collaboration for detection, handling, analysis and advice related to cyber security. The Centre includes partners from business, academia, defence and the public sector who actively contribute to mutual cooperation for a more robust digital Norway. Around 50 companies currently participate, with more and more joining. The partner program will be strengthened, both to open up for more partners and to facilitate more information sharing.

With more partners, the need to divide the partner network into target groups increases. This is important in order to build trust and share information internally in the network, and to reach out with better adapted information to individual companies in a more efficient way. The National Cyber Security Centre is an important part of the NSM’s work with advice and guidance, detection and incident handling (see points 3.5 and 3.6).

To strengthen research, innovation and expertise within cyber security, Norway is following up on the EU’s regulation on the establishment of a network of national coordination centres for cyber security. In this context, a centre will be established, in order to build up and coordinate the national part of the European expert community within cyber security and generally stimulate research, innovation and competence development nationally. An important task for the centre will be to promote and give guidance to applicants to the European investment programmes DIGITAL and Horizon Europe’s cyber security-related calls. The centre is also expected to be able to allocate EU funds and national co-financing to third parties. DIGITAL and Horizon Europe are EU investment and research programmes, in which Norway already participates.

The Ministry of Justice and Public Security is working to enable the NSM and the Research Council of Norway to establish Norway’s national coordination centre for cyber security. The centre will collaborate with other cyber security communities in Norway.

Figure 3.3 National Cyber Security Centre in the NSM.

Photo: Norwegian National Security Authority

3.3.3 International cooperation

In an international economy and a digitalised society, where dependencies, means and threat actors are not limited to national borders, international collaboration is important to achieve national control. This includes working for responsible government behaviour in cyberspace and seeking to use existing channels, such as the EU’s framework for foreign direct investment screening, for access to information about economic activity which could threaten our security.

Experience from our allies, NATO, the UN and the EU can give useful insight on best practice across international borders and help adapt national regulations to have a common approach, where appropriate. In light of Finland’s and Sweden’s NATO applications, it will be particularly relevant to seek common Nordic solutions where possible, given our similar governance systems, values and risk and threat picture. By taking a clear role internationally and being able to point to national initiatives and priorities, Norway could also be perceived as a predictable and reliable ally and partner, which is important for our position in international cooperation.

A main priority for Norway at an international level is to work for strengthened compliance with current international law among UN member states. In 2021, Norway published its national positions on selected international law issues in cyberspace to contribute to a strengthened common understanding of how international law applies. The services and products we use are often completely or partially produced and developed in other parts of the world. This requires collaboration on international standards from a security perspective.

The government wants Norway to work towards close, binding and predictable international cooperation on national security and on countering hybrid threats together with allies, partners, NATO, the UN and the EU.

The government wants Norway to actively participate internationally for strengthened compliance with current international law. Norway will contribute to the work on the preparation of international voluntary norms and standards within cyberspace. The government will also strengthen collaboration with international partners to create an open, secure, stable and peaceful cyberspace.

3.4 Competence and awareness raising

3.4.1 Security competence in society

Competence about threats, vulnerabilities and effective countermeasures is a prerequisite for being able to protect assets against unwanted incidents. A lack of competence about risk and knowledge of our own assets and vulnerabilities leads to reduced security management and a weaker connection between the actual risk picture and measures that reduce risk. There are many examples where the combination of a lack of understanding of assets and a culture of openness has led to information about e.g. property and infrastructure of importance to national security being openly available on the internet, for example a risk and vulnerability analysis or an overview of socially critical infrastructure. Companies and public bodies that manage assets of importance to national security must assess the consideration of national security to a sufficient extent when such information is made available.

Technical security measures alone cannot stop potential threat actors. It is therefore necessary to build a good security culture across all of society. This assumes that everyone – individuals, companies and authorities – is aware of the security challenges and has the necessary basic knowledge of countermeasures that are relevant to them. This increases robustness, but also the individual’s awareness and understanding of security. It is particularly important to strengthen the understanding of assets and competence about threats, vulnerabilities and effective security measures among top level managers and decision-makers. A good security culture is expressed through each company’s overall security behaviour.

NorSIS coordinates National Cyber Security Month every year in October on behalf of the Norwegian authorities. This is an example of an awareness raising measure in society at large. The aim of this campaign is to strengthen the cyber security competence of companies and individuals. Another example is the national training portal, ovelse.no, which offers all Norwegian companies free training in cyber security.

Figure 3.4 The ovelse.no platform is the authorities’ training platform, to help all companies in Norway to access free training in cyber security.

Screenshot: ovelse.no

Textbox 3.7 Media literacy

Media literacy is important for the population’s resilience. This is a highly prioritised area for the Norwegian Media Authority, which conducts a survey on media literacy in the population every two years. The mapping includes exposure to and handling of disinformation and fake news, knowledge of differences in editorial and commercial content, privacy, knowledge of sources and trust in the media. The Norwegian Media Authority implements measures and advice to ensure that the population is well equipped to navigate and understand the media. Tenk, which is the educational department of the fact-checking service Faktisk.no, develops teaching programs which cover critical media use and source awareness for use in schools.

In order to facilitate good follow-up of the Security Act, the Ministry of Justice and Public Security has asked the ministries to map management positions that have roles and responsibilities linked to the ministries’ fundamental national functions. These managers need security clearance and expertise of security management, risk assessment, asset assessment and basic cyber security.

The Ministry of Justice and Public Security has also recommended that all ministries, in accordance with the Security Act, map which management positions in underlying companies require security clearance and security expertise. Results are to be submitted to the Ministry of Justice and Public Security by the end of 2022. The ministry will then assess the need for further competence measures on public companies to safeguard our national security interests.

Textbox 3.8 National strategy for cyber security competence

The national strategy for cyber security competence from 2019 facilitates a long-term build-up of competence, including the national capacity in research, development, education and awareness raising measures aimed at the population and companies. The strategy has been developed by the Ministry of Justice and Public Security in collaboration with the Ministry of Education and Research.

Textbox 3.9 National public information campaign

On behalf of the Ministry of Justice and Public Security, NorSIS will, cf. Prop. 78 S (2021–2022), carry out a national public information campaign on cyber security. The aim of the campaign is to increase security awareness and competence in the population. The campaign will be implemented in collaboration with relevant actors such as the NSM and the police. The campaign is directly targeted at the population and small and medium-sized companies, and will have a style and message that are easy to understand. One of the themes that will be promoted is measures to contribute to increased cyber security in the population, such as two-factor authentication for various services. In order to reach as many people as possible, it is planned that the campaign will largely take place on social media. The campaign will start in December 2022 and will continue throughout 2023.

3.4.2 Adequate national specialist expertise

Surveys of supply and demand show a need for more graduates in cyber security. In recent years, a number of measures have been implemented to reduce the skills gap. Several long-term measures are considered. For example, the full effect of increased admission to IT-related subjects has not yet come in the form of number of graduates.

The government will map the need for cyber security expertise and will assess measures based on the needs of the workforce.

Within certain areas of significance for national security, there is a need for personnel with specialist expertise at doctoral level. Personnel must be able to lead research and development in areas where they process information that could have decisive consequences for national security if the information becomes available to unauthorised parties.

A sufficient number of graduates at master’s level is a prerequisite to ensure more graduate researchers and other highly competent personnel with security clearance in the fields of cyber security and cryptology. 90% of students of ‘science subjects, craft subjects and technical subjects’ were Norwegian in 2021. The proportion of foreign students on programmes relating to cyber security varies between study programmes, but in total it was just 5% in 2021.7 Increasing the admission to cyber security and other IT studies will therefore contribute to increasing the proportion of researchers and other highly competent people who will be able to obtain security clearance.

Any changes in student admissions are assessed in the annual state budgets. At the same time, the government expects universities and university colleges to assess the scope of cyber security in their study portfolios themselves, based on the needs of the workforce and the wishes of their applicants, as they must do for all their educations, including doctoral educations.8

Recruiting doctorate candidates who can be given security clearance is already a challenge in various technological areas. In the last ten years, well over 60% of those who completed a doctorate in technology at a Norwegian educational institution have had foreign citizenship.9 The proportion of foreign nationals applying for recruitment positions in mathematics, natural sciences and technology was close to 90% in the period 2016–2018.10 This is a development that must be taken seriously.

The government will continue with earmarked funds for the Research Council’s industry PhD and public sector PhD schemes aimed at cyber security and cryptology. These funds are available for all qualified applicants who have security clearance.

Textbox 3.10 The balance between a still open and internationally oriented education and research sector and increasing emphasis on security considerations

Increased internationalisation has for a long time been a goal of Norwegian higher education and research policy, and an important instrument for increased quality and relevance in Norwegian education and research. Good facilitation of long-term cooperation with strong professional environments in other countries is crucial for the further development of Norway as a nation of knowledge, and for Norwegian contributions to solutions to the challenges we as a society face. This also includes countries with which we do not have security cooperation.

In Norway, as in other like-minded countries and in the EU, OECD, etc., there are discussions as to how to facilitate a good balance between a still open and internationally oriented education and research sector and increasing emphasis on security considerations. In line with this, ‘responsibility’ has been introduced as a fundamental principle in the current strategy for higher education and research collaboration with priority countries outside the EU.1

Several measures have been taken to facilitate collaboration within higher education and research in priority areas while safeguarding national interests. This includes a permanent round table for academic cooperation with China, which is coordinated by the Ministry of Education and Research, and ‘Møteplass Kina’ [Meeting Place China], which is organised by the Research Council and the Norwegian Directorate for Higher Education and Skills. The round table is aimed at strategic management, while ‘Møteplass Kina’ is aimed at those who work more operationally with higher education and research collaboration at Norwegian universities, colleges and research institutes. In addition, work is underway to develop national guidelines for responsible international cooperation, which will be available during the first half of 2023.

1 The Panorama Strategy (2021–2027) regjeringen.no.

Recruiting candidates who can be given security clearance for doctoral education in cyber security and cryptology will also require targeted efforts from universities and university colleges. As mentioned above, the government expects educational institutions to determine the scope of their doctoral education according to the needs of the workforce and the wishes of applicants. In the case of employment in recruitment positions where the employee will be in situations that require either security clearance, access clearance or authorisation, universities and university colleges must ensure that the appointed person receives the necessary clearances, as required by the Security Act.

Most PhD candidates in technological subjects will not need security clearance during their doctoral education, but they may need security clearance in the job they go to after completing their doctorate. In some subject areas of importance to national security, it will therefore be desirable to ensure a sufficient number of doctoral candidates who can get security clearance after education. With the current regulations for security clearance and employment in government positions, it is unclear how universities and colleges can regulate the intake of research fellows in order to fulfil the desire to train doctoral candidates who can get security clearance. At the same time, the workforce's need for doctoral candidates who can get security clearance is unclear. Before the government starts assessing the regulations, the need should be assessed.

The government will examine the workforce's need for doctoral qualifications for positions where a security clearance is required.

Textbox 3.11 Public-private collaboration on security testing and critical system investigations

Norway must have the expertise and capacity to verify and validate equipment and systems that are integrated into systems that are critical to society’s ability to function. Over several years, NTNU, in close collaboration with the power industry, has worked to build up such a capacity that can be used for security testing and investigations of hardware and integrated systems. Statkraft, Statnett, Eidsiva, KraftCERT, NVE, NSM and Energy Norway have been driving forces behind this public-private collaboration initiative. Together with partners, NTNU is now making an investment of approx. NOK 15 million to establish a laboratory environment to meet this need. The investment is made in connection with Norwegian Cyber Range.

3.5 Advice and guidance – the user in focus

A high level of common understanding of security, the risk and threat picture, from individuals to companies and public enterprises, is important for national security and national control. This also includes why national security is important, what instruments the authorities have at their disposal, what requirements are placed on various public and private actors and how it affects the individual. The sum of individual measures contributes to greater resilience in society against unwanted events.

3.5.1 The establishment of a national portal and support tool for cyber security

The government will launch a national portal for cyber security and a support tool for all Norwegian companies to make national advice and recommendations available in line with Prop. 78 S (2021–2022).

Advice and guidance on cyber security is often not well known and is only to a limited extent systematically followed up and prioritised by companies. The portal will be a common gateway for different user groups, but will be designed so that everyone receives uniform advice adapted to their user group. This should not require prior knowledge of roles and responsibilities within the area. The work of developing a portal started in autumn 2022 with a planned launch during 2023. The portal’s contents will be developed by central actors with roles and responsibilities related to cyber security. NSM leads the work, and will establish, manage and run the portal.

Increased security in individual companies is an important contribution to society’s collective security. In order to contribute to more systematic work with cyber security, NSM will offer a support tool to all Norwegian companies through the national portal. The tool will make it easier for companies to evaluate their own security maturity level and contribute to national advice being better known and implemented by companies.

Textbox 3.12 National advice and recommendations on cyber security are not used enough

In 2021, the Ministry of Justice and Public Security and the Ministry of Defence conducted a survey among Norwegian companies about the national strategy for cyber security and awareness of national advice and recommendations for cyber security. The results show that those companies that are aware of the national recommendations in the strategy and NSM’s basic principles use these to a large extent in their operations. This applies to both the public and private sectors, regardless of the size of the company. Only a small number of companies have followed up on all recommendations. The main reason is stated to be a lack of time, but also that the companies are unsure of how to proceed.

3.5.2 Merging government guidance resources

Several state authorities provide advice and guidance about cyber security, and the authorities’ work in this area can appear fragmented and uncoordinated to the outside world.11 The portal and the support tool described in Point 3.5.1 will contribute to better coordination and making advice and guidance more available. The government will consider further measures to strengthen coordination at authority level and make it easier for the end user.

The government will map user needs and experiences with the current organisation of guidance in cyber security. This is to assess tasks, responsibilities and organisation, and whether merging of government guidance resources will be able to produce efficiency gains.

3.5.3 A secure digital network architecture (‘Zero Trust’)

During the last decade, the work on a secure network architecture has increasingly taken as its starting point the fact that one cannot have more trust in machines and services in a company’s internal network than one has in arbitrary machines and services on the open internet. A consequence of this is that digital identities, authentication and access management have become central tools for establishing a secure network architecture. This approach has been called ‘Zero Trust’ architecture.

The government will ensure that Norwegian recommendations on secure network architecture are updated in line with the development of international standards in this area.

3.6 National detection capability and incident management

3.6.1 National incident management

A large proportion of the threats against Norway occur in cyber space. Over time, NSM has experienced a sharp increase in cyber attacks. According to the NCSC, this is a trend that is expected to continue in the future. The cyber attacks on the Storting in 2020 and 2021 were attacks on our democracy and show the seriousness of the cyber risk picture. For the first time, Norway took the step of making a public attribution to another state. It was announced that Russia was behind the attack. The following year, it was announced that the second data breach against the Storting was carried out from China.

To help meet this challenge, the NSM has been granted NOK 15 million in 2022, cf. Recommendation 270 S (2021–2022) to Prop. 78 S (2021–2022). The grant will expand the number of positions in the NCSC and will improve the ability to coordinate, analyse and handle incidents and provide practical assistance to affected companies.

Textbox 3.13 The Oil Fund experiences cyber attacks every day – cyber attacks are the Fund’s biggest concern

Norges Bank Investment Management has the daily task of managing the Norwegian Government Pension Fund (‘the Oil Fund’) and makes a major effort to reduce the likelihood and consequences of cyber incidents on its own operations. The number of attacks they experience is increasing, and attackers are constantly using more advanced methods and means. Thus, cyber security has become one of the biggest concerns for the fund’s manager.

Sector-specific response communities are an important measure to ensure the sharing of information and support for handling cyber attacks. Most sectors have established such communities or have entered into various forms of cooperation in this regard. These response communities are the link between the NSM and individual companies in various sectors. On behalf of the Ministry of Justice and Public Security, an external evaluation of the sectoral response community scheme has been carried out. The overall impression is that cooperation between the various actors works well, that there is a good exchange of information, methods, experiences and competence across the communities, and that the system of sectoral response communities has provided a more unified security environment in Norway. A main conclusion is that the national effort should be combined to secure fundamental national functions. Moreover, preventive cyber security should be included to a greater extent in the national model for incident management and balanced against operational work. Given the lack of expertise within cyber security, it is also important that the national model for incident management is sustainable over time.

The government will further develop the national framework for managing cyber incidents. This is to ensure a sustainable incident handling model in line with society’s needs.

Textbox 3.14 Team Norway

Commissioned by the Ministry of Justice and Public Security and the Ministry of Defence, NSM and the Norwegian Cyber Defence Force coordinate Norwegian participation in the international cyber exercise Locked Shields. The purpose of Norwegian participation is to train response communities in incident management in the civilian and military sectors. Through the establishment of ‘Team Norway’, the NSM and the Norwegian Cyber Defence Force have followed up the strategy of extensive public-private and civil-military cooperation to meet cyber threats.

Figure 3.5 Norway has frequently participated in the international exercise Locked Shields.

Photo: NATO CCDCOE, Ardi Hallismaa

3.6.2 Digital resilience in the municipal sector

Unwanted cyber incidents in municipalities can have large consequences on services for citizens, and can result in large costs for the municipalities and for the Norwegian society. Although cyber security in the municipalities is handled within public security, a hybrid threat picture makes it necessary to work towards better digital resilience also from a national security perspective. In a challenging economic situation, it will however be difficult for the municipalities to set the necessary priorities and acquire cyber security expertise.

In February 2022, over 200 municipalities attended a meeting with the Minister of Justice and Public Security and the Minister of Local Government and Regional Development. The purpose of this meeting was to raise awareness of cyber security in the municipal sector, inform about a changed risk and threat picture and enter into dialogue with the municipalities about how the state can contribute so that they are better equipped to prevent and handle unwanted cyber incidents. As a follow-up to the municipal event, the government wants municipalities to have a permanent response community that meets the municipalities’ needs.

The government will contribute to the prevention of unwanted cyber incidents in the municipal sector and will designate a sectoral response community that can meet the municipalities’ needs.

Textbox 3.15 Østre Toten municipality exposed to ransomware virus

On 9th January 2021, Østre Toten municipality was exposed to ransomware, which put large parts of the municipality’s network back to manual management for a long time. The actor had stolen significant amounts of data. The municipality’s operational ability was greatly reduced when most of the municipality’s digital services were down. The situation worsened further on 29th March, when parts of the stolen data were published on the dark web. The municipality had to handle sensitive personal data that had been stolen, and inform and support people who were affected. In practice, the incident meant that the alarm system at nursing homes was replaced with bells, the locking system in the municipality’s buildings did not work, and that the health centre’s records were inaccessible. The incident has cost the municipality around NOK 34 million.

3.6.3 Establishing next-generation national detection capability

‘Advanced persistent threats’ are the defining threat to national cyber security. The actors behind them are often considered to be government actors who work systematically over time to create access to relevant systems.

The early warning system for digital infrastructure (VDI) functions as a ‘digital burglar alarm’ to detect attacks. VDI is a network of sensors that are deployed at selected public and private enterprises that have critical infrastructure. The sensors make it possible for the NSM to detect and verify cyber attacks.

In order to increase the effectiveness of the system, the number of companies participating in the VDI collaboration and the analysis capacity to handle larger amounts of information will have to increase. The NSM has been granted NOK 30.3 million for this initiative, cf. Recommendation 270 S (2021–2022) to Prop. 78 S (2021–2022). Next-generation VDI will be expanded with several different components that are designed to work together and overall will be more efficient than today. The expansion is also an important contribution to seeing the totality of and the work with a national situation picture in the cyber domain.

One of the government’s ambitions is to further develop national detection capabilities. Development in this area will require long-term investment, which also includes infrastructure. Central to this is the further development of VDI and any requirements for VDI sensors for important suppliers that support key functions in society. Increased analysis capacity and technical capacity in the NSM will be considered in order to detect incidents which could threaten our security.

Footnotes

1. Fundamental national functions are defined in the Security Act as ‘services, production and other forms of enterprise of such importance that a complete or partial loss of function will have consequences for the state’s ability to safeguard national security interests.’

2. Certain relevant regulations will be discussed in chapter 4.

3. Act relating to the Control of the Export of Strategic Goods, Services, Technology, etc.

4. Regulations concerning the export of defence material, multi-purpose goods, technology and services.

5. Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.

6. Meld. St. 6 (2022–2023) A greener and more active state ownership – The state’s direct ownership of companies.

7. Higher education statistics from the Norwegian Directorate for Higher Education and Skills.

8. Recommendation 425 S (2020–2021) and Meld. St. 19 (2020–2021) Management of state universities and university colleges.

9. Statistics Norway 2022. Article: Rekordmange utenlandske statsborgere blant de nye doktorene i 2021 [Record number of foreign citizens among new PhD graduates in 2021].

10. NIFU 2019. Søking, rekruttering og mobilitet i UH-sektoren [Attractive academic careers? Searching, recruitment and mobility in the HE sector]. Report 2019:10.

11. NOU 2018: 14 IKT-sikkerhet i alle ledd [ICT Security at Every Stage].
